Questions About Storing the CVV Code on Credit Cards

Several folks responded to the previous post with the same question regarding the CVV code on credit cards. This is the three-digit code stamped on the back of the card. Actually, Visa calls it a CVV. It is also referred to as a CVC, CVC2, CVV2, or CID by other card issuers.
It often appears that this information is being stored when you enter information into a web form. NerdsBackup is a good example. When information is entered, there is a field for this information. You will note, though, that when you go back to a client record, the card number is partially masked and this field is always blank.
This number is NOT stored by any processing company that is operating in accordance with the PCI-DSS (Payment Card Industry Digitial Security Standard). It is used for the initial authorization, but it is NOT stored permanently on the system. Subsequent charges are sent through without this information. Use of this code is not required to process a transaction – it is simply an additional fraud-prevention control. The very fact that PCI-DSS standards prohibit storing the code in association with the card number in any form (written, encrypted, etc.) is why it has value. A hacker that manages to compromise other credit card date cannot only obtain this through physical possession of the card.
This code is NOT recorded on the magnetic strip. “Swiped” transactions ensure physical possession of the card and to not use this code. Some processing companies require it for “non-swiped” or “keyed” transactions as verification that the person keying the transaction has physical possession.
I hope this clears things up.

Dennis H in West Virginia, US
July 28, 2010