[PCI DSS 3.0] 3.2.2 Do not store the card verification code or value

pcinetwork

PCINetwork.org Admin
#1
3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.

3.2.2 For a sample of system components, examine data sources, including but not limited to the following, and verify that the three-digit or four-digit card verification code or value printed on the front of the card or the signature panel (CVV2, CVC2, CID, CAV2 data) is not stored after authorization:
• Incoming transaction data
• All logs (for example, transaction, history, debugging, error)
• History files
• Trace files
• Several database schemas
• Database contents.

The purpose of the card validation code is to protect "card-not-present" transactions—Internet or mail order/telephone order (MO/TO) transactions—where the consumer and the card are not present.

If this data is stolen, malicious individuals can execute fraudulent Internet and MO/TO transactions.
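
An added example, not part of the original post or of the PCI DSS text: one way to run the log and trace-file check from the testing procedure above is to search for labelled verification-code fields. The field-name list, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Field names commonly used for the card verification value (assumed list;
# extend it with the names your own applications actually use).
CVV_KEYS = r"(?:cvv2?|cvc2?|cid|cav2|csc|card_?verification(?:_?(?:code|value))?|security_?code)"

# Key, optional quote, a separator (: = or the > of an XML tag), optional quote,
# then exactly three or four digits. Masked values such as *** do not match.
CVV_FIELD = re.compile(
    r"(?<![A-Za-z0-9])(" + CVV_KEYS + r")[\"']?\s*[:=>]\s*[\"']?(\d{3,4})(?!\d)",
    re.IGNORECASE,
)

def find_cvv_fields(lines, source="<input>"):
    """Return (source, line_no, field_name) for every stored CVV-like field."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in CVV_FIELD.finditer(line):
            findings.append((source, line_no, match.group(1).lower()))
    return findings

def redact(line):
    """Mask the digits so the audit report does not itself store the value."""
    def mask(match):
        prefix = match.group(0)[: match.start(2) - match.start(0)]
        return prefix + "*" * len(match.group(2))
    return CVV_FIELD.sub(mask, line)

# Constructed sample log lines (not real card data).
SAMPLE_LOG = [
    '2014-03-02 10:15:01 DEBUG auth request pan=411111******1111 exp=0517 cvv=123',
    '2014-03-02 10:15:02 INFO  auth response code=00 approved',
    '2014-03-02 10:15:09 TRACE payload {"card": {"cvc2": "9876", "exp": "0517"}}',
    '2014-03-02 10:15:12 ERROR <request><cav2>321</cav2></request> timeout',
    '2014-03-02 10:15:20 DEBUG auth request pan=411111******1111 cvv=***',
]

if __name__ == "__main__":
    for source, line_no, field in find_cvv_fields(SAMPLE_LOG, "app.log"):
        print(f"{source}:{line_no}: {field} stored -> {redact(SAMPLE_LOG[line_no - 1])}")
```

A match on a short key such as `cid` can also be an unrelated identifier, so each finding needs review, and a verification code written without a label is not caught by this approach.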
 