3

I have a limited-amount plastic card issued by a certain company. When I log into my online account of the same company, I can see complete details: the 16-digit card number, name, expiry date and CVV number are visible there.

The login is protected via OTP as well.

My question is: can the card issuer store complete information about my card in their portal?

Rory Alsop
ISGuy
  • 4
    how could they even function without having such info? – dandavis Dec 30 '16 at 21:54
  • 1
    I assume you mean CVV2/CVC2/etc which is the one displayed on the back of your card (front for Amex); the **1** values are only in the magstripe and used only for machine-read txns. The issuer _must store_ CV2, because they are the ones who check it when it is used for a txn; if they couldn't check it, it would be totally useless. _Displaying_ it is a very different matter, and maybe a bad idea, though as answered not covered by PCI DSS. – dave_thompson_085 Dec 31 '16 at 07:52
  • Not good practice to display the CVV number. – Julian Knight Jan 01 '17 at 15:21

3 Answers

8

Yes.

A payment handler (e.g. Amazon, Netflix, Thames Water, Comcast) must not store CVV and must mask the PAN (card number), assuming that they are contractually bound to the Payment Card Industry Data Security Standard (PCI-DSS) by their bank.

The card issuer, however, has no such restrictions. They issued the card and they are ultimately responsible for storing its information safely. In all likelihood the card's funds will be protected by a mandatory insurance policy (either private or governmental), such as the Financial Services Compensation Scheme (FSCS) in the UK, and the bank will be liable for damages in the event of card fraud caused by their negligence.

Local law, however, may override this, though I am entirely unaware of any law governing the data security practices of financial institutes at this level of detail.

Polynomial
  • Not exactly; in case his card is a part of a local brand then your answer is wrong – BokerTov Jan 01 '17 at 06:35
  • @BokerTov True; he said it was a prepay issued by a company, not a bank card, so I made an assumption that it wouldn't be governed as such. – Polynomial Jan 01 '17 at 12:00
0

Depends.

If the card is a part of the following brands, VISA\MASTERCARD\AMEX\JCB\DISCOVER, then no, your card issuer is not allowed to show that information. Your card issuer needs to comply with PCI DSS requirements as well as all other merchants and service providers.

If your issued card is not a part of the mentioned brands then PCI DSS is not relevant and he can do whatever he wants.

BokerTov
-3

The card issuing company can store card no. and expiry but not CVV. If a virtual card is issued then all storage is permitted.

  • This is incorrect. As explained in the accepted answer, the card **issuer** absolutely can store the CVV. – Joseph Sible-Reinstate Monica Nov 30 '19 at 15:20
  • @JosephSible-ReinstateMonica The card issuer cannot store CVV unless it is a closed loop card (https://whatis.techtarget.com/definition/open-loop-closed-loop-payment-cards). I am talking about a card which can be used at any ATM or e-commerce website irrespective of brand. In India, a bank which I work for issues Rupay cards and does not store CVV. Also it is useless to store CVV at the issuer's end because the issuer can calculate CVV at any time using two DES keys, card number, service code, expiry date. – krishna Telgave Dec 01 '19 at 06:49
  • That's not true either. – Joseph Sible-Reinstate Monica Dec 01 '19 at 06:56
  • @JosephSible-ReinstateMonica The purpose of CVV is to check the integrity of track data using an HSM. If you are storing CVV then you are defying the purpose of having CVV. It is not optional to comply with PCI DSS standards. In India, the Reserve Bank of India mandates PCI DSS compliance whatever brand you may be. – krishna Telgave Dec 01 '19 at 06:56
  • @JosephSible-ReinstateMonica What is not true? Instead of downvoting, can you explain a bit? – krishna Telgave Dec 01 '19 at 07:00