I need to store the payment info of a transaction.

We have a script that reads which transactions haven't yet been sent to our ERP (the business management software), to then send it. This script runs every several minutes.

According to PCI DSS, I can store info such as credit card number, cardholder name and expiration date, but I can't store the CVV2. How should I store this info until the script sends it?

leo0

5 Answers

Technically, according to PCI SSC you can hold onto CVV and other sensitive authentication data until authorization has occurred. In other words, the restriction on storing sensitive authentication data applies to post-authentication/processing storage. Here is a document from the PCI SSC about data storage requirements. See the "Technical Guidelines for PCI Data Storage" table. Footnote 2 to the table states:

Sensitive authentication data must not be stored after authorization (even if encrypted).

My advice as a QSA would be that the pre-auth storage time needs to be reasonable from a business standpoint. I would also want it to be as short as technically possible. If your data flow is similar to others in your industry and they are processing payments without storing sensitive data for more than a few seconds at most, then I would expect the same of you.

Timee
    This is great news, thanks a lot for the answer. We will only keep the CVV stored until authorization. And sorry for the long delay, I thought no one would answer this question anymore. – leo0 Jul 07 '14 at 18:36
  • Yeah that is good insight with the footnote. It appears that their guidelines are leaving out some situations. They say never store the CVV, but the footnote says it must not be stored after authorization. Those 2 things don't completely agree. What about before authorization? They need to address that. Some businesses put billing information on file before performing a service as a precaution for example. – mikato Sep 18 '17 at 16:23
  • Additionally, the Attestation of Compliance your QSA completes asks to certify that "No evidence of full track data1, CAV2, CVC2, CID, or CVV2 data2, or PIN data3 storage *after transaction authorization* was found on ANY system reviewed during this assessment". (This is how hotel booking sites can have a hotel charge your card for no-shows, even if it's months after the original booking.) – Gareth Oakley Apr 17 '19 at 16:58
You need to speak to a QSA.

You may not store the CVV. However, incidental storage may occur as part of an approved transactional flow, and that is acceptable if the QSA finds it so. Otherwise, it would be impossible to use CVV in batch transactions.

gowenfawr
As gowenfawr answered you may not store the CVV number. The purpose of the CVV number is to prove the cardholder possesses the card, not to authorize transactions. If the merchant is able to obtain the CVV number it denies the consumer the ability to successfully charge back an unauthorized transaction since the Credit Card company will deny the chargeback.

The most popular answer to this question is not the correct one. The only place the CVV number should be stored is on the Credit Card itself.

user34445
    BOTH Timee AND gowenfawr said you can store it during the initial auth only, not thereafter, and that's the same thing your link says. And it's also what PCISSC has consistently said for a decade. – dave_thompson_085 Feb 18 '17 at 09:09
  • A fallacy does not cease to be a fallacy because it becomes fashionable. – user34445 Feb 18 '17 at 10:44
You're not going to be able to do that - you'll need to find another way.

If memory serves, the PCI DSS framework also states that you can't store a credit card number (or other PAN) in plaintext in its entirety. You'll need to obfuscate the middle numbers as is shown on receipts, so you need to ensure your script will allow you to do that as well.

DKNUCKLES
  • Yeah - I was going to store the credit card number, name and expiration date encrypted. Guess I need to find another way. – leo0 Jul 03 '14 at 12:13
  • You can store PAN and other 'Cardholder Data' either (1) strongly encrypted (2) one-way hashed OR (3) masked. Or (4) you can freely store and use a nonsensitive token which _represents_ the PAN stored by _some other_ compliant system such as the processor. But you can't store 'Sensitive Auth Data' (which CVV is) at all after authorization. – dave_thompson_085 Feb 18 '17 at 09:12
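To make the storage rules from this thread concrete, here is an added Python illustration (not code from any poster): the CVV is kept in memory only until the gateway answers, as Timee's answer permits, and the row persisted for the ERP sync script holds a masked PAN (first six and last four digits) plus a keyed one-way hash, two of the options dave_thompson_085 lists. It also includes a small audit that scans persisted rows for fields named like sensitive authentication data or values that are Luhn-valid full card numbers, which is the check a QSA would expect the sync script's data store to pass. The key, the card number, the gateway stub and all field names are constructed for the example.

```python
# Added illustration of pre-authorization-only CVV handling and PAN masking/hashing.
# Everything here (key, sample card, gateway stub, field names) is constructed.
import hashlib
import hmac
import re
from dataclasses import asdict, dataclass
from typing import Callable, Optional

# Constructed key for the keyed hash; a real deployment keeps it in an HSM/KMS,
# separate from the records it protects.
HASH_KEY = b"constructed-demo-key-not-for-production"

# Field-name tokens that indicate sensitive authentication data (PCI DSS terms).
SAD_TOKENS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "cav2", "track", "track1", "track2", "pin"}
# A bare run of 13-19 digits is card-number shaped; Luhn confirms before flagging.
DIGIT_RUN = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check, used to tell a card number from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the truncation shown on receipts."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_hash(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed one-way hash of the PAN, usable for matching transactions to a card."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


@dataclass
class PendingPayment:
    """Held in memory only; never written anywhere."""
    pan: str
    expiry: str
    cardholder: str
    cvv: Optional[str]


@dataclass
class ErpRecord:
    """The row the sync script may persist and forward to the ERP."""
    masked_pan: str
    pan_hash: str
    expiry: str
    cardholder: str
    auth_code: str

    def as_row(self) -> dict:
        return asdict(self)


Gateway = Callable[[str, str, str], dict]


def authorize(payment: PendingPayment, gateway: Gateway) -> ErpRecord:
    """Send the card to the gateway, then purge the CVV whatever the outcome."""
    try:
        result = gateway(payment.pan, payment.expiry, payment.cvv or "")
    finally:
        payment.cvv = None  # sensitive authentication data must not outlive authorization
    if not result.get("approved"):
        raise PermissionError("authorization declined")
    return ErpRecord(
        masked_pan=mask_pan(payment.pan),
        pan_hash=pan_hash(payment.pan),
        expiry=payment.expiry,
        cardholder=payment.cardholder,
        auth_code=result["auth_code"],
    )


def audit_row(row: dict) -> list:
    """Findings for a persisted row: SAD-named fields or values holding a full PAN."""
    findings = []
    for name, value in row.items():
        tokens = set(re.split(r"[^a-z0-9]+", name.lower()))
        if tokens & SAD_TOKENS:
            findings.append(f"field '{name}' looks like sensitive authentication data")
        for run in DIGIT_RUN.findall(str(value)):
            if luhn_valid(run):
                findings.append(f"field '{name}' holds an unmasked card number")
    return findings


def fake_gateway(pan: str, expiry: str, cvv: str) -> dict:
    """Stand-in for a processor: approves whenever a CVV was supplied."""
    return {"approved": bool(cvv), "auth_code": "A12345"}


if __name__ == "__main__":
    payment = PendingPayment("4111 1111 1111 1111", "12/27", "Constructed Cardholder", "123")
    record = authorize(payment, fake_gateway)
    print(record.as_row(), payment.cvv)  # row has no cvv field; cvv is None
    print(audit_row({"card_cvv": "123", "pan": "4111111111111111"}))  # two findings
```

The `finally` block is the important detail: the CVV is dropped whether the gateway approves, declines or raises, so a failed or retried authorization never leaves sensitive authentication data sitting in the batch queue. The audit runs over whatever rows the sync script actually reads, which is where a QSA will look for stray CVV columns or unmasked PANs.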
There are certainly (naturally) a lot of details missing here. I am in agreement with DKNUCKLES, and believe you have a process problem. Are you able to sanitize the rationale for the delay through authorization of your cardholder data?

You definitely cannot store full track data or the CVV2 number at all.

M15K