Posted (db) in General on August-7-2008

I wrote about this topic before; see here:

The Card Security Code is located on the back of MasterCard, Visa and Discover credit or debit cards and is typically a separate group of 3 digits to the right of the signature strip.

Now the latest perpetrator is an organization that:

is the global, not-for-profit leader in educating and certifying information security professionals throughout their careers. Recognized for Gold Standard certifications and world class education programs.

 

So when paying my annual dues for a security certification, I see the following prompt for my "Security Code":

[Images: isc2, isc2_001]

 

PCI 3.3.2:

"Do not store the card validation value or code (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions"

 

More here on the Visa CVV2 fact sheet:

Q. Can merchants store my 3-digit code?
A. No. To ensure information security, all merchants are prohibited from storing the 3-digit code in any format whether on paper drafts, receipts or electronically.

 

From: Rules for Visa Merchants

Avoid CVV2 Storage. All merchants are prohibited from storing CVV2 data. When asking a cardholder for CVV2, merchants must not document this information on any kind of paper order form or store it on any database.


Comments:
Mark Baldwin on September 10th, 2008 at 7:54 pm #

Storing the CVV2 is not allowed once the transaction is completed. I don’t see how their request for it on paper is any different than their request for it online. They can just as easily store the CVV2 if input into a web form as they can when written onto a piece of paper. Unless they are storing the invoice with the code after the transaction is complete, I don’t think this is a violation of the DSS.
