Aug
07
Stop asking me for Security Codes on paper invoices, part 2
Posted (db) in General on August-7-2008

I wrote about this topic before: see here:

The Card Security Code is located on the back of MasterCard, Visa and Discover credit or debit cards and is typically a separate group of 3 digits to the right of the signature strip.

Now the latest perpetrator is an organization that:

is the global, not-for-profit leader in educating and certifying information security professionals throughout their careers. Recognized for Gold Standard certifications and world class education programs.

 

So when paying for my annual dues for a security certification: I see the following prompt for my "Security Code"

isc2
isc2_001

 

PCI 3.3.2:

"Do not store the card validation value or code (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions"

 

More here on the Visa CVV2 fact sheet:

Q. Can merchants store my 3-digit code?
A. No. To ensure information security, all merchants are prohibited from storing the 3-digit code in any format whether on paper drafts, receipts or electronically.

 

From : Rules for Visa Merchants

Avoid CVV2 Storage. All merchants are prohibited from storing CVV2 data.
When asking a cardholder for CVV2, merchants must not document this
information on any kind of paper order form or store it on any database.


Possibly Related Posts (automatically generated):

  1. Visa’s Misuse of Authorization Fee
   Read More   

Comments:
Mark Baldwin on September 10th, 2008 at 7:54 pm #

Storing the CVV2 is not allowed once the transaction is completed. I don’t see how their request for it on paper is any different than their request for it online. They can just as easily store the CVV2 if input into a web form as they can when written onto a piece of paper. Unless they are storing the invoice with the code after the transaction is complete, I don’t think this is a violation of the DSS.

Post a comment
Name: 
Email: 
URL: 
Comments: