Prohibited Data Storage
February 15th, 2007 Posted in PCI DSS
Dan asks:
I’ve just read the post on Chip and Pin, but I’m still unclear about the storing of the CVV value. Is it the case that the CVV value cannot be stored under any circumstances, whether in a MOTO, Chip and PIN environment, etc.? The article doesn’t make this 100% clear.
It should be noted that there is a difference between the CVV (Card Verification Value) and the CVV2/CVC2/CID. The CVV is a value that is rarely discussed and is part of the magnetic track data. The CVV2/CVC2/CID is the 3 digits on the back (or 4 digits on the front for American Express) of the credit card.
Regardless of this nuance, there are three pieces of data that are prohibited from being stored after authorization. Whether you are handling a card-present (swipe), card-not-present (MOTO), or chip-and-PIN transaction, this rule still applies.
You cannot store any of the following after authorization:
- Magnetic stripe data (Track 1 or 2)
- PIN block data (and, yes, this means ‘encrypted PIN block’ too)
- CVV2/CVC2/CID
You can read more about this in a prior post here: Do NOT store sensitive data after authorization.
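One practical way to enforce the rule above is to scan what your application actually writes to disk. The following Python scanner is added here as an example; it is not code from the original post. It assumes the standard ISO/IEC 7813 track layouts (Track 1 begins `%B<PAN>^`, Track 2 begins `;<PAN>=`), applies a Luhn check on the extracted PAN to cut false positives, and assumes constructed field names such as `cvv2=` and `pinblock=` for how an application might have logged the other two prohibited items. The sample log lines are constructed and use a well-known test card number.

```python
import re

# Track 1, ISO/IEC 7813 format B (assumed layout):
#   %B<PAN 13-19 digits>^<NAME 2-26 chars>^<YYMM><3-digit service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{7}[^?]*\?")
# Track 2 (assumed layout):
#   ;<PAN 13-19 digits>=<YYMM><3-digit service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{7}[^?]*\?")
# CVV2/CVC2/CID written as a named field. Field names are an assumption
# about how an application might log them, not a standard.
CVV2_FIELD_RE = re.compile(
    r"\b(cvv2?|cvc2?|cid|security_code)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE
)
# An (encrypted) PIN block is 8 bytes, commonly logged as 16 hex digits.
# The field name is again an assumption.
PIN_BLOCK_RE = re.compile(
    r"\b(pin_?block)\s*[=:]\s*[0-9A-Fa-f]{16}\b", re.IGNORECASE
)


def luhn_ok(pan: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so the report itself is safe to store."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return (kind, evidence) pairs for every prohibited item found in one line."""
    findings = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            pan = m.group(1)
            if luhn_ok(pan):    # ignore random digit runs that are not card numbers
                findings.append((kind, mask_pan(pan)))
    for m in CVV2_FIELD_RE.finditer(line):
        findings.append(("cvv2", m.group(1).lower()))
    for m in PIN_BLOCK_RE.finditer(line):
        findings.append(("pin_block", m.group(1).lower()))
    return findings


def scan(lines) -> list:
    """Scan an iterable of log lines; report line number, kind and masked evidence only."""
    report = []
    for n, line in enumerate(lines, 1):
        for kind, evidence in scan_line(line):
            report.append({"line": n, "kind": kind, "evidence": evidence})
    return report


# Constructed sample log lines; 4111111111111111 is a widely used test card number.
SAMPLE_LOG = [
    "2007-02-15 10:01:02 INFO auth ok order=1001 pan=411111******1111 exp=0910",
    "2007-02-15 10:01:03 DEBUG raw_swipe=%B4111111111111111^DOE/JOHN^09101011000000000000?",
    "2007-02-15 10:01:04 DEBUG track2=;4111111111111111=09101011000000000000?",
    "2007-02-15 10:01:05 DEBUG moto order=1002 cvv2=123",
    "2007-02-15 10:01:06 DEBUG pinblock=0123456789ABCDEF",
    "2007-02-15 10:01:07 INFO settlement batch=42 total=199.00",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"line {finding['line']}: prohibited {finding['kind']} ({finding['evidence']})")
```

Line 1 is not flagged because a truncated PAN and an expiry date are permitted after authorization; lines 2 to 5 each contain one of the prohibited items. Run it over application logs, crash dumps and database exports, and treat any hit as a retention defect to fix at the source, not just a record to delete.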
2 Responses to “Prohibited Data Storage”
By Monica Douglas on Feb 28, 2007
Whatever happened to Track 3 data? Are merchants allowed to store Track 3?
By datasecurity on Feb 28, 2007
Monica, Track 3 is not used to store credit card data. It has other purposes that are outside the scope of PCI. (i.e. hotel rooms store information on this track.)
It is actually more correct to say “Track Data” instead of “Track 1 and 2 Data” because of the confusion you raised. From now on we will try to use the more correct Track Data. =)
Thanks!