[ic] mv_credit_card_cvv2 is no longer capture in mv_credit_card_info

Bill Carr bill at bottlenose-wine.com
Tue Oct 20 13:17:05 UTC 2009

On Oct 20, 2009, at 7:35 AM, DB wrote:

>> Author: Jon Jensen <jon at endpoint.com>
>> Date:   Thu Jun 18 22:56:42 2009 -0600
>>    Remove CVV2/CSC from default credit card encrypted block template
>>    The card security code should not be stored at all, even in  
>> encrypted
>>    form. This makes the default behavior compliant with section  
>> 3.2.2 of
>>    PCI-DSS 1.2:
>> https://www.pcisecuritystandards.org/security_standards/download.html?id=pci
>>    It is of course still possible to manually supply a template that
>>    stores the card security code in violation of PCI-DSS  
>> requirements, so
>>    developers should review any custom credit card encryption  
>> templates
>>    to make sure that the CVV2 is not included, and purge it from any
>>    historical data they have stored.
>>    Thanks to Mark Lipscombe for calling attention to this.
>> CU,
>> Gert
> I have a client that runs charges manually on a terminal using the
> credit card data (including cvv) that's decrypted from emails sent by
> the server. Without undoing the above change and breaking  
> compliance, is
> there no way for my client to continue this practice?
There is no way to store the CVV2 and be PCI compliant. Try setting up  
a payment gateway.

-Bill Carr

More information about the interchange-users mailing list