What Merchants Need To Know About CVV Codes

Many people know what a CVV code is even if they do not immediately recognize the term. A CVV code is a three-digit code found on the back of major credit cards. Its main use is in virtual (card-not-present) transactions, where it provides additional evidence that the person completing the transaction physically holds the card that will be charged. CVV codes are meant to protect consumers and merchants from monetary losses and to help mitigate the damage if a database containing cardholder information is compromised.

Can merchants store CVV codes?

Under the PCI DSS, merchants are not authorized to store the following sensitive authentication data after authorization: full magnetic stripe data (or the equivalent data on a chip), CVV codes, and PINs. A CVV code is not necessary to complete a transaction. Merchants are allowed to store cardholder data such as the primary account number, cardholder name, and expiration date, which can be used to complete a transaction, but storing this data is not recommended for most merchants: it vastly increases the scope of PCI Compliance and consequently drives up the cost of achieving and maintaining it.
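One way to enforce the storage rule above in code is to scrub sensitive authentication data out of every payment record before it is written to a database or log. The following is an added example, not code from the original article; the field names in SAD_FIELDS and the sample record are assumptions constructed for illustration.

```python
"""Remove PCI DSS sensitive authentication data (SAD) from a payment record
before it is persisted or logged. Added example; field names are assumed."""
from __future__ import annotations
import re
from typing import Any

# Common field names that carry SAD (assumed names, not a standard list).
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cid", "security_code",
              "pin", "pin_block", "track1", "track2"}

# Track 2 stripe data: [;]PAN=YYMMservice-code...[?]
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}\d*\??")
# Track 1 stripe data: %B<PAN>^<NAME>^...[?]
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^[^?]*\??")


def scrub_sad(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return a copy of `record` with SAD removed, plus a list of findings."""
    clean: dict[str, Any] = {}
    findings: list[str] = []
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            findings.append(f"dropped field {key!r}")          # CVV / PIN / track
            continue
        if isinstance(value, dict):                            # nested structures
            sub, sub_findings = scrub_sad(value)
            clean[key] = sub
            findings.extend(f"{key}.{f}" for f in sub_findings)
            continue
        if isinstance(value, str) and (TRACK1_RE.search(value)
                                       or TRACK2_RE.search(value)):
            findings.append(f"redacted track data in {key!r}")  # stripe in free text
            clean[key] = "[TRACK DATA REMOVED]"
            continue
        clean[key] = value
    return clean, findings


def safe_to_persist(record: dict[str, Any]) -> bool:
    """True only if the record already contains no SAD."""
    return not scrub_sad(record)[1]


# Constructed sample authorization request (test PAN, not real card data).
AUTH_REQUEST = {
    "pan": "4111111111111111", "exp": "12/29", "name": "J DOE",
    "cvv": "123",
    "billing": {"zip": "94107", "pin": "4321"},
    "note": "swipe: ;4111111111111111=29121010000000000000?",
}
```

Only the scrubbed copy should ever reach storage; the findings list is what a detection pipeline can alert on, since any non-empty result means SAD was about to be persisted.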

Why do merchants use CVV codes?

CVV codes offer further assurance that it is, in fact, the authorized cardholder who is attempting to complete a transaction. According to the Card Acceptance Guidelines for Visa Merchants, merchants should treat virtual credit card transactions like transactions in a store. In short, the payment must be processed first, and the necessary precautions must be taken to ensure the card is being charged lawfully, before the customer receives any merchandise.

Collecting payments virtually, whether by phone or online, presents new challenges for merchants. Merchants should take further measures to verify cardholder identity and must handle both cardholder information and sensitive authentication data properly. Measures that can substitute for a physical card, a signature, and an official form of identification include asking for the cardholder's billing address and CVV code. However, CVV codes can present a problem when completing a transaction: they may be illegible, or the cardholder may not be able to locate the code. Additionally, since CVV codes are not required to complete a transaction, and since collecting them increases the scope of PCI Compliance, many merchants opt not to collect them at the point of transaction.

Why can't merchants store CVV codes?

Every day thousands of merchants are attacked, and a great number are successfully hacked. If merchants were allowed to store CVV data, hackers would gain access to it as well, and it would no longer serve its intended purpose of showing that the card is physically in the possession of the party to the transaction. Merchants are therefore not allowed to record CVV codes, in order to mitigate the damage incurred if a large quantity of cardholder information falls into the wrong hands. It is common for hackers to sell cardholder information to third parties. Although illicit purchases can still be made with the stolen information, the absence of CVV codes is a preventative measure that limits the damage suffered by unsuspecting merchants and banks.

Most banks will drop fees and illicit charges against consumers for charges associated with stolen card numbers if the cardholder signs an affidavit explaining the situation. The same is not true, however, for merchants who have been hacked due to a lack of full PCI Compliance. For merchants, the costs are extremely steep. Typically fees average around $20,000 for each compromised credit card account. You can imagine the cost if just 1,000 credit card accounts were illegally obtained from your non-compliant systems.

Learn more about merchant requirements

Much of the information available to merchants about achieving PCI Compliance and securing a business against massive fines just isn't clear or accessible to the average merchant, who simply wants to do what is necessary to protect their business and their customers.

If you're a merchant who is looking into PCI Compliance, good for you! Most businesses that are not fully protected will eventually be hacked. The trafficking of stolen credit card data is extremely big business, and the small merchant ends up as the victim.

If you’re just getting started and need some help learning about what you will need to do to protect your business, please contact us for a free consultation on securing your business and achieving PCI Compliance. We’re happy to talk with you about your existing systems and seek the most economical solution for you to obtain full PCI Compliance.