VISA Rules for Merchant Use of CVV2 Data
You are probably aware of the three-digit security code stamped on the signature panel of your VISA or MasterCard credit or debit card. Did you know that VISA and MasterCard prohibit the merchant from storing that code in any way?
Rules For Visa Merchants clearly states:
All merchants are prohibited from storing CVV2 data. When asking a cardholder for CVV2, merchants must not document this information on any kind of paper order form or store it on any database.
The official document on VISA's site is here:
Rules for Visa Merchants
See section 3, page 41 - it's in the blue box on the left side of the page.
Why is this, and what is the Security Code for?
The CVV2 code was developed as a security measure to combat the use of stolen credit card numbers. The CVV2 code is used for card-not-present transactions to verify that the person trying to use the card has physical possession of the card. The three-digit code is stored in only one place - on the back of the card. It is NOT on your statements, nor does the issuing bank have access to it. There is no master database containing these numbers. The CVV2 number is the result of a sophisticated algorithm that uses both your credit card number and a private security key from the issuing financial institution.
If the person using the card has the correct CVV2 number, it is assumed they have physical possession of the card.
It is primarily used in automated authorization systems, like buying something online through an automated system that doesn't involve a human on the merchant end.
If you are talking to the merchant on the phone and they ask you for the security code, BE VERY CAUTIOUS! Ask how they are using it. Are they writing it down? Entering it in the company's order system? The merchant is prohibited by their merchant agreement from doing either of these!!
They are allowed to enter it directly into a live authorization system for approval of the sale, but they are not allowed to store it in any manner!!
Remember that the person you are dealing with probably isn't aware of this rule, and they are only doing what their employer asks them to do. Be polite, and ask them to refer their management to this page so they can comply with Visa's rules. The link at the top of the page to VISA's Rules for Merchants is the official word.
NOTES TO MERCHANTS:
There are other ways to verify a customer has physical possession of the card. Some merchants require the customer to fax a signed credit card authorization form before the charge is submitted for approval. If you do this, you can provide a blank area on your authorization form and instruct the cardholder to place the card underneath, then take a pencil and rub the surface of the card with the edge of the pencil lead. This will transfer the imprintable data to the authorization form, which can then be faxed to you.
Use of the CVV2 data is a powerful tool to ensure the purchaser isn't using a card they don't physically possess (as with stolen credit card numbers), but be sure you are following the rules set forth in your merchant agreement. Storage of a customer's CVV2 data is prohibited, and you could lose your merchant account by doing so. There is no increase in your processing costs if CVV2 authorization is not utilized.
If your system does not allow automated or instant approval for your transactions, do not collect the CVV2 data. Remember, it can't be written down or stored in any way. Consider other ways to ensure the person ordering is using the card legitimately. A signed, faxed credit card authorization form containing a card imprint and a government-issued ID is considered by many to be irrefutable proof that the cardholder authorized the transaction and is a great tool to guard against chargebacks.