Frequently Asked Question
Are merchants allowed to request card-verification codes/values from cardholders?
The card verification code or value (also referred to as CVV2, CVC2, CID, or CAV2) is the three- or four- digit code printed on the front or back of a payment card which provides additional assurance that the card is in the possession of the authorized cardholder. Card verification codes/values are considered to be sensitive authentication data (SAD) and merchants and other entities involved in payment card processing are required to strictly protect this data and securely delete it after authorization in accordance with PCI DSS Requirement 3.2.
Featured FAQ Articles
Most Recently Updated
Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?