Frequently Asked Question
If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
No. PCI DSS prohibits storage of card verification codes, for example, after transaction authorization or to facilitate potential future transactions.
There are four common scenarios where organizations may want to, or think it is necessary to, store card verification codes for consumers, due to software or functionality on a consumer's device:
- Applications that facilitate consumers' online purchases and where the merchant or service provider stores card verification codes for use on behalf of consumers. Examples include merchant online store applications, gaming applications, and web browsers for auto fill of payment transactions.
- Functionality where a service provider stores card verification codes on behalf of consumers, including password vaults.
- Issuing functions that provision a consumer's account data into a consumer's device (which may include card verification codes). Not the subject of this FAQ. Only issuers or companies supporting issuing services with a legitimate issuing business need may store SAD after transaction authorization.
- Consumers that enter their own payment account data into their device (which may include card verification codes). Not the subject of this FAQ. In this case, the device is treated similarly to a consumer's payment card.
This FAQ applies only to the first two bullets above.
Card verification codes are typically used for authorization in card-not-present transactions. PCI DSS does not prohibit the collection of card verification codes prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes once the specific purchase or transaction for which they were collected has been authorized.
It is not permissible to store card verification codes regardless of any permission the entity may have received from their customer to store the sensitive authentication data on their behalf. A customer's request or approval for an entity to retain a card verification code has no validity for PCI DSS and does not constitute an allowance to store the data.
Generally, PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). This includes all entities involved in payment card account processing, including merchants, processors, acquirers, issuers, and other service providers.
Note that whether such an entity is required to undergo a PCI DSS assessment is determined by organizations that manage compliance programs, such as acquirers (merchant banks), payment brands, or other entities. Entities should contact these organizations directly for information about any such requirements. Contact details for the payment brands can be found in FAQ #1142 'How do I contact the payment card brands?'.
See also the following related FAQs:
FAQ 1280: Can card verification codes/values be stored for card-on-file or recurring transactions?
FAQ 1283: How do PCI standards apply to organizations that develop software that runs on a consumer's device (for example, a smartphone, tablet, or laptop) and is used to accept payment card data?
FAQ 1533: For PCI DSS, why is storage of sensitive authentication data (SAD) after authorization not permitted even when there are no primary account numbers (PANs) in an environment?