Frequently Asked Question
If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
No. PCI DSS prohibits storage of card verification codes, for example, after transaction authorization or to facilitate potential future transactions.
There are four common scenarios where organizations may want to, or think it is necessary to, store card verification codes for consumers, due to software or functionality on a consumer's device:
-
Applications that facilitate consumers' online purchases and where the merchant or service provider stores card verification codes for use on behalf of consumers. Examples include merchant online store applications, gaming applications, and web browsers for auto fill of payment transactions.
-
Functionality where a service provider stores card verification codes on behalf of consumers, including password vaults.
-
Issuing functions that provision a consumer's account data into a consumer's device (which may include card verification codes). Not the subject of this FAQ. Only issuers or companies supporting issuing services with a legitimate issuing business need may store SAD after transaction authorization.
-
Consumers that enter their own payment account data into their device (which may include card verification codes). Not the subject of this FAQ. In this case, the device is treated similarly to a consumer's payment card.
This FAQ applies only to the first two bullets above.
Card verification codes are typically used for authorization in card-not-present transactions.— PCI DSS does not prohibit the collection of card verification codes prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes once the specific purchase or transaction for which it was collected has been authorized.
It is not permissible to store card verification codes regardless of any permission the entity may have received from their customer to store the sensitive authentication data on their behalf. A customer's request or approval for an entity to retain a card verification code has no validity for PCI DSS and does not constitute an allowance to store the data.
Generally, PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). This includes all entities involved in payment card account processing —including merchants, processors, acquirers, issuers, and other service providers.
Note that whether such an entity is required to undergo a PCI DSS assessment is determined by organizations that manage compliance programs, such as acquirers (merchant banks), payment brands, or other entities. Entities should contact these organizations directly for information about any such requirements. Contact details for the payment brands can be found in FAQ #1142 'How do I contact the payment card brands'?.
See also the following related FAQs:
FAQ 1280: Can card verification codes/values be stored for card-on-file or recurring transactions?
FAQ 1283: How do PCI standards apply to organizations that develop software that runs on a consumer's device (for example, a smartphone, tablet, or laptop) and is used to accept payment card data?
FAQ 1533: For PCI DSS, why is storage of sensitive authentication data (SAD) after authorization not permitted even when there are no primary account numbers (PANs) in an environment?
Related
-
When should an entity implement PCI DSS requirements noted as best practices until a future date?
-
For PCI DSS, can multi-factor authentication (MFA) implementations indicate the success of a factor prior to presentation of subsequent factors?
-
What is the completion date for PCI DSS assessments documented in a Report on Compliance and its related Attestations of Compliance?
Featured FAQ Articles
Featured
-
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?
-
Is the PCI DSS Attestation of Compliance intended to be shared?
-
How does an entity report the results of a PCI DSS assessment for new requirements that are noted in PCI DSS as best practices until a future date?
-
Where do I direct questions about complying with PCI standards?
-
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Most Popular
-
When should an entity implement PCI DSS requirements noted as best practices until a future date?
-
For PCI DSS, can multi-factor authentication (MFA) implementations indicate the success of a factor prior to presentation of subsequent factors?
-
What is the completion date for PCI DSS assessments documented in a Report on Compliance and its related Attestations of Compliance?
-
What is the completion date for PCI DSS assessments documented in a Self-Assessment Questionnaire and its related Attestations of Compliance?
-
How does PCI DSS Requirement 6.4.3 apply to 3DS scripts called from a merchant check-out page as part of 3DS processing?
Most Recently Updated
-
When should an entity implement PCI DSS requirements noted as best practices until a future date?
-
What is meant by "At-Risk Timeframe" and at risk referenced in the Final PFI Report?
-
Does PCI DSS Requirement 8.2.2 allow users to share authentication credentials?
-
For PCI DSS, can multi-factor authentication (MFA) implementations indicate the success of a factor prior to presentation of subsequent factors?
-
What is the completion date for PCI DSS assessments documented in a Report on Compliance and its related Attestations of Compliance?