[ic] mv_credit_card_cvv2 is no longer captured in mv_credit_card_info
Bill Carr
bill at bottlenose-wine.com
Tue Oct 20 13:17:05 UTC 2009
On Oct 20, 2009, at 7:35 AM, DB wrote:
>> Author: Jon Jensen <jon at endpoint.com>
>> Date: Thu Jun 18 22:56:42 2009 -0600
>>
>> Remove CVV2/CSC from default credit card encrypted block template
>>
>> The card security code should not be stored at all, even in encrypted
>> form. This makes the default behavior compliant with section 3.2.2 of
>> PCI-DSS 1.2:
>>
>>
>> https://www.pcisecuritystandards.org/security_standards/download.html?id=pci
>>
>> It is of course still possible to manually supply a template that
>> stores the card security code in violation of PCI-DSS requirements, so
>> developers should review any custom credit card encryption templates
>> to make sure that the CVV2 is not included, and purge it from any
>> historical data they have stored.
>>
>> Thanks to Mark Lipscombe for calling attention to this.
>>
>>
>> CU,
>>
>> Gert
>
> I have a client that runs charges manually on a terminal using the
> credit card data (including cvv) that's decrypted from emails sent by
> the server. Without undoing the above change and breaking compliance, is
> there no way for my client to continue this practice?
There is no way to store the CVV2 and be PCI compliant. Try setting up
a payment gateway.
-Bill Carr