[ic] mv_credit_card_cvv2 is no longer capture in mv_credit_card_info

Gert van der Spoel gert at 3edge.com
Wed Sep 16 08:49:58 UTC 2009

> -----Original Message-----
> From: interchange-users-bounces at icdevgroup.org [mailto:interchange-
> users-bounces at icdevgroup.org] On Behalf Of Raymond Cheng
> Sent: Wednesday, September 16, 2009 9:47 AM
> To: interchange-users at icdevgroup.org
> Subject: [ic] mv_credit_card_cvv2 is no longer capture in
> mv_credit_card_info
> Hi, All:
> I have a site captures credit card information (pgp encrpted) and
> process charges off line . mv_credit_card_info in report will include
> credit card numbers and expiration date as weel as cvv2 numbers. The
> mv_credit_card_info in latest daily build (5.7.1-200909070658) includes
> only credit card numbers and expiration date. The cvv2 numbers are no
> longer included in  mv_credit_card_info. any clue. Thank you.

Likely because of the following commit (lib/Vend/Order.pm):
diff --git a/lib/Vend/Order.pm b/lib/Vend/Order.pm
index fe08095..1e9b4b6 100644
--- a/lib/Vend/Order.pm
+++ b/lib/Vend/Order.pm
@@ -443,7 +443,6 @@ sub build_cc_info {
-                       {MV_CREDIT_CARD_CVV2}
                )) . "\n";

commit fe182d93b4741210ca1511bdeb03d2c51cc87097
Author: Jon Jensen <jon at endpoint.com>
Date:   Thu Jun 18 22:56:42 2009 -0600

    Remove CVV2/CSC from default credit card encrypted block template

    The card security code should not be stored at all, even in encrypted
    form. This makes the default behavior compliant with section 3.2.2 of
    PCI-DSS 1.2:


    It is of course still possible to manually supply a template that
    stores the card security code in violation of PCI-DSS requirements, so
    developers should review any custom credit card encryption templates
    to make sure that the CVV2 is not included, and purge it from any
    historical data they have stored.

    Thanks to Mark Lipscombe for calling attention to this.



More information about the interchange-users mailing list