WithPCI.com

3.3.1.2 The card verification code is not stored upon completion of the authorization process.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

3.3.1.2 The card verification code is not stored upon completion of the authorization process.

Customized Approach Objective

This requirement is not eligible for the customized approach.

Applicability Notes

The card verification code is the three- or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions.

Defined Approach Testing Procedures

3.3.1.2 Examine data sources, to verify that the card verification code is not stored upon completion of the authorization process.

Purpose

If card verification code data is stolen, malicious individuals can execute fraudulent Internet and mail-order/telephone-order (MO/TO) transactions. Not storing this data reduces the probability of it being compromised.

Examples

If card verification codes are stored on paper media prior to completion of authorization, a method of erasing or covering the codes should prevent them from being read after authorization is complete. Example methods of rendering the codes unreadable include removing the code with scissors and applying a suitably opaque and un-removable marker over the code.

Data sources to review to ensure that the card verification code is not retained upon completion of the authorization process include, but are not limited to:

  • Incoming transaction data.
  • All logs (for example, transaction, history, debugging, error).
  • History files.
  • Trace files.
  • Database schemas.
  • Contents of databases, and on-premise and cloud data stores.
  • Any existing memory/crash dump files.
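A scanner for the data sources listed above, plus the matching application control (masking the code before it can reach a log or trace file), added here as an example; it is not part of the PCI DSS text or of WithPCI's material. A bare three- or four-digit number cannot be told apart from any other number, so the scanner looks for the code under its field name in key=value, JSON and query-string style records; the field names in CVC_FIELD_NAMES and the sample log lines are assumptions constructed for this example.

```python
import re

# Field names under which a card verification code typically shows up in
# application logs, debug traces, crash dumps and database exports.
# Assumed list for this example; extend it with your own field names.
CVC_FIELD_NAMES = {
    "cvv", "cvv2", "cvc", "cvc2", "csc", "securitycode",
    "cardsecuritycode", "cardverificationcode", "cardverificationvalue",
}

# Matches key=value, key: value, "key": "value", "key": 123 and cvv=123 in query
# strings. The value must be exactly three or four digits, the code's format.
_KV_RE = re.compile(
    r"""(?<![A-Za-z0-9])([A-Za-z][A-Za-z0-9_\-]*)["']?\s*[:=]\s*["']?(\d{3,4})(?!\d)"""
)

def _normalize(key):
    # card_verification_code, CardVerificationCode, card-verification-code -> cardverificationcode
    return re.sub(r"[^a-z0-9]", "", key.lower())

def find_cvc_fields(line):
    """Return (field, value) pairs in one line that look like a stored verification code."""
    return [(m.group(1), m.group(2)) for m in _KV_RE.finditer(line)
            if _normalize(m.group(1)) in CVC_FIELD_NAMES]

def scan_lines(lines):
    """Scan a data source line by line; returns (line_number, field, value) per finding."""
    return [(n, f, v) for n, line in enumerate(lines, 1) for f, v in find_cvc_fields(line)]

def redact_cvc(line):
    """Application control: mask the code before the line is written to any log or trace."""
    def mask(m):
        if _normalize(m.group(1)) in CVC_FIELD_NAMES:
            return m.group(0)[:-len(m.group(2))] + "***"
        return m.group(0)  # not a verification-code field, leave untouched
    return _KV_RE.sub(mask, line)

# Constructed sample log lines (not from any real system). Line 2 is the kind of
# debug payload dump that retains the code after authorization.
SAMPLE_LOG = [
    '2024-05-01T10:00:01Z INFO auth request pan=****1111 cvv=123 amount=10.00',
    '2024-05-01T10:00:02Z DEBUG payload={"card": {"number": "****1111", "security_code": "4321"}}',
    '2024-05-01T10:00:03Z INFO order_id=9876 status=approved',
]

if __name__ == "__main__":
    for lineno, field, value in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: field {field!r} holds a verification code")
    print(redact_cvc(SAMPLE_LOG[0]))
```

Run scan_lines over exported logs, trace files and database dumps on a schedule; a single finding means the code survived authorization and the source needs cleanup and a fix at the point that wrote it.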

Purpose

Do not store card verification codes after authorization.

Compliance Strategies

  • Automated data deletion
  • Application controls

Typical Policies

  • CVV Handling Policy

Common Pitfalls

  • CVV retained post-authorization

Type

Technical Control

Difficulty

High

Key Risks

  • Illegal storage, increased breach impact

Recommendations

  • Scan for CVV data regularly

Eligible SAQ

  • SAQ-A-EP
  • SAQ-B
  • SAQ-B-IP
  • SAQ-C
  • SAQ-C-VT
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
