Shostack + Friends Blog Archive


Free advice for merchants accepting payment cards

3. Protect Stored Data
3.1 Keep cardholder information storage to a minimum. Develop a data
retention and disposal policy. Limit your storage amount and retention
time to that which is required for business, legal, and/or regulatory
purposes, as documented in the data retention policy.
3.2 Do not store sensitive authentication data subsequent to authorization
(not even if encrypted):
3.2.1 Do not store the full contents of any track from the magnetic
stripe (on the back of a card, in a chip, etc.).
3.2.2 Do not store the card-validation code (CVC) (three-digit or
four-digit value printed on the front or back of a payment card
(for example, CVV2 and CVC2 data)).
3.2.3 Do not store the PIN Verification Value (PVV).

Payment Card Industry Data Security Standard, (Jan. 2005) p. 6
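As an added illustration of requirements 3.1 and 3.2 above (example code written for this post, not part of the PCI DSS or any payment processor's software), the following Python shows one way a merchant's back end could enforce "store only what is needed, and never sensitive authentication data": an allow-list filter applied before an authorization record is written, a scanner that flags track data, CVC/CVV and PVV fields or stripe-like strings that slipped into free-text fields, and a retention purge driven by a policy in days. The field names (`track2`, `cvc`, `pvv`, `authorized_at`, and so on), the retention period and the sample record are all constructed for the example; the PAN used is the well-known Visa test number, not a real card.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed field names for this example; real gateways use their own.
# PCI DSS 3.2.x: these may never be stored after authorization, even encrypted.
SENSITIVE_AUTH_FIELDS = {"track1", "track2", "cvc", "cvv2", "cvc2", "pvv", "pin", "pin_block"}

# PCI DSS 3.1: keep storage to the minimum the business needs. Everything not
# on this allow-list is dropped on the floor rather than being written.
ALLOWED_FIELDS = {"transaction_id", "amount", "currency", "authorized_at", "auth_code", "expiry"}

# Magnetic-stripe layouts: Track 1 opens with '%B' + PAN + '^', Track 2 with ';' + PAN + '='.
# Used to catch stripe data pasted into fields that are nominally harmless (notes, logs).
TRACK1_RE = re.compile(r"%B\d{12,19}\^")
TRACK2_RE = re.compile(r";\d{12,19}=")


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits of a PAN (design choice here:
    this example never retains the full PAN at all)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return the subset of an authorization record that is safe to persist."""
    out = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    if "pan" in record:
        out["pan_masked"] = mask_pan(record["pan"])
    return out


def find_prohibited_data(record: dict) -> list:
    """List the reasons a record must not be written as-is (empty list = clean)."""
    findings = []
    for key, value in record.items():
        if key in SENSITIVE_AUTH_FIELDS:
            findings.append(f"field {key!r} is sensitive authentication data")
        if isinstance(value, str) and (TRACK1_RE.search(value) or TRACK2_RE.search(value)):
            findings.append(f"field {key!r} contains magnetic-stripe track data")
    return findings


def purge_expired(records: list, now: datetime, retention_days: int) -> list:
    """Apply the retention policy: drop records older than retention_days."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records if datetime.fromisoformat(r["authorized_at"]) >= cutoff]


# Constructed sample: what a naive integration might hold right after authorization.
RAW_AUTH_RECORD = {
    "transaction_id": "txn-0001",
    "amount": "19.99",
    "currency": "USD",
    "authorized_at": "2025-05-01T12:00:00+00:00",
    "auth_code": "123456",
    "expiry": "12/25",
    "pan": "4111 1111 1111 1111",                       # Visa test number
    "track2": ";4111111111111111=25121015432112345678?",  # constructed stripe data
    "cvc": "123",
    "pvv": "9876",
}


def demo() -> dict:
    assert find_prohibited_data(RAW_AUTH_RECORD)  # raw record must be rejected
    safe = sanitize_for_storage(RAW_AUTH_RECORD)
    assert not find_prohibited_data(safe)          # sanitized record passes the check
    return safe


if __name__ == "__main__":
    print(demo())
```

The allow-list is the important design choice: a deny-list of known-bad field names would silently let a new field from a gateway upgrade through, whereas an allow-list fails closed. The scanner exists for the other direction, auditing data already at rest (database dumps, application logs) for stripe-shaped strings, which is where violations of 3.2.1 are usually found in practice.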

One comment on "Free advice for merchants accepting payment cards"

  • schopenhauer says:

    What’s the PVV? hopefully not a number that allows the vendor to push pins through a known algorithm, and know that then the algorithm generates this PVV, they have your PIN?
