Merchant Processes and CID/CVV2

I recently received a letter from the company that monitors my home alarm. It basically stated that to avoid a $3US surcharge I must opt out of receiving a bill in the mail (which is fine) and that I must set up automatic transactions. I also found this form attached.

Merchant Form

This is not the first time that I have seen a payment option that includes a requirement for the CVV2 or CID value from my credit card. However, with a little knowledge of PCI, I have to ask myself the following question: “What exactly are they going to do with this information?” According to PCI-DSS, this information must not be stored (even in an encrypted format) after authorization.

That raises the following questions for the merchant requiring this information–

  1. Is this truly only for the first transaction authorization and the physical form will be securely destroyed?
  2. In this particular case, this is for a monthly transaction. So their relationship with their provider is such that CID/CVV is optional (and not used) for secondary transactions?
  3. Or is this information being stored, electronically or physically, allowing for the possibility of later transactions?

In this case, I am assuming this information would be stored and used for each transaction. So this raises some additional questions around PCI assessment, understanding and process. The bottom line is that the CID/CVV value is going to be useless if it is as easily compromised as the rest of the card information.
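As an added example that is not part of the original post, here is how a merchant-side system can honour the rule the questions above turn on: use the CID/CVV2 once for the first authorization, keep only a processor-issued token for the monthly charges, and audit what actually got persisted. `FakeProcessor`, the token format, the field names and the test card number are constructed stand-ins, not a real gateway API.

```python
import re
from dataclasses import dataclass, asdict

# Field names under which a card security code (CVV2/CID/CVC2) typically shows up
# in a persisted record. Constructed list; extend it for your own schemas.
SECURITY_CODE_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "card_security_code", "security_code"}
THREE_OR_FOUR_DIGITS = re.compile(r"^\d{3,4}$")  # 3 digits (Visa/MC CVV2), 4 digits (Amex CID)

def find_stored_security_codes(record: dict) -> list[str]:
    """Return the keys of a stored record whose name and value look like a card security code.

    This is the post-authorization check: PCI DSS forbids retaining the code at all,
    encrypted or not, so any hit is a finding regardless of how the value is protected.
    """
    hits = []
    for key, value in record.items():
        if key.lower().replace("-", "_") in SECURITY_CODE_KEYS and value not in (None, ""):
            if THREE_OR_FOUR_DIGITS.match(str(value)):
                hits.append(key)
    return hits

@dataclass
class StoredPayment:
    """What is allowed to persist for recurring billing: a processor token, not the card data."""
    token: str      # processor-issued reference standing in for the PAN
    last4: str      # display-only; the PAN itself is not kept here
    auth_code: str  # authorization code returned by the first transaction

class FakeProcessor:
    """Stand-in for a payment processor API (hypothetical; not a real gateway)."""
    def __init__(self):
        self.vault = {}  # the processor, not the merchant, holds the card data
    def authorize(self, pan, exp, security_code, amount):
        token = "tok_" + pan[-4:] + "_" + exp.replace("/", "")
        self.vault[token] = (pan, exp)
        return {"token": token, "auth_code": "A1B2C3"}
    def charge_token(self, token, amount):
        return {"approved": token in self.vault, "amount": amount}

def set_up_recurring(pan, exp, security_code, amount, processor) -> StoredPayment:
    """First transaction: the security code is used for this authorization only, then dropped."""
    resp = processor.authorize(pan, exp, security_code, amount)
    # The returned record has no field for the code, so it cannot be retained by accident.
    return StoredPayment(token=resp["token"], last4=pan[-4:], auth_code=resp["auth_code"])

def record_for_storage(stored: StoredPayment) -> dict:
    """Serialized form of the record as it would be written to the database."""
    return asdict(stored)

def charge_recurring(stored: StoredPayment, amount, processor) -> dict:
    """Later transactions run against the token; no security code is needed or available."""
    return processor.charge_token(stored.token, amount)
```

Running `find_stored_security_codes` over every record in the payments table (or over the scanned paper forms' data-entry output) is the audit that answers question 3 above.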

In my role as a consumer, I regularly see invoices requesting CID/CVV information. I believe we need to ask questions about how this information is going to be handled and used.


I’d love to hear from you, so share your thoughts by commenting below.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in Other.

2 Responses to Merchant Processes and CID/CVV2

  1. Steve says:

    Wouldn’t storing the CVV or any credit card details on paper violate PCI by default?

    • I thought the same. My understanding of the intent of CVV usage would also preclude it being written on paper. However, I have had multiple merchants ask this of me. In the short PCI PDF “Do’s and Don’ts” it states that it cannot be stored after the transaction. So even using that yardstick, the merchant would have to input the data, shred the paper and then click submit (to technically not have it stored after the transaction). I think what you are saying is this is a red flag from a Merchant PCI process standpoint. To your point, I fully agree.
