I recently received a letter from the company that monitors my home alarm. It basically stated that to avoid a $3US surcharge I must opt out of receiving bills in the mail (which is fine) and that I must set up automatic transactions. I also found this form attached.
This is not the first time that I have seen a payment option that includes a requirement for the CVV2 or CID value from my credit card. However, with a little knowledge of PCI, I have to ask myself the following question: “What exactly are they going to do with this information?” According to PCI-DSS, this information must not be stored (even in an encrypted format) after authorization.
That raises the following questions for the merchant requiring this information:
- Is this truly only for the first transaction authorization and the physical form will be securely destroyed?
- In this particular case, this is for a monthly transaction. So their relationship with their provider is such that CID/CVV is optional (and not used) for secondary transactions?
- Or is this information being stored, electronically or physically, allowing for the possibility of later transactions?
In this case, I am assuming this information would be stored and used for each transaction. So this raises some additional questions around PCI assessment, understanding and process. The bottom line is that the CID/CVV value is going to be useless if it is as easily compromised as the rest of the card information.
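To make the PCI-DSS point concrete, here is an added example (not code from the original post) of how a merchant can run recurring billing without ever persisting the CVV2/CID: the value is used once for the initial authorization, the processor hands back a token for later charges, and an audit helper checks that the stored card-on-file record carries neither the CVV nor the full PAN. The processor (`StubProcessor`), its method names and the sample form values are all assumptions constructed for this illustration; the card number is the standard test PAN, not a real card.

```python
"""Card-on-file recurring billing that keeps CVV2/CID out of storage.

Added example, not from the original post. `StubProcessor` is a
hypothetical stand-in for a payment gateway; real gateways return a
recurring-use token in a broadly similar way, but every name and
signature here is an assumption.
"""
from dataclasses import dataclass
import re
import secrets

# Constructed intake from a paper form (standard test PAN, not a real card).
SAMPLE_FORM = {
    "name": "J. Doe",
    "pan": "4111 1111 1111 1111",
    "exp": "12/27",
    "cvv": "123",
    "amount_cents": 2995,
}


def luhn_ok(pan: str) -> bool:
    """Luhn check on a digits-only PAN; catches transcription errors from the form."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class StubProcessor:
    """Hypothetical gateway: first auth consumes the CVV, later charges use a token."""

    def __init__(self):
        self.vault = {}  # token -> last four digits; the processor, not the merchant, holds the PAN

    def authorize_and_tokenize(self, pan, exp, cvv, amount_cents):
        if not re.fullmatch(r"\d{3,4}", cvv):
            raise ValueError("CVV2/CID must be 3 or 4 digits")
        token = "tok_" + secrets.token_hex(8)
        self.vault[token] = pan[-4:]
        return {"approved": True, "token": token}

    def charge_token(self, token, amount_cents):
        # Recurring charge: no PAN and no CVV leave the merchant's side.
        if token not in self.vault:
            raise KeyError("unknown token")
        return {"approved": True, "last4": self.vault[token]}


@dataclass
class CardOnFile:
    """The only record the merchant persists: token, masked PAN, expiry."""
    customer: str
    token: str
    last4: str
    exp: str


def enroll(form, processor) -> CardOnFile:
    """Use the CVV exactly once, for the initial authorization, then drop it."""
    pan = re.sub(r"\D", "", form["pan"])
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    result = processor.authorize_and_tokenize(pan, form["exp"], form["cvv"], form["amount_cents"])
    if not result["approved"]:
        raise RuntimeError("initial authorization declined")
    return CardOnFile(form["name"], result["token"], pan[-4:], form["exp"])


def recurring_charge(record: CardOnFile, processor, amount_cents):
    """Monthly charge against the token; the CVV is not needed and not available."""
    return processor.charge_token(record.token, amount_cents)


def storage_violations(record, form) -> list:
    """Audit helper: report any persisted field holding the full PAN or the CVV."""
    pan_digits = re.sub(r"\D", "", form["pan"])
    problems = []
    for name, value in vars(record).items():
        text = str(value)
        if re.sub(r"\D", "", text) == pan_digits:
            problems.append(f"{name}: full PAN stored")
        if text == form["cvv"]:
            problems.append(f"{name}: CVV2/CID stored")
    return problems


@dataclass
class LeakyRecord:
    """What a form-transcribed record looks like when CVV and PAN are kept (the anti-pattern)."""
    customer: str
    pan: str
    exp: str
    cvv: str
```

Running `enroll(SAMPLE_FORM, StubProcessor())` yields a `CardOnFile` with only a token and the last four digits, so `storage_violations` returns an empty list; building a `LeakyRecord` from the same form produces two findings, which is exactly the condition the post is asking the merchant about.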
In my role as a consumer, I regularly see invoices requesting CID/CVV information. I believe we need to ask questions about how this information is going to be handled and used.
I’d love to hear from you, so share your thoughts by commenting below.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.