Storing the card verification code (CVV2/CVC2/CID, the 3- or 4-digit number printed on the card) after a transaction has been authorized is prohibited under PCI DSS Requirement 3, whether the code is stored electronically or on paper, and encrypting it does not make the storage permissible. The code is classed as sensitive authentication data: it may pass through your systems only for the authorization itself. Any retained copy puts you at extreme compliance risk and creates immediate liability for your business.
Essential steps to reduce your risk:
1. Destroy all stored CVV codes immediately
- Electronic storage: Delete CVV codes from all digital systems, databases, application and web server logs, crash dumps, exports, and backup files. Deleting a database column does not remove the copies in backups and logs; find and purge those too.
- Paper storage: Cross-cut shred, incinerate, or pulp all documents containing CVV codes so the data cannot be reconstructed (the same standard PCI DSS sets for destroying cardholder data on paper)
- Don't delay: Every moment these codes remain stored increases your legal and financial exposure
2. Implement strict CVV handling procedures
- Train all staff that CVV codes must never be written down or saved anywhere
- Pass the CVV to the processor for authorization and discard it as soon as the authorization response is received; never log it, even in debug output
- Establish clear procedures for handling payment information without storing CVVs, for example by entering the code directly into the terminal or the processor's hosted payment page rather than into your own forms
3. Update your security policies and training
- Document in your security policy that CVV storage is absolutely prohibited
- Train all staff on proper CVV handling procedures
- Regularly remind employees that this is a zero-tolerance policy
- Include CVV handling in new employee training
4. Audit and monitor for compliance
- Regularly search all systems and files (databases, logs, exports, file shares, backups) to confirm no CVV codes are being stored
- Monitor staff practices during payment processing
- Implement automated checks that flag card numbers stored next to a 3- or 4-digit value so accidental CVV storage is caught before it becomes a violation
5. Red flags that increase your risk
- CVV codes written on receipts, order forms, or customer records
- CVV numbers stored in digital customer files or databases
- Staff unsure about CVV storage rules
- CVV codes in email communications, chat messages, or notes
- Any backup systems or log archives containing historical CVV data
- Call recordings of phone orders in which the customer reads out the code
- Manual processes that involve writing down complete card information
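One concrete form of the automated check called for under step 4, as an added example that is not part of the original page: a scanner that runs over exported records or log lines, finds Luhn-valid card numbers, finds 3- or 4-digit values labelled as a verification code, and flags records that contain both. The sample lines and field labels (`pan=`, `cvv=`, `sec code`) are constructed for the example, and the card numbers are the public test numbers used by payment gateways, not real cards. The scanner reports masked PANs only and never echoes the code itself, so its own output does not become another stored copy.

```python
import re
from typing import Dict, List

# Constructed sample export lines for the example (not real card data;
# the PANs are public gateway test numbers). The field labels are assumptions.
SAMPLE_LINES = [
    "order=1001 pan=4111111111111111 exp=12/27 cvv=123 amount=49.99",
    "order=1002 pan=5555555555554444 exp=01/26 amount=12.00",
    "order=1003 card 378282246310005 sec code 1234 phone order",
    "order=1004 note: customer ref 987 pan=4111111111111111",
    "order=1005 pan=1234567890123456 cvv=999",  # fails Luhn, so not a PAN
]

# Candidate PAN: 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Labelled verification code: a code label followed by 3 or 4 digits.
CVV_RE = re.compile(
    r"\b(?:cvv2?|cvc2?|cid|cav2|sec(?:urity)?\s*code)\s*[:=]?\s*(\d{3,4})\b",
    re.IGNORECASE,
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (weeds out order IDs etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(record: str) -> Dict[str, object]:
    """Classify one record. The CVV value itself is deliberately not returned."""
    pans = [m.group(1) for m in PAN_RE.finditer(record) if luhn_ok(m.group(1))]
    cvvs = CVV_RE.findall(record)
    if cvvs and pans:
        verdict = "stored_cvv_with_pan"      # clear violation: code stored beside card number
    elif cvvs:
        verdict = "labelled_cvv_no_pan"      # suspicious; needs manual review
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "pan_count": len(pans),
        "cvv_count": len(cvvs),
        "pans_masked": [mask_pan(p) for p in pans],
    }


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return findings (with 1-based line numbers) for every non-clean record."""
    findings = []
    for n, line in enumerate(lines, 1):
        result = scan_record(line)
        if result["verdict"] != "clean":
            result["line"] = n
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f['line']}: {f['verdict']} pans={f['pans_masked']}")
```

Run it against database exports, application log archives, and restored backups, not just the live system, because those are where stale copies survive. The check only catches plaintext, labelled values; an unlabelled 3-digit column or an encrypted field needs a schema and code review instead, and a labelled-but-no-PAN hit may be a false positive (or a record whose PAN sits in a different table), so review it rather than dismiss it.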
The bottom line
CVV storage after authorization is one of the most serious PCI violations and creates immediate non-compliance. There are no exceptions: these codes must never be retained anywhere, for any reason, encrypted or not.
Take action immediately to destroy any stored CVV codes and implement strict handling procedures. Contact your payment processor or acquirer if you need guidance on compliant payment processing methods; hosted payment pages and PCI-listed P2PE terminals keep the code out of your environment entirely.