Frequently Asked Question
 
Can card verification codes be stored for card-on-file or recurring transactions?
No. It is not permitted to retain card verification codes once the specific purchase or transaction for which it was collected has been authorized. Card verification codes are typically used for authorization in card-not-present transactions. PCI DSS does not prohibit the collection of card verification codes prior to authorization of a specific purchase or transaction.
 
A card verification code (also referred to as CAV2, CVC2, CVN2, CVV2, or CID, depending on the payment brand) is the 3- or 4-digit number printed on the front or back of a payment card. These values are considered sensitive authentication data (SAD), which, in accordance with PCI DSS Requirement 3, cannot be stored after authorization*.
 
Card verification codes are not needed for card-on-file or recurring transactions (for example, for a recurring gym membership payment), and PCI DSS prohibits storage for these purposes. PCI DSS also prohibits storage of card verification codes for concierge-style services, where cardholder details are retained by an entity to facilitate potential future transactions on behalf of a consumer (for example, for making restaurant reservations or purchasing theatre tickets).
 
All card verification codes must be completely removed from the entity's systems to comply with Requirement 3. The requirement that prohibits retaining sensitive authentication data after authorization applies even if that data is encrypted. Any service or process that claims to "remove" card verification codes from storage, yet is able to retrieve them for future authorization, would need to be assessed (for example, by a QSA or ISA) to confirm that all card verification codes have been truly removed from the entity's systems and are not being stored in any way, shape, or form.
 
It should also be noted that it is not permissible to store card verification codes regardless of any permission the entity may have received from their customer to store the sensitive authentication data on their behalf. A customer's request or approval for an entity to retain a card verification code has no validity for PCI DSS and does not constitute an allowance to store the data.
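As an added illustration (not from the FAQ, and not any payment brand's or acquirer's real API): a card-on-file enrollment in which the verification code is passed to the initial authorization call and never written to the store, followed by a check that flags stored records still carrying a code in any form, encrypted included. The acquirer client, record layout, field-name hints and sample values are all constructed for this example.

```python
# Added example: verification code used for the first authorization only, then a
# recurring charge against the stored reference, plus a retained-code check.
from dataclasses import dataclass
import hashlib
import re

class MockAcquirer:
    """Stand-in for an acquirer API; real APIs differ in shape (assumption)."""
    def authorize(self, pan, expiry, cvc, amount):
        # Returns a card reference the entity may keep for later card-on-file charges.
        ref = "tok_" + hashlib.sha256(pan.encode()).hexdigest()[:12]
        return {"approved": len(cvc) in (3, 4), "card_ref": ref}
    def charge_on_file(self, card_ref, amount):
        # Subsequent charges need only the reference, never the verification code.
        return {"approved": card_ref.startswith("tok_")}

@dataclass
class StoredCard:
    card_ref: str   # acquirer reference for card-on-file use
    last4: str      # truncated PAN only
    expiry: str

_db = []  # constructed in-memory store for the example

def enroll_recurring(acq, pan, expiry, cvc, amount):
    """Authorize the first payment with the code, then persist only the reference."""
    resp = acq.authorize(pan, expiry, cvc, amount)
    if not resp["approved"]:
        return None
    card = StoredCard(card_ref=resp["card_ref"], last4=pan[-4:], expiry=expiry)
    _db.append(card)      # note: cvc is a local argument and is not stored
    return card

def charge_recurring(acq, card, amount):
    """Later card-on-file charge: no verification code is available or needed."""
    return acq.charge_on_file(card.card_ref, amount)["approved"]

# Field-name tokens that suggest a verification code was retained (constructed list).
SAD_TOKENS = {"cvv", "cvv2", "cvc", "cvc2", "cav2", "cvn2", "cid"}

def find_retained_codes(records):
    """Flag stored records with a non-empty verification-code field under any name,
    so 'cvv_enc' or 'cvc_hash' count too: encrypted storage is still storage."""
    findings = []
    for i, rec in enumerate(records):
        fields = rec if isinstance(rec, dict) else vars(rec)
        for key, value in fields.items():
            tokens = set(re.split(r"[^a-z0-9]+", key.lower()))
            if tokens & SAD_TOKENS and value not in (None, ""):
                findings.append((i, key))
    return findings
```

The check deliberately treats a populated field named like a verification code as a finding regardless of its contents, matching the FAQ's point that encryption does not make post-authorization retention permissible.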
 
Merchants and their service providers should contact the organizations that manage compliance programs, such as their acquirer (merchant bank), the payment brands, or other entity directly, as applicable, for guidance on how to process recurring or card-on-file transactions without requiring transmission or storage of the card verification codes. Contact details for the payment brands can be found in FAQ #1142, How do I contact the payment card brands?
 
See also the following related FAQs:
FAQ 1574: If an organization provides software or functionality that runs on a consumer's device (for example, smartphones, tablets, or laptops) and is used to accept payment account data, can the organization store card verification codes for those consumers?
FAQ 1533: For PCI DSS, why is storage of sensitive authentication data (SAD) after authorization not permitted even when there are no primary account numbers (PANs) in an environment?
 
* Only issuers or those companies supporting issuing services with a legitimate issuing business need may store SAD after transaction authorization. 