Solved

CAV2 / CVC2 / CID / CVV2 Passed in Form PCI

Posted on 2011-03-20
8
1,661 Views
Last Modified: 2012-05-11
Is it permitted to pass the CAV2 / CVC2 / CID / CVV2 data from one page to a confirmation page then transmit it.

The CAV2 / CVC2 / CID / CVV2 are never stored in a database they are just passed in a form field that is pass via POST with SSL strength of 2048 bit.

Is there any documentation on this?
0
Comment
Question by:RickEpnet
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
8 Comments
 
LVL 19

Accepted Solution

by:
CoccoBill earned 500 total points
ID: 35183235
The card verification codes and other sensitive authentication data must not be stored "after authorization". Make sure they are not stored in logs, temp files, cache etc. and that they are gotten rid of after the transaction has been authorized, and there shouldn't be a problem.
0
 
LVL 14

Author Comment

by:RickEpnet
ID: 35183338
This is good information is there any documentation that gives that much detail?
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 35183405
Get the PCI DSS, sensitive authentication data is described in the beginning and requirement 3.2.2 deals with the verification codes.

https://www.pcisecuritystandards.org/security_standards/documents.php
0
Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

 
LVL 14

Author Comment

by:RickEpnet
ID: 35183953
I am having a hard time finding that version with that information on the link in you answer.
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 35184094
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

Sensitive authentication data is described on page 7, requirement 3.2 is on page 29.

"3.2 Do not store sensitive authentication data after authorization (even if encrypted)."

If the data is stored, even temporarily, in temp files, cache or memory, you need to have a documented procedure that describes how the data is deleted securely after authorization.
0
 
LVL 14

Author Comment

by:RickEpnet
ID: 35184752
That helped thanks.
Do you know what it means by "Incoming transaction data"
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 35184796
The payment information you are receiving from the customers.
0
 
LVL 14

Author Closing Comment

by:RickEpnet
ID: 35185042
Thank you
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Worried about if Apple can protect your documents, photos, and everything else that gets stored in iCloud? Read on to find out what Apple really uses to make things secure.
Color can increase conversions, create feelings of warmth or even incite people to get behind a cause. If you want your website to really impact site visitors, then it is vital to consider the impact color has on them.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question