Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

CAV2 / CVC2 / CID / CVV2 Passed in Form PCI

Posted on 2011-03-20
8
1,634 Views
Last Modified: 2012-05-11
Is it permitted to pass the CAV2 / CVC2 / CID / CVV2 data from one page to a confirmation page then transmit it.

The CAV2 / CVC2 / CID / CVV2 are never stored in a database they are just passed in a form field that is pass via POST with SSL strength of 2048 bit.

Is there any documentation on this?
0
Comment
Question by:RickEpnet
  • 4
  • 4
8 Comments
 
LVL 19

Accepted Solution

by:
CoccoBill earned 500 total points
ID: 35183235
The card verification codes and other sensitive authentication data must not be stored "after authorization". Make sure they are not stored in logs, temp files, cache etc. and that they are gotten rid of after the transaction has been authorized, and there shouldn't be a problem.
0
 
LVL 14

Author Comment

by:RickEpnet
ID: 35183338
This is good information is there any documentation that gives that much detail?
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 35183405
Get the PCI DSS, sensitive authentication data is described in the beginning and requirement 3.2.2 deals with the verification codes.

https://www.pcisecuritystandards.org/security_standards/documents.php
0
Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

 
LVL 14

Author Comment

by:RickEpnet
ID: 35183953
I am having a hard time finding that version with that information on the link in you answer.
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 35184094
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

Sensitive authentication data is described on page 7, requirement 3.2 is on page 29.

"3.2 Do not store sensitive authentication data after authorization (even if encrypted)."

If the data is stored, even temporarily, in temp files, cache or memory, you need to have a documented procedure that describes how the data is deleted securely after authorization.
0
 
LVL 14

Author Comment

by:RickEpnet
ID: 35184752
That helped thanks.
Do you know what it means by "Incoming transaction data"
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 35184796
The payment information you are receiving from the customers.
0
 
LVL 14

Author Closing Comment

by:RickEpnet
ID: 35185042
Thank you
0

Featured Post

How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Boost your ability to deliver ambitious and competitive web apps by choosing the right JavaScript framework to best suit your project’s needs.
When crafting your “Why Us” page, there are a plethora of pitfalls to avoid. Follow these five tips, and you’ll be well on your way to creating an effective page.
This video teaches users how to migrate an existing Wordpress website to a new domain.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question