CAV2 / CVC2 / CID / CVV2 Passed in Form PCI

Is it permitted to pass the CAV2 / CVC2 / CID / CVV2 data from one page to a confirmation page and then transmit it?

The CAV2 / CVC2 / CID / CVV2 are never stored in a database; they are just passed in a form field that is passed via POST with SSL strength of 2048 bit.

Is there any documentation on this?
Asked by: RickEpnet
1 Solution
 
CoccoBill Commented:
The card verification codes and other sensitive authentication data must not be stored "after authorization". Make sure they are not stored in logs, temp files, cache etc. and that they are gotten rid of after the transaction has been authorized, and there shouldn't be a problem.
 
RickEpnet (Author) Commented:
This is good information. Is there any documentation that gives that much detail?
 
CoccoBill Commented:
Get the PCI DSS; sensitive authentication data is described in the beginning, and requirement 3.2.2 deals with the verification codes.

https://www.pcisecuritystandards.org/security_standards/documents.php
 
RickEpnet (Author) Commented:
I am having a hard time finding that version with that information on the link in your answer.
 
CoccoBill Commented:
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

Sensitive authentication data is described on page 7, requirement 3.2 is on page 29.

"3.2 Do not store sensitive authentication data after authorization (even if encrypted)."

If the data is stored, even temporarily, in temp files, cache or memory, you need to have a documented procedure that describes how the data is deleted securely after authorization.
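An added example, not part of the original thread: a Python logging filter that masks the verification code when the POSTed confirmation form ends up in an application log, one of the storage locations named above. The field names, the `REDACTED` mask and the `payments` logger name are assumptions.

```python
import logging
import re
import sys
from urllib.parse import parse_qsl, urlencode

# Assumed form field names for the card verification code; adjust to your forms.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cav2", "cid"}
MASK = "REDACTED"
# Matches key=value pairs for those fields inside free-text log messages.
_KV = re.compile(r"(?i)\b(" + "|".join(sorted(SAD_FIELDS)) + r")=([^&\s]*)")

def redact_form_body(body: str) -> str:
    """Return a urlencoded POST body with verification-code fields masked."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, MASK if k.lower() in SAD_FIELDS else v) for k, v in pairs])

class RedactSADFilter(logging.Filter):
    """Masks verification codes in a record before any handler writes it."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Render msg % args first so codes passed as arguments are caught too.
        record.msg = _KV.sub(lambda m: f"{m.group(1)}={MASK}", record.getMessage())
        record.args = None
        return True

def build_logger(stream, name: str = "payments") -> logging.Logger:
    """Create a logger whose only handler redacts before writing to stream."""
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactSADFilter())
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    logger.propagate = False  # keep unredacted records away from root handlers
    return logger

if __name__ == "__main__":
    # Constructed sample request body, not real card data.
    log = build_logger(sys.stdout)
    log.info("POST /confirm body=%s", "name=J+Doe&cvv2=123&amount=10.00")
```

The filter only covers what goes through this logger; web server access logs, temp files and caches need their own checks.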
 
RickEpnet (Author) Commented:
That helped, thanks.
Do you know what it means by "Incoming transaction data"?
 
CoccoBill Commented:
The payment information you are receiving from the customers.
 
RickEpnet (Author) Commented:
Thank you