Solved

CAV2 / CVC2 / CID / CVV2 Passed in Form PCI

Posted on 2011-03-20
8
1,605 Views
Last Modified: 2012-05-11
Is it permitted to pass the CAV2 / CVC2 / CID / CVV2 data from one page to a confirmation page then transmit it.

The CAV2 / CVC2 / CID / CVV2 are never stored in a database they are just passed in a form field that is pass via POST with SSL strength of 2048 bit.

Is there any documentation on this?
0
Comment
Question by:RickEpnet
  • 4
  • 4
8 Comments
 
LVL 19

Accepted Solution

by:
CoccoBill earned 500 total points
ID: 35183235
The card verification codes and other sensitive authentication data must not be stored "after authorization". Make sure they are not stored in logs, temp files, cache etc. and that they are gotten rid of after the transaction has been authorized, and there shouldn't be a problem.
0
 
LVL 14

Author Comment

by:RickEpnet
ID: 35183338
This is good information is there any documentation that gives that much detail?
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 35183405
Get the PCI DSS, sensitive authentication data is described in the beginning and requirement 3.2.2 deals with the verification codes.

https://www.pcisecuritystandards.org/security_standards/documents.php
0
3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

 
LVL 14

Author Comment

by:RickEpnet
ID: 35183953
I am having a hard time finding that version with that information on the link in you answer.
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 35184094
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

Sensitive authentication data is described on page 7, requirement 3.2 is on page 29.

"3.2 Do not store sensitive authentication data after authorization (even if encrypted)."

If the data is stored, even temporarily, in temp files, cache or memory, you need to have a documented procedure that describes how the data is deleted securely after authorization.
0
 
LVL 14

Author Comment

by:RickEpnet
ID: 35184752
That helped thanks.
Do you know what it means by "Incoming transaction data"
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 35184796
The payment information you are receiving from the customers.
0
 
LVL 14

Author Closing Comment

by:RickEpnet
ID: 35185042
Thank you
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
This tutorial walks through the best practices in adding a local business to Google Maps including how to properly search for duplicates, marker placement, and inputing business details. Login to your Google Account, then search for "Google Mapmaker…
This video teaches users how to migrate an existing Wordpress website to a new domain.

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question