Solved

CAV2 / CVC2 / CID / CVV2 Passed in Form PCI

Posted on 2011-03-20
8
1,583 Views
Last Modified: 2012-05-11
Is it permitted to pass the CAV2 / CVC2 / CID / CVV2 data from one page to a confirmation page then transmit it.

The CAV2 / CVC2 / CID / CVV2 are never stored in a database they are just passed in a form field that is pass via POST with SSL strength of 2048 bit.

Is there any documentation on this?
0
Comment
Question by:RickEpnet
  • 4
  • 4
8 Comments
 
LVL 19

Accepted Solution

by:
CoccoBill earned 500 total points
ID: 35183235
The card verification codes and other sensitive authentication data must not be stored "after authorization". Make sure they are not stored in logs, temp files, cache etc. and that they are gotten rid of after the transaction has been authorized, and there shouldn't be a problem.
0
 
LVL 14

Author Comment

by:RickEpnet
ID: 35183338
This is good information is there any documentation that gives that much detail?
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 35183405
Get the PCI DSS, sensitive authentication data is described in the beginning and requirement 3.2.2 deals with the verification codes.

https://www.pcisecuritystandards.org/security_standards/documents.php
0
 
LVL 14

Author Comment

by:RickEpnet
ID: 35183953
I am having a hard time finding that version with that information on the link in you answer.
0
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

 
LVL 19

Expert Comment

by:CoccoBill
ID: 35184094
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

Sensitive authentication data is described on page 7, requirement 3.2 is on page 29.

"3.2 Do not store sensitive authentication data after authorization (even if encrypted)."

If the data is stored, even temporarily, in temp files, cache or memory, you need to have a documented procedure that describes how the data is deleted securely after authorization.
0
 
LVL 14

Author Comment

by:RickEpnet
ID: 35184752
That helped thanks.
Do you know what it means by "Incoming transaction data"
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 35184796
The payment information you are receiving from the customers.
0
 
LVL 14

Author Closing Comment

by:RickEpnet
ID: 35185042
Thank you
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Learn by example how to specify CSS selectors for Selenium WebDriver test automation software.
Developer portfolios can be a bit of an enigma—how do you present yourself to employers without burying them in lines of code?  A modern portfolio is more than just work samples, it’s also a statement of how you work.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will get a basic understanding of what section 508 compliance can entail, learn about skip navigation links, alt text, transcripts, and font size controls.

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now