FAQ #1219 Deleted

How can issuers be PCI DSS compliant if they store sensitive authentication data?

With regard to issuers, and to companies that support issuing services such as third-party processors (TPPs) and other issuing-type processors, it is recognized that such entities may have a legitimate need to retain sensitive authentication data such as the card verification code or value (CVV2, CVC2, CID, or CAV2 data) or the PIN. While the topic of issuing entities is not specifically addressed in the PCI Data Security Standard, the PCI Security Standards Council recognizes that in certain instances storage of this data is necessary for entities performing, facilitating, or supporting issuing functions.

It is allowable for companies that perform, facilitate, or support issuing services to store sensitive authentication data if they have a legitimate business need to store such data. It should be noted that all other PCI DSS requirements apply to issuers; the only exception for issuers and issuer processors is that sensitive authentication data may be retained if there is a legitimate reason to do so. A legitimate reason is one that is necessary for the performance of the function being provided for the issuer, not one of convenience.

At their discretion, payment card brands may require issuers to validate PCI DSS compliance. For more specific information on PCI DSS compliance validation requirements, please contact the individual payment card brands at the following email addresses:

americanExpressCompliance@trustwave.com
askdatasecurity@discoverfinancial.com
riskmanagement@jcbati.com
sdp@mastercard.com
cisp@visa.com