PCI Watch

Tracking changes across the Payment Card Industry
ℹ️
Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
View Original →
FAQ #1280 Published

Can card verification codes/values be stored for recurring transactions?

Card verification codes/values (the 3- or 4- digit number printed on a payment card) are considered sensitive authentication data (SAD), which in accordance with PCI DSS Requirement 3.2 must not be stored after authorization.

Card verification codes/values are used for initial authorization in card-not-present transactions, and are not needed for recurring transactions. Merchants should contact their acquirer (merchant bank) or the payment brands directly, as applicable, for guidance on how to process recurring transactions without storing the prohibited data. Contact details for the payment brands can be found in FAQ #1142How do I contact the payment card brands?

View original on PCI SSC website View all versions Back to recent changes

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.