Credit card and CVV

This forum is dedicated to answering AbleCommerce 7.0 questions about PCI certification and compliance.
chuckdvc
Lieutenant Commander (LCDR)
Posts: 97
Joined: Fri Mar 20, 2009 12:32 pm

Credit card and CVV

Post by chuckdvc » Thu Apr 16, 2009 3:02 pm

I have verified with Merchant Services that it is perfectly legal and allowed to collect the CVV and use it but we have to discard it once it has been utilized.

We also currently process through PC Charge and would like to continue that way, so we need access to the number, expiration and CVV.

PCCharge is set up to accept this info also, so it's highly unlikely what they are set up to accept is not legal.

I am afraid I may have selected the wrong Shopping Cart since most of my questions go unanswered. This is something that it appears is needed, but Able just keeps saying it's not allowed. That is incorrect.

In our current cart, oscommerce, we did a mod that collected the CVV and then added a button to delete it when we were done processing.

William M
Commander (CMDR)
Posts: 150
Joined: Sat Feb 14, 2009 9:40 am

Re: Credit card and CVV

Post by William M » Thu Apr 16, 2009 3:50 pm

So OS doesn't show it ootb either? Now I know of 8 that don't... that should tell you something.

chuckdvc
Lieutenant Commander (LCDR)
Posts: 97
Joined: Fri Mar 20, 2009 12:32 pm

Re: Credit card and CVV

Post by chuckdvc » Fri Apr 17, 2009 7:24 am

It showed it, we just had to install a button to remove it to comply with new rules.

AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: Credit card and CVV

Post by AbleMods » Sun Apr 19, 2009 12:50 pm

chuckdvc wrote: I have verified with Merchant Services that it is perfectly legal and allowed to collect the CVV and use it but we have to discard it once it has been utilized.
I would strongly suggest you and your merchant services review the PCI documentation. They are putting you in a serious liability position.
...because your merchant services/processor won't be footing the bill for a PCI compliance violation fine.
Q: What are the penalties for noncompliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.

It is important to be familiar with your merchant account agreement, which should outline your exposure.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

nickc
Captain (CAPT)
Posts: 276
Joined: Thu Nov 29, 2007 3:48 pm

Re: Credit card and CVV

Post by nickc » Sun Apr 19, 2009 10:19 pm

Ahh, but the poster is not asking to store CVV data, just to be able to retrieve it for subsequent processing (not via integrated payment gateway). That is allowed by PCI DSS and PA DSS - you can keep any data until authorization. You just have to demonstrate a policy and method for destruction.
3.2 Do not store sensitive authentication data after authorization (even if encrypted). Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3
3.2.2 being CVV...
Interesting. PCI DSS doesn't define what constitutes "storage". You'd think they'd be all over that.

Still, no surprise that Able doesn't want to muddy those waters when they are petitioning for PA DSS certification.

William M
Commander (CMDR)
Posts: 150
Joined: Sat Feb 14, 2009 9:40 am

Re: Credit card and CVV

Post by William M » Mon Apr 20, 2009 6:11 am

So it sounds like "no longer than required to complete the transaction" is the rule here.

Printed on paper and stuffed in a file cabinet.... ah, those were the days!!!!!

AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: Credit card and CVV

Post by AbleMods » Mon Apr 20, 2009 7:48 am

There is no gray area in 3.2.2. Defining "storage" is irrelevant - any need to "retrieve at a later date" by default requires "storage". The wording is very clear - do not store the CVV under any circumstances. You will put your business and your customers personal financial data at risk by doing so.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

nickc
Captain (CAPT)
Posts: 276
Joined: Thu Nov 29, 2007 3:48 pm

Re: Credit card and CVV

Post by nickc » Mon Apr 20, 2009 9:35 am

Yes, CVV can't be stored by merchant. However, no reason that Able software can't provide merchant access to the CVV.

afm
Captain (CAPT)
Posts: 339
Joined: Thu Nov 03, 2005 11:52 pm
Location: Portland, OR

Re: Credit card and CVV

Post by afm » Mon Apr 20, 2009 11:57 am

Joe quoted PCI DSS and Nick quoted PA DSS. Which one is current?
Andy Miller
Structured Solutions

Shipper 3 - High Velocity Shipment Processing

AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: Credit card and CVV

Post by AbleMods » Mon Apr 20, 2009 12:28 pm

PA is a subset of requirements as part of PCI. It applies when a payment application is sold to a third-party like us as customers of AC7. Applications written in-house do not require meeting PA-DSS standards however they do still require meeting PCI-DSS standards.
The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to a third party are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

afm
Captain (CAPT)
Posts: 339
Joined: Thu Nov 03, 2005 11:52 pm
Location: Portland, OR

Re: Credit card and CVV

Post by afm » Mon Apr 20, 2009 1:04 pm

Thank you Joe.

It seems pretty clear that the PA-DSS quoted by Nick allows the security code to be stored until the payment is authorized. I don't see an upper limit, so I suppose it can be stored indefinitely (while waiting for back ordered goods for example).

So what qualifies as a "payment application"? AbleCommerce? n/software IBizPay?

If AbleCommerce qualifies as a "payment application" and is certified to comply with PA-DSS by a reputable 3rd party, who is liable for fines if the data is stolen?

If I was fined, I would try to get my insurance carrier to pay. My insurance carrier would try to get someone else to pay (i.e. BV Software or the server host). Would AbleCommerce be exposing itself to liability by adding the ability to store the security code, even temporarily?
Last edited by afm on Mon Apr 20, 2009 3:45 pm, edited 1 time in total.
Andy Miller
Structured Solutions

Shipper 3 - High Velocity Shipment Processing

nickc
Captain (CAPT)
Posts: 276
Joined: Thu Nov 29, 2007 3:48 pm

Re: Credit card and CVV

Post by nickc » Mon Apr 20, 2009 1:21 pm

afm wrote: So what qualifies as a "payment application"? AbleCommerce? n/software IBizPay?
Here's the list: https://www.pcisecuritystandards.org/se ... dards/vpa/
afm wrote: If AbleCommerce qualifies as a "payment application" and is certified to comply with PA-DSS by a reputable 3rd party, who is liable for fines if the data is stolen?
That one's easy - hasn't changed since the first draft of VISA CISP. You, the merchant. Remember, more than half of the requirements for PCI DSS have nothing to do with technology - they're about policy and best practice. Doesn't matter how strong the safe is if you leave the door open.
Last edited by nickc on Mon Apr 20, 2009 3:54 pm, edited 1 time in total.

afm
Captain (CAPT)
Posts: 339
Joined: Thu Nov 03, 2005 11:52 pm
Location: Portland, OR

Re: Credit card and CVV

Post by afm » Mon Apr 20, 2009 1:51 pm

Very cool! Only 1 "Shopping Cart & Store Front" (not AC) and it is "Not recommended for new deployments".
nickc wrote: That one's easy - hasn't changed since the first draft of VISA CISP. You, the merchant. Remember, more than half of the requirements for PCI DSS have nothing to do with technology - they're about policy and best practice. Doesn't matter how strong the safe is if you leave the door open.
I agree, but me (and my insurance company) would do our darndest to pass it on to someone else...like AbleCommerce or the server host. It seems clear that PA-DSS allows AbleCommerce to implement storing the security code. But if I were them, I might not do it because of the potential liability.
Last edited by afm on Mon Apr 20, 2009 3:46 pm, edited 1 time in total.
Andy Miller
Structured Solutions

Shipper 3 - High Velocity Shipment Processing

AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: Credit card and CVV

Post by AbleMods » Mon Apr 20, 2009 2:16 pm

I don't agree with the interpretation of the PA-DSS. You're assuming the statement "Don't store...after authorization" implicitly grants you permission to save it prior to authorization.

That's in direct conflict with the overlaying PCI-DSS standard. Regardless of whether authorization has been obtained or not, it's a violation to store the sensitive data (in this case, CVV codes). Just because you haven't gotten the authorization yet doesn't change the security risk inherent to storage of sensitive customer data.

You're left with the situation where your payment application (the payment gateway??) may possibly be in compliance but your overall website would be in violation. That makes no sense.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

chuckdvc
Lieutenant Commander (LCDR)
Posts: 97
Joined: Fri Mar 20, 2009 12:32 pm

Re: Credit card and CVV

Post by chuckdvc » Mon Apr 20, 2009 2:36 pm

I had one post deleted hope this one doesn't get the axe also.

The level of risk of having a few transactions susceptible during a short window is much less than having all your transaction info stored over a long period of time. That's why they say you can't store the info. Store means to

Verb

* S: (v) store, hive away, lay in, put in, salt away, stack away, stash away (keep or lay aside for future use) "store grain for the winter"; "The bear stores fat for the period of hibernation when he doesn't eat"
* S: (v) store (find a place for and put away for storage) "where should we stow the vegetables?"; "I couldn't store all the books in the attic so I sold some"

The word chosen, "Store", is much different than possess, and in this case store would mean to keep the info for more than the normal processing cycle.

afm
Captain (CAPT)
Posts: 339
Joined: Thu Nov 03, 2005 11:52 pm
Location: Portland, OR

Re: Credit card and CVV

Post by afm » Mon Apr 20, 2009 3:41 pm

SolunarServices wrote: I don't agree with the interpretation of the PA-DSS. You're assuming the statement "Don't store...after authorization" implicitly grants you permission to save it prior to authorization.
You are right...I am. It is possible that the PA- is ahead of or behind the PCI-DSS. I wonder if the companies that can certify compliance have published a more detailed interpretation.
chuckdvc wrote: The word chosen "Store" is much different than possess and in this case store would mean to keep the info for more then the normal processing cycle.
Maybe. Technical documents often overload words with additional meaning not found in a common English dictionary. Is there a glossary in either the PCI or PA DSS that defines "store"?

In any case, the onus seems to be on the merchant to keep the data away from bad actors. Even though I am a programmer and capable of changing the software so that it does store the security code, I choose not to for 3 reasons: 1) to reduce the value of the data so it is less attractive bait, 2) to limit my potential liability, and 3) most importantly, to protect my customers.
Last edited by afm on Mon Apr 20, 2009 4:39 pm, edited 1 time in total.
Andy Miller
Structured Solutions

Shipper 3 - High Velocity Shipment Processing

nickc
Captain (CAPT)
Captain (CAPT)
Posts: 276
Joined: Thu Nov 29, 2007 3:48 pm

Re: Credit card and CVV

Post by nickc » Mon Apr 20, 2009 4:24 pm

I wonder where the benefit is in the back and forth between storefront and third party (PCCharge) processing.
With the short storage/smaller risk but HUGE potential for liability surrounding CVV aside - surely labor and opportunity for error easily wash away any savings in discount rates, assuming that's the motivation to remain with existing processor and use the CVV. With this model, there's no economy of scale - the more transactions you do, the harder it is to maintain.

Unless you're selling big ticket items, of course :)

maison09
Ensign (ENS)
Posts: 1
Joined: Tue Apr 21, 2009 3:12 am

Re: Credit card and CVV

Post by maison09 » Tue Apr 21, 2009 3:21 am

Thank you so much for your informative posts :D


Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: Credit card and CVV

Post by Logan Rhodehamel » Mon May 04, 2009 5:12 pm

It was our determination according to PCI DSS v1.2 that storage of card security code under any circumstance is not allowed. I am in the process of confirming this with the QSA who handled our review for PA-DSS. Assuming our storage of this value were allowed (which I am confident it is not), and assuming we wanted to pursue this feature (which I am confident we would not), it could not be implemented without a complete recertification of the application.

We provide a selection of online payment gateways that can be implemented to take advantage of the card security value. We also use a provider model for our payment gateways, along with a documented API and sample code. If your gateway is not one currently supported, perhaps it could be integrated directly with AbleCommerce so that you would not require storage of the value.
Cheers,
Logan

If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.
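Added example, not from this thread and not AbleCommerce's own code: the pattern Logan describes (the card security code is passed straight to the gateway during the authorization call and never lands in the order record) alongside the check nickc's "policy and method for destruction" implies, a scan of what was actually persisted. It is written in Python rather than AbleCommerce's C# because the pattern is language-independent. `FakeGateway`, `CardInput`, the in-memory `store`/`log` lists and the sample card number are hypothetical stand-ins constructed for this example; the only PCI facts relied on are the ones quoted in the thread (requirement 3.2: no sensitive authentication data after authorization) plus the first-six/last-four masking rule for the PAN.

```python
"""Pass the CVV through to the gateway, persist only an allow-list of fields,
then audit the persisted record and log lines for sensitive authentication
data. Example code, not AbleCommerce's; gateway and storage are simulated."""
import re
from dataclasses import dataclass


@dataclass
class CardInput:
    """What the shopper typed at checkout. Exists only for this request."""
    pan: str
    exp_month: int
    exp_year: int
    cvv: str  # sensitive authentication data: used for authorization, never stored


@dataclass
class AuthResult:
    approved: bool
    auth_code: str
    transaction_id: str


class FakeGateway:
    """Hypothetical processor stand-in: approves any 3- or 4-digit CVV."""

    def authorize(self, card: CardInput, amount_cents: int) -> AuthResult:
        ok = card.cvv.isdigit() and len(card.cvv) in (3, 4)
        return AuthResult(ok, "A1B2C3" if ok else "", "txn-0001")


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as PCI DSS masking allows."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def authorize_and_record(card: CardInput, amount_cents: int, gateway, store: list, log: list) -> dict:
    """Authorize with the gateway, then persist an explicit allow-list of fields."""
    result = gateway.authorize(card, amount_cents)
    record = {
        "pan_masked": mask_pan(card.pan),
        "exp": f"{card.exp_month:02d}/{card.exp_year}",
        "amount_cents": amount_cents,
        "approved": result.approved,
        "auth_code": result.auth_code,
        "transaction_id": result.transaction_id,
    }
    store.append(record)
    # Log by transaction id only; never log the request object or the card.
    log.append(f"auth txn={result.transaction_id} approved={result.approved}")
    # Drop the reference as soon as authorization returns. Python strings are
    # immutable, so this is best-effort scope hygiene, not guaranteed zeroing.
    card.cvv = ""
    return record


# Field names and log patterns that indicate sensitive authentication data.
SAD_KEYS = re.compile(r"\b(cvv2?|cvc2?|cid|csc|card_?security_?code|security_?code)\b", re.I)
FULL_PAN = re.compile(r"\b\d{13,19}\b")
SAD_IN_TEXT = re.compile(r"\b(cvv2?|cvc2?|csc|cid)\b\s*[:=]\s*\d{3,4}", re.I)


def find_sensitive_auth_data(record: dict, log_lines: list) -> list:
    """Return a finding per persisted field or log line that violates 3.2."""
    findings = []
    for key, value in record.items():
        if SAD_KEYS.search(key):
            findings.append(f"record field {key!r} holds security code data")
        if isinstance(value, str) and FULL_PAN.search(re.sub(r"[ -]", "", value)):
            findings.append(f"record field {key!r} holds an unmasked PAN")
    for line in log_lines:
        if SAD_IN_TEXT.search(line):
            findings.append(f"log line contains a security code: {line!r}")
    return findings


def demo() -> dict:
    """Run the clean flow and a naive 'store the CVV until we post it' record
    (constructed to resemble the osCommerce mod described in the thread)."""
    store, log = [], []
    card = CardInput("4111 1111 1111 1111", 12, 2011, "123")  # constructed test PAN
    clean = authorize_and_record(card, 1999, FakeGateway(), store, log)
    naive = {"pan": "4111111111111111", "cvv": "123"}
    return {
        "clean_findings": find_sensitive_auth_data(clean, log),
        "naive_findings": find_sensitive_auth_data(naive, ["auth cvv=123 ok"]),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

The point of the allow-list in `authorize_and_record` is that "not storing" is a property of the persistence layer, not of the checkout form: the CVV can be present in the request and still never reach a table, a session blob or a log. `find_sensitive_auth_data` is the kind of check to run over exported order rows and web server logs before an assessment; the "retrieve it later for PCCharge" design from the opening post fails it by construction, because anything retrievable later has been stored.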
