Are you storing card verification code?

Don't defeat the purpose of this security check

cfx211

6:52 am on Aug 14, 2003 (gmt 0)

10+ Year Member



I was just looking over the billing backend that we will be implementing for our brand new site, and noticed that there was a column on one table for the card verification code (the little 3-4 digit number on the back of the card). This stopped me for a minute, and after thinking it over and then doing some reading online I realized that was a no no.

This was an oversight on my end. The developer was told to store just about everything we send over and I flat out forgot that number is not to be stored. If you store the number that is only supposed to be on the back of the card then it isn't only on the back of the card anymore.

Luckily it has been caught well before we go live, but I thought I would pass this story along as a precautionary tale to all those getting started.
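The mistake described in this post, as an added example that is not part of the original thread: a schema audit that flags columns whose names look like a card verification code, next to a save routine that persists only an allowlist of fields instead of "everything we send over". Table names, field names and the name heuristic are assumptions, and all sample values are constructed.

```python
import re
import sqlite3

# Heuristic for column names that suggest a stored card verification code.
CVC_NAME = re.compile(r"(^|_)(cvv2?|cvc2?|csc)(_|$)|card_?verif|security_?code", re.I)

# Allowlist of what the orders table may keep (assumed field names).
STORED_FIELDS = ("order_id", "card_last4", "auth_code")


def find_cvc_columns(conn):
    """Return (table, column) pairs whose name looks like a verification code."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for col in conn.execute(f'PRAGMA table_info("{table}")'):
            if CVC_NAME.search(col[1]):  # col[1] is the column name
                hits.append((table, col[1]))
    return hits


def save_order(conn, request, auth_code):
    """Persist only allowlisted fields; the verification code is never copied."""
    row = {
        "order_id": request["order_id"],
        "card_last4": request["card_number"][-4:],
        "auth_code": auth_code,  # returned by the processor after authorization
    }
    conn.execute(
        "INSERT INTO orders (order_id, card_last4, auth_code) VALUES (?, ?, ?)",
        [row[f] for f in STORED_FIELDS])
    return row


def build_sample_db():
    """Constructed schema: a legacy table with the mistake, and a corrected one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE billing_legacy (order_id, card_number, exp, cvv2)")
    conn.execute("CREATE TABLE orders (order_id, card_last4, auth_code)")
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print(find_cvc_columns(db))
    request = {"order_id": "ord-1001", "card_number": "4111111111111111",
               "exp": "12/05", "cvv2": "123"}  # constructed test values
    print(save_order(db, request, "A1B2C3"))
```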

jpjones

9:17 am on Aug 14, 2003 (gmt 0)

10+ Year Member



As far as credit cards are concerned, I make it a policy of storing as little as possible, for as short a time as possible. Furthermore, anything I do store is encrypted.

Credit cards = extreme paranoia for me. Think worst case scenario - someone else gets the data - you want to minimise the worth of that data and save yourself some embarrassment.

And yes, CVV2 code on the back of the card is an extreme no no.

jamesa

10:51 pm on Aug 14, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



And yes, CVV2 code on the back of the card is an extreme no no.

And yes, any protection that CVV2 gives won't last. That, unfortunately, is the reality.