Anyone caught writing the CVV2 number down or storing it is subject to a $100,000 fine by Visa or MC and the lose of the merchant account and being black listed from ever getting another merchant account.
These rules are posted on the Visa site for the US.

This is a huge problem in the industry. Anyone who handles a credit card has access to these numbers. Accepting them may alleviate some of the chargeback fees issued by your bank, but they do nothing to prevent fraud. They are actually a joke, and aren't readily applied internationally.

I think its funny people still ask for them on their site.

yeah, but how many of the idiot fraudsters know this? The majority of these people who fraud websites are very stupid and asking for CVV2 will deter some people from frauding. You're right that it won't stop the pros, but what will? I'd rather have something that is at least somewhat effective than nothing.

Conard, do you have a link to the list on VISA's site? MasterCard has a DON'T DO IT list, but CVV2 isn't on the list. Thanks

I just did some poking around looking for info. on Visa/Mastercard the other day.

Here's what I found:

"Can I see a photo ID?"
Visa says they don't have a policy on this. If the merchant suspects fraud, they can ask for an ID. This was verified by a phone call to their office.
Mastercard, on the other hand, says it's a "no-no". Here section 9.11.1 [mastercardmerchant.com]

"Recording CVC 2 code"
Visa? No. See below
Mastercard? No. Section 2.8.2.1 of above.

It appears even storing the CVV2(Visa) or the CVC 2(Mastercard) in your shopping cart database is a violation.

I'll be honest and say I didn't read through the whole document at Mastercard, so I put the link up to let others poke around a bit.

Here are a couple of Visa Fraud Control links:
Visa Card Present [usa.visa.com]

More on CVV2 from Visa

To protect CVV2 data from being compromised, Visa U.S.A. Inc. Operating Regulations prohibit merchants from keeping or storing CVV2 numbers once a transaction has been completed.

Here (Card Not Present) [usa.visa.com]

It appears in both cases, recording the CVV2 is a violation of the merchant agreement and the merchant can and should be reported.

Oops...Where are my manners?
Welcome to WebmasterWorld junes reston!

Thanks Scott, This is where I "got into it" with one Merchant (and I use that term loosely).

"To protect CVV2 data from being compromised, Visa U.S.A. Inc. Operating Regulations prohibit merchants from keeping or storing CVV2 numbers once a transaction has been completed."

According to some "merchants," they can't afford a wireless so they imprint the cards with a knucklebuster (entire account number), entering the data after the show. According to the "merchants," the transaction isn't complete until entered (after the show), therefore, they're entitled to the same data they would ask for if it were an internet sale.

Citibank, my card issuer, said if I have a problem with this I should pay with cash. Somehow, that just doesn't sound like a viable solution to this concern.

It appears that with the imprint and your signature, the card was present and they do not need your CVV2/CVC 2, nor do they need to record it.

I agree, it's a violation.

They are actually a joke, and aren't readily applied internationally.
I think its funny people still ask for them on their site.

Of course requiring the ccv2 is not 100%, but it's far from being a joke as far as fraud prevention goes.

SkyDog, I think CVV has it's place, and when used appropropriately it can reduce fraud. It's when they go over the top that I have a concern.

When they have my card in their hand, and an imprint with my signature, they don't need to write that number on the receipt. Someone somewhere is telling the newbies this is the way it's done. When you say "no way" they give you the blank stare like you just arrived on the planet.

I thank you all for your input. I wish I could say I can take comfort in knowing I wasn't totally off base. Sadly, it looks like this is something we're going to be seeing more of - as the rule rather than the exception.

Scott, thanks so much for the links. I actually read all 203 pages of the MC manual - even for world regions that don't apply. I had a little trouble navigating the VISA links, but I'll keep trying.

Have a great weekend everyone!

When they have my card in their hand, and an imprint with my signature, they don't need to write that number on the receipt. Someone somewhere is telling the newbies this is the way it's done. When you say "no way" they give you the blank stare like you just arrived on the planet.

This is a card present transaction and the CCV2 is basically meaningless. If a merchant is writing down the number, they are either a) incredibly ignorant or b)scamming credit card #s.

It's more like c) trying to save a few bucks by contracting for a MOTO setup, then making "modifications" for Card Present sales.

After this discussion, and input from everyone, a lady posted this on a forum. If this is what one merchant account rep told her, I'm presuming the logic is it isn't stored in the machine therefore writing it down is a moot issue as the card is always processed as MOTO regardless of how the sale was made.

The rep with whom I spoke said it's defined this way -- "card not present" refers to the actual transmission of the information. In other words, is the card present when you're transmitting? If not, the cvv and zip are required. It's part of the transmission process, not the sales process.

Essentially, according to him, a delayed transmission such as occurs when you do a show and later come back home to transmit your sales is treated like a MOTO sale. The card is not actually processed when it's present.

He also said that the issue of "storing" cvv information is essentially moot. Any MOTO vendor does it when they get the number. If it's written down for five seconds, it can be kept.