3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization.

3.2.2 For a sample of system components, examine data sources, including but not limited to the following, and verify that the three-digit or four-digit card verification code or value printed on the front of the card or the signature panel (CAV2, CVC2, CVN2, CVV2, CID data) is not stored after authorization:
• Incoming transaction data
• All logs (for example, transaction, history, debugging, error)
• History files
• Trace files
• Several database schemas
• Database contents.
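
As an added illustration of this testing procedure (not part of the standard's text), the Python example below scans log lines for fields that look like a stored card verification code and rates a hit higher when a Luhn-valid card number sits on the same line. The field labels, function names and sample log lines are assumptions constructed for the example.

```python
import re

# Field labels are assumptions about how an application might name the code.
CVV_FIELD = re.compile(
    r'(?<![a-z0-9])(cvv2?|cvc2?|cav2|cvn2?|cid|security_?code)'
    r'["\']?\s*[:=]\s*["\']?(\d{3,4})(?!\d)',
    re.IGNORECASE,
)
# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')

def luhn_ok(digits):
    """Luhn checksum, used to separate card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def has_pan(line):
    """True when the line holds at least one Luhn-valid card number."""
    return any(luhn_ok(re.sub(r'\D', '', m.group()))
               for m in PAN_CANDIDATE.finditer(line))

def scan(lines):
    """Return (line_number, field, confidence); the code itself is never echoed."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in CVV_FIELD.finditer(line):
            # A full card number beside the field makes a false positive unlikely;
            # without one (e.g. "cid" as a customer id) the hit needs manual review.
            confidence = "high" if has_pan(line) else "review"
            findings.append((n, m.group(1).lower(), confidence))
    return findings

# Constructed sample lines; 4111111111111111 is a well-known test card number.
SAMPLE_LOG = [
    '2024-03-01T10:15:02Z INFO auth request pan=4111111111111111 exp=1226 cvv=123',
    '2024-03-01T10:15:03Z DEBUG payload={"card":"411111******1111","cvc2":"4821"}',
    '2024-03-01T10:15:04Z INFO customer lookup cid=48213 status=ok',
    '2024-03-01T10:15:05Z INFO auth response code=00 cvv=*** approved',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The findings carry only the line number and field name, so the scan report does not itself become another place where the code is stored.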

The purpose of the card validation code is to protect “card-not-present” transactions—Internet or mail order/telephone order (MO/TO) transactions—where the consumer and the card are not present.

If this data is stolen, malicious individuals can execute fraudulent Internet and MO/TO transactions.