[PA-DSS] 1.1.2 After authorization, do not store the card-validation value or code (three-digit or f

1.1.2 After authorization, do not store the card-validation value or code (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.

Note: See PCI DSS Glossary for additional information.

PCI Data Security Standard Requirement 3.2.2

Testing Procedures:

1.1.2 Use forensic tools and/or methods (commercial tools, scripts, etc.)[2] to examine all output created by the payment application and verify that the three-digit or four-digit card-validation code printed on the front of the card or the signature panel (CVV2, CVC2, CID, CAV2 data) is not stored after authorization. Include the following types of files (as well as any other output generated by the payment application):

[ul]
[li] Incoming transaction data[/li]
[li] Transaction logs[/li]
[li] History files[/li]
[li] Trace files[/li]
[li] Non-volatile memory, including non-volatile cache[/li]
[li] Debugging and error logs[/li]
[li] Audit logs[/li]
[li] Database schemas and tables[/li]
[li] Database contents[/li]
[/ul]
[SIZE=2][2] Forensic tool or method: A tool or method for uncovering, analyzing and presenting forensic data, which provides a robust way to authenticate, search, and recover computer evidence rapidly and thoroughly. In the case of forensic tools or methods used by PA-QSAs, these tools or methods should accurately locate any sensitive authentication data written by the payment application. These tools may be commercial, open-source, or developed in-house by the PA-QSA.[/SIZE]
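
As an added example (not part of the PA-DSS text and not any PA-QSA's tool), here is a Python script of the kind the testing procedure permits, searching text output such as transaction, trace and debug logs for labelled card-validation codes. The field labels and the sample log lines are assumptions constructed for illustration; database contents and non-volatile memory need their own checks.

```python
import re
from pathlib import Path

# Assumed field labels; extend with the names the application under test uses.
CVV_KEY = r"(?:cvv2?|cvc2?|cav2?|cid|card[_-]?(?:validation|verification|security)[_-]?(?:code|value))"
# Label, separator (= : or the '>' closing an XML tag), then exactly 3 or 4 digits.
LABELLED_CVV = re.compile(
    rf"(?i)(?<![a-z0-9])({CVV_KEY})[\"']?\s*[=:>]\s*[\"']?(\d{{3,4}})(?!\d)"
)


def scan_lines(source, lines):
    """Return (source, line_no, label, digit_count) for each labelled code found."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in LABELLED_CVV.finditer(line):
            # Record only the length, so the report does not itself store the code.
            findings.append((source, line_no, match.group(1).lower(), len(match.group(2))))
    return findings


def scan_file(path):
    """Scan one application output file, tolerating non-UTF-8 bytes."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return scan_lines(str(path), text.splitlines())


# Constructed sample lines (not real card data) in three common log shapes.
SAMPLE_LOG = [
    '2024-01-05 10:00:01 DEBUG auth request {"pan":"411111******1111","cvv":"123"}',
    "2024-01-05 10:00:02 TRACE <CardData><CVV2>4567</CVV2></CardData>",
    "2024-01-05 10:00:03 INFO auth approved code=00 cvc=***",
    "2024-01-05 10:00:04 INFO order_id=12345 acid=123",
    "2024-01-05 10:00:05 ERROR retry payload: exp=1227&CID=9876&amt=10.00",
]

if __name__ == "__main__":
    for source, line_no, label, digits in scan_lines("sample.log", SAMPLE_LOG):
        print(f"{source}:{line_no}: {label} followed by {digits} digits")
```

A hit on a short label such as CID can be an unrelated identifier, so each finding is a lead to confirm against the transaction, not a verdict.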