3.2.2 Do not store the card verification
code or value (three-digit or four-digit
number printed on the front or back of
a payment card) used to verify
card-not-present transactions.
3.2.2 For a sample of system components, examine data
sources, including but not limited to the following, and verify
that the three-digit or four-digit card verification code or value
printed on the front of the card or the signature panel (CVV2,
CVC2, CID, CAV2 data) is not stored after authorization:
Incoming transaction data
All logs (for example, transaction, history, debugging, error)
History files
Trace files
Several database schemas
Database contents.
The purpose of the card validation code is to
protect “card-not-present” transactions—Internet
or mail order/telephone order (MO/TO)
transactions—where the consumer and the card
are not present.
If this data is stolen, malicious individuals can
execute fraudulent Internet and MO/TO
transactions.
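
One way to run the log, trace-file and schema checks of testing procedure 3.2.2 over a sample, as an added example that is not part of the standard's text: it flags CVV2, CVC2, CID or CAV2 fields carrying a three-digit or four-digit value in log or trace lines, and columns with those names in schema DDL. The function names, the key list, the file names and the sample data are assumptions constructed for illustration.

```python
import re

# Field names from the requirement (CVV2, CVC2, CID, CAV2) plus the short forms
# cvv/cvc/cav. Assumed list: extend it with the names your applications use.
KEYS = r"(cvv2?|cvc2?|cav2?|cid)"
# key=value, key: value and "key": "value" carrying a 3- or 4-digit value.
FIELD_RE = re.compile(
    r"(?<![a-z0-9])[\"']?" + KEYS + r"[\"']?\s*[=:]\s*[\"']?\d{3,4}(?!\d)", re.I)
# <key>123</key> as found in XML trace files.
XML_RE = re.compile(r"<" + KEYS + r">\s*\d{3,4}\s*</\1>", re.I)
# Column or field names in schema DDL.
COLUMN_RE = re.compile(r"(?<![a-z0-9])" + KEYS + r"(?![a-z0-9])", re.I)


def scan_lines(lines, source):
    """Return (source, line_no, field) hits; the matched value is never kept."""
    hits = []
    for no, line in enumerate(lines, 1):
        for rx in (FIELD_RE, XML_RE):
            hits += [(source, no, m.group(1).lower()) for m in rx.finditer(line)]
    return hits


def scan_schema(ddl, source):
    """Flag schema lines that define a column named after a verification code."""
    return [(source, no, m.group(1).lower())
            for no, line in enumerate(ddl.splitlines(), 1)
            for m in COLUMN_RE.finditer(line)]


# Constructed sample data, not real card data.
SAMPLE_LOG = [
    "2024-01-05 10:02:11 DEBUG auth request pan=411111******1111 exp=1226 cvv2=123",
    "2024-01-05 10:02:12 INFO auth approved txn=88121 cvv=***",
    '2024-01-05 10:02:13 ERROR payload {"pan":"411111******1111","cvc": "4821"}',
    "2024-01-05 10:02:14 TRACE <CID>9034</CID>",
    "2024-01-05 10:02:15 INFO customer lookup cid=7701234",
]
SAMPLE_DDL = """CREATE TABLE payments (
  id BIGINT PRIMARY KEY,
  pan_token VARCHAR(64),
  card_cvv2 CHAR(4),
  decided_at TIMESTAMP
);"""

if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LOG, "app.log") + scan_schema(SAMPLE_DDL, "schema.sql")
    for hit in hits:
        print("%s:%d stores %s" % hit)
```

Hits are leads for manual review: the scan cannot tell data held before authorization from data kept after it, and a name such as CID may denote something other than a card verification code.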