Per PCI Compliance Guidelines, it is not legal to store the CVV number of a credit card, whether on paper or digitally, regardless of encryption status. For this reason, the credit card remit option will not have a field for the client to indicate the CVV number.
The CVV number is a security measure that indicates that the person you are taking payment from has physical access to the credit card. Storing this information defeats the purpose.
You can contact your credit card merchant to ask if they have an option to process credit cards without a CVV number. This may result in higher transaction fees.
What information is legal to store?
According to the guidelines, merchants can electronically store certain cardholder data when it is encrypted:
- Primary Account Number (PAN)
- Cardholder Name
- Service Code (This is not the CVV code)
- Expiration Date
What information is illegal to store?
The following information should never be stored, even if encrypted:
- Full Magnetic Stripe Data
- PIN/PIN Block
My previous program had a field for the CVV code. Why can't you add it?
At WebPT, we go to great lengths to follow all regulations to protect your clinic and your clients, ensuring that you are never at risk of a lawsuit.