Educause Security Discussion mailing list archives

PCI question


From: Mike Cunningham <mike.cunningham () PCT EDU>
Date: Wed, 16 Aug 2017 18:26:48 +0000

We have (had) a process that stored credit card numbers, expiration and CVV codes locally (encrypted) for a few days 
while the office needing the information worked on processing the charge (for reasons I can't go into in a short email 
they were not able to do real time validation and charging). We recently tokenized the data so the card number and 
expiration date are now immediately sent to a PCI approved cloud service who stores the info and we retrieve it when 
needed using a token. When we made this change we found that the cloud service will not store and return the CVV code. 
It will only store and return the card number and expiration date. But we need the CVV to process the charge. So for 
now we left the CVV code stored locally (encrypted) and so have access to process the transaction. Once the charge is 
processed we do remove the CVV code from local storage. While we were working on this we were told that storing the CVV 
the way we are is a violation of PCI guidelines. We have found conflicting data online. Some places say you can't store 
it, others say you can't store it after authorization. We are not keeping it after authorization but we are storing it 
for a short period of time. I know the regulations don't speak to volume of transactions the way they used to, but we do 
only store at most 10 transactions at any time before they get processed. Does anyone have an opinion on which way to 
read the PCI regulations? If we really can't store the CVV locally and the cloud service can't store it either, is there 
anything we can do, or is our only choice to change the business process and do an immediate charge to the card?

Thanks

Mike Cunningham
Pennsylvania College of Technology
