I recently received a letter from the company that monitors my home alarm. It basically stated that, to avoid a $3 US surcharge, I must opt out of receiving a bill in the mail (which is fine) and must set up automatic transactions. I also found this form attached.
This is not the first time that I have seen a payment option that includes a requirement for the CVV2 or CID value from my credit card. However, with a little knowledge of PCI, I have to ask myself the following question: “What exactly are they going to do with this information?” According to PCI-DSS, this information must not be stored (even in an encrypted format) after authorization.
That raises the following questions for the merchant requiring this information:
- Is this truly only for the first transaction authorization and the physical form will be securely destroyed?
- In this particular case, this is for a monthly transaction. Is their relationship with their provider such that CID/CVV is optional (and not used) for subsequent transactions?
- Or is this information being stored, electronically or physically, allowing for the possibility of later transactions?
In this case, I am assuming this information would be stored and used for each transaction. This raises some additional questions around PCI assessment, understanding and process. The bottom line is that the CID/CVV value is going to be useless if it is as easily compromised as the rest of the card information.
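To make the PCI-DSS point concrete, here is an added example (not from the original post, and not any processor's real API): a recurring-billing profile builder that uses the CVV/CID only for the first authorization and never retains it, alongside an audit scan that flags stored records still holding a CVV-style field. The form fields, key names and processor token are constructed for the example.

```python
import re

# Field names that typically carry the card-verification value on payment forms
# and in processor requests (CVV2/CVC2/CID). Constructed list for this example.
SAD_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "card_code", "security_code"}


def build_recurring_profile(authorized_form: dict, processor_token: str) -> dict:
    """Return only what may be kept for later recurring charges.

    The CVV/CID is consumed by the first authorization; PCI-DSS forbids keeping
    it afterwards (even encrypted), so it is never copied into the profile.
    The full PAN is replaced by the processor's token plus the last four digits.
    """
    pan = re.sub(r"\D", "", authorized_form["card_number"])
    return {
        "token": processor_token,   # assumed to come back from the processor
        "last4": pan[-4:],
        "expiry": authorized_form["expiry"],
        "name": authorized_form["name"],
    }


def find_stored_sad(record: dict, path: str = "") -> list:
    """Audit a stored record (possibly nested) and report the paths of fields
    that still hold sensitive authentication data: a CVV-style key whose value
    is a 3- or 4-digit code."""
    findings = []
    for key, value in record.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            findings.extend(find_stored_sad(value, here))
            continue
        normalized = key.lower().replace("-", "_")
        if normalized in SAD_KEYS and re.fullmatch(r"\d{3,4}", str(value).strip()):
            findings.append(here)
    return findings


if __name__ == "__main__":
    # Constructed sample of what the mailed form would capture (test PAN).
    form = {"name": "A. Customer", "card_number": "4111 1111 1111 1111",
            "expiry": "12/27", "cvv2": "123"}
    profile = build_recurring_profile(form, "tok_example_1")
    print(profile, find_stored_sad(profile))   # -> []
    print(find_stored_sad({"billing": form}))  # -> ['billing.cvv2']
```

The scan is the kind of check an assessor would run over a merchant's stored billing records; a non-empty result means the form data was retained beyond the first authorization.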
In my role as a consumer, I regularly see invoices requesting CID/CVV information. I believe we need to ask questions about how this information is going to be handled and used.
As I implemented this, I did run into a couple of caveats. My suggestion is to make sure to read the comments in the script and to relaunch Outlook between changes. Thanks to Justin Lancy for a great tip.
I’d love to hear from you, so share your thoughts by commenting below.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.
The post Merchant Processes and CID/CVV2 appeared first on PacketU.