I’m trying to find out if merchants are required to ask for (and key in) a CVV number when handling a credit card transaction over the phone. If the merchant skips that step, do they still maintain PCI compliance?
Everything I can find online addresses the issue of merchants storing the CVV numbers, but not whether or not they need to add it to the other credit card details in the first place while processing the initial purchase.
Is there perhaps a dollar amount that determines this? (For example, transactions under a hundred bucks don’t need a CCV or something along those lines.) Anyone here know?
I have two (PCI Compliant) credit card machines at my store. When keying in a card, one of them asks for a CVV number, the other one asks for an address (street number and zip code).
I could be wrong, but I believe the one that does not ask for the CVV number can be changed so it will, but that’s on the processor side. I’d have to call them, request the change, they flip some switches and I have to download and install new software. It’s a whole big thing that can, and does, go wrong in so many ways.
Anyway, yes, you’re right that merchants cannot store the CVV number, but even the rules about that (the last time I checked) are a bit fuzzy.
I don’t know that we’re required to ask for or use them.
Don’t forget, PCI compliance is mainly about not letting the credit card information that a merchant has in their possession get stolen. Most of the PCI requirements are about network security, data encryption and keeping prying eyes (physical and virtual) away from places they don’t belong.
From that POV, PCI compliance doesn’t have anything to do with requiring merchants to gather CVV numbers and everything to do with making sure that the numbers they do collect stay safe.
For my credit card processing system, which is all card-not-present, I keep all my clients’ card info stored on my merchant’s portal, which makes me PCI compliant. They are in charge of all the network security.
I don’t store their CVV in the portal. There’s no field for it even.
When I run cards, if I run one without the CVV (I have them all stored elsewhere and I type them in when I make the charge), the processing fee is slightly higher for that charge. I see it on my statement in its own category with its own fee.