[PCI-DSS] 3.2.2 Do not store the card-verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.

[admin]

[PCI-DSS] 3.2.2 Do not store the card-verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.

Note: See PCI DSS Glossary of Terms, Abbreviations, and Acronyms for additional information.

3.2.2 For a sample of system components, verify that the three-digit or four-digit card-verification code or value printed on the front of the card or the signature panel (CVV2, CVC2, CID, CAV2 data) is not stored under any circumstance:

• Incoming transaction data
• All logs (for example, transaction, history, debugging, error)
• History files
• Trace files
• Several database schemas
• Database contents

[Lemnik]

In one of our markets we have extremely high levels of credit-card fraud. In order to combat this problem, we make phone calls directly to peoples banks in order to authorize the transfer. However the banks require that we give the CVV number over the phone. Is it possible for us to store the CVV number in our system somehow, or do we need to find another way to get it from the client (the card details are only stored until the payment is authorized or until a timeout, and only 2 people have access to the details)?