A company I bought something from was recently hacked into and my credit card details stolen, so my spider-senses are up. I noticed that CM asks for CVV numbers (The 3 digit code on the back of credit cards), and that it's stored - when I return to my credit card info, I can see my CVV number staring back at me.
The problem is that CVV numbers are not supposed to be stored. See http://usa.visa.com/download/merchants/rules_for_visa_merchants.pdf, page 13 says:
"Merchants or their agents that store, process, or transmit data may not store sensitive authentication data (full magnetic-stripe or chip contents, Card Verification Value 2 (CVV2), or PIN Verification Value (PVV)) even if it is encrypted. Once an authorization is processed, such data should no longer exist. The only components of the magnetic stripe that can be stored are name, account number, and expiration date."
I think CM should only ask for CVV at time of purchase, and not store it in their database - if CM is ever hacked into this could turn out very badly.
I hope that credit card numbers are stored encrypted, but CVV numbers should never be stored.
Are you sure it isn't your browser storing it as an entered field?
Yes, absolutely. I opened IE - which I never use (I always use Firefox), and I can see it under Payment Details at https://secure.createsend.com/admin/billing/paymentDetails.aspx
Thanks for bringing this to our attention guys, much appreciated. I can certainly confirm all sensitive data is encrypted, and I will discuss the CVV issue with the team and get back to you. Sometimes spider sense is a good thing!
Storing CVV data is definitely prohibited. For recurring transactions, I would think you:
a) Use the CVV the first time to verify that the card details you are going to store for the future are legitimate.
b) When processing the recurring transactions, you wouldn't need any further auditing of details; just process the number and expiry to determine that the card hasn't expired. If the customer updates their info, then you grab the new CVV and process.
Thanks for the additional heads up on that Visa document phillipsdata. It's a good read.
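The two-step flow described in the reply above (verify once with the CVV, then bill recurring charges from number and expiry only), written out as an added example. This is not Campaign Monitor's code; the `StoredCard` record, the `gateway` callable, the `guard_row` check and the demo values are all constructed for illustration. The record type simply has no CVV field, so the CVV cannot reach the database, and `guard_row` is a last-line check before any row is written.

```python
"""Recurring billing without persisting the CVV (hypothetical example).

The CVV is accepted for the initial authorization only, passed to the
gateway once, and never placed in the record that is stored. Encryption
of the stored card number at rest is assumed to happen in the storage
layer and is out of scope here.
"""
from dataclasses import asdict, dataclass
from datetime import date
from typing import Callable, Optional
import re

CVV_RE = re.compile(r"^\d{3,4}$")
# Column names that must never appear in a row written to persistent storage.
FORBIDDEN_KEYS = {"cvv", "cvv2", "cvc", "ccv", "pvv", "pin", "track1", "track2"}

# Hypothetical gateway signature: (pan, exp_month, exp_year, cvv_or_None) -> approved
Gateway = Callable[[str, int, int, Optional[str]], bool]


@dataclass(frozen=True)
class StoredCard:
    """Everything allowed to persist for recurring charges: no CVV field exists."""
    cardholder: str
    pan: str          # account number; assumed encrypted at rest by the storage layer
    exp_month: int
    exp_year: int


def is_cvv_well_formed(cvv: str) -> bool:
    """3 or 4 digits; used only to reject obviously bad input before the gateway call."""
    return bool(CVV_RE.match(cvv))


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check on the card number (catches typos, not fraud)."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def authorize_initial(cardholder: str, pan: str, exp_month: int, exp_year: int,
                      cvv: str, gateway: Gateway) -> StoredCard:
    """Step a): verify the card once with the CVV, then return a record without it."""
    if not luhn_ok(pan):
        raise ValueError("card number fails Luhn check")
    if not is_cvv_well_formed(cvv):
        raise ValueError("CVV must be 3 or 4 digits")
    if not gateway(pan, exp_month, exp_year, cvv):
        raise PermissionError("initial authorization declined")
    # The CVV goes out of scope here; only these four fields are kept.
    return StoredCard(cardholder, pan, exp_month, exp_year)


def guard_row(row: dict) -> dict:
    """Refuse to write any row that carries sensitive authentication data."""
    leaked = FORBIDDEN_KEYS & {k.lower() for k in row}
    if leaked:
        raise RuntimeError(f"refusing to persist sensitive authentication data: {sorted(leaked)}")
    return row


def is_expired(card: StoredCard, today: date) -> bool:
    """A card is valid through the last day of its expiry month."""
    return (card.exp_year, card.exp_month) < (today.year, today.month)


def process_recurring(card: StoredCard, today: date, gateway: Gateway) -> bool:
    """Step b): bill from stored number and expiry only; no CVV is available or needed."""
    if is_expired(card, today):
        return False
    return gateway(card.pan, card.exp_month, card.exp_year, None)


def demo() -> dict:
    """Run the flow against a fake gateway and return what happened (for checking)."""
    cvvs_seen = []

    def fake_gateway(pan, exp_month, exp_year, cvv):
        cvvs_seen.append(cvv)           # record what the gateway was given
        return cvv in (None, "123")     # constructed rule: "123" approves the first charge

    # Constructed sample data: a well-known Luhn-valid test number, not a real card.
    card = authorize_initial("A. Customer", "4111111111111111", 12, 2030, "123", fake_gateway)
    row = guard_row(asdict(card))
    return {
        "row": row,
        "has_cvv_attr": hasattr(card, "cvv"),
        "charged_before_expiry": process_recurring(card, date(2029, 1, 15), fake_gateway),
        "charged_after_expiry": process_recurring(card, date(2031, 1, 1), fake_gateway),
        "cvvs_seen_by_gateway": cvvs_seen,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `guard_row` is that it operates on the dict about to be written, not on the dataclass: if someone later adds a `cvv` column to a form model and passes it straight through, the write fails loudly instead of silently storing prohibited data.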
Thanks for the quick reply, Dave. I just want to make sure that both CM and your customers are protected. If a breach occurs it would be devastating - but worse if data is leaked that never should have been stored. We have our own web based billing software on the market and I can say that many of the rules MC/Visa have are ridiculous, but can never be too cautious these days.
Many thanks, and looking forward to sending out our first campaign later today!