CVV via email breaches
Recent posts flagged PCI DSS violations in which card verification values (CVV) were transmitted unencrypted over email, breaking Requirements 3.2 and 4.1 (the PCI DSS v3.2.1 numbering; in the current v4.0.1 the same controls are Requirement 3.3.1, no storage of sensitive authentication data after authorization, and Requirements 4.2.1 and 4.2.2, strong cryptography for the PAN in transit and over end-user messaging). (x.com) The thread called out centralized exchanges and any merchant emailing payment data as being at risk of enforcement action and data exposure. (x.com)
A three- or four-digit card verification code is not just another number: under Payment Card Industry Data Security Standard rules, merchants cannot keep it after authorization, and sending it in ordinary email can also break the transmission rules. (pcisecuritystandards.org) The Payment Card Industry Security Standards Council classes card verification values as "sensitive authentication data" that "must not be stored after authorization." Its guidance says the ban applies even if a customer says the merchant may keep the code for later use, and it applies whether or not the stored value is encrypted. (pcisecuritystandards.org)

The same rulebook treats ordinary email, text messaging, chat, and similar tools as end-user messaging technologies that cannot carry unprotected primary account numbers (PANs). A 2025 council FAQ says that if a business uses those channels to receive or send PANs, the channel must meet the standard's protection requirements, including strong cryptography applied to the PAN itself. (pcisecuritystandards.org) Opportunistic TLS between mail servers does not clear that bar on its own: it is not guaranteed on every hop, and the number stays readable in every mailbox and backup the message lands in.

That is where emailed payment details become a compliance problem. A merchant that emails a card number and verification value in plain text risks violating both the rule against retaining sensitive authentication data (Requirement 3.3.1 in v4.0.1) and the rule requiring protected transmission over open networks and end-user messaging (Requirements 4.2.1 and 4.2.2). (pcisecuritystandards.org 1) (pcisecuritystandards.org 2) Once such a message sits in a sent folder or a support ticket, the CVV has been stored after authorization, which is exactly what the storage rule forbids.

The standard itself does not hand out fines. The council says whether a company must comply or validate compliance is decided by the payment brands, acquiring banks, and other compliance programs, while Visa says it manages enforcement and requires merchants and service providers that store, process, or transmit Visa cardholder data to validate compliance regularly. (pcisecuritystandards.org) (visa.com) Visa's public merchant tiers show how broad that net is.
Level 1 merchants process more than 6 million Visa transactions a year and must file an annual Report on Compliance, while Level 2 covers 1 million to 6 million transactions and Levels 3 and 4 cover smaller merchants, including ecommerce sellers under 1 million online Visa transactions. (visa.com)

Mastercard's merchant security rules also tie merchants to Payment Card Industry standards through its Site Data Protection program. Its February 11, 2025 merchant manual lists merchant compliance requirements by level, alongside broader cybersecurity obligations for customers in the Mastercard network. (mastercard.us)

The current version of the standard is Payment Card Industry Data Security Standard version 4.0.1, published June 11, 2024. The council said version 4.0 was retired on December 31, 2024, leaving version 4.0.1 as the only active version it supports. (pcisecuritystandards.org) Anyone still citing Requirements 3.2 and 4.1 is using the v3.2.1 numbering; the corresponding v4.0.1 requirements are 3.3.1 and 4.2.1/4.2.2.

The practical fix is narrower than many merchants assume: collect the card verification value only for the transaction being authorized, discard it as soon as the authorization response comes back, and do not move card data through ordinary inboxes or chat threads unless the channel is protected to Payment Card Industry standards. (pcisecuritystandards.org 1) (pcisecuritystandards.org 2) Two checks make that concrete: confirm that no log, ticket, database column or mailbox ever holds the code, and put an outbound control on email and chat that catches a PAN or CVV before it leaves.
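The outbound control that the practical fix calls for can be built from two pieces: a Luhn-checked PAN finder and a check for a labelled CVV in the same message. The following Python is an added example written for this page, not code from the cited posts, the council, Visa or Mastercard. The message bodies in it are constructed and the card numbers are the standard Luhn-valid test numbers, not real accounts. It scans plain text only (attachments, HTML and images are out of scope) and will still flag the occasional long invoice or tracking number that happens to pass Luhn, so treat a hit as something to hold and review rather than proof of a violation.

```python
"""Outbound-mail check for card data.

Added example, not code from the cited posts, Visa, Mastercard or the PCI
Security Standards Council. It scans plain-text message bodies for Luhn-valid
primary account numbers (PANs) and for a labelled card verification value
(CVV/CVC/CID) near one, returns findings with the PAN masked, and can redact
the message. The sample messages are constructed; the card numbers in them
are the standard Luhn-valid test numbers, not real accounts.
"""
import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# part of a longer digit run. Long invoice or tracking numbers can pass this
# regex, so Luhn is applied afterwards to cut false positives.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A 3- or 4-digit code introduced by a CVV-style label.
CVV_LABELLED = re.compile(
    r"\b(?:cvv2?|cvc2?|cid|security code)\b\s*[:=#]?\s*(\d{3,4})\b", re.I
)


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN in text, with separators stripped."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


@dataclass(frozen=True)
class Finding:
    pan_last4: str      # only the last four digits are kept in the report
    cvv_present: bool   # a labelled CVV appeared in the same message


def scan_message(body: str) -> list[Finding]:
    """One Finding per PAN; cvv_present is the worst case the thread describes."""
    cvv_present = CVV_LABELLED.search(body) is not None
    return [Finding(p[-4:], cvv_present) for p in find_pans(body)]


def should_block(body: str) -> bool:
    """Any unprotected PAN in an end-user messaging channel is enough to stop
    the message (Requirement 4.2.2 in v4.0.1); the CVV only makes it worse."""
    return bool(find_pans(body))


def redact(body: str) -> str:
    """Mask PANs to their last four digits and strip CVV values, so a copy kept
    in a ticket or sent folder no longer holds cardholder data or SAD."""
    def mask_pan(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()  # not a card number; leave it alone

    def drop_cvv(m: re.Match) -> str:
        # keep the label, replace the captured digits
        return m.group()[: m.start(1) - m.start()] + "***"

    return CVV_LABELLED.sub(drop_cvv, PAN_CANDIDATE.sub(mask_pan, body))


# Constructed sample messages for this example (not real correspondence).
SAMPLE_MESSAGES = {
    "order_with_card": "Hi, please charge my card 4111 1111 1111 1111, exp 12/27, CVV: 123. Thanks!",
    "pan_no_cvv": "Card on file ends 5555-5555-5555-4444, please update the expiry.",
    "invoice_only": "Invoice 20240611 for order 8827 is attached; total 149.00.",
}

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name}: block={should_block(body)} findings={scan_message(body)}")
        if should_block(body):
            print("  redacted:", redact(body))
```

Run as a script, the first two messages are blocked and the invoice passes. The redacted copy is what a support system should retain, since a retained email with the CVV in it is stored sensitive authentication data no matter how it was transmitted, and masking the PAN to its last four digits keeps the retained text outside the standard's definition of cardholder data.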