Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
How Appstore gets to skit round this restriction? Can CVV2 details be kept locally on an iOS device and still be in PCI compliance? Encrypt the CVV2 details locally, and only user has the key? While the rest of the credit card details like PAN are stored on server side?
SHORT ANSWER:
Your issuing bank doesn’t require security code validation with every transaction.
LONG ANSWER:
Card security codes and magnetic stripe data are not permitted to be stored by PCI DSS. Furthermore, VISA (and possibly other networks) strictly forbid their storage:
http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html
Merchants storing this data can be hammered with hefty fines and dropped by processors. This happened to a client of mine.
Apple’s e-commerce system asks for the security code when an account is created or whenever a new device accesses an existing account. In both instances, their platform initiates a zero-dollar transaction with the processing network to verify the customers’ identity (username + password + security code):
https://discussions.apple.com/thread/2594628?start=0&tstart=0
Some issuing banks require security codes to be used with each transaction. In those cases, the iTunes store will prompt you for the code.
xixonia is correct that personal data is tokenized within Apple’s infrastructure. Most of their servers never touch secure data, as all credentials and financial data is passed encrypted to an inner network of highly protected and monitored systems.
In addition, large retailers like Apple and Amazon use third-party fraud detection and prevention technologies that look for patterns of abuse.
Easier purchasing and subsequent transactions are NOT business justification.
A pertinent use case would be batch transactions. During purchase the card is authorized to confirm the card is active and the funds are available. The issuing bank typically encumbers, but does not withdraw, the transaction amount from the cardholder’s account. During a subsequent capture transaction, the merchant settles with the processor and the funds are transferred. This might happen because:
Going this route triggers MUCH higher scrutiny under PCI DSS. Merchants who use third party checkout systems like Google Checkout and PayPal get minimal treatment (SAQ A). Merchants who store ANY cardholder data have the heavy burden of SAQ D.
The compensating controls for holding security codes & magnetic stripe data are even more strict: