TL;DR
Yes, a web site can take CVV input even if it doesn’t store the data. The key is how it handles that information. It must be processed securely and never saved. This guide explains how to do this correctly.
Understanding the Problem
CVV (Card Verification Value) codes are sensitive security features. PCI DSS standards strictly regulate their handling. You should never store CVV data after a transaction is complete. However, you need it during processing to verify the cardholder.
How to Handle CVV Input Securely
- Use a PCI-Compliant Payment Gateway: This is the most important step. Do not attempt to build your own payment processing system. Reputable gateways (like Stripe, PayPal Payments Pro, Braintree) handle sensitive data securely and are certified to meet PCI DSS requirements.
- Tokenization: The gateway should replace the card details (including CVV during transaction) with a unique token. Your web site stores the token, not the actual card number or CVV.
```javascript
// Example of requesting a payment token (conceptual - specific implementation varies by gateway)
const token = await paymentGateway.createToken({
  cardNumber: '...',
  expiryDate: '...',
  cvv: '...'
});
```
- Direct Form Integration (IFrames/Hosted Pages): Many gateways offer ways to embed a secure form directly into your web site (often using IFrames) or redirect the user to a hosted payment page. This keeps sensitive data away from your servers entirely.
  - iFrame: The gateway provides an iFrame that you embed in your page. The cardholder enters their details within the secure iFrame, and the gateway handles everything directly.
  - Hosted Page: Redirecting to a hosted payment page is even more secure as all data entry happens on the gateway’s servers.
- Secure Transmission (HTTPS): Ensure your entire web site uses HTTPS (SSL/TLS) to encrypt all communication between the user’s browser and your server. This protects data in transit.
  - Check for a valid SSL certificate: Look for the padlock icon in the browser address bar.
- Never Log CVV Data: Your web site’s logs, databases, or any other storage mechanism must never contain CVV data. Implement strict filtering to prevent accidental logging.
  - Regularly audit your logs and code for potential vulnerabilities.
- CVV Validation: Validate the CVV format on the client-side (using JavaScript) to provide immediate feedback to the user, but always re-validate it server-side before sending it to the gateway.
```javascript
// Example of basic client-side CVV validation
function validateCVV(cvv) {
  const cvvRegex = /^[0-9]{3,4}$/;
  return cvvRegex.test(cvv);
}
```
- Limited Retention: The payment gateway may temporarily store the CVV during transaction processing but should not retain it beyond what is necessary to complete the authorization.
  - Confirm the gateway’s retention policy.
- Regular Security Scans & Audits: Perform regular vulnerability scans and security audits of your web site and payment processing integration to identify and address potential weaknesses.
  - Consider using a Qualified Security Assessor (QSA) for comprehensive PCI DSS compliance assessments.
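One way to implement the "strict filtering" called for under Never Log CVV Data, as an added example that is not from the original page or any gateway's SDK. The key-name list, the placeholder strings and the `safeLog` wrapper are assumptions; the sample payload is constructed.

```javascript
// Key names are assumptions; extend them to match your own payloads.
const SENSITIVE_KEYS = /^(cvv2?|cvc2?|cid|csc|card_?number|pan|security_?code)$/i;
// Runs of 13-19 digits, optionally separated by single spaces or hyphens.
const PAN_CANDIDATE = /\b\d(?:[ -]?\d){12,18}\b/g;

// Luhn check, so order IDs and timestamps are not redacted by mistake.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

function redactString(s) {
  return s.replace(PAN_CANDIDATE, (m) =>
    luhnValid(m.replace(/[ -]/g, '')) ? '[REDACTED PAN]' : m);
}

// Returns a deep copy that is safe to log; the input is never mutated.
function redact(value, seen = new WeakSet()) {
  if (typeof value === 'string') return redactString(value);
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return '[Repeated reference]'; // also stops cycles
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, seen));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = SENSITIVE_KEYS.test(k) ? '[REDACTED]' : redact(v, seen);
  }
  return out;
}

// Hypothetical wrapper: every log call goes through redaction first.
function safeLog(logger, message, context) {
  logger(redactString(message), JSON.stringify(redact(context)));
}

// Constructed sample request body (4111... is a widely used test number).
const sample = {
  orderId: '1234567890123456',
  card: { cardNumber: '4111 1111 1111 1111', cvv: '123', expiryDate: '12/30' },
  note: 'customer typed 4111111111111111 into the comment box',
};
safeLog(console.log, 'payment attempt', sample);
```

A bare three- or four-digit CVV inside free text cannot be told apart from any other short number, so the filter relies on field names for CVVs and on pattern plus Luhn matching only for card numbers.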
What NOT To Do
- Do not store CVV data: This is the most critical rule.
- Do not build your own payment processing system: Use a PCI-compliant gateway.
- Do not transmit CVV data over insecure connections (HTTP): Always use HTTPS.
- Do not display the full CVV on screen: Mask it appropriately.