Which statement is correct about storing the card verification code after authorization?

• A. It can be stored if encrypted.
• B. It must not be stored after authorization.
• C. It can be stored for a limited time with PCI compliance.
• D. It can be stored if the merchant is PCI compliant.

Answer: (B)

The key idea is that the card verification code (CVV/CVV2) is considered sensitive authentication data and must not be stored after the authorization decision is made. The CVV is meant only to verify that the cardholder has the card at the moment of the transaction. Storing it after authorization introduces unnecessary risk because it could be stolen in a data breach and then used for fraudulent charges.

PCI DSS requires that sensitive authentication data not be stored once authorization is completed, and this prohibition applies even if the data is encrypted. Being PCI compliant does not override this rule—the CVV must be discarded after processing. If you need to handle future transactions, you should rely on tokenization or a PCI-compliant processor that stores only a token, not the CVV, rather than saving the CVV itself.