Storing CVC / CVV / CVV2 until payment is processed

Technically, according to PCI SSC you can hold onto CVV and other sensitive authentication data until authorization has occurred. In other words, the restriction on storing sensitive authentication data applies to post-authentication/processing storage. Here is a document from the PCI SSC about data storage requirements. See the "Technical Guidelines for PCI Data Storage" table. Footnote 2 to the table states:

Sensitive authentication data must not be stored after authorization (even if encrypted).

My advice as a QSA would be that the pre-auth storage time needs to be reasonable from a business standpoint. I would also want it to be as short as technically possible. If your data flow is similar to others in your industry and they are processing payments without storing sensitive data for more than a few seconds at most, then I would expect the same of you.


You need to speak to a QSA.

You may not store the CVV. However, incidental storage may occur as part of an approved transactional flow, and that is acceptable if the QSA finds it so. Otherwise, it would be impossible to use CVV in batch transactions.