

Your selected question

Where does Barclaycard stand on the position surrounding pre-authorisation and the storage of sensitive data including CVV2?

The short answer is that the PCI DSS rules are clear in prohibiting storage of sensitive data (including CVV2) post-authorisation, but are 'silent' on what should happen before the authorisation.

Until this is clarified or corrected by PCI SSC, we can only revert to risk management best practice, which suggests that merchants should only store sensitive data if absolutely necessary, and if so it should be stored as securely as possible (because the risk in terms of financial and reputational damage is the same whether it is pre- or post-authorisation data that is compromised). As the data is being stored before authorisation, secure retention for up to 5 days will be acceptable.
