Where does Barclaycard stand on the position surrounding pre-authorisation and the storage of sensitive data including CVV2?
The short answer is that the PCI DSS rules are clear in prohibiting storage of sensitive data (including CVV2) post-authorisation, but are 'silent' on what should happen before the authorisation.
Until this is clarified or corrected by the PCI SSC, we can only revert to risk management best practice, which suggests that merchants should store sensitive data only if absolutely necessary and, if so, as securely as possible (because the risk in terms of financial and reputational damage is the same whether it is pre- or post-authorisation data that is compromised). As the data is being stored before authorisation, secure retention of up to 5 days will be acceptable.