There is a way in which you can send the CVV2 code in the new order e-mail that can be cc’d to the store owner set in the system > config settings.
This ensures that if you’re using offline payments you can safely store the encrypted credit card number without having to store the CVV2 code. It IS against PCI regulations to store the CVV2 code after the authorisation. To “store” the CVV2 code includes storing it in a database or any other way including in an e-mail or even if you just happen to write it down! So, the store owner is duty bound to delete the e-mail with the CVV2 code once the transaction has been processed.
To add the CVV2 code to the order e-mail go to /app/design/frontend/your_interface/your_theme/template/payment/info/ccsave.phtml
No, will only send you the CVV2 code. Make sure that in system > config you are down as an e-mail contact for new orders, otherwise only your customer will receive the e-mail and not you.
Storing the CVV2 code in this way is against PCI protocol. We informed our client of this and they still insisted that the site operate in this manner so we had them sign a waiver that they understood that storing the CVV2 code for offline processing, even if a transaction fails the first time round, isn’t compliant.
I’m going to jump in with my first post here. We’ve been looking at Magento for a client and it looks good, however they too want to collect credit card details for manual processing. They need the CVV code, the house number and the numbers from the postcode (as well as the credit card details).
From what I understand it is possible to set up Magento to collect this information, and then email the CVV code as part of the confirmation to the store owner? Does that email also go to the customer - surely they won’t be happy to see their CVV code being emailed around?
I too am looking for an answer to this question. We manually process the credit cards to screen out possible fraudulent orders by hand. To do this we need to be able to have the CVV. We delete them afterwards as the credit card companies require.
The solution to have it email the CVV to the customer and the admin is silly. Is there not a fix to email the admin one email, and the customer another? That way the CVV is blocked out in the customer’s email, and retained in the email to the admin.
The solution posted by gfawce1 above in adding to CCsave.phtml does not apply for 126.96.36.199; this information does not exist in the mentioned file (but is in 1.3.x.x). Just to save you the time if you are on 1.4.
Be very careful when clicking links from posts on this topic. I picked up ‘Total XP Security’ malware last Thursday after clicking an external CVV discussion link from another post on this subject in this forum. The bad link was not directly on this forum I must add, it was external. The vitriol flying about on this subject is a little surprising.
So here is the deal. Not sure why I am not getting any hits on this question. But I am trying to remove CC data in my database as a result of allowing the CC Save method type in Checkout. Now I thought the place that it was stored was the sales_flat_quote_payment table, but even after blanking out the cc_number_enc and the cc_cid_enc fields, credit card numbers and CVV numbers would still show up under the Admin Sales Order Control Panel. So could they be stored somewhere else?