Credit Card CCV
All credit card suppliers have strict compliance rules. One of these rules is that credit card details can't be stored on databases, and fines are imposed on e-commerce businesses that breach it. For this reason, you should keep the details in the database for only 7 days. After this, they should be permanently removed.
7 days gives plenty of time to retrieve the card details from the CRS database. To minimize problems with credit card details, we recommend the following:
1. When a booking is received, get pre-authorization from the credit card vendor for the cancellation fee. This way you will know if there is an issue with the credit card before guest arrival.
2. For no-shows, the no-show fee should be charged the next day, and supporting documentation should include a letter we can provide the hotel, together with a copy of the reservation. All credit card vendors accept this practice for online bookings from Travel Agent booking sources worldwide.
Credit card verification (CCV) numbers must not be collected when guaranteeing reservations. All credit card providers have global compliance rules that CCV numbers are not collected for off-line transactions. The only time a merchant should use the CCV is when immediate payment is being made via a payment gateway, where the bank system queries the credit card vendor system online.
The Hotel Electronic Distribution Network Association (HEDNA) explains this further: "the CVV2 is equal to the signature of guest and legally no entity can store the CVV2 in any database. When passed, the CVV2 information must be used for credit card validation and payment; it can't be stored for future payment." For us, this means that no CRS, PMS or any third-party database (such as GDS) can store the CVV2 number. Under the compliance rules, interfaces can pass that information electronically, but merchants are not allowed to store it on any system they use.