CVV Retention and Retrieval

Card Verification Value retention policies across the TokenEx platform

How does IXOPAY retain and expire CVVs?

When a CVV is associated with a TokenEx token, that CVV is available to use for 7 days. The CVV is deleted from TokenEx systems after 7 days of non-use. See the below guidance for utilizing a CVV within this 7 day window. The following guidance applies to the TokenEx PCI Token Services, Transparent Gateway, and Payment Services APIs.

How does CVV retention work in the PCI Token Services API?

The /DetokenizeWithCvv action has an optional parameter called cacheCVV which defaults to false.

cacheCVV	Outcome
false or omitted	The CVV is immediately deleted upon retrieval.
true	Initial request - updates the purge date to 5 minutes from the first request. Subsequent attempts to cache the CVV will not extend the timer.

How does CVV retention work in the Transparent Gateway?

The below request headers apply to processing of the CVV Function. When tx-retain-cvv is true, tx-cachecvv is ignored.

tx-retain-cvv	tx-cachecvv	Outcome
false or omitted	false or omitted	TGAPI v2: the CVV is immediately deleted upon retrieval. PS v2: the CVV is deleted when the transaction response indicates approved.
false or omitted	true	Initial request - updates the purge date to 5 minutes from the first request including the tx-cachecvv:true. Subsequent attempts to cache the CVV will not extend the timer.
true	false or omitted	Skips updating the CVV's purge date. 7 days from initial add is still in effect.
true	true	Skips updating the CVV's purge date. 7 days from initial add is still in effect.

How does CVV retention work in Payment Services?

The below request header applies to srequests containing the CreditCard.Cvv request parameter.

tx-cachecvv	Outcome
false or omitted	The CVV is deleted when the transaction response indicates approved.
true	Initial request - updates the purge date to 5 minutes from the first request's true. Subsequent attempts to cache the CVV will not extend the timer.