CVV number on a remit envelope

Is an organization located in the US allowed to require the CVV in writing on a remit envelope?

Comments

  • Austen Brown

    Hi @Caroline Lochner - It is a general recommendation to not store CVV information along with credit card numbers. Additionally, RE does not need the CVV number to process a gift via Database View. Going one step further, you may want to consider removing credit card lines altogether from your remittance envelope and encouraging your donors to donate online. Check out this blog post for ways you can improve your remittance envelope/pledge card:

    https://askgenius.com/pledge-card-design-tips/

  • We never ask for it and have always been fine. And I agree with @Austen Brown - post the online link instead. Saves a lot of room on the envelope, plus people are skittish about giving their credit card numbers in writing these days anyway.

  • I believe if you add the CVV to your paperwork it makes you non PCI compliant, so it's best to leave it out, however, most times you need the CVV in order to run the card so you're stuck?

  • As we look at moving our gift processing to Unified View, we are now required to have the CVV to process offline credit card donations. @Silvia Ochoa is correct, PCI DSS prohibits CVV data from being written, retained or handled in any format including paper (DM reply coupons in our case). So it looks like we are stuck being unable to accept credit card donations for mailed appeals once database view is gone. @Jake Gaston where does this leave all of your customers who still use mailed appeals?

  • I just saw the notice this morning about the CVV and the solutions provided are not workable for direct mail. I understand the unified view needs the CVV, but this is a big deal to lose the ability to process credit cards received in the mail.

    Requesting CVV in the mail is non-compliant with PCI DSS, full stop.

    (And while we have already provided a QR code for years, the take-up is very slow. Some donors still prefer to correspond via mail directly and avoid the website. If they're comfortable giving via the website, you'll probably respond to the email appeal version instead. With Cheques phasing out and now affecting Credit Cards… you've just announced the death knell of direct mail. It's a big deal!)

  • JoAnn Strommen

    I understand the need for the CVV. In our opinion having the info on a reply slip mailed back to the org is a very high risk to the donor. We removed it from our response slips. Still have a few folks who call in to make their payment by card.

    I am not an expert on PCI compliance. My understanding has always been, for US anyway - don't know if different for other countries, is that it's storing the CVV/card info that is a compliance issue. Not receiving it in the mail. The compliance documents I have been a part of reviewing focused on secure storage and destruction.

    Google AI results:

    PCI Compliance Requirements for Donation Cards:

    • Do Not Store: The card verification code (CVV2, CVC2, CID) must not be stored in any system or paper file after the transaction is authorized.
    • Immediate Destruction: If a CVV is collected to process a one-time, mail-in donation, the paper form must be physically destroyed immediately after the transaction.
    • No Recurring Storage: You cannot store the CVV code to facilitate future or recurring donations.

    FWIW

  • JoAnn Strommen

    Resources:

    For more information, see the PCI Security Standards FAQ on storage and the PCI DSS Quick Reference Guide

  • Most of the PCI guidance talks about storing the CVV after authorization, but writing it down on a paper reply coupon counts as storage, even though it is prior to authorization, and it constitutes a big risk to the donor to do that, as well as making the organization collecting and handling it, now PCI non-compliant.

    PCI also suggests checking the card brands in your country. I’m in Canada and Visa Canada specifically exempts mail-order transactions from requiring the CVV (and prohibits the collection of it in written form) [visa.ca]

  • JoAnn Strommen

    Resources:

    For more information, see the PCI Security Standards FAQ on storage and the PCI DSS Quick Reference Guide

    While I am in total agreement about not storing the data, the org has to be able to have it temporarily to do business. Protect it, use it, destroy it.
    And for their own security encourage donors to use other means of payment. Security during the mail process is the issue. Mailing checks can lead to problems as well. We recently had an issue of a check being intercepted and 'washed' to a different payee.

    From pg 14 of quick reference guide (bold font my edit).

    Requirement 3: Protect stored cardholder data

    Cardholder data should not be stored unless it’s necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored after authorization. If your organization stores PAN, it is crucial to render it unreadable (see 3.4, and table below for guidelines).

    3.1 Limit cardholder data storage and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in your data retention policy.

  • There are some useful comments on this thread that I'd encourage you to read/respond to so we can share as much as possible about why this process is not ideal for charities relying on mailed donations. 😔

  • Rachel Cavalier

    In the UK here and it's been interesting to discover that it seems like no one else uses CVV!

    For Direct Mail appeals, we process the card payment as soon as the form is received in the post and then use a camo-roller over the card details before shredding it. We still have many supporters who prefer to make their donations by post in this fashion, though we do try to make donating online as easy as possible.
