Skip to main content
CVV data is stored within the card token, subject to your CVV retention policy. This page covers how to manage the CVV data on an existing token.

How CVV Retention Works

PCI DSS prohibits permanent storage of CVV data. PCI Booking enforces this through configurable retention policies that automatically clear CVV after a defined period or usage count. The default retention window is 60 minutes after capture. After this window closes, PCI Booking automatically deletes the CVV from the token. You can customize this behavior per account or per token through the CVV Retention Policy configuration. Retention policies support two modes:
  • Time-based: CVV is cleared after a set duration (e.g., 60 minutes, 24 hours, 7 days)
  • Usage-based: CVV is cleared after a set number of detokenization uses per destination, allowing you to control exactly how many times the CVV can be sent to each PSP
You can combine both modes. For example, retain CVV for up to 7 days or 3 uses per destination, whichever comes first. This gives you flexibility to support multiple charge attempts while still enforcing strict limits.

Check CVV Status

Use the Retrieve Token Metadata endpoint to check whether CVV is currently stored on a token. The response includes the CvvExists flag and the EndRetentionDate indicating when the CVV is scheduled to be cleared. To see the full retention policy with per-destination quotas and usage counts, use the Get CVV Retention Policy endpoint. To check the policy for a specific destination, use Get Specific Policy.

Capture CVV Separately

When you already have a card token but need the CVV for a transaction, send a CVV-only capture form to the cardholder. This is useful when the original CVV has expired or been cleared, or when the card was tokenized without a CVV in the first place. See the CVV Capture Form guide for details.

Clear CVV Manually

Explicitly remove stored CVV from a token at any time using the Clear CVV endpoint, regardless of the retention policy. This is useful when you have completed all planned charges and want to proactively remove the CVV before the retention window expires. Once cleared, CVV cannot be recovered. You must capture it again from the cardholder.

Next Steps

CVV Capture Form

Capture CVV separately from the cardholder

CVV Retention Policy

Configure how long CVV is retained and under what conditions

Token Management Overview

All token management capabilities