How CVV Retention Works
PCI DSS prohibits permanent storage of CVV data. PCI Booking enforces this through configurable retention policies that automatically clear CVV after a defined period or usage count. The default retention window is 60 minutes after capture. After this window closes, PCI Booking automatically deletes the CVV from the token. You can customize this behavior per account or per token through the CVV Retention Policy configuration. Retention policies support two modes:- Time-based: CVV is cleared after a set duration (e.g., 60 minutes, 24 hours, 7 days)
- Usage-based: CVV is cleared after a set number of detokenization uses per destination, allowing you to control exactly how many times the CVV can be sent to each PSP
You can combine both modes. For example, retain CVV for up to 7 days or 3 uses per destination, whichever comes first. This gives you flexibility to support multiple charge attempts while still enforcing strict limits.
Check CVV Status
Use the Retrieve Token Metadata endpoint to check whether CVV is currently stored on a token. The response includes theCvvExists flag and the EndRetentionDate indicating when the CVV is scheduled to be cleared.
To see the full retention policy with per-destination quotas and usage counts, use the Get CVV Retention Policy endpoint. To check the policy for a specific destination, use Get Specific Policy.
Capture CVV Separately
When you already have a card token but need the CVV for a transaction, send a CVV-only capture form to the cardholder. This is useful when the original CVV has expired or been cleared, or when the card was tokenized without a CVV in the first place. See the CVV Capture Form guide for details.Clear CVV Manually
Explicitly remove stored CVV from a token at any time using the Clear CVV endpoint, regardless of the retention policy. This is useful when you have completed all planned charges and want to proactively remove the CVV before the retention window expires. Once cleared, CVV cannot be recovered. You must capture it again from the cardholder.Next Steps
CVV Capture Form
Capture CVV separately from the cardholder
CVV Retention Policy
Configure how long CVV is retained and under what conditions
Token Management Overview
All token management capabilities

