> ## Documentation Index
> Fetch the complete documentation index at: https://developers.pcibooking.net/llms.txt
> Use this file to discover all available pages before exploring further.

# CVV Management

> Manage CVV storage, retention policies, and re-capture for stored card tokens. PCI DSS compliant.

CVV data is stored within the card token, subject to your [CVV retention policy](/capture-cards/cvv-retention-policy). This page covers how to manage the CVV data on an existing token.

## How CVV Retention Works

PCI DSS prohibits permanent storage of CVV data. PCI Booking enforces this through configurable retention policies that automatically clear CVV after a defined period or usage count.

The default retention window is **60 minutes** after capture. After this window closes, PCI Booking automatically deletes the CVV from the token. You can customize this behavior per account or per token through the [CVV Retention Policy](/capture-cards/cvv-retention-policy) configuration.

Retention policies support two modes:

* **Time-based**: CVV is cleared after a set duration (e.g., 60 minutes, 24 hours, 7 days)
* **Usage-based**: CVV is cleared after a set number of detokenization uses per destination, allowing you to control exactly how many times the CVV can be sent to each PSP

<Info>
  You can combine both modes. For example, retain CVV for up to 7 days or 3 uses per destination, whichever comes first. This gives you flexibility to support multiple charge attempts while still enforcing strict limits.
</Info>

## Check CVV Status

Use the [Retrieve Token Metadata](/api-reference/manage-tokens/retrieve-token-metadata) endpoint to check whether CVV is currently stored on a token. The response includes the `CvvExists` flag and the `EndRetentionDate` indicating when the CVV is scheduled to be cleared.

To see the full retention policy with per-destination quotas and usage counts, use the [Get CVV Retention Policy](/api-reference/manage-tokens/get-cvv-retention-policy) endpoint. To check the policy for a specific destination, use [Get Specific Policy](/api-reference/manage-tokens/get-cvv-retention-policy-specific).

## Capture CVV Separately

When you already have a card token but need the CVV for a transaction, send a CVV-only capture form to the cardholder. This is useful when the original CVV has expired or been cleared, or when the card was tokenized without a CVV in the first place. See the [CVV Capture Form](/capture-cards/cvv-capture) guide for details.

## Clear CVV Manually

Explicitly remove stored CVV from a token at any time using the [Clear CVV](/api-reference/manage-tokens/clear-cvv) endpoint, regardless of the retention policy. This is useful when you have completed all planned charges and want to proactively remove the CVV before the retention window expires. Once cleared, CVV cannot be recovered. You must capture it again from the cardholder.

## Next Steps

<CardGroup cols={2}>
  <Card title="CVV Capture Form" icon="book" href="/capture-cards/cvv-capture">
    Capture CVV separately from the cardholder
  </Card>

  <Card title="CVV Retention Policy" icon="book" href="/capture-cards/cvv-retention-policy">
    Configure how long CVV is retained and under what conditions
  </Card>

  <Card title="Token Management Overview" icon="book" href="/manage-tokens/overview">
    All token management capabilities
  </Card>
</CardGroup>
