For vaulted transactions (such as recurring or card-on-file payments), regulations do not permit merchants to store or reuse the CVV after the initial authorization. The PCI DSS (Payment Card Industry Data Security Standard) explicitly forbids storing the CVV (also called CVC2, CVV2, CID) after a transaction is authorized, even if encrypted or tokenized—this restriction applies to all forms of storage, including within vaulting solutions, databases, logs, or backups.
The CVV is required for charging, and so will need to be user input each time.
For vaulted transactions (such as recurring or card-on-file payments), regulations do not permit merchants to store or reuse the CVV after the initial authorization. The PCI DSS (Payment Card Industry Data Security Standard) explicitly forbids storing the CVV (also called CVC2, CVV2, CID) after a transaction is authorized, even if encrypted or tokenized—this restriction applies to all forms of storage, including within vaulting solutions, databases, logs, or backups.
The CVV is required for charging, and so will need to be user input each time.