I wrote about this topic before: see here:
Now the latest perpetrator is an organization that:
is the global, not-for-profit leader in educating and certifying information security professionals throughout their careers. Recognized for Gold Standard certifications and world class education programs.
So when paying for my annual dues for a security certification: I see the following prompt for my “Security Code”
“Do not store the card validation value or code (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions”
Q. Can merchants store my 3-digit code?
A. No. To ensure information security, all merchants are prohibited from storing the 3-digit code in any format whether on paper drafts, receipts or electronically.
From : Rules for Visa Merchants
Avoid CVV2 Storage. All merchants are prohibited from storing CVV2 data.
When asking a cardholder for CVV2, merchants must not document this
information on any kind of paper order form or store it on any database.