LastPass.com asks to store CVV2 code for Automatic Form Filling

I’ve been enjoying LastPass for generating, securely storing and synchronizing passwords between web browsers and my machines. LastPass also has a feature called Automatic Form Filling, and I was a little surprised when I saw a spot to store the following information:

Look at the “Credit Card Number” Section:

[Screenshot of the LastPass Form Fill profile, Credit Card section, captured 12-2-2008 8:28:50 AM]

Notice the spot for Security Code? PCI considers the Security Code (CAV2, CVC2, CVV2, CID) Sensitive Authentication Data and does not permit the storage of Sensitive Authentication Data, even if it is encrypted. This is PCI DSS requirement 3.2; also see the “PCI Data Storage Do’s and Don’ts” sheet.

So if a user enters their Security Code and saves it in their “Form Fill Profile”, the Security Code is stored in encrypted form on your computer (when you log in to LastPass.com), on the LastPass.com servers and on Amazon S3 (where LastPass stores its backups). [1] Interesting.

I’ve decided that I can type in my Social Security Number, Credit Card Number, Exp Date and Security Code myself on the websites that I frequent :) (Actually, the main card number that I use for e-commerce sites I have memorized anyway.)

It should also be noted that the PCI 3.2 language states “Do not store sensitive authentication data after authorization (even if encrypted)”. LastPass.com acts more like a password manager or eWallet and does not participate in the authorization process; also, the information in the user’s account is solely the cardholder’s.
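As an added illustration (not LastPass code), here is a small Python check that a form-fill store could run before persisting a profile and again when auditing one read back from disk, server or backup. It assumes profiles are plain key/value dictionaries and that field names follow the labels shown in the screenshot; the sample profile below is constructed.

```python
import re

# Labels PCI DSS 3.2 treats as sensitive authentication data (SAD): the card
# security code under its brand names (CAV2, CVC2, CVV2, CID) plus generic spellings.
# Track data and PIN blocks are also SAD, but a form-fill profile only carries the code.
SAD_KEY_RE = re.compile(r"\b(cav2|cvc2|cvv2?|cid|security[ _-]?code|card[ _-]?code)\b", re.I)

def classify_fields(profile):
    """Split a form-fill profile into (storable, rejected) dicts by field name."""
    storable, rejected = {}, {}
    for key, value in profile.items():
        (rejected if SAD_KEY_RE.search(key) else storable)[key] = value
    return storable, rejected

def prepare_for_storage(profile):
    """Return the fields that may be persisted (encrypting SAD does not make it
    storable) plus the sorted names of the fields that were dropped."""
    storable, rejected = classify_fields(profile)
    return storable, sorted(rejected)

def audit_stored_profile(profile):
    """Detection side: findings for a profile read back from any copy at rest
    (local cache, server, or S3 backup, the three places named in the post)."""
    return [f"SAD field at rest: {key}" for key in profile if SAD_KEY_RE.search(key)]

# Constructed sample profile mirroring the fields in the form-fill screenshot.
SAMPLE_PROFILE = {
    "Name": "Jane Cardholder",
    "Credit Card Number": "4111111111111111",  # well-known test PAN; PAN itself may be stored
    "Exp Date": "12/2010",
    "Security Code": "123",                    # CVV2: not storable after authorization
}

if __name__ == "__main__":
    kept, dropped = prepare_for_storage(SAMPLE_PROFILE)
    print("stored:", kept)
    print("dropped:", dropped)
    print("audit of raw profile:", audit_stored_profile(SAMPLE_PROFILE))
    print("audit of sanitized profile:", audit_stored_profile(kept))
```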

[1] https://lastpass.com/technology.php
