ADR-0004 (Accepted)

Never collect or store card CVV / security codes

Context

A '1-click autofill' style feature is tempting, but storing CVV/CVV2 after authorization is a direct PCI-DSS violation (Requirement 3.2) regardless of encryption.

Decision

Pikt does not collect, transmit, or store card security codes. Any future autofill capability must rely on network tokens or processor-supplied payment tokens where the card network provides the cryptogram — never a stored CVV.
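One way to make this decision enforceable in code rather than by convention, as an added example that is not part of Pikt's own code base: the only type that can be persisted has no field for a security code, the processor call is the single place the full card form is used, and a guard at the persistence boundary rejects any payload that still carries a CVV-like key. The field-name pattern, `tokenize_with_processor`, and the sample card form are constructed for this example; a real integration would call the processor's SDK instead.

```python
import re
from dataclasses import dataclass, asdict
from typing import Any, Mapping

# Key names that must never reach a database or a log line. Constructed for this
# example; extend it to match the names your forms and processor actually use.
CVV_FIELD_PATTERN = re.compile(
    r"(cvv2?|cvc2?|cvn|cid|csc|security[_-]?code|card[_-]?code)",
    re.IGNORECASE,
)


class SecurityCodeLeak(Exception):
    """Raised when a card security code is about to be persisted or logged."""


def find_security_code_fields(payload: Any, path: str = "") -> list[str]:
    """Walk nested dicts and lists and return the paths of every CVV-like key."""
    hits: list[str] = []
    if isinstance(payload, Mapping):
        for key, value in payload.items():
            child = f"{path}.{key}" if path else str(key)
            if isinstance(key, str) and CVV_FIELD_PATTERN.fullmatch(key):
                hits.append(child)
            hits.extend(find_security_code_fields(value, child))
    elif isinstance(payload, (list, tuple)):
        for i, item in enumerate(payload):
            hits.extend(find_security_code_fields(item, f"{path}[{i}]"))
    return hits


def is_safe_to_persist(payload: Any) -> bool:
    """True when no security-code field is present anywhere in the payload."""
    return not find_security_code_fields(payload)


def assert_no_security_code(payload: Any) -> None:
    """Persistence-boundary guard: refuse to continue if a CVV-like key is present."""
    hits = find_security_code_fields(payload)
    if hits:
        raise SecurityCodeLeak(f"card security code present at: {', '.join(hits)}")


@dataclass(frozen=True)
class StoredPaymentMethod:
    """Everything Pikt may keep at rest: a processor token plus display data.
    There is deliberately no field in which a CVV could be stored."""
    processor_token: str
    brand: str
    last4: str
    exp_month: int
    exp_year: int


def tokenize_with_processor(card_form: Mapping[str, str]) -> str:
    """Hypothetical stand-in for the processor's tokenization call. The full card,
    CVV included, is sent to the processor in-flight and is not retained here."""
    return "tok_" + card_form["number"][-4:] + "_example"  # constructed token value


def checkout_and_save(card_form: Mapping[str, str]) -> StoredPaymentMethod:
    """Use the raw form once, for the processor call, then keep only the token."""
    token = tokenize_with_processor(card_form)
    record = StoredPaymentMethod(
        processor_token=token,
        brand=card_form["brand"],
        last4=card_form["number"][-4:],
        exp_month=int(card_form["exp_month"]),
        exp_year=int(card_form["exp_year"]),
    )
    # Guard at the storage boundary: the record must carry no security code.
    assert_no_security_code(asdict(record))
    return record


if __name__ == "__main__":
    # Constructed sample form; the card number is a well-known test value.
    form = {"brand": "visa", "number": "4111111111111111",
            "exp_month": "12", "exp_year": "2030", "cvv": "123"}
    print("raw form safe to persist:", is_safe_to_persist(form))
    print("stored record:", checkout_and_save(form))
```

The guard is most useful when wired into the ORM's pre-save hook and the logging formatter, so that a future "save the whole form" shortcut fails loudly in tests rather than silently putting Pikt back into the highest-risk PCI band.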

Consequences

  • Pikt stays out of the highest-risk band of PCI scope.
  • No CVV exists at rest to be breached.
  • Autofill, if built, is designed around tokenization rather than secret storage.