"Q: Can card verification codes/values be stored for card-on-file or recurring transactions?
A: A card verification code or value (also referred to a CAV2, CVC2, CVV2, or CID, depending on the payment brand) is the 3- or 4- digit number printed on the front or back of a payment card. These values are considered sensitive authentication data (SAD), which, in accordance with PCI DSS Requirement 3.2, must not be stored after authorization.*
Card verification codes/values are typically used for authorization in card-not-present transactions. These values are not needed for card-on-file or recurring transactions, and storage for these purposes is prohibited under PCI DSS Requirement 3.2.
PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized. Some service providers offer a concierge-style service, where cardholder details are retained by the provider to facilitate potential future transactions. Retention of card verification codes/values for this purpose is also prohibited under PCI DSS Requirement 3.2.
All card verification codes/values must be completely removed from the entityâ(TM)s systems in order to comply with Requirement 3.2. The requirement to not store sensitive authentication data cannot be met by the use of cryptographic techniques. "
https://blog.pcisecuritystanda...
They'll lose thier right to process CC for this.