A transaction run with a CVV is still a CNP transaction.

While PCI is mostly toothless, mail-order merchants generally certify under the SAQ C standard, which requires that they do not store cardholder data.

Obviously that does nothing to stop a phone agent from scribbling down your details on a post-it note but who cares? You're not liable for it.