How to Manage the CVV2 Card Verification Process

Your primary concern when accepting credit cards should be to ensure that the card presented for payment is valid and the customer is its authorized user. This is more easily done in face-to-face transactions where, if in doubt, you can simply ask your customer for her driver’s license to make sure that she really is who she claims to be. This is the reason brick-and-mortar businesses typically suffer from much lower fraud rates than their counterparts accepting payments online or over the phone.

This is also the reason the credit card companies have designed various tools and services specifically for validating card and cardholder information in non-face-to-face types of transactions. One of these tools is Visa’s Card Verification Value 2 (CVV2), which I will review in this post.

What Is CVV2?

Card Verification Value 2 (CVV2) is a three-digit security code imprinted on the signature panel, or in a white box immediately to the right of it, on the back of all valid Visa cards to help verify that a customer is in possession of a genuine card at the time an order is placed.

How to Use CVV2?

When processing a card-not-present Visa payment, you should:

1. Ask your customers for the last three numbers on or to the right of the signature panel on the back of their cards. Avoid asking for the “CVV2” number, as the customer may not know what it refers to.
2. If your customer provides the CVV2 code, send this information, along with all other transaction data (that is 16-digit account number, card expiration date, cardholder name and address, etc.) for authorization approval.
3. Additionally, include one of the following CVV2 indicators, whether or not you are including a CVV2 code in your authorization request:
   
   

   CVV2 Presence in Authorization Request	Indicator
   You have not included CVV2	0
   You have included CVV2	1
   Customer has stated CVV2 is illegible	2
   Customer has stated CVV2 is not on the card	9




4. After obtaining an authorization approval, examine the CVV2 response code and take action based on all transaction characteristics.
   
   

   Response Code	Recommended Action
   M — Match	Proceed with the transaction (provided no other transaction characteristics raise suspicions).
   N — No Match*	This response code should be seen as a sign of possible fraud. Hold the order for further verification and examine all other potentially suspicious transaction characteristics.
   P — Not Processed	This response indicates a technical problem or the request did not provide all the information needed to validate the CVV2 code. Resubmit your authorization request.
   S — CVV2 should be on the card	Follow up with your customer and make sure that she checked the correct location for CVV2 (see above).
   U — The issuer does not participate in CVV2	Examine all available information and decide whether to complete the transaction or investigate further.

   
   *If the authorization request is approved, but the CVV2 response is a “No Match,” the merchant is protected against fraud chargebacks.

Do Not Store CVV2

Visa prohibits the storage of CVV2 codes as a part of the order information or customer account data. The security code can only be used during the authorization process and removed from any files or storage devices once a response is received. MasterCard, Discover and American Express also prohibit the storage of their security codes.

Image credit: Readwrite.com.