Most of us are familiar with the card security codes, which we are often asked for at the checkout of an e-commerce website or when we make a payment over the phone. As a customer, for you it is just another number that you have to provide before the transaction can be completed.
If you manage a business that accepts credit cards in a non-face-to-face setting, however, your point of view changes quite significantly. If that is the case, you will need to have a much better understanding of these three- and four-digit codes and know how to implement them into your payment processing procedures.
What Are the Card Security Codes?
The security codes are used to help verify that the customer is in a physical possession of the credit or debit card during a card-not-present transaction. These numbers are not stored in the card’s magnetic stripe and are not used in face-to-face transactions.
The security codes are given different names and abbreviations by the credit card companies and associations and are located at different positions, as follows:
|Card Brand||Security Code||Description and Location|
|Visa||CVV2 — Card Verification Value 2||The last three digits of the number printed in the signature panel on the back of the card.|
|MasterCard||CVC 2 — Card Verification Code 2||Same as above.|
|Discover||CID — Card Identification Number||Same as above|
|American Express||CID — Card Identification Number||The four-digit number located above the card number on the front of the card.|
How to Use the Security Codes?
The security codes should be used in all card-not-present transactions. Following is a step-by-step guide on how to do it:
- Ask the customer for the security code. Do not use the abbreviations in the table above, as your customer may or may not know what they mean. E-commerce websites should offer help locating the code on the card.
- Send the code to the issuer with the authorization request. This should be an automated process, but check with your processor to make sure.
- Evaluate the response and take action accordingly. Following are the possible issuer responses and suggestions on how to act on them:
- M — match. This response means that the code provided by the customer matches the one on file with the issuer. Proceed with the transaction, taking into account all other relevant information.
- N — no match. The two numbers do not match. This is a strong sign of fraud and you should not complete the transaction.
- P — request not processed. For some reason the processor’s system is unavailable. Resubmit the request later.
- S — the customer states there is no security code on the card. All cards must have a security code. Follow up with your customer and help her find the code.
- U — the issuer does not support the security code. This should be a very rare response, but if you do get one, you will have to decide on how to proceed with the transaction based on the other available information.
Do Not Store Security Codes
Once the transaction is completed, you should destroy all information containing the security code. You can store other account information, including the cardholder name, card number and expiration date, however industry regulations prohibit the storage of security codes in any form. Failure to comply can cost you a heavy fine.
Image credit: Akbo.info.