Saturday, September 17th, 2011

The Basics You Need to Know about Visa’s Card Verification Value (CVV)

Tags: card security codes, Visa

Most of you are quite familiar with Visa’s Card Verification Value 2 (CVV 2) – the three-digit number on the back of all Visa cards that is used to verify that customers are in physical possession of their cards in non-face-to-face transactions. What you probably know much less about is the other CVV number, the one that is stored in the card’s memory and serves a similar purpose, but in face-to-face transactions. Let’s take a look at it.

What Is CVV


The Card Verification Value (CVV) is a 3-digit number encoded on Visa credit and debit cards. CVV is stored within the card’s magnetic stripe, if available, or alternatively it can be stored in the chip of a smart credit or debit card.


CVV is a point-of-sale (POS) and ATM risk management service that protects card transaction participants from fraud-related losses resulting from mag-stripe counterfeit Visa cards. Each CVV is a unique value, calculated from data encoded in the magnetic stripe or the chip using the Data Encryption Standard (DES) algorithm.

Types of CVV


There are two types of card verification value, based on where the information is stored:

  • CVV is the code stored in the card’s magnetic stripe.
  • iCVV (Integrated Chip Card Card Verification Value) is the code stored in the card’s chip.


If a smart card features both a magnetic stripe and a chip, the same CVV number can be stored on both. Alternatively, issuers can choose to calculate different values, in which case the one stored on the chip is an iCVV.


Both types of CVV are calculated with the same algorithm. The only difference is one input: CVV validation uses the card’s service code, while iCVV validation uses the value 999 in its place. All other algorithm components are the same and include the:

  • DES key.
  • Primary account number (PAN).
  • Card expiration date.



How Is CVV Validation Performed


The CVV value is submitted with all other magnetic stripe or chip data as part of the transaction authorization request. The CVV can be validated either by VisaNet – Visa’s payment system – or by the issuer itself. The issuer can approve, refer, or decline transactions that fail CVV or iCVV validation, depending on its procedures.


When an authorization request is received, VisaNet or the issuer:

  1. Calculates the CVV or the iCVV.
  2. Verifies the CVV or the iCVV on the card by comparing it to the calculated value.
  3. Sends a response code to the processor that indicates whether the validation succeeded or failed. A failed validation can indicate a counterfeit card, but it can also be due to an incorrect reading or encoding of the CVV or iCVV. The available CVV validation response codes are:
    • Approve.
    • Refer to issuer.
    • Pick up.
    • Decline.



The Takeaway


You don’t really need to know all that much about the CVV, as in face-to-face transactions your POS terminal simply collects it, together with all other mag-stripe or chip information, and routes the whole thing for authorization. You never get to handle it the way e-commerce and MO / TO merchants do CVV 2 numbers. Still, if you are going to be accepting cards for payments, educating yourself on the basics can’t be all bad.




Saturday, July 23rd, 2011

How to Manage the CVV2 Card Verification Process

Tags: card security codes, CVV2, Visa

Your primary concern when accepting credit cards should be to ensure that the card presented for payment is valid and the customer is its authorized user. This is more easily done in face-to-face transactions where, if in doubt, you can simply ask your customer for her driver’s license to make sure that she really is who she claims to be. This is the reason brick-and-mortar businesses typically suffer from much lower fraud rates than their counterparts accepting payments online or over the phone.


This is also the reason the credit card companies have designed various tools and services specifically for validating card and cardholder information in non-face-to-face types of transactions. One of these tools is Visa’s Card Verification Value 2 (CVV2), which I will review in this post.

What Is CVV2?


Card Verification Value 2 (CVV2) is a three-digit security code imprinted on the signature panel, or in a white box immediately to the right of it, on the back of all valid Visa cards to help verify that a customer is in possession of a genuine card at the time an order is placed.

How to Use CVV2?


When processing a card-not-present Visa payment, you should:

  1. Ask your customers for the last three numbers on or to the right of the signature panel on the back of their cards. Avoid asking for the “CVV2” number, as the customer may not know what it refers to.
  2. If your customer provides the CVV2 code, send this information, along with all other transaction data (that is, the 16-digit account number, card expiration date, cardholder name and address, etc.), for authorization approval.
  3. Additionally, include one of the following CVV2 indicators, whether or not you are including a CVV2 code in your authorization request:

    CVV2 Presence in Authorization Request | Indicator
    You have not included CVV2 | 0
    You have included CVV2 | 1
    Customer has stated CVV2 is illegible | 2
    Customer has stated CVV2 is not on the card | 9


  4. After obtaining an authorization approval, examine the CVV2 response code and take action based on all transaction characteristics.

    Response Code | Recommended Action
    M – Match | Proceed with the transaction (provided no other transaction characteristics raise suspicions).
    N – No Match* | This response code should be seen as a sign of possible fraud. Hold the order for further verification and examine all other potentially suspicious transaction characteristics.
    P – Not Processed | This response indicates a technical problem or the request did not provide all the information needed to validate the CVV2 code. Resubmit your authorization request.
    S – CVV2 should be on the card | Follow up with your customer and make sure that she checked the correct location for CVV2 (see above).
    U – The issuer does not participate in CVV2 | Examine all available information and decide whether to complete the transaction or investigate further.


    *If the authorization request is approved, but the CVV2 response is a “No Match,” the merchant is protected against fraud chargebacks.



Do Not Store CVV2


Visa prohibits the storage of CVV2 codes as a part of the order information or customer account data. The security code can only be used during the authorization process and must be removed from any files or storage devices once a response is received. MasterCard, Discover and American Express also prohibit the storage of their security codes.




Tuesday, April 5th, 2011

How to Use the Credit Card Security Codes

Tags: card security codes

Most of us are familiar with the card security codes, which we are often asked for at the checkout of an e-commerce website or when we make a payment over the phone. For you as a customer, it is just another number that you have to provide before the transaction can be completed.


If you manage a business that accepts credit cards in a non-face-to-face setting, however, your point of view changes quite significantly. If that is the case, you will need to have a much better understanding of these three- and four-digit codes and know how to implement them into your payment processing procedures.

What Are the Card Security Codes?


The security codes are used to help verify that the customer is in physical possession of the credit or debit card during a card-not-present transaction. These numbers are not stored in the card’s magnetic stripe and are not used in face-to-face transactions.


The security codes are given different names and abbreviations by the credit card companies and associations and are located at different positions, as follows:

Card Brand | Security Code | Description and Location
Visa | CVV2 – Card Verification Value 2 | The last three digits of the number printed in the signature panel on the back of the card.
MasterCard | CVC 2 – Card Verification Code 2 | Same as above.
Discover | CID – Card Identification Number | Same as above.
American Express | CID – Card Identification Number | The four-digit number located above the card number on the front of the card.



How to Use the Security Codes?


The security codes should be used in all card-not-present transactions. Following is a step-by-step guide on how to do it:

  1. Ask the customer for the security code. Do not use the abbreviations in the table above, as your customer may or may not know what they mean. E-commerce websites should offer help locating the code on the card.
  2. Send the code to the issuer with the authorization request. This should be an automated process, but check with your processor to make sure.
  3. Evaluate the response and take action accordingly. Following are the possible issuer responses and suggestions on how to act on them:
    • M – match. This response means that the code provided by the customer matches the one on file with the issuer. Proceed with the transaction, taking into account all other relevant information.
    • N – no match. The two numbers do not match. This is a strong sign of fraud and you should not complete the transaction.
    • P – request not processed. For some reason the processor’s system is unavailable. Resubmit the request later.
    • S – the customer states there is no security code on the card. All cards must have a security code. Follow up with your customer and help her find the code.
    • U – the issuer does not support the security code. This should be a very rare response, but if you do get one, you will have to decide on how to proceed with the transaction based on the other available information.



Do Not Store Security Codes


Once the transaction is completed, you should destroy all information containing the security code. You can store other account information, including the cardholder name, card number and expiration date; however, industry regulations prohibit the storage of security codes in any form. Failure to comply can cost you a heavy fine.
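One way to check stored order data against the no-storage rule stated here and in the CVV2 post above; this is an added example, not part of the original posts. The field names, the keyword list and the sample orders are assumptions constructed for illustration.

```python
import re

# Field names that suggest a card security code (assumed list; extend for your schema).
CODE_KEYS = re.compile(r"^(cvv2?|cvc2?|cid|csc|security_?code|card_?code)$", re.I)
CODE_VALUE = re.compile(r"^\d{3,4}$")
# A code keyword followed closely by 3 or 4 digits inside free text such as order notes.
FREE_TEXT = re.compile(r"\b(cvv2?|cvc ?2?|cid|security code)\b(\D{0,8})\d{3,4}\b", re.I)
DROP = object()  # sentinel: the field must be removed entirely


def find_stored_codes(node, path="$", key=""):
    """Return the paths of all values that look like a stored security code."""
    if isinstance(node, dict):
        return [h for k, v in node.items() for h in find_stored_codes(v, f"{path}.{k}", k)]
    if isinstance(node, list):
        return [h for i, v in enumerate(node) for h in find_stored_codes(v, f"{path}[{i}]", key)]
    if CODE_KEYS.match(key) and CODE_VALUE.match(str(node).strip()):
        return [path]
    if isinstance(node, str) and FREE_TEXT.search(node):
        return [path]
    return []


def scrub(node, key=""):
    """Return a copy without security codes; name, card number and expiry are kept."""
    if isinstance(node, dict):
        cleaned = {k: scrub(v, k) for k, v in node.items()}
        return {k: v for k, v in cleaned.items() if v is not DROP}
    if isinstance(node, list):
        return [v for v in (scrub(item, key) for item in node) if v is not DROP]
    if CODE_KEYS.match(key) and CODE_VALUE.match(str(node).strip()):
        return DROP
    if isinstance(node, str):
        return FREE_TEXT.sub(r"\1\2[removed]", node)
    return node


SAMPLE_ORDERS = [  # constructed records using a test card number, not real card data
    {"order_id": "A-1001",
     "card": {"name": "J. Doe", "number": "4111111111111111", "exp": "12/14", "cvv2": "123"}},
    {"order_id": "A-1002",
     "card": {"name": "R. Roe", "number": "4111111111111111", "exp": "03/13"},
     "notes": "Phone order, customer read CVV2: 456 twice"},
    {"order_id": "A-1003",
     "card": {"name": "M. Moe", "number": "4111111111111111", "exp": "08/12"},
     "items": [{"sku": "TS-100", "qty": 2}]},
]


def audit(orders):
    """Map each order id to the paths where a security code is still stored."""
    return {order["order_id"]: find_stored_codes(order) for order in orders}


if __name__ == "__main__":
    print(audit(SAMPLE_ORDERS))                      # before clean-up
    print(audit([scrub(o) for o in SAMPLE_ORDERS]))  # after clean-up
```

The free-text pattern is a heuristic: it can miss codes written without a keyword and can flag unrelated numbers that follow one, so treat hits as items to review.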




Saturday, February 5th, 2011

7 Steps to Preventing Card-not-Present Fraud

Tags: Address Verification Service (AVS), card security codes, card-not-present transactions, fraud prevention, MasterCard SecureCode, PCI DSS, Verified by Visa

Credit card fraud is much more difficult to prevent when neither the cardholder nor the card is present during the transaction. In a face-to-face setting the merchant can inspect the card to ensure that it is valid, can verify that the cardholder is an authorized user on the account by matching his or her signature on the transaction receipt to the one on the back of the card, and can request an ID when in doubt. None of these actions can be performed when the payment is submitted online or accepted by phone.


Yet, a combination of best practices and fraud prevention tools can provide card-not-present merchants with strong fraud prevention capabilities. If your business accepts payments online or by phone, you should implement the following safeguards:

  • Verify the phone number and transaction information. Prior to shipping your products, call the phone number provided by the customer and verify the transaction information. Criminals may be unable to verify such information, because in their haste to max out the credit line before the fraud is discovered, they often order at random and do not keep records.
  • Examine priority shipment requests. Costly priority shipments may indicate a fraudulent transaction, especially if a free shipping option has been ignored. Unlike the rest of us, criminals do not much care about shipping costs.
  • Validate orders from repeat customers that differ from the established pattern. If an order from a past customer deviates from the established pattern, contact the customer and validate the transaction.


In addition to implementing the above procedures, you should take advantage of the available fraud prevention tools. Following is a short list of the most prominent among them:

  • Address Verification Service (AVS). AVS enables you to compare the billing address (the address to which the card issuer sends its monthly statement for the account) provided by your customer with the billing address on the card issuer’s file before processing a transaction. These addresses should match.
  • Card Security Codes. Card Security Codes are the 3-digit numbers located on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards, in or around the signature panel, and the 4-digit numbers located on the front of American Express (CID) cards, above the card account number. Card Security Codes help verify that the customer is in physical possession of a valid card during a card-not-present transaction.
  • Verified by Visa and MasterCard SecureCode. These fraud prevention services are offered by the two Credit Card Associations to e-commerce merchants and to online shoppers. MasterCard SecureCode and Verified by Visa enable cardholders to authenticate themselves to their card issuers through the use of personal passwords they create when they register their cards with the programs. These services protect merchants against fraudulent “unauthorized use” chargebacks.
  • PCI compliance. All merchants accepting card payments are now required to be compliant with the requirements of the Payment Card Industry Data Security Standard (PCI DSS), which sets the rules for data security management, policies, procedures, network architecture, software design and other protective measures.


Additionally, you should build and maintain an internal negative file that includes data from fraudulent transactions that you have not been able to prevent. Be sure to leave out of it information that relates to customer disputes or chargebacks, as these can be caused by reasons that are unrelated to fraud. Whenever a new order contains information that matches data in the file, your system should automatically flag the match and trigger an examination.
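A sketch of such a negative file, added here as an example and not part of the original post. The order fields, the reason labels and the choice to store keyed hashes (so the file never holds raw card numbers) are assumptions, and all sample data is constructed.

```python
import hashlib
import hmac
import re

FIELDS = ("email", "phone", "ship_to", "card_number")  # assumed order schema
EXCLUDED_REASONS = {"dispute", "chargeback"}  # kept out of the file, as the text advises


def normalize(field, value):
    """Reduce formatting differences so the same data matches on a later order."""
    value = value.strip().lower()
    if field in ("phone", "card_number"):
        return re.sub(r"\D", "", value)            # digits only
    if field == "ship_to":
        return re.sub(r"[^a-z0-9]+", " ", value).strip()
    return value


class NegativeFile:
    def __init__(self, key: bytes):
        self._key = key          # secret key; keep it outside the data store
        self._entries = set()    # (field name, HMAC-SHA256 hex digest)

    def _token(self, field, value):
        data = normalize(field, value).encode()
        return field, hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def add(self, order, reason):
        """Record data from a fraudulent order; refuse disputes and chargebacks."""
        if reason in EXCLUDED_REASONS:
            return False
        for field in FIELDS:
            if order.get(field):
                self._entries.add(self._token(field, order[field]))
        return True

    def matches(self, order):
        """Return the fields of a new order that match the negative file."""
        return [f for f in FIELDS
                if order.get(f) and self._token(f, order[f]) in self._entries]


# Constructed sample orders (test card numbers, fictitious contact details).
FRAUD_ORDER = {"email": "Mallory@Example.com", "phone": "(555) 010-0199",
               "ship_to": "12 Elm St., Apt 4", "card_number": "4111 1111 1111 1111"}
DISPUTE_ORDER = {"email": "bob@example.com", "phone": "555-010-0123",
                 "ship_to": "9 Oak Ave", "card_number": "4012 8888 8888 1881"}
NEW_ORDER = {"email": " mallory@example.com ", "phone": "555-010-0142",
             "ship_to": "12 elm st apt 4", "card_number": "5555 5555 5555 4444"}

if __name__ == "__main__":
    nf = NegativeFile(b"constructed-demo-key")
    nf.add(FRAUD_ORDER, "confirmed_fraud")
    nf.add(DISPUTE_ORDER, "chargeback")            # ignored
    hits = nf.matches(NEW_ORDER)
    print("examine order, matched on:" if hits else "no match", hits)
```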




Friday, June 25th, 2010

Authentication of E-Commerce Credit Card Transactions

Tags: Address Verification Service (AVS), card security codes, CVC 2, CVV2, e-commerce best practices, MasterCard SecureCode, Verified by Visa

Authentication of an e-commerce credit card transaction is the process through which a merchant verifies the validity of the payment information provided by the customer. The process involves the verification of both the cardholder’s identity and the card’s authenticity. The Credit Card Associations of Visa and MasterCard have developed several authentication services that are all available to e-commerce merchants and it is recommended that they use them all to reduce the number of fraudulent transactions and chargebacks.

  • Address Verification Service (AVS). AVS enables merchants who accept credit card payments in a non-face-to-face setting to compare the billing address (the address to which the card issuer sends its monthly statement for that account) provided by a customer to the billing address on the card issuer’s file before processing a transaction. After comparing the provided address with the one they have on file for their cardholder, the card issuer responds by issuing one of the AVS response codes listed in the table below.

    AVS Response Code | Explanation and Recommended Action
    X – exact match | Address and nine-digit ZIP code match – if the other fraud services raise no suspicions, you should process the transaction.
    Y – match | Address and five-digit ZIP code match – follow the instructions above.
    A – partial match | Address matches but ZIP code does not – a sign of a potential fraud. You may want to investigate further before making a decision.
    Z – partial match | ZIP code matches but address does not – a sign of a potential fraud. Follow the above instructions.
    N – no match | Neither address nor ZIP code match – a strong sign of a fraud. You should take additional steps to investigate the transaction.
    U – unavailable | The card issuer system is unavailable and the address cannot be verified. You need to make a decision whether to process the transaction without AVS or not.
    R – retry | The card issuer system is unavailable – you should try again later.
    U – no AVS support | If the card issuer does not support AVS you will have to make a decision whether to process the transaction or not based on other criteria.
    G – global | The address is outside of the U.S. – AVS cannot be used. You should take further steps to verify the authenticity of the transaction.


    Address verification and transaction authorization occur simultaneously and, within seconds, the merchant receives both results.

  • Card Security Codes. Card Security Codes are the 3-digit numbers located on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards, in or around the signature panel, and the 4-digit numbers located on the front of American Express (CID) cards, above the card account number. Card Security Codes help verify that the customer is in physical possession of a valid card during a card-not-present transaction. Similarly to the AVS, the merchant includes the security code with the authorization request and the issuer replies with a response code, as listed in the table below:

    Response Code | Explanation and Recommended Action
    M – match | The code is valid. Complete the transaction, taking into account all other transaction characteristics.
    N – no match | The code is not valid. View this result as a very strong indicator of fraud. It may, however, be the result of a key-entry error, so you may consider resubmitting the code request.
    P – request not processed | You should resubmit the request.
    S – the cardholder has stated that the code is not on the card | The security code should be on all valid cards. Consider following up with your customer to verify that he or she has checked the correct card location.
    U – the issuer does not support the card security codes | In this case you should evaluate all other available information and decide whether to proceed with the transaction or investigate further.

  • Verified by Visa and MasterCard SecureCode. Verified by Visa and MasterCard SecureCode are authentication systems that validate a cardholder’s ownership of an account in real-time during an e-commerce transaction. When the cardholder clicks “Buy” at the checkout page of a participating merchant’s website, a new screen automatically appears in the cardholder’s browser. The cardholder enters a password that allows the card issuer to verify his or her identity.


These services are free to cardholders who can register their credit card accounts online on the Associations’ or on the card issuers’ websites. During the registration process the cardholder creates the password he or she will use later during the authentication process. Once the card is registered and activated with Verified by Visa or MasterCard SecureCode, the card number will be automatically recognized whenever the cardholder shops at participating stores. The cardholder will be prompted to enter his or her password and, upon password verification, the transaction will be completed.
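One way to combine the AVS and security code response tables above into a single order decision; this is an added example, not code from the original post. The severity ordering, the fail-closed handling of unknown codes and the MAX_RESUBMITS cap are assumptions layered on the recommended actions in the tables.

```python
from enum import IntEnum


class Action(IntEnum):
    """Ordered by severity so the stricter of the two signals wins (assumed policy)."""
    PROCEED = 0
    MERCHANT_DECISION = 1   # no usable signal; decide on other information
    RESUBMIT = 2
    CONTACT_CUSTOMER = 3
    INVESTIGATE = 4


# Recommended actions taken from the two tables in this post.
AVS_ACTIONS = {
    "X": Action.PROCEED, "Y": Action.PROCEED,
    "A": Action.INVESTIGATE, "Z": Action.INVESTIGATE, "N": Action.INVESTIGATE,
    "U": Action.MERCHANT_DECISION, "R": Action.RESUBMIT, "G": Action.INVESTIGATE,
}
CODE_ACTIONS = {
    "M": Action.PROCEED, "N": Action.INVESTIGATE, "P": Action.RESUBMIT,
    "S": Action.CONTACT_CUSTOMER, "U": Action.MERCHANT_DECISION,
}
MAX_RESUBMITS = 2  # assumed cap so a failing issuer link cannot loop forever


def decide(avs_code, security_code_result, resubmits=0):
    """Return (action, reasons) for one authorization response."""
    signals = []
    for label, table, code in (("AVS", AVS_ACTIONS, avs_code),
                               ("security code", CODE_ACTIONS, security_code_result)):
        # Unknown or missing codes fail closed: a person looks at the order.
        action = table.get((code or "").strip().upper(), Action.INVESTIGATE)
        if action == Action.RESUBMIT and resubmits >= MAX_RESUBMITS:
            action = Action.MERCHANT_DECISION   # treat as unavailable
        signals.append((action, f"{label}={code}"))
    worst = max(action for action, _ in signals)
    if worst == Action.PROCEED:
        return worst, []
    return worst, [reason for action, reason in signals if action == worst]


if __name__ == "__main__":
    for avs, code, tries in [("Y", "M", 0), ("Y", "N", 0), ("R", "P", 0), ("R", "P", 2)]:
        action, reasons = decide(avs, code, tries)
        print(f"AVS={avs} code={code} resubmits={tries}: {action.name} {reasons}")
```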


