Friday, June 25th, 2010

Authentication of E-Commerce Credit Card Transactions

Tags: Address Verification Service (AVS), card security codes, CVC 2, CVV2, e-commerce best practices, MasterCard SecureCode, Verified by Visa

Authentication of an e-commerce credit card transaction is the process through which a merchant verifies the validity of the payment information provided by the customer. The process involves the verification of both the cardholder’s identity and the card’s authenticity. The Credit Card Associations of Visa and MasterCard have developed several authentication services, all of which are available to e-commerce merchants, and it is recommended that merchants use them all to reduce the number of fraudulent transactions and chargebacks.

  • Address Verification Service (AVS). AVS enables merchants who accept credit card payments in a non-face-to-face setting to compare the billing address (the address to which the card issuer sends its monthly statement for that account) provided by a customer to the billing address on the card issuer’s file before processing a transaction. After comparing the provided address with the one they have on file for their cardholder, the card issuer responds by issuing one of the AVS Response codes listed in the table below.

    AVS Response Code | Explanation and Recommended Action
    X – exact match | Address and nine-digit ZIP code match – if the other fraud services raise no suspicions, you should process the transaction.
    Y – match | Address and five-digit ZIP code match – follow the instructions above.
    A – partial match | Address matches but ZIP code does not – a sign of a potential fraud. You may want to investigate further before making a decision.
    Z – partial match | ZIP code matches but address does not – a sign of a potential fraud. Follow the above instructions.
    N – no match | Neither address nor ZIP code match – a strong sign of a fraud. You should take additional steps to investigate the transaction.
    U – unavailable | The card issuer system is unavailable and the address cannot be verified. You need to make a decision whether to process the transaction without AVS or not.
    R – retry | The card issuer system is unavailable – you should try again later.
    U – no AVS support | If the card issuer does not support AVS you will have to make a decision whether to process the transaction or not based on other criteria.
    G – global | The address is outside of the U.S. – AVS cannot be used. You should take further steps to verify the authenticity of the transaction.


    Address verification and transaction authorization occur simultaneously and, within seconds, the merchant receives both results.

  • Card Security Codes. Card Security Codes are the 3-digit numbers located on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards, in or around the signature panel, and the 4-digit numbers located on the front of American Express (CID) cards, above the card account number. Card Security Codes help verify that the customer is in physical possession of a valid card during a card-not-present transaction. As with AVS, the merchant includes the security code with the authorization request and the issuer replies with a response code, as listed in the table below:

    Response Code | Explanation and Recommended Action
    M – match | The code is valid. Complete the transaction, taking into account all other transaction characteristics.
    N – no match | The code is not valid. View this result as a very strong indicator of fraud. It may, however, be the result of a key-entry error, so you may consider resubmitting the code request.
    P – request not processed | You should resubmit the request.
    S – the cardholder has stated that the code is not on the card | The security code should be on all valid cards. Consider following up with your customer to verify that he or she has checked the correct card location.
    U – the issuer does not support the card security codes | In this case you should evaluate all other available information and decide whether to proceed with the transaction or investigate further.

  • Verified by Visa and MasterCard SecureCode. Verified by Visa and MasterCard SecureCode are authentication systems that validate a cardholder’s ownership of an account in real-time during an e-commerce transaction. When the cardholder clicks “Buy” at the checkout page of a participating merchant’s website, a new screen automatically appears in the cardholder’s browser. The cardholder enters a password that allows the card issuer to verify his or her identity.


These services are free to cardholders who can register their credit card accounts online on the Associations’ or on the card issuers’ websites. During the registration process the cardholder creates the password he or she will use later during the authentication process. Once the card is registered and activated with Verified by Visa or MasterCard SecureCode, the card number will be automatically recognized whenever the cardholder shops at participating stores. The cardholder will be prompted to enter his or her password and, upon password verification, the transaction will be completed.
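The AVS and card security code responses described above arrive as two separate results, and the merchant has to turn them into one decision. The following is an added example, not code from the original post or from any card association: the `Action` names, the ranking of actions and the `decide` function are assumptions made for illustration, while the response letters follow the two tables on this page.

```python
# Added example: combine the AVS and card security code responses from the
# tables above into one action. Action names and ranking are assumptions.
from enum import IntEnum


class Action(IntEnum):
    PROCESS = 0      # this check raises no objection
    REVIEW = 1       # merchant decides using other criteria
    RETRY = 2        # resubmit the request, then decide again
    INVESTIGATE = 3  # strong sign of fraud


# Letters and meanings follow the AVS table on this page.
AVS_ACTIONS = {
    "X": Action.PROCESS,      # address and nine-digit ZIP match
    "Y": Action.PROCESS,      # address and five-digit ZIP match
    "A": Action.REVIEW,       # address matches, ZIP does not
    "Z": Action.REVIEW,       # ZIP matches, address does not
    "N": Action.INVESTIGATE,  # neither matches
    "U": Action.REVIEW,       # issuer unavailable or no AVS support
    "R": Action.RETRY,        # issuer unavailable, try again later
    "G": Action.REVIEW,       # non-U.S. address, AVS cannot be used
}

# Letters and meanings follow the card security code table on this page.
CSC_ACTIONS = {
    "M": Action.PROCESS,      # code is valid
    "N": Action.INVESTIGATE,  # code is not valid
    "P": Action.RETRY,        # request not processed
    "S": Action.REVIEW,       # cardholder says the code is not on the card
    "U": Action.REVIEW,       # issuer does not support security codes
}


def decide(avs_code, csc_code):
    """Return the strictest action that either response calls for."""
    # An unrecognised or missing code is never treated as a match.
    avs = AVS_ACTIONS.get((avs_code or "").strip().upper(), Action.REVIEW)
    csc = CSC_ACTIONS.get((csc_code or "").strip().upper(), Action.REVIEW)
    return max(avs, csc)


if __name__ == "__main__":
    for pair in [("Y", "M"), ("A", "M"), ("R", "M"), ("X", "N"), ("", "M")]:
        print(pair, decide(*pair).name)
```

Taking the maximum means a good AVS result can never cancel out a failed security code check, and the reverse.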




Friday, April 30th, 2010

MasterCard’s Card Validation Code 2 – CVC 2

Tags: card security codes, card-not-present transactions, chargebacks, CVC 2, e-commerce, fraud prevention, MasterCard, risk management

MasterCard, just like bigger rival Visa, puts security codes on all credit and debit cards that bear its logo, as an additional security feature to help merchants who accept payments in a card-not-present environment fight fraud. The CVC 2, which stands for Card Validation Code 2, is located on the back of all MasterCard cards. It is a three-digit code indent-printed on the signature panel of MasterCard cards. The CVC 2 is preceded by the last four digits of the card’s account number, printed in the signature panel. This added security measure enables e-commerce and MO / TO retailers to verify that the buyer has the actual card in his or her possession during a card-not-present transaction. Visa’s equivalent security code is called Card Verification Value 2 (CVV2).


The CVC 2 is a security feature that all major payment gateways and virtual terminals support and your payment processor should make it available to you.


How to use CVC 2? The CVC 2 should be used in every e-commerce or MO / TO transaction. Consider implementing the following steps:

  1. Ask your customers for the last three digits in the signature panel on the back of the MasterCard card. Do not ask for the CVC 2 number, as your customer will most likely have no idea what this is.
  2. Depending on the response your customer gives to your CVC 2 request, include one of the following indicators in your authorization request, along with the card’s expiration date and the account number:

    Indicator | When to Use It
    0 | If the CVC 2 is not included in the authorization request.
    1 | If the CVC 2 is included in the authorization request.
    2 | If your customer has stated that the CVC 2 is illegible.
    9 | If your customer has stated that the CVC 2 is not on the card.

  3. The card issuer will reply to your request with one of the CVC 2 result codes listed below. Take it into consideration, along with all other factors in determining the validity of the transaction.

    Result Code | Recommended Action
    M – Match | The CVC 2 is valid. Complete the transaction, taking into account all other transaction characteristics.
    N – No Match | The CVC 2 is not valid. View this result as a very strong indicator of fraud. It may, however, be the result of a key-entry error, so you may consider resubmitting the CVC 2 request.
    P – CVC 2 request not processed | You should resubmit the request.
    S – the cardholder has stated that the CVC 2 is not on the card | The CVC 2 code should be on all MasterCard cards. Consider following up with your customer to verify that he or she has checked the correct card location.
    U – the card issuer does not support CVC 2 | In this case you should evaluate all available information and decide whether to proceed with the transaction or investigate further.


Storing of CVC 2 is prohibited. Never keep or store CVC 2 codes once a transaction is completed. Storing CVC 2 codes is prohibited and could result in fines. You may store other account information, e.g. cardholder name, account number and expiration date but not the CVC 2.
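The steps above, together with the storage rule, can be sketched as follows. This is an added example, not code from the original post or from MasterCard: the function names, the dictionary field names and the accepted customer answers are hypothetical, and only the indicator values 0, 1, 2 and 9 come from the table on this page.

```python
# Added example: pick the CVC 2 indicator for the authorization request and
# keep the CVC 2 out of anything that is stored. Field names are hypothetical.
import re

# Indicator values from the table on this page.
NOT_INCLUDED, INCLUDED, ILLEGIBLE, NOT_ON_CARD = "0", "1", "2", "9"

# Only the fields the page says may be kept after the transaction.
STORABLE_FIELDS = ("cardholder_name", "account_number", "expiration_date")


def cvc2_fields(customer_answer):
    """Map the customer's answer to (indicator, CVC 2 or None).

    customer_answer is the three digits, "illegible", "not on card",
    or None when the code was not collected (hypothetical input format).
    """
    if customer_answer is None:
        return NOT_INCLUDED, None
    answer = customer_answer.strip().lower()
    if answer == "illegible":
        return ILLEGIBLE, None
    if answer == "not on card":
        return NOT_ON_CARD, None
    if re.fullmatch(r"[0-9]{3}", answer):
        return INCLUDED, answer
    raise ValueError("expected the three digits from the signature panel")


def build_authorization_request(name, account_number, expiration, customer_answer):
    """Assemble the request: account number, expiration date, indicator, code."""
    indicator, cvc2 = cvc2_fields(customer_answer)
    request = {
        "cardholder_name": name,
        "account_number": account_number,
        "expiration_date": expiration,
        "cvc2_indicator": indicator,
    }
    if cvc2 is not None:
        request["cvc2"] = cvc2  # lives only in the in-flight request
    return request


def record_for_storage(request):
    """Copy an allow-list of fields, so the CVC 2 can never be persisted."""
    return {field: request[field] for field in STORABLE_FIELDS}
```

An allow-list is used instead of deleting the `cvc2` key so that a field added to the request later is not stored by accident.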


Why should you use CVC 2? Using CVC 2 will benefit your organization in a number of ways, including:

  • Enhanced fraud protection. Card-not-present merchants run a greater risk of processing fraudulent transactions than their store-front counterparts. Using CVC 2 provides an additional step in the process of verifying the validity of both the card and the cardholder.
  • Reduced chargebacks. Reduced fraud leads to reduced fraud-related chargebacks. Chargebacks due to other reasons, however, will remain unaffected by the use of CVC 2.
  • Improved bottom line. Fraudulent and charged-back transactions lead to lost revenue and can mean extra processing time and costs. CVC 2 helps limit such losses and minimize operating costs.




Thursday, March 25th, 2010

How to Validate Credit Card Numbers in E-Commerce Transactions

Tags: card security codes, card-not-present transactions, CVC 2, CVV2, e-commerce best practices, fraud prevention

Card-not-present transactions present merchants with fraud prevention challenges that are either non-existent or much easier to address in a card-present environment. E-commerce merchants are required to verify the validity of all bank cards submitted for payment on their websites, just as their brick-and-mortar counterparts are required to do in their physical stores. However, they lack the advantage that store-front retailers have in being able to physically examine the card’s features, in order to determine whether or not it has been tampered with.


Still, web-based merchants are not entirely helpless in their fraud prevention efforts. They have plenty of tools at their disposal to assist them in the card validation process and should implement the following best practices:

  • Use the Mod 10 algorithm. Developed by IBM scientist Hans Peter Luhn, the Mod 10 algorithm was designed to validate a variety of identification numbers. In the payment card industry, the Mod 10 algorithm is used to verify credit card numbers before submitting transactions for authorization. The Mod 10 algorithm detects all single-digit errors, as well as almost all transpositions of adjacent digits. To implement the algorithm in your fraud prevention system:
    • Contact your processor and ask for the Mod 10 algorithm that lets you check the validity of a card number.
    • Use the Mod 10 algorithm to check all e-commerce transactions before submitting them for authorization.
    • Immediately notify your customer if the card fails to pass the Mod 10 check. Display the following message on the customer’s screen “The card number you entered is invalid. Please try again.” or a similar message.
    • Do not submit the transaction for authorization until the card number passes the Mod 10 check.


    Using the Mod 10 algorithm for checking the validity of your customers’ card numbers will help protect your business against fraud or an error on the part of the cardholder and minimize related disputes and losses.

  • Display only the last four digits of a repeat customer’s card number. When showing on your website the account information of a returning customer, only display the last four digits of his or her card number. The truncation of the sixteen-digit account number and the displaying of only the last four digits helps minimize e-commerce fraud risk, but it also assures customers that you are taking concrete measures to securely handle their personal information. The last four digits of a card account provide customers with enough information to enable them to identify their card and to determine whether or not to use it or to select another payment method.
  • Use the card security codes. Card security codes are the three-digit numbers found in the signature panels on the back of Visa (Card Verification Value 2 – CVV2), MasterCard (Card Verification Code 2 – CVC 2) and Discover (Card Identification Number – CID) cards and the four-digit numbers found slightly above and to the right of the account numbers of American Express cards (Card Identification Number – CID). These numbers are generated when the card is issued, by hashing the card number and expiration date under a key known only to the card issuer. Card security codes help merchants verify that their customers are in physical possession of their cards at the time of the transaction. To use the card security codes, follow these steps:
    • Ask your customer for the card’s security code. Make sure you explain where the code is to be found on the card.
    • Include the number your customer provides in your authorization request.
    • Evaluate the result code you receive and take it into consideration when determining the validity of the transaction. Be advised that the card security code response is separate from the authorization response.
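The Mod 10 check and the last-four-digits display described in the first two practices above can be implemented as below. This is an added example, not code from the original post or from any processor: the function names and the accepted length range of 12 to 19 digits are assumptions, and the card numbers in the demonstration are constructed test values.

```python
# Added example: Mod 10 (Luhn) check before authorization, plus masking of
# a stored card number. Function names and length limits are assumptions.
import re

INVALID_MESSAGE = "The card number you entered is invalid. Please try again."


def normalize_pan(raw):
    """Drop spaces and dashes; return the digits, or None if malformed."""
    digits = re.sub(r"[ -]", "", raw)
    return digits if re.fullmatch(r"[0-9]{12,19}", digits) else None


def luhn_ok(digits):
    """Mod 10: double every second digit from the right, sum, test % 10."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9  # same as adding the two digits of the product
        total += value
    return total % 10 == 0


def check_before_authorization(raw):
    """Return (ok, message); submit for authorization only when ok is True."""
    digits = normalize_pan(raw)
    if digits is None or not luhn_ok(digits):
        return False, INVALID_MESSAGE
    return True, ""


def mask_pan(raw):
    """Show a returning customer only the last four digits."""
    digits = normalize_pan(raw)
    if digits is None:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    # Constructed test numbers, not real accounts.
    print(check_before_authorization("4111 1111 1111 1111"))  # passes
    print(check_before_authorization("4111111111111112"))     # one digit wrong
    # "09" swapped to "90" is the adjacent transposition Mod 10 cannot see.
    print(luhn_ok("4111111111091115"), luhn_ok("4111111111901115"))
    print(mask_pan("4111-1111-1111-1111"))
```

Passing the Mod 10 check only shows that the number is well-formed; whether the account exists and is in good standing is decided by the authorization response.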


