Credit Card Processing Blog

Authentication of an e-commerce credit card transaction is the process through which a merchant verifies the validity of the payment information provided be the customer. The process involves the verification of both the cardholder’s identity and the card’s authenticity. The Credit Card Associations of Visa and MasterCard have developed several authentication services that are all available to e-commerce merchants and it is recommended that they use them all to reduce the number of fraudulent transactions and chargebacks.

• Address Verification Service (AVS). AVS enables merchants who accept credit card payments in a non-face-to-face setting to compare the billing address (the address to which the card issuer sends its monthly statement for that account) provided by a customer to the billing address on the card issuer’s file before processing a transaction. After comparing the provided address with the one they have on file for their cardholder, the card issuer responds by issuing one of the AVS Response code listed in the table below.
  
  

  AVS Response Code	Explanation and Recommended Action
  X – exact match	Address and nine-digit ZIP code match – if the other fraud services raise no suspicions, you should process the transaction.
  Y – match	Address and five-digit ZIP code match – follow the instructions above.
  A – partial match	Address matches but ZIP code does not – a sign of a potential fraud. You may want to investigate further before making a decision.
  Z – partial match	ZIP code matches but address does not – a sign of a potential fraud. Follow the above instructions.
  N – no match	Neither address nor ZIP code match – a strong sign of a fraud. You should take additional steps to investigate the transaction.
  U – unavailable	The card issuer system is unavailable and the address cannot be verified. You need to make a decision whether to process the transaction without AVS or not.
  R – retry	The card issuer system is unavailable – you should try again later.
  U – no AVS support	If the card issuer does not support AVS you will have to make a decision whether to process the transaction or not based on other criteria.
  G – global	The address is outside of the U.S. – AVS cannot be used. You should take further steps to verify the authenticity of the transaction.

  
  Address verification and transaction authorization occur simultaneously and, within seconds, the merchant receives both results.

• Card Security Codes. Card Security Codes are the 3-digit numbers located on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards, in or around the signature panel, and the 4-digit numbers located on the front of American Express (CID) cards, above the card account number. Card Security Codes help verify that the customer is in a physical possession of a valid card during a card-not-present transaction. Similarly to the AVS, the merchant includes the security code with the authorization request and the issuer replies with a response code, as listed in the table below:
  
  

  Response Code	Explanation and Recommended Action
  M – match	The code is valid. Complete the transaction, taking into account all other transaction characteristics.
  N – no match	The code is not valid. View this result as a very strong indicator of fraud. It may, however, be the result of a key-entry error, so you may consider resubmitting the code request.
  P – request not processed	You should resubmit the request.
  S – the cardholder has stated that the code is not on the card	The security code should be on all valid cards. Consider following up with your customer to verify that he or she has checked the correct card location.
  U – the issuer does not support the card security codes	In this case you should evaluate all other available information and decide whether to proceed with the transaction or investigate further.




• Verified by Visa and MasterCard SecureCode. Verified by Visa and MasterCard SecureCode are authentication systems that validate a cardholder’s ownership of an account in real-time during an e-commerce transaction. When the cardholder clicks “Buy” at the checkout page of a participating merchant’s website, a new screen automatically appears in the cardholder’s browser. The cardholder enters a password that allows the card issuer to verify his or her identity.

These services are free to cardholders who can register their credit card accounts online on the Associations’ or on the card issuers’ websites. During the registration process the cardholder creates the password he or she will use later during the authentication process. Once the card is registered and activated with Verified by Visa or MasterCard SecureCode, the card number will be automatically recognized whenever the cardholder shops at participating stores. The cardholder will be prompted to enter his or her password and, upon password verification, the transaction will be completed.

Learn how to minimize chargebacks and fraud

Learn how to minimize chargebacks and reduce your processing costs. The Chargeback Management kit contains a video and an e-book:

• E-Book – Chargeback Manual (40 pages).
• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).

Card-not-present transactions present merchants with fraud prevention challenges that are either non-existent or much easier to address in a card-present environment. E-commerce merchants are required to verify the validity of all bank cards submitted for payment on their websites, just as their brick-and-mortar counterparts are required to do in their physical stores. Yet, e-commerce merchants lack the advantage that store-front retailers have in being able to physically examine the card’s features, in order to determine whether or not it has been tampered with.

Still, web-based merchants are not entirely helpless in their fraud prevention efforts and have at their disposal plenty of tools to assist them in the card validation process and should implement the following best practices:

• Use the Mod 10 algorithm. Developed by IBM scientist Hans Peter Luhn, the Mod 10 algorithm was designed to validate a variety of identification numbers. In the payment card industry, the Mod 10 algorithm is used to verify credit card numbers before submitting transactions for authorization. The Mod 10 algorithm detects all single-digit errors, as well as almost all transpositions of adjacent digits. To implement the algorithm in your fraud prevention system:
  • Contact your processor and ask for the Mod 10 algorithm that lets you check the validity of a card number.
  • Use the Mod 10 algorithm to check all e-commerce transactions before submitting them for authorization.
  • Immediately notify your customer if the card fails to pass the Mod 10 check. Display the following message on the customer’s screen “The card number you entered is invalid. Please try again.” or a similar message.
  • Do not submit the transaction for authorization until the card number passes the Mod 10 check.

  
  Using the Mod 10 algorithm for checking the validity of your customers’ card numbers will help protect your business against fraud or an error on the part of the cardholder and minimize related disputes and losses.

• Display only the last four digits of a repeat customer’s card number. When showing on your website the account information of a returning customer, only display the last four digits of his or her card number. The truncation of the sixteen-digit account number and the displaying of only the last four digits helps minimize e-commerce fraud risk, but it also assures customers that you are taking concrete measures to securely handle their personal information. The last four digits of a card account provide customers with enough information to enable them to identify their card and to determine whether or not to use it or to select another payment method.
• Use the card security codes. Card security codes are the three-digit numbers found in the signature panels on the back of Visa (Card Verification Value 2 – CVV2), MasterCard (Card Verification Code 2 – CVC 2) and Discover (Card Identification Number – CID) cards and the four-digit numbers found slightly above and to the right of the account numbers of American Express cards (Card Identification Number – CID). These numbers are generated when the card is issued, by hashing the card number and expiration date under a key known only to the card issuer. Card security codes help merchants verify that their customers are in a physical possession of their cards at the time of the transaction. To use the card security codes, follow these steps:
  • Ask your customer for the card’s security code. Make sure you explain where the code is to be found on the card.
  • Include the number your customer provides in your authorization request.
  • Evaluate the result code you receive and take it into consideration when determining the validity of the transaction. Be advised that the card security code response is separate from the authorization response.

What is Card Verification Value 2 (CVV2). All major credit card companies have placed card security codes on their credit and debit cards as an additional security feature for merchants who accept Visa cards as payment over the telephone or online. Visa’s Card Verification Value 2 (CVV2) is a three-digit number printed on the back of every Visa credit or debit card. It is located in the top right corner of the signature panel or immediately to the right of it. It is preceded by the last four digits of the card’s account number, printed in the signature panel. CVV2 was introduced to help e-commerce and mail order and telephone order (MO / TO) merchants verify that their customers are in a physical possession of their cards at the time of the transaction. It is a feature that all major e-commerce payment gateways support and your payment processing provider should make it available to you.

How to use CVV2. If your organization operates in either the e-commerce or the MO / TO industry, you should follow these procedures when accepting credit and debit cards:

1. Always ask your customers for the last three digits in the signature panel on the back of the card. Do not ask for the CVV2 number as customers will most likely have no idea what this is.
2. Depending on the response the customer gives to your CVV2 request, you should include one of the following indicators in your authorization request, along with the card’s expiration date and the account number:
   • “0″ – if the CVV2 is not included in the authorization request.
   • “1″ – if the CVV2 is included in the authorization request.
   • “2″ – if your customer has stated that the CVV2 is illegible.
   • “9″ – if your customer has stated that the CVV2 is not on the card.
3. When the card issuer replies with the CVV2 result code, you should take it into consideration, along with all other factors in determining the validity of the transaction. You will receive one of the following result codes:
   • “M” – Match – the CVV2 is valid.
   • “N” – No Match – the CVV2 is not valid, a very strong indicator of fraud. It may, however, be the result of a key-entry error, so you may consider resubmitting the CVV2 request.
   • “P” – CVV2 request not processed – you should resubmit the request.
   • “S” – the cardholder has stated that the CVV2 is not on the card. The CVV2 code should be printed on all Visa cards. In the case of an “S” response you should verify that the customer is looking for it in the right place.
   • “U” – the card issuer does not support CVV2. In this case you should considering other fraud prevention services.

Be advised that storing of CVV2 is prohibited. You may store other account information, e.g. cardholder name, account number and expiration date but not the CVV2.

Benefits of using CVV2. CVV2 benefits merchants operating in a card-not-present environment in a number of ways, including:

• Enhanced Fraud Protection. E-commerce and MO / TO merchants run a greater risk of processing transactions using stolen account numbers than their brick-and-mortar counterparts. Using CVV2 provides an additional step in the process of verifying the validity of both the card and the cardholder.
• Minimized Chargebacks. Reduced fraud leads to reduced fraud-related chargebacks. Chargebacks due to other reasons, however, will remain unaffected by the use of CVV2.
• Improved Bottom Line. Fraudulent and charged-back transactions lead to lost revenue and to additional processing costs. CVV2 helps limit such losses.