Credit Card Verification Code (CVV)

Credit Card Verification Code (CVV)


Introduction

This code is not found on the magnetic stripe, making it impossible for the defrauder to copy the magnetic stripe or to learn the card’s verification code. This code is not embossed on the credit card either (characters engraved in the card) so it is impossible to trace the card to obtain the code.
The following shows the location of the verification code on the card:

MasterCard and Visa: The code is located on the back of the card and follows the number of the card printed on the front. The code is comprised of three numbers.


This validation technique does not entirely eliminate the risk of fraud, but it can ensure that the client who made the transaction has all of the card information before proceeding.


Advantages and disadvantages

The advantages of this feature are as follows:

  • It reduces the possibility of fraud (does not eliminate all possibilities of credit card fraud).
  • It increases the client confidence rate because merchants request additional security information.
  • The three-digit code enables a merchant who takes orders over the Internet, by telephone or by mail to ask the cardholder to provide the unique three-digit number that appears on the back of the Visa card.
    • Visa and the issuers verify this code in real time in order to help the merchant to ensure that the person making the purchase is in possession of the card.
    • If the client can only provide the credit card’s 16-digit number and expiry date, it is possible that the client does not possess the card, which could signal a fraudulent transaction.


Known disadvantages are as follows:

  • Not all issuing institutions support this validation.
  • The payment solution does not support verification code validation with American Express cards.
    • There is a note on the payment solution redirection page indicating that the verification only applies to Visa and MasterCard credit cards (which make up approximately 96% of the credit card transactions made using the PayFacto solution).

Impacts and changes in processing the transaction

Operation


When carrying out a transaction in which the client is not in the presence of the point of sale terminal operator (Internet or MOTO), the merchant will:

In integrated mode


  • Obtain the verification code from the client when obtaining credit information;
  • Forward this information to the payment solution;
  • The response is sent to the merchant. The payment solution returns a verification status to the merchant along with the transaction response. The code verification does not influence the transaction’s return code. The transaction can be accepted when there is an error in the code verification. It is up to the merchant to determine what action to take next depending on the status returned.
  • The merchant makes a decision using the verification status to accept or decline the transaction.



If accepted:


  • The merchant must send the acknowledgement of receipt to the payment solution.
  • The payment solution issues a return code to the merchant once the acknowledgement of receipt has been received. The transaction will not be cancelled.



If declined:


  • The merchant must send a negative acknowledgement (NACK) to the payment solution.
  • The payment solution will issue a return code. If the NACK is successful, the payment solution will cancel the transaction. The payment solution will create a new status in the management tool: cancelled by the merchant.


In redirection mode

  • The redirection process will not change the page, so the client will not see the redirection page on the payment solution servers. The payment page displays the verification code input field as well as the instructions to visually locate the code on the various cards.
  • When the transaction is being processed and if it is successful, the payment solution servers will redirect to the merchant’s success page. The merchant must obtain the response by using the session identifier.
  • The response is returned to the merchant. During the integration process, the merchant will be able to choose who between the PayFacto solution and the merchant will make the decision to cancel a transaction when there is an error in the verification code validation status.
  • If the merchant chooses to process the transaction:
  • The payment solution returns a verification status to the merchant with the transaction response. The verification of the code does not influence the transaction’s return code. The transaction can be accepted when there is an error in the verification code. It is up to the merchant to determine what action to take next depending on the status returned.
  • The merchant makes a decision using the verification status to accept or decline the transaction.


  • If accepted:



- The merchant must send the acknowledgement of receipt to the payment solution.

- The payment solution issues a return code to the merchant for the acknowledgement of receipt. The transaction will not be cancelled.

  • If declined:



- The merchant must send a negative acknowledgement (NACK) to the payment solution.

- The payment solution will issue a return code. If the NACK is successful, the payment solution will cancel the transaction. The payment solution will create a new status in the management tool: cancelled by the merchant.

  • If the merchant decides that the payment solution is to process the validation status.
  • If the transaction is successful with a validation code status that is not recommended (see table below), the PayFacto solution will cancel the transaction and issue a substantive return code to the validation code and no verification code. The merchant must acknowledge receipt of the transaction. The following is an equivalency table for the PayFacto solution return codes with non-recommended statuses.
Validation StatusAssociated Return Code
N9122
S9123

Note that if the verification code does not meet the specifications mentioned in the technical documentation, the code returned will be 9121, regardless of who makes the decision.

The payment solution restates that currently, if the merchant does not send the acknowledgement of receipt, the payment solution will cancel the transaction within less than three minutes. This cancellation is made without notifying the merchant and the result of the cancellation is displayed on the PayFacto solution management console. If the merchant does not send the acknowledgement of receipt (ACK) or the negative acknowledgement (NACK), the payment solution will cancel the transaction after three minutes have passed since the client pressed the Pay key.

User interface

In integrated mode

The changes to be made in the user interface consist of adding an additional input field (intended for the three-digit verification code) on the payment by credit card page, as well as clear instructions for the client indicating how to locate and identify the verification code on the credit card. The payment solution has no restrictions regarding the method used to indicate the position of the verification code.

Depending on its business rules, the merchant can make the input field mandatory.

Internet mode

In Internet mode, it is preferable to require the input before processing the transaction. The PayFacto solution recommends inputting the validation code.

In call centre mode (MOTO)

The merchant has the right to request the credit card’s verification code to proceed with the purchase. During their conversation, the call center agent must properly guide the user to enable him/her to locate and identify the verification code on the card. The mail request form should include a space for the client to record the verification code along with clear instructions to help the client locate and identify the code.

In redirection mode

The PayFacto solution has modified the redirection page to add this new field. The modification should appear as follows:

Displaying the input field is optional. It is activated by the payment solution integrators when the merchant terminals have been activated to support the validation and the merchant has completed the changes in the application. When the verification code’s input field is activated, the code will have to be entered or else the transaction cannot be processed. The payment solution’s redirection page will display an error window indicating to the user that the verification code must be entered.

Edit

In virtual terminal mode

The payment solution offers validation for Internet and MOTO merchants. Merchants in point-of-sale terminal (POS) mode are not affected by this change.

The following changes have been made to the virtual terminal page for verification code input:



Once integrated, the merchant will have the choice between a sale with or without a verification code. If the code option is selected, the page displayed will have an additional field to enter the code together with the instructions to help the client to locate the code on the credit card.

Edit

Return code management


Important

Merchants must never, under any circumstances, store the verification code in their databases. The PayFacto solution does not store this value in its payment history. If the verification code is available, it must be provided in the payment request. Web services users must use the new WSDL. Note that the verification code value will not be returned in the response to the merchant. A new field will be added to the payment solution’s response.



The following are the possible values returned by the payment solution:

ValeurMeaningRecommendation
M(3-Digit code matched) Indicates that the issuer was able to verify the 3-digit code value provided by the merchant. Complete the transaction if the authorization request was approved.The merchant must send the acknowledgement of receipt (ACK) in order to complete the transaction.
Y(4-Digit code matched) Indicates that the issuer was able to verify the 4-digit code value provided by the merchant. Complete the transaction if the authorization request was approved.The merchant must send the acknowledgement of receipt (ACK) in order to complete the transaction.
N(3-Digit Code did not match) Indicates that the issuer was not able to verify the 3-digit code provided by the merchant. Contact the cardholder to verify the 3-digit code before completing the transaction, even if the authorization request was approved.The issuer received the verification code but the code received does not match the one that should be on the card.The merchant must send the NACK to cancel the transaction if an authorization was issued.
P(3-Digit code request was not processed) Indicates that the issuer was unable to verify the 3-digit code provided by the merchant because their verification system was not functioning or not all the information needed to verify the 3-digit code (such as the expiration date) was included in the request).The merchant must send the acknowledgement of receipt (ACK) in order to complete the transaction.
U(the issuer does not participate in 3-digit code service or has not provided Visa with encryption keys, or both) Indicates that the issuer is not participating in the 3-digit code service, or has not provided the issuer with the encryption keys needed to perform the verification.The merchant must send the ACK in order to complete the transaction. VISA: If the merchant requests a 3-digit code response during authorization and receives a U response from an issuer, it means the issuer is not participating in the 3-digit code service. In this situation, the acquirer has the right to represent a fraud chargeback for the transaction on the merchant’s behalf, effective April 2005
S(3-Digit code should be on the card) Indicates that the issuer was unable to perform 3-digit code verification, and notifies the merchant that the card should contain a 3-digit code value. Contact the cardholder to verify the 3-digit code before completing the transaction.The merchant must send the NACK in order to cancel the transaction if an authorization was issued.
All other valuesIssuers may produce new statuses for this verification.
NOTE : It is recommended to save this value and to contact the payment solution for more information.		The merchant must send the NACK in order to cancel the transaction if an authorization was issued.



Important

It is important to remember that the verification code’s validation status does not influence authorization of the transaction.
If the transaction is not authorized, no validation status will be returned to the merchant.
The card issuer can decide to deny the transaction in the event of an erroneous verification code.
Some issuers authorize transactions with N, P and U return codes. Others will simply deny authorization.



Edit

In integrated mode

The verification code entered must be provided upon sending or when the Web service calls.

When the purchase transaction is entered, there are two additional parameters. In the case of the Web service, a new WSDL will be published and the parameters will be taken into account in the new transaction.The merchant must add the input of the verification code into its Internet or MOTO applications. The current payment application must be modified to add the verification code to the beginning of the transaction. The sending of the transaction remains unchanged.

When the merchant obtains the parameters in response to the transaction, a verification code validation status will be added. Based on this status, the merchant will have to acknowledge receipt to complete the transaction or use a new function that issues an acknowledgement of receipt to the payment solution but with a warning to cancel the transaction (transaction called NACK).

The synopsis of the transaction will be similar to the acknowledgement of receipt (ACK). The difference is that the function’s success indicates that the transaction will be cancelled at the merchant’s request (statuses 10, 11 or 12 in the payment solution management console).

Meanings of the management console statuses:

10The merchant received the transaction’s response and requests its cancellation.
11The transaction is being cancelled following the merchant’s request.
12The transaction was cancelled at the merchant’s request.



In redirection mode


The payment solution provides the client with this option on the redirection page. The session creation procedure and redirection to the payment page remain unchanged. If the merchant chooses to process the verification code’s validation status, the change will be on the successful transaction page (transaction authorized). When the merchant obtains the parameters in response to the transaction, a verification code validation status will be added. Based on this status, the merchant will have to acknowledge receipt to complete the transaction or use a new function that issues an acknowledgement of receipt to the payment solution but with a warning to cancel the transaction (transaction called NACK).

The synopsis of the transaction will be similar to the acknowledgement of receipt (ACK). The difference is that the function’s success indicates that the transaction will be cancelled at the merchant’s request (status 10 in the payment solution management console).

    • Related Articles

    • Address Verification Status (AVS) Result Codes

      INTRODUCTION During a transaction where the customer's card is not presented at the merchant's location (inputType : I or M), the merchant can enter the address corresponding to his credit card statement on the payment page. This validation technique ...

    • Code Example - Java

      JAVA Edit main.java CTPaymentClient restv1Client = new CTPaymentClient("https://test.api.payfacto.com/", "00000000000000000000000000000000000" ); // PURCHASE EXAMPLE HashMap<String, String> params = new HashMap<String, String>(); ...

    • Code Example Microsoft .NET

      Microsoft .NET Edit main.cs PaymentTransaction paymentTransaction = new PaymentTransaction("https://test.api.payfacto.com/v1", "00000000000000000000000000000000000"); String purchaseInput = FillPurchaseInput(); transactionOutput = ...

    • SHC - Secure Hosted Checkout

      Secure Hosted Checkout What is Secure Hosted Checkout? Secure Hosted Checkout (SHC) is a JavaScript library that allows merchants to collect and send cardholder information to PayFacto for authorization (pre-authorization), purchase, or verification ...

    • API v1.0 - SHC - Secure Hosted Checkout

      About SHC What is Secure Hosted Checkout? Secure Hosted Checkout (SHC) is a JavaScript library that allows merchants to collect and send cardholder information to PayFacto for verification without needing to access that information directly. When ...