[ic] CVV2 with Interchange

Mike Heins interchange-users@interchange.redhat.com
Wed Jan 23 14:23:01 2002


Quoting Ed LaFrance (edl@newmediaems.com):
> At 10:23 AM 01/23/2002 -0500, you wrote:
> >On Wed, 23 Jan 2002, Mike Heins wrote:
> >
> > > Once again, I advise against collecting CCV2, and *certainly* against
> > > storing it anywhere. I know quite a few merchant providers who give
> > > discounts for using AVS, but none that give a discount for CCV2.
> > >
> > > I know I would not fill my own in on a form; it is my protection
> > > against fraud. If it is not embossed on the card, it should not
> > > be left as an "impression" on the site.
> > >
> > > If your payment gateway includes it as a "best practice" item in their
> > > recommended implementation, perhaps they have a rationale in this. At
> > > that point, if you collect and use it in your gateway implementation, I
> > > would strongly recommend putting
> > >
> > >       FormIgnore  mv_credit_card_ccv2
> > >
> > > in catalog.cfg. That prevents it from being stored in the session,
> > > just like mv_credit_card_number is not stored now. It could still
> > > be used in the gateway module by bringing it from the $CGI reference.
> >
> >Actually, since sometime in the IC 4.7.x timeframe, mv_credit_card_cvv2
> >has been on the list of CGI variables not to add to the session, like
> >mv_credit_card_number, so the above shouldn't be necessary.
> 
> FWIW, I think we will be seeing more of this requirement in the near 
> future.  Especially among third-party processors ("aggregators") like the 
> one I use; they have just notified me that effective Feb 1, the CVV2 will be 
> required for all credit card transactions.  While I understand Mike Heins' 
> hesitation to key it in on a web form for fear of compromising his 
> protection against fraud, I'm afraid that the CC co's and gateway providers 
> look at it from a different angle: it is *their* extra measure of 
> protection against being defrauded.
> 

Most processors are not having problems within the US (or your domestic
country of choice). The great push is for more verification for overseas
orders, where AVS is simply not practical.

For instance, most volume online operations are no longer accepting overseas
credit card orders where shipment does not go to the billing address. In
the case of Eastern European countries like Romania and the Ukraine,
many companies simply refuse to make shipments to them. The fraud rate
on Romanian orders apparently is well in excess of 90%, and it is
getting unacceptably high in some other countries like Mexico.

[sidebar]
    It is a shame that ISPs in countries like Romania, China, and the
    Ukraine don't crack down on their abusers. It makes it very
    difficult for honest businesses and citizens in the country to
    prosper. If you can add your voice to this effort when talking to an
    ISP, please do.
[/sidebar]

I could see using CVV2 in that case. For domestic shipments where the fraud
rate for online-verified orders is negligible, that doesn't make sense.

Once again, I don't pretend to be authoritative here -- the processor is the
best guide. Still in all, if I was asked for a CVV2 when I use a US credit
card and Billing Address == Shipping Address, I would not supply it.

-- 
Red Hat, Inc., 3005 Nichols Rd., Hamilton, OH  45013
phone +1.513.523.7621      <mheins@redhat.com>

If you like what you're gettin', keep doin' what you're doin'. -- Hector
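
The thread spells the field both mv_credit_card_ccv2 and mv_credit_card_cvv2. The sketch below is an added example, not Interchange code and not from the original post. It models an exact-name ignore list to show why the name in FormIgnore has to match the field the form actually submits. The built-in list, the simplified parser, the helper names and the sample submission are all assumptions made for illustration.

```python
import re

# Assumption from the thread: these are already excluded from the session.
BUILTIN_IGNORE = {"mv_credit_card_number", "mv_credit_card_cvv2"}

# Constructed form submission; note the field uses the "ccv2" spelling.
SAMPLE_CGI = {
    "mv_credit_card_number": "4111111111111111",  # standard test number
    "mv_credit_card_ccv2": "123",
    "b_city": "Hamilton",
}

def parse_form_ignore(cfg_text):
    """Collect field names from 'FormIgnore a b ...' lines (simplified parser)."""
    names = set()
    for line in cfg_text.splitlines():
        m = re.match(r"\s*FormIgnore\s+([^#]+)", line)
        if m:
            names.update(m.group(1).split())
    return names

def update_session(cgi, ignore):
    """Model of session update: persist every form value not on the ignore list."""
    return {k: v for k, v in cgi.items() if k not in ignore}

def gateway_fields(cgi):
    """Hypothetical gateway module: reads card data from the request, not the session."""
    return {k: v for k, v in cgi.items() if k.startswith("mv_credit_card_")}

def leaked(session, cgi):
    """Card fields from the request that were written to the session."""
    return sorted(k for k in gateway_fields(cgi) if k in session)

def run(cfg_text):
    """Return (card fields found in the session, fields the gateway can still read)."""
    ignore = BUILTIN_IGNORE | parse_form_ignore(cfg_text)
    session = update_session(SAMPLE_CGI, ignore)
    return leaked(session, SAMPLE_CGI), gateway_fields(SAMPLE_CGI)

if __name__ == "__main__":
    print(run(""))                                   # built-in list only
    print(run("FormIgnore  mv_credit_card_ccv2\n"))  # with the directive
```

In this model the gateway still sees the value in both runs, since it reads from the request; only what is written to the session changes.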