 |
 |
Visa / MasterCard
Industry Terms |
|
Card Verification for
Card-Not-Present Sales - CVV2 & CVC2
In
a traditional retail (card present) transaction, the magnetic stripe is read
by a point-of-sale (POS) terminal. Visa's Card Verification Value (CVV)
or MasterCard's Card Validation Code (CVC) is encoded within that stripe and
can be verified by the card issuer during the authorization.
However, when the card is
not present the CVV or CVC cannot be validated. To help reduce fraud in
the card-not-present environment, acquirers, merchants, and issuers use the
CVV-2 or CVC-2 program.
What is CVV2 or CVC2?
The CVV2 / CVC2 is a three-digit security code that is printed on the back
of cards. The number appears in reverse italic at the top of the signature
panel at the end (see sample). This program helps validate that a genuine
card is being used during a transaction. All MasterCard cards, both credit
and debit, were required to contain CVC2 by January 1, 1997; all Visa cards
by January 1, 2001.
How does CVV2 or CVC2 Work?
Card-not-present merchants are being directed to ask cardholders for CVV-2 /
CVC-2 when cardholders place orders. Merchants ask the cardholder to read
this code from the card. The merchant then asks for CVV2/CVC2 verification
during the authorization process. The issuer (or processor) validates the
CVV2/CVC2 and relays the decline/approve results during the authorization
process. Merchants, by using the CVV2/CVC2 results along with the
Address Verification Service (AVS) and
authorization responses, can then make more informed decisions about whether
to accept transactions. In addition, merchants using CVV2/CVC2 can expect to
reduce their chargebacks by as much as 26 percent.
Changes to signature panel?
Previously the three-digit CVV2 or CVC2 number followed the 16-digit account
number printed on the card's signature panel. The 16-digit account number is
now truncated to four digits on the signature panel. This change makes
it easier for cardholders to sign their cards. It also makes it easier for
merchants to compare the signature on the card to the one on the sales
draft; no longer will those 19 digits (16 + 3) get in the way of verifying a
signature!
Data Security
 Payment Card Industry Data
Security Standards (PCI DSS) prohibit the storage of the CVV2 data.
However, for recurring,
installment or split transactions, merchants may be exempted from having
to submit the CVV values with subsequent transactions. Ask us
about the Merchant Vault ; an approved and certified service wherein the
CVV codes are encrypted and secured for future transactions.
What are CVV2
Result Codes?
|
Result Code |
Definition
|
|
|
|
|
M |
CVV 2
matched - Generally speaking, you will want to proceed with
transactions for which you received an authorization approval, a CVV 2
match and an address verification match If requested). |
|
|
|
|
N |
CVV 2
did not match - You may want to follow up with the cardholder
before completing the transaction, even if you received an
authorization approval. If you got an authorization approval but you
think an incorrect CVV 2 value might have been sent initially, you can
resend the CVV 2 - but be sure to use a zero dollar amount for the
transaction so the customer's credit line won't be affected by the
second CVV 2 request. |
|
|
|
|
P |
CVV 2 request not
processed - Either (1) the expiration date was not provided, or
(2) the card does not have a CVV 2 value. If the expiration date
was left blank, resubmit as a zero dollar amount for the transaction
so the customer's credit line won't be affected by the second CVV 2
request. |
|
|
|
|
S |
CVV 2 should be on
the card but merchant sent a code indicating there was no CVV 2.
You may want to follow up with the customer to re-verify that the
customer checked the correct location for the CVV 2 |
|
|
|
|
U |
Issuer does not
support CVV 2 |
|
