CVV numbers without violating PCI compliance

Hi everyone.  Here is a situation for which I am looking for a conceptual solution at this point.  Data is collected via our vendor, then sent to our site; then we work with the data and at a later date the client has to pay for the services.  At the point of data collection with our vendor, credit card information is passed to the site to be charged at a later date, and the "later date" part is the issue.

 

We can't store CVV numbers without violating PCI compliance, and the other payment provider we had used for many years allows transactions without CVV numbers, yet this particular client is determined to use Authorize.Net.  Any thoughts on how I would approach something like this?

paulZ
Member
Accepted Solution

Your only option in that scenario would be to use the card numbers without CVV2/CVC2 data. That's something fully supported by Authorize.Net, by the way.

 

If there was a compelling case for needing the card code to run the transaction (lower rates, lower fraud risk, requirement of the merchant account provider), you could set up a system where the customer is notified that their account is ready to be charged, then direct them to a form where they confirm the last four digits of the card number on file and enter the card code to actually process the transaction. In the meantime, you could be storing the card information yourself (subject to more stringent PCI-DSS requirements) or store the card information using our customer profiles feature.

 

Another possibility is to authorize the transaction with an authorization-only transaction with the card code at the time the customer first provides the payment details. Later, when the transaction is ready to be completed and fully paid, you simply send a "capture" request to tell us it's time to settle that transaction that was previously authorized. That's a more common way of working in this scenario, but whether it works for you depends on how much time elapses (in days) between the time the customer enters the data and the time you need to complete the transaction, as well as the relationship with your vendor and whether you can step in and do an authorization right when the payment info is entered.


Aaron
All Star
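The authorize-now, capture-later flow from the accepted answer, worked through as an added example (it is not code from the thread or from Authorize.Net). The two request bodies follow the shape of the public Authorize.Net JSON API (createTransactionRequest with transactionType authOnlyTransaction, then priorAuthCaptureTransaction with refTransId); the merchant credentials, card data, transaction id and the hold window are placeholder assumptions, and nothing is sent over the network. The point it demonstrates is the one the answer makes: the card code is only ever in the first request, the record you keep between the two steps holds just the transaction id and last four digits (which also serves the "confirm last four, re-enter the code" option), and the capture needs no card data at all.

```python
"""Authorize-then-capture for a deferred charge.

Added example, not from the original thread or from Authorize.Net.  Request
bodies follow the public Authorize.Net JSON API shape; credentials, card
values, the transaction id and the hold window are placeholders.
"""
import json
from datetime import date

# Placeholder credentials (assumption: substitute your own sandbox keys).
API_LOGIN_ID = "YOUR_API_LOGIN_ID"
TRANSACTION_KEY = "YOUR_TRANSACTION_KEY"

# Sensitive authentication data that PCI DSS forbids storing after
# authorization.  The card code is the one this thread is about.
FORBIDDEN_AT_REST = {"cardCode", "track1", "track2", "pin"}


def build_auth_only(amount, card_number, expiration, card_code, ref_id):
    """Step 1: place a hold when the customer enters the card.
    This is the only request that ever carries the card code."""
    return {
        "createTransactionRequest": {
            "merchantAuthentication": {"name": API_LOGIN_ID, "transactionKey": TRANSACTION_KEY},
            "refId": ref_id,
            "transactionRequest": {
                "transactionType": "authOnlyTransaction",
                "amount": f"{amount:.2f}",
                "payment": {"creditCard": {
                    "cardNumber": card_number,
                    "expirationDate": expiration,
                    "cardCode": card_code,
                }},
            },
        }
    }


def record_for_storage(auth_request, trans_id, authorized_on):
    """What your own system keeps between authorization and capture:
    the gateway's transaction id, last four digits, expiry, amount and date.
    No full PAN and no card code."""
    tr = auth_request["createTransactionRequest"]["transactionRequest"]
    card = tr["payment"]["creditCard"]
    return {
        "transId": trans_id,
        "last4": card["cardNumber"][-4:],
        "expirationDate": card["expirationDate"],
        "amount": tr["amount"],
        "authorizedOn": authorized_on.isoformat(),
    }


def pci_violation(record):
    """Return the first thing in a record that must not be stored, or None.
    Catches forbidden keys and any digit string long enough to be a PAN."""
    if isinstance(record, dict):
        for key, value in record.items():
            if key in FORBIDDEN_AT_REST:
                return key
            found = pci_violation(value)
            if found:
                return found
    elif isinstance(record, list):
        for value in record:
            found = pci_violation(value)
            if found:
                return found
    elif isinstance(record, str):
        digits = record.strip()
        if len(digits) >= 13 and digits.isdigit():
            return "PAN"
    return None


def build_capture(record, today, max_hold_days):
    """Step 2: settle the earlier hold by its transaction id; no card data
    is needed.  max_hold_days is an assumption: how long an authorization
    stays valid depends on the card brand and merchant account, and an
    expired hold must be re-authorized rather than captured."""
    age = (today - date.fromisoformat(record["authorizedOn"])).days
    if age > max_hold_days:
        raise ValueError(f"authorization is {age} days old; re-authorize instead")
    return {
        "createTransactionRequest": {
            "merchantAuthentication": {"name": API_LOGIN_ID, "transactionKey": TRANSACTION_KEY},
            "refId": record["transId"],
            "transactionRequest": {
                "transactionType": "priorAuthCaptureTransaction",
                "amount": record["amount"],
                "refTransId": record["transId"],
            },
        }
    }


def capture_refused(record, today_iso, max_hold_days):
    """True when build_capture rejects the record as too old."""
    try:
        build_capture(record, date.fromisoformat(today_iso), max_hold_days)
    except ValueError:
        return True
    return False


def demo():
    """Run both steps with constructed values (test card number, made-up transId)."""
    auth = build_auth_only(125.00, "4111111111111111", "2030-12", "123", ref_id="order-1001")
    # The real transId arrives in transactionResponse.transId; this one is constructed.
    record = record_for_storage(auth, trans_id="2149186848", authorized_on=date(2024, 1, 10))
    if pci_violation(record):
        raise RuntimeError("record is not safe to store")
    capture = build_capture(record, today=date(2024, 1, 14), max_hold_days=7)
    return auth, record, capture


if __name__ == "__main__":
    for step in demo():
        print(json.dumps(step, indent=2))
```

The stored record deliberately goes through pci_violation before it is written anywhere; in a real system that check belongs at the persistence and logging boundary, since a request logger that dumps the first payload verbatim would store the card code just as surely as a database column would.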


Aaron,

 

Thank you for your reply, it answered my question completely and fully.  I really appreciate it.

Can you address another use case that may be similar? A customer comes into my store to make a payment and our system is down. A company rep takes their CC payment information to input once the system is up and running again. Would the rep be able to collect all the CC data, including the CVV?

rhines
Member

Visa/MC rules specifically prohibit requesting a CVV2/CVC2 number for a card present environment transaction. Since you're talking about doing this in a store, I'm assuming that you're talking about hand-keying the information into your terminal later. The short answer in that scenario is "no".