The logic and process we have decided to implement is to validate the CVV and AVS at the time we create the Customer Payment Profile. The CVV will not change if the credit card is still valid (i.e. if the credit card is not expired). I suppose there is the possibility that if the user has lost their credit card and a new credit card is issued, then the CVV will change and the stored profile will not contain a valid CVV.
I don’t think this happens very often, and of the times it does occur, how likely is it that the credit card is compromised and used on your website or in your app? If the user attempts to update their credit card, we also validate the CVV and AVS responses, so I think the only loophole would be if the credit card has been lost and the CVV is changed. A new CVV is issued when the credit card has expired, but we will not let the user charge a credit card with an expiration in the past.
This seems to be the trade-off. You, as the merchant, offload all PCI responsibility to Authorize.net, so that the merchant does not take on the extra PCI scrutiny and stays at a lower PCI level.
This approach requires the fraud filter restrictions to be altered so that a CVV is required only when one is provided. We only check the CVV when we create or update a Customer Payment Profile, which is when we ask the user to provide all relevant data to store a Customer Payment Profile in CIM.
CCV Handling Filter:
Tools → Fraud Detection Suite → Enhanced CCV Handling Filter
Change this setting:
P is NOT Processed from Decline → Allow
Our Enhanced Card Code Verification settings:
N Does NOT Match → Decline
P is NOT Processed → Allow
S Should be on card, but is not indicated → Decline
U Issuer is not certified or has not provided encryption key → Decline
This means that when you charge a Customer Payment Profile and the CVV is not provided, the transaction will not trigger the filter (Authorize.net’s response is P). This way you won’t have to store the CVV or ask the client for a CVV every time there is a purchase. If you want to be safe and validate the CVV every time, you would have to ask the client to provide it, as storing a CVV violates PCI compliance. I suppose you could ask in a pop-up for the CVV. I have seen this implemented in websites, but it doesn’t provide a very friendly user experience.
I hope this helps! If you have another solution, I would love to hear about it.
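The policy described in the post (validate CVV and AVS once when the Customer Payment Profile is created or updated, refuse expired cards, and charge the stored profile later without a CVV so the card code response is "P"), written out as an added example. This is illustrative code, not Authorize.net's SDK or the poster's implementation: it simulates the Enhanced Card Code Verification filter table from the post as a dictionary, and the accepted AVS codes, the profile fields, the sample dates and the profile ids are assumptions constructed for the example. It also shows the contrast with the default setting (P → Decline), which is why the filter has to be altered for this approach to work.

```python
from dataclasses import dataclass
from datetime import date

# Enhanced Card Code Verification (CCV) filter, as configured in the post:
# response letter -> filter action. The only change from the default is
# "P" (card code NOT processed) switched from Decline to Allow.
ECCV_SETTINGS = {
    "N": "Decline",  # Does NOT match
    "P": "Allow",    # Is NOT processed (no card code sent with the transaction)
    "S": "Decline",  # Should be on card, but is not indicated
    "U": "Decline",  # Issuer is not certified or has not provided encryption key
}

# The stricter default (P -> Decline), kept only to show the contrast.
ECCV_DEFAULT = {**ECCV_SETTINGS, "P": "Decline"}

# AVS results this example treats as acceptable at profile creation time.
# Assumption for the example, not an Authorize.net default.
AVS_ACCEPTED = {"Y", "X"}


def card_code_filter_action(card_code_response, settings=ECCV_SETTINGS):
    """Map a card code response letter to the filter action ('Allow'/'Decline').
    'M' (match) never triggers the filter; unknown letters are declined."""
    if card_code_response == "M":
        return "Allow"
    return settings.get(card_code_response, "Decline")


def is_expired(exp_month, exp_year, today):
    """A card is usable through the last day of its expiration month."""
    return (exp_year, exp_month) < (today.year, today.month)


@dataclass
class PaymentProfile:
    profile_id: str
    exp_month: int
    exp_year: int
    cvv_validated: bool  # CVV matched when the profile was created or updated
    avs_validated: bool  # AVS result was acceptable at the same time
    # The CVV itself is never stored; only the outcome of the check is.


def create_payment_profile(profile_id, exp_month, exp_year,
                           cvv_response, avs_response, today):
    """Policy from the post: CVV and AVS are validated once, when the profile
    is created (or updated). Raises ValueError if validation fails."""
    if is_expired(exp_month, exp_year, today):
        raise ValueError("card is expired")
    # At creation the CVV is required, so 'P' (not processed) is also a failure.
    if cvv_response == "P" or card_code_filter_action(cvv_response) != "Allow":
        raise ValueError(f"CVV validation failed: {cvv_response}")
    if avs_response not in AVS_ACCEPTED:
        raise ValueError(f"AVS validation failed: {avs_response}")
    return PaymentProfile(profile_id, exp_month, exp_year, True, True)


def charge_payment_profile(profile, today, settings=ECCV_SETTINGS):
    """Charge a stored profile. No CVV is sent, so the gateway's card code
    response is 'P'; whether that passes depends on the filter settings.
    Returns a dict describing the outcome."""
    if is_expired(profile.exp_month, profile.exp_year, today):
        return {"approved": False, "reason": "card expired",
                "card_code_response": None, "filter_action": None}
    if not (profile.cvv_validated and profile.avs_validated):
        return {"approved": False, "reason": "profile never validated",
                "card_code_response": None, "filter_action": None}
    response = "P"  # constructed: no card code was submitted with the charge
    action = card_code_filter_action(response, settings)
    return {"approved": action == "Allow",
            "reason": "ok" if action == "Allow" else "CCV filter declined",
            "card_code_response": response, "filter_action": action}


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed date
    profile = create_payment_profile("cust-001", 12, 2026, "M", "Y", today)
    print(charge_payment_profile(profile, today))                # approved: P -> Allow
    print(charge_payment_profile(profile, today, ECCV_DEFAULT))  # declined: P -> Decline
```

Running the script shows the same stored profile being approved under the altered filter and declined under the default one, which is exactly the behaviour the post's "P is NOT Processed → Allow" change is meant to produce; the expiration check is applied on both creation and charge, matching the rule that a card with a past expiration is never charged.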