Reply
Highlighted
Member
Posts: 3
Registered: ‎09-10-2018
Accepted Solution

How to send CVV when charging customer profile

Hi All,

 

We are using {createCustomerProfileRequest} to add Customer profiles and {createCustomerPaymentProfileRequest} method to add customer payment profiles.

 

Now my question is if we want to use {createTransactionRequest} to charge that customer's profile how should we pass CVV for each transaction?

 

Thanks


Accepted Solutions
Highlighted
Solution
Accepted by topic author shah9il
‎09-13-2018 04:44 AM
Posts: 333
Kudos: 59
Solutions: 36
Registered: ‎03-13-2017

Re: How to send CVV when charging customer profile

Hi @shah9il

 

You can pass it along with the paymentProfileID as below 

 

<profile>
<customerProfileId>27388924</customerProfileId>
<paymentProfile>
<paymentProfileId>25000332</paymentProfileId>
<cardCode>123</cardCode>

</paymentProfile>
</profile>

 

 

Check the Request fields under https://developer.authorize.net/api/reference/index.html#payment-transactions-charge-a-customer-prof...

 

Thanks





Send feedback at developer_feedback@authorize.net

View solution in original post


All Replies
Highlighted
Solution
Accepted by topic author shah9il
‎09-13-2018 04:44 AM
Posts: 333
Kudos: 59
Solutions: 36
Registered: ‎03-13-2017

Re: How to send CVV when charging customer profile

Hi @shah9il

 

You can pass it along with the paymentProfileID as below 

 

<profile>
<customerProfileId>27388924</customerProfileId>
<paymentProfile>
<paymentProfileId>25000332</paymentProfileId>
<cardCode>123</cardCode>

</paymentProfile>
</profile>

 

 

Check the Request fields under https://developer.authorize.net/api/reference/index.html#payment-transactions-charge-a-customer-prof...

 

Thanks





Send feedback at developer_feedback@authorize.net
Highlighted
Member
Posts: 7
Registered: ‎06-01-2017

Re: How to send CVV when charging customer profile

Are you saying that we have to store the CCV/CVC value ourselves and send that through every time we want to charge a payment profile?

 

This surely violates PCI compliance rules and goes against the point of the customer pay profile mechanism?

 

I ask because I have a similar-sounding setup detailed in my question here: https://community.developer.authorize.net/t5/Integration-and-Testing/AcceptJS-not-passing-through-CV...

Highlighted
Member
Posts: 2
Registered: ‎08-09-2019

Re: How to send CVV when charging customer profile

[ Edited ]

if you have found the solution can you help with what will be the PHP code for this?

Highlighted
Contributor
Posts: 14
Registered: ‎12-06-2019

Re: How to send CVV when charging customer profile

The logic and process we have decided to implement is to validate the CVV and AVS at the time we create the Customer Payment Profile. The CVV will not change if the credit card is still valid (i.e. if the credit card is not expired). I suppose there is the possibility that if the user has lost their credit card and a new credit card is issued, then the CVV will change and the stored profile will not contain a valid CVV.

 

I don’t think this happens very often and of how often that may occur, how likely is it that the credit card is compromised and used on your website or in your app? If the user attempts to update their credit card we also validate the CVV and AVS responses, so I think the only loophole would be if the credit card has been lost and the CVV is changed. A new CVV is issued when the credit card has expired, but we will not let the user charge a credit card with an expiration in the past.

 

This seems to be the trade off. You, as the merchant, offload all PCI responsibility to Authorize.net, so that the merchant is not taking on the extra PCI scrutiny and staying in a lower PCI level.

This approach requires the fraud filter restrictions to be altered, which require a CVV to be present only when it is provided. We only check CVV when we create or update a Customer Payment Profile, which is when we ask the user to provide all relevant data to store a Customer Payment Profile in CIM.

 

CCV Handling Filter:

Tools → Fraud Detection Suite → Enhanced CCV Handling Filter

 

Change this setting:
P is NOT Processed from DeclineAllow

 

Our Enhanced Card Code Verification settings:

N Does NOT Match → Decline

P is NOT Processed → Allow

S Should be on card, but is not indicated → Decline

U Issuer is not certified or has not provided encryption key → Decline

 

This means that when you charge a Customer Payment Profile and the CVV is not provided, the transaction will not trigger the filter (Authorize.net’s response is P). This way you won’t have to store the CVV or ask the client for a CVV every time there is a purchase. If you want to be safe and validate the CVV every time, you would have to ask the client to provide it as it violates PCI compliance to store a CVV. I suppose you could ask in a pop-up for the CVV. I have seen this implemented in websites, but it doesn’t provide a very friendly user experience.

 

I hope this helps! If you have another solution, I would love to hear about it.