AVS/CVV Authorize.Net And osCommerce Question?

         

olimits7

12:35 am on May 11, 2006 (gmt 0)


Hello,

I have an osCommerce website and I'm in the process of opening up an account with Authorize.Net.

I'm looking to purchase an order processing software called OrderSuite to handle all my orders from osCommerce and it also integrates with Authorize.Net.

My website deals with a lot of pre-orders, so I don't have the inventory on hand just yet.

This is the issue I'm facing.

-Option 1-
If I authorize the credit cards through my website I will be able to save the CVV/AVS responses in my website database, and then import the credit card number & responses into OrderSuite. And then using OrderSuite I can capture the sale from Authorize.Net as long as the authorization is still within 30 days. However, I believe an authorization expires after 30 days so if I have a pre-order that won't be out until 2 months from now I will lose that authorization code.

-Option 2-
My second option is to just save the credit card numbers in my database and not use the CVV option. Then import the orders and credit card numbers not authorized. And when my pre-orders finally arrive to authorize, and capture the sale from OrderSuite. But the downfall of doing it this way is I won't be able to use the CVV option and potentially open my website to higher fraud orders.

If anybody has any experience regarding this issue or any recommendations on how I should handle this, I'm all ears.

P.S.
I'm located in the U.S. and will probably have a lot of international customers from UK, Australia, Canada, etc. Will the CVV and AVS verifications still work with international customers?

Thank you for your help,

olimits7

olimits7

3:46 pm on May 11, 2006 (gmt 0)


Can anybody give me any suggestions on this issue I'm facing?

Thank you, again.

olimits7

justgowithit

4:47 pm on May 11, 2006 (gmt 0)


"AVS verifications still work with international customers"

No, the address verification system/service is not capable of verifying billing addresses outside of the United States. Furthermore, International orders will run at a non-qualified discount tier meaning that when shopping for a merchant account you will specifically need to shop with this fee in mind.

To avoid headaches down the road you should be sure to mention to any prospective merchant account provider that you expect a large percentage of your orders to be of international (in relation to the United States) origins.

I'm a bit fuzzy about your order process, but the CVV/CVC information is very sensitive. You should check the exact card association regulations (VISA/MasterCard) about if and for how long you are able to store this info - there are restrictions. I would suggest that you take the time to read about VISA's Cardholder Information Security Program (CISP) [usa.visa.com].

"I believe an authorization expires after 30 days"

Don't bet on this. For this reason I would suggest a slightly modified version of your option #2. Authorizations will not necessarily keep for 30 days. In fact, some may drop after only 5 days. Also, the longer you hold an authorization the more at risk you will be for chargebacks (and losing disputed payments).

Are you selling a product (tangible) or a service (design, software, etc.)? Depending on what you're offering it may be in your best interest to take a nominal deposit up front so that you are able to take advantage of fraud protection measures such as CVV/CVC immediately and then discard such information so as not to infringe on storage regulations of sensitive data. Of course, processing banks aren't too keen on deposits.

olimits7

7:05 pm on May 11, 2006 (gmt 0)


Hi,

Thank you for your reply.

So the AVS won’t be helpful to me on my international customers, right? How about the CVV, will the CVV respond with the correct response variable if it matches for international customers?

I looked at the CISP and it says I can’t save the CVV number in my database, so I will have to figure out another way to handle this.

I’ll be selling products (tangibles) on my website.

I’ve been doing some thinking; let me know if you think this will work.

What if I set up my website to have an error popup message for a CVV number that didn’t match? It can say something like “Your CVV didn’t match, please try again.” It will use the response variable from Authorize.Net to determine if the CVV matched (M) or if it didn’t match (N), and use the proper popup message. This will still allow me to use the CVV fraud feature, and I won’t be saving the CVV number so I won’t be going against CISP.

If the CVV number didn’t match I won’t save any credit card number/info for that order in my database. However, if the CVV number did match I will save the credit card number/info encrypted in my database but not the CVV number, and import the orders to my order processing software I have. Where I can later authorize and capture all the non-fraud orders once I receive the inventory.

What do you think? My only question now is if the CVV will work on international customers because if it doesn’t it will be turning down a lot of valid CVV numbers.

Thank you, again.

olimits7
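The plan in the post above, sketched as an added example that is not code from the thread, osCommerce or Authorize.Net: the CVV is used for one gateway call, only the one-letter result is kept, and nothing is stored on a mismatch. `authorize` and `encrypt_pan` are hypothetical callables standing in for the gateway client and a vetted cipher, and sending results other than M or N to manual review is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Optional

CVV_MATCH, CVV_NO_MATCH = "M", "N"   # the two response values named in the thread

@dataclass
class Decision:
    status: str              # "stored", "rejected" or "review"
    message: str             # text shown to the shopper
    record: Optional[dict]   # what may be written to the database, or None

def assert_no_sensitive(record: dict, form: dict) -> None:
    """Fail closed if the CVV or the clear card number reached the record."""
    if "cvv" in record or "card_number" in record:
        raise ValueError("sensitive field in persisted record")
    if any(v == form["card_number"] for v in record.values()):
        raise ValueError("clear card number in persisted record")

def process_checkout(form: dict,
                     authorize: Callable[[dict], dict],
                     encrypt_pan: Callable[[str], bytes]) -> Decision:
    """Use the CVV for one gateway call, then decide what may be persisted."""
    # Hypothetical gateway wrapper: returns {"card_code_response": "M" | "N" | ...}
    response = authorize({"card_number": form["card_number"],
                          "exp": form["exp"], "cvv": form["cvv"]})
    code = response.get("card_code_response", "")
    if code == CVV_NO_MATCH:
        # Mismatch: nothing about the card is kept.
        return Decision("rejected", "Your CVV didn't match, please try again.", None)
    record = {
        "order_id": form["order_id"],
        "pan_ciphertext": encrypt_pan(form["card_number"]),  # hypothetical vetted cipher
        "pan_last4": form["card_number"][-4:],
        "exp": form["exp"],
        "cvv_result": code,   # the one-letter result only, never the CVV itself
    }
    assert_no_sensitive(record, form)
    if code == CVV_MATCH:
        return Decision("stored", "Order received.", record)
    # Assumption, not from the thread: any other result is held for manual review.
    record["needs_review"] = True
    return Decision("review", "Order received, pending verification.", record)

if __name__ == "__main__":
    # Constructed sample input: test card number, stand-in gateway and cipher.
    sample = {"order_id": "T-1", "card_number": "4111111111111111",
              "exp": "12/30", "cvv": "999"}
    result = process_checkout(sample, lambda req: {"card_code_response": "N"},
                              lambda pan: b"<ciphertext>")
    print(result.status, result.record)
```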

justgowithit

3:13 pm on May 12, 2006 (gmt 0)


Sounds like you've got a plan.

"if the CVV will work on international customers"

Yes, CVV and CVC will function properly on any bankcard with the feature. This includes cards issued outside of the United States.

moose606

4:17 pm on May 12, 2006 (gmt 0)


I would recommend against using CVV numbers on your shopping cart. It is against TOS from credit card companies to store these numbers on either server or in paper form. It is really a huge security/liability problem. The key is to look for 'red flags' when deciding if a credit card is valid or not. Things like originating country (Nigeria), valid telephone number, valid email account, Bank card is drawn on, large order with NDA shipping overseas, etc. After a while you can spot these orders immediately.

olimits7

6:19 pm on May 12, 2006 (gmt 0)


Hello,

I was reading this in the FAQ of the CISP *.pdf file.

5. When is it acceptable to store Card Verification Value 2 (CVV2)?
It is never acceptable for Acquirers, merchants, or service providers to retain CVV2, which consists of the last three digits printed on the signature panel of all Visa Cards, subsequent to transaction authorization. The Visa Operating Regulations prohibit such storage, whether encrypted or unencrypted.

Can this be interpreted as allowing me to store the CVV number just until I authorize the order? Since I'm dealing with a lot of pre-orders and don't have the inventory just yet, I would like to authorize the card once I get the inventory and then delete the CVV number. Do you think this still goes against CISP?

Thank you,

olimits7

ecommerceprofit

6:32 pm on May 12, 2006 (gmt 0)


I just spoke with the person who processes our credit cards (we do them manually through a terminal to prevent fraud and our chargebacks are almost zero). Starting Christmas 2005 we got a ton of declines so we started asking for the CVV codes and our declines went to almost zero - I asked her if we still need them and she said a ton of transactions would be declined without them.

Corey Bryant

7:22 pm on May 12, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It sounds like this authorization - sometimes called a pre-auth. It does not last 30 days. It usually lasts 3-14 business days - depending on the issuing bank.

Basically this authorizes your account to have a specific amount of money. Once this authorization lapses, you can still sometimes claim the money thru the internet payment gateway. And usually it will go through - as long as the consumer has the money, but the money is not guaranteed to you once the authorization lapses.

-Corey

olimits7

8:04 pm on May 12, 2006 (gmt 0)


Hi,

Thank you for your replies.

Do you store the CVV numbers in a database just up until the authorization is submitted? Do you think this is something that is allowed?

Thank you,

olimits7

jatar_k

8:05 pm on May 12, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



My understanding is that it isn't allowed.

You can't store them in any way at any time.

olimits7

3:01 pm on May 13, 2006 (gmt 0)


Hello,

I just got in contact with CISP and this is what they told me regarding storing the CVV number.

======
The duration allowed for TEMPORARY CVV2 storage PRIOR to authorization follows the industry standard - either immediate authorization once obtained or within the 24-hr allowable period. The only exception for a longer storage duration pertains to store-and-forward when lines are down. After authorization is initialized, all CVV2 data must be completely purged in all parts of the system.
======

olimits7

Corey Bryant

1:26 pm on May 15, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The others are correct, you cannot store the CVV at all. When Visa finds out, your merchant account can be terminated and you might be placed on the TMF.

-Corey