Complying With Visa’s CVV2 Mandate

If you’re a retailer in Canada, you need to make sure you’re following Visa’s CVV2 mandate. Visa is looking to crack down on fraudulent “Card Not Present” transactions in Canada and is now implementing the mandate to combat fraud. If you fail to follow the mandate, you could be liable for the fraudulent charges.

“Card Not Present” transactions refer to transactions over the phone or online. In both cases, the merchant is processing a payment with a credit card, but the card itself is not physically presented to the merchant. This makes it easier for unscrupulous parties to push fraudulent transactions through.

As for CVV2, this refers to a “Card Verification Value”. For Visa credit cards, the CVV2 number can be found on the back of the card, at the top of the signature space. Most credit cards have a CVV2 number somewhere on the card. Mastercard and Discover card CVV2s can also be found on the back of the card, in the signature box. American Express instead has a four-digit number on the front of the card.

While unscrupulous parties may be able to get their hands on a credit card number and name through a skimming machine or other methods, they often fail to capture the CVV2. So by requiring merchants to obtain the CVV2, Visa may be able to reduce fraudulent transactions.

While this article focuses specifically on Canada, Visa has been rolling out similar requirements globally. Rules and requirements may vary from jurisdiction to jurisdiction.

So What is Visa’s New CVV2 Mandate?

First, all ecommerce merchants, and all merchants processing payments over the phone or online, must obtain the CVV2 while completing a transaction. Online, this simply means asking the customer for their CVV2 number and having them type it into a box. For orders over the phone, the customer service representative or order processing program can ask for the CVV2.

If a merchant does process a payment without obtaining the correct CVV2, they will be liable for the charges. Visa will not reimburse your company. For ecommerce merchants, this shifts the risks of fraud from the customer and Visa to you. Obviously, this is a major risk that must be mitigated. 

Visa has enforced the CVV2 mandate on new merchants since October of 2017. As of October 13, 2018, all merchants have been required to follow the mandate. 

It’s important to note that as a merchant you are not allowed to ask for a Card Verification Value on a mail order form. This is strictly forbidden. If Card Verification Values start floating around on physical forms, it’ll be easier for unscrupulous parties to uncover a number that should be kept secure.

What Do PayKickstart’s Customers Need to Do?

Not much! PayKickstart already includes a box for customers to enter their Card Verification Value. From here, the merchant or payment processor must ensure that the typed-in CVV matches the value that’s on file. This makes it much easier for you to stay on the right side of Visa’s mandate.

PayKickstart’s payment forms have been designed to be simple but comprehensive. By using the many templates we offer, it should be easy to obtain the Card Verification Value. You can also build your own template. Either way, you can quickly and easily mitigate risks. 

What if My Shopping Cart Solution Doesn’t Support Card Verification Value?

If your shopping cart doesn’t allow you to obtain a CVV, or doesn’t make it easy, you need to switch to a cart that does. The same is true of payment processors. Getting the appropriate CVV is not optional; it is required. If you fail to do so, you’ll end up paying.

How Serious of a Risk is Card Not Present Fraud?

There’s a reason Visa and other card companies are cracking down on Card Not Present (CNP) fraud. Quite simply, it’s the most common type of credit card fraud in Canada, and in many other countries as well. 

In 2012, CNP fraud totaled CAD $269.5 million. This accounted for a significant chunk of the total $18.9 billion in online sales in Canada in 2012. Even worse, CNP fraud has grown more prevalent since. By 2015, CNP fraud had reached CAD $537.3 million.

Meanwhile, physically lost or stolen credit cards accounted for just 5 percent of fraudulent transactions in 2015. In other words, risks increase greatly when the card is not present. 

Card Not Present fraud has been on the rise in other markets as well. The United States has seen a surge in CNP fraud in recent years. Part of this is simply due to the fact that e-commerce is booming. At the same time, however, unscrupulous parties are becoming increasingly sophisticated.

Every Ecommerce Company Must Take Fraud Seriously

No matter where you’re located, credit card fraud, and CNP fraud in particular, presents great risks. Even if a credit card company reimburses you, in the long run fraud will make ecommerce more expensive, exerting pressure on fees and interest rates as credit card companies try to recoup their losses.

Governments in Europe, the United States, Canada, and elsewhere have been rolling out regulations and requirements to combat credit card fraud. Credit card companies are also actively combating fraud. CVV2 will likely be followed up by new mandates and regulations.

The best way to stay prepared is to make sure you’re up to date on all of the current regulations and mandates, such as CVV2 in Canada and 3-D Secure in the European Union. You also need to keep an eye on emerging developments and trends. When it comes to security, it’s always best to be proactive as you’ll mitigate risks and ensure you’re in compliance well before reaching the deadline.

[Figure: 3-D Secure flow. Source: https://en.wikipedia.org/wiki/3-D_Secure#/media/File:3D_Secure_Flow.png]

And Always Use a Secure Shopping Cart

On one final note, we take security and regulatory requirements seriously at PayKickstart. Payment processing services and shopping carts can represent a risk if they are not properly secured. 

That’s why we work with payment processors that have a reputation for being secure, such as PayPal, and also take security seriously ourselves. We also work hard to ensure that our cart empowers our customers and makes it easier for them to meet regulatory requirements.