Retrieving CVV # from standard credit card methods

This forum is dedicated to answering AbleCommerce 7.0 questions about PCI certification and compliance.
Post Reply
ksolito
Lieutenant, Jr. Grade (LT JG)
Lieutenant, Jr. Grade (LT JG)
Posts: 42
Joined: Tue Nov 25, 2008 3:16 pm

Retrieving CVV # from standard credit card methods

Post by ksolito » Wed Apr 29, 2009 1:48 pm

The standard credit card methods appear to collect the CVV number but it is not displayed in the order payment account details where the CC # is displayed.

1) Is the CVV actually collected and saved in the database.
2) What do I have to do to display the CVV and delete it after it has been retrieved?

kastnerd
Commodore (COMO)
Commodore (COMO)
Posts: 474
Joined: Wed Oct 22, 2008 9:17 am

Re: Retrieving CVV # from standard credit card methods

Post by kastnerd » Thu Apr 30, 2009 7:51 am

Normally the CVV code is not stored, its sent to your credit card gateway to Authorize the transaction, or to actually card the card. Then the approval code is stored in the database.

User avatar
Logan Rhodehamel
Developer
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: Retrieving CVV # from standard credit card methods

Post by Logan Rhodehamel » Thu Apr 30, 2009 10:03 am

ksolito wrote:1) Is the CVV actually collected and saved in the database.
2) What do I have to do to display the CVV and delete it after it has been retrieved?
The major card issuers all have merchant terms of service that specifically prohibit the storage of this value for any reason. If you are not sending the CVV to a real-time payment gateway (like AuthorizeNet) then you are out of luck. As part of complying with PCI requirements we strip this value from the data before it is written to the database.
Cheers,
Logan
Image.com

If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.

ksolito
Lieutenant, Jr. Grade (LT JG)
Lieutenant, Jr. Grade (LT JG)
Posts: 42
Joined: Tue Nov 25, 2008 3:16 pm

Re: Retrieving CVV # from standard credit card methods

Post by ksolito » Thu Apr 30, 2009 10:50 am

Logan_AbleCommerce wrote:
ksolito wrote:1) Is the CVV actually collected and saved in the database.
2) What do I have to do to display the CVV and delete it after it has been retrieved?
The major card issuers all have merchant terms of service that specifically prohibit the storage of this value for any reason. If you are not sending the CVV to a real-time payment gateway (like AuthorizeNet) then you are out of luck. As part of complying with PCI requirements we strip this value from the data before it is written to the database.
So what you're saying then, is AbleCommerce cannot take credit cards except by paying for a third party gateway service?

Was this disclosed when my customer purchased AC? Can you give me links to the specific terms that prohibit collecting the CVV?

My customer tells me he specifically contacted his credit card companies and was told only that it must be deleted after it's retrieved.

ETA: I am looking at merchant agreements now and will be doing more research but the exact wording I am seeing is "Other data elements, such as CVV must not be stored after authorization." We have no intention of retaining CVV numbers but we do need to have them to obtain the initial authorization.

User avatar
Logan Rhodehamel
Developer
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: Retrieving CVV # from standard credit card methods

Post by Logan Rhodehamel » Thu Apr 30, 2009 2:14 pm

ksolito wrote:So what you're saying then, is AbleCommerce cannot take credit cards except by paying for a third party gateway service?
Not at all. You are welcome to use the other collected cardholder data (name, card number, expiration) and process manually. AbleCommerce supports this, so long as your offline processor does not require the CVV. This really depends on your merchant account and your bank. Usually processing rates are higher for transactions without CVV.

AbleCommerce is not allowed to store the CVV, nor can we facilitate any attempts to do so. Instead I need to inform you of the risks and the potential penalties of attempting to store this value. The agreement that binds AbleCommerce is the PA-DSS:
pa-dss wrote:3.2.2 Do not store the cardverification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.
You can find more at https://www.pcisecuritystandards.org/se ... _dss.shtml. As for merchants, I don't have the specific agreements signed by your customer. I can point you to an example of what I mean:

http://www.mastercard.com/us/merchant/p ... s_5_08.pdf
MasterCard wrote:A Merchant and any DSE of the Merchant must not store in any system or in any manner, discretionary Card-read data, CVC 2 data, PIN data, Address Verification Service (AVS) data, or any other prohibited information as set forth in the Standards including, but not limited to, section 10.2 of the Security Rules and Procedures manual, except during the authorization process for a Transaction, that is, from the time an Authorization Request message is transmitted and up to the time the Authorization Request Response message is received. The Corporation permits storage of only the Card account number, expiration date, Cardholder name, and service code, each of which, if stored, must be stored in a secure environment to which access is limited, and then only to the extent that this data is required for bona fide purposes and only for the length of time that the data is required for such purposes.
This is on page 5-12, under section "5.10.3 Storage of Information".

The penalties for non-compliance with PCI for merchants are pretty hefty. I hope this information is helpful.
Cheers,
Logan
Image.com

If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.

ksolito
Lieutenant, Jr. Grade (LT JG)
Lieutenant, Jr. Grade (LT JG)
Posts: 42
Joined: Tue Nov 25, 2008 3:16 pm

Re: Retrieving CVV # from standard credit card methods

Post by ksolito » Mon May 04, 2009 1:04 pm

Logan_AbleCommerce wrote:except during the authorization process for a Transaction, that is, from the time an Authorization Request message is transmitted and up to the time the Authorization Request Response message is received.
I understand that the CVV2 data cannot be stored post authorization. The quote above confirms that. I do not understand why you prohibit pre-auth storage.

My assertion is confirmed here as well:

PA-DSS Security Audit Procedures
https://www.pcisecuritystandards.org/pd ... s_v1-1.pdf
1.1 Do not store sensitive authentication data subsequent to authorization (even if encrypted): Sensitive authentication data includes the data as cited in the following Requirements 1.1.1 through 1.1.3. PCI Data Security Standard Requirement 3.2 Note: By prohibiting storage of sensitive authentication data “subsequent to authorization,” the assumption is that the transaction has completed the authorization process and the customer has received the final transaction approval. After authorization has completed, this sensitive authentication data cannot be stored.
And...
1.1 If sensitive authentication data (see 1.1.1–1.1.3 below) is stored prior to authorization and then deleted, obtain and review methodology for deleting the data to determine that the data is unrecoverable. For each item of sensitive authentication data below, perform the following steps after completing numerous test transactions that simulate all functions of the payment application, to include generation of error conditions and log entries.
All of the above quotes (as does Visa, not sure about AMEX) clearly allow storage of the CVV2 UNTIL authorization so I remain confused as to why you don't support this necessary operation.

afm
Captain (CAPT)
Captain (CAPT)
Posts: 339
Joined: Thu Nov 03, 2005 11:52 pm
Location: Portland, OR
Contact:

Re: Retrieving CVV # from standard credit card methods

Post by afm » Mon May 04, 2009 2:14 pm

ksolito wrote:All of the above quotes (as does Visa, not sure about AMEX) clearly allow storage of the CVV2 UNTIL authorization so I remain confused as to why you don't support this necessary operation.
I think most e-commerce developers believe those statements apply to online authorization, not manual authorization. With online authorization, the time period is less than 1 minute. With manual authorization, the time period is open ended, but could easily be days.

Can you contact one of the accredited auditors or Visa to get a definitive answer? Please don't go by what your merchant processor says...they seem to be more confused than merchants.
Andy Miller
Structured Solutions

Shipper 3 - High Velocity Shipment Processing

User avatar
Logan Rhodehamel
Developer
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: Retrieving CVV # from standard credit card methods

Post by Logan Rhodehamel » Mon May 04, 2009 2:51 pm

ksolito wrote:from the time an Authorization Request message is transmitted
You left out this very important part of the quote. You are not asking about transmission of the request, you are asking about temporary storage of the value until you can manually transmit the request to your processor on the customer behalf. That violates the whole purpose of the value - it is to show that you have the card present, when in fact you would not.

Also two things... you are referring to an older specification and you are referring to the audit procedures rather than the spec itself. The new specification against which we are concerned with is v1.2. The requirement I am concerned with is 3.2.2. I quoted the requirement above, and the testing criteria we must pass is even more clear:
pci-dss v1.2 wrote:3.2.2 For a sample of system components, verify that the three-digit or four-digit card-verification code or value printed on the front of the card or the signature panel (CVV2, CVC2, CID, CAV2 data) is not stored under any circumstance:
AbleCommerce does not and will not support attempts to store the card security code. If you wish to take advantage of the code using AbleCommerce, you must use an online payment gateway.
Cheers,
Logan
Image.com

If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.

ksolito
Lieutenant, Jr. Grade (LT JG)
Lieutenant, Jr. Grade (LT JG)
Posts: 42
Joined: Tue Nov 25, 2008 3:16 pm

Re: Retrieving CVV # from standard credit card methods

Post by ksolito » Mon May 04, 2009 8:28 pm

Logan_AbleCommerce wrote:You are not asking about transmission of the request, you are asking about temporary storage of the value until you can manually transmit the request to your processor on the customer behalf.
Correct. The spec clearly prohibits storage AFTER auth.
Logan_AbleCommerce wrote:That violates the whole purpose of the value - it is to show that you have the card present, when in fact you would not.
That is incorrect. CVV2 is card NOT present. A google search will show many links to documents confirming that, Visa is clear about it: http://usa.visa.com/merchants/risk_mana ... esent.html.

And here: http://www.bbbonline.org/eexport/doc/me ... e_cvv2.pdf
What is CVV2? CVV2, which stands for Card Verification Value 2, is an important security feature for merchants who accept Visa cards as payment over the telephone or online. Located on the back of all Visa cards, the CVV2 consists of the last three digits printed on the signature panel. In the card-not-present sales environment, CVV2 is an excellent tool for verifying that the customer has a legitimate Visa card in hand at the time of the order.
I agree that the testing criteria 3.2.2 is clear about storage "not stored under any circumstance". It also contradicts the primary specification that prohibts storage but 'after authorization'. PCI then, destroys any possiblity of ecommerce credit card sales except where real time authorization occurs.

User avatar
Logan Rhodehamel
Developer
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: Retrieving CVV # from standard credit card methods

Post by Logan Rhodehamel » Tue May 05, 2009 9:07 am

ksolito wrote:Correct. The spec clearly prohibits storage AFTER auth.
It also prohibits storage prior to transmission. I interpret transmission to be between the customer and the bank.
ksolito wrote:
Logan_AbleCommerce wrote:That violates the whole purpose of the value - it is to show that you have the card present, when in fact you would not.
That is incorrect. CVV2 is card NOT present.
I was rephrasing what you posted in response. The CVV2 proves the customer has the actual card. The reason it is proof is because nobody is ever supposed to record that value. That value is ONLY available if you have the card. As soon as you start recording the value, it opens the possibility that the recorded data could be compromised. Then it would no longer be proof that a customer has the actual card.
ksolito wrote:I agree that the testing criteria 3.2.2 is clear about storage "not stored under any circumstance". It also contradicts the primary specification that prohibts storage but 'after authorization'. PCI then, destroys any possiblity of ecommerce credit card sales except where real time authorization occurs.
Unless you find a card processor that will allow you to submit offline transactions without the CVV. They are available but their per-transaction rate will be higher, since the risk of fraud is higher.

I am not understanding the resistance to the use of an online payment gateway? They are an integral part of ecommerce sales. We offer plenty of choices and some of them (like PayPal) are extremely simple to get started with! Then you can take advantage of the card security code without the need to store it. In fact, you don't need to store any card information. That is the best protection of all.
Cheers,
Logan
Image.com

If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.

ksolito
Lieutenant, Jr. Grade (LT JG)
Lieutenant, Jr. Grade (LT JG)
Posts: 42
Joined: Tue Nov 25, 2008 3:16 pm

Re: Retrieving CVV # from standard credit card methods

Post by ksolito » Tue May 05, 2009 12:40 pm

Logan_AbleCommerce wrote:I am not understanding the resistance to the use of an online payment gateway?
Expense and change of business practices.
Logan_AbleCommerce wrote:We offer plenty of choices and some of them (like PayPal) are extremely simple to get started with!
Paypal is just about useless when the merchandise is shooting related.

chuckdvc
Lieutenant Commander (LCDR)
Lieutenant Commander (LCDR)
Posts: 97
Joined: Fri Mar 20, 2009 12:32 pm

Re: Retrieving CVV # from standard credit card methods

Post by chuckdvc » Wed May 20, 2009 10:35 pm

The resistance comes from our experience in the last 2 days after going live with Ablecommerce and Authorize.net.

I want to reiterate that I confirmed with my processor more than once that I am allowed to collect and use the CVV until processed then it must be removed completely.

But we had so much time and money invested i decided to go ahead with Authorize.net.

These are a couple problems I experienced and maybe you can help me with a way to handle these problems better.

We have Authorize.net set to Authorize only. We capture once we pick and verify the order.

One thing that happens to us on a daily basis is a customer will place an order then email us or call in and add to it, sometimes more than once. Or we may find a customer orders 5 products that ship in 5 separate boxes and the shipping was incorrect. I know we can select an option to ship the product by itself but more times than not they will order small items with it than go in the same box. So no way to account for both scenarios with any software that I know of. Different issue anyway.

So the issue is the actual charge is more than the authorization. we tried to capture one today for more and it was not successful. Well if we capture the first amount now we dont have the info for billing to process a separate order for the additional amount. If we change it and authorize again then that ties up the customers card for the second amount also and if its a debit card it holds their money until it drops off. And all this assumes they have enough capacity on the card to handle the extra.

We are trying to adopt our business to the parameters of these products but find it very inflexible. I was hoping Able would keep the card and expiration and allow future billing to save us or the customer from adding again and again. I did post a question some time ago in a different section about this function and how it integrates with Authorize.net but failed to get an answer last I looked.

One other issue is we had a customer order a high dollar product today that was a custom/special order. We require a 300.00 deposit. I dont want to hit this guys card for the complete amount when we wont get it in for 2 months. So now that we captured the 300.00 we cant bill the remainder without calling him to get the number again. Maybe we can and why I am asking for help.

I have provided real life examples of why the process needs to be diferent than what it appears it is restricted to. If there is another way to proceed i would appreciate any input.

Mods, if this needs to go in another part of the forum please move. It just really relayed to the last post here. Kevin is my webmaster so its relevant as he was asking for my store.

User avatar
jmestep
AbleCommerce Angel
Posts: 8163
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH
Contact:

Re: Retrieving CVV # from standard credit card methods

Post by jmestep » Thu May 21, 2009 6:29 am

Able does store the expiration date if you have it set to retain account information. If you go into an order, click payments, click Show Account Details, you will see the card number and expiration date.
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx

chuckdvc
Lieutenant Commander (LCDR)
Lieutenant Commander (LCDR)
Posts: 97
Joined: Fri Mar 20, 2009 12:32 pm

Re: Retrieving CVV # from standard credit card methods

Post by chuckdvc » Thu May 21, 2009 10:01 am

Ok, ours was set to save it for 0 days. This should help for now. Except I tried a transacation with no cvv and it wouldnt take it through Auhtorize.net. I no I can set the parameters to not need a cvv but I want it at least for the initial order.

We are looking into doing some of our own work arounds to get the cvv so we can still use another method.

nogatek
Ensign (ENS)
Ensign (ENS)
Posts: 18
Joined: Thu Aug 28, 2008 7:57 pm

Re: Retrieving CVV # from standard credit card methods

Post by nogatek » Wed Nov 18, 2009 8:01 pm

Hello Judie,

We are using AC 7.0.3 and have storage and SSL enabled as you mention above, but when I follow you instructions above the 'Account Details:' field is following with an 'n/a'?

We we need setup a subscription / recurring payment, but our payment gateway doesn't support this. However, it does support manually setting up a scheduled payment, which would work for us.

The problem is, we need the customer CC number when they make the initial payment via our website (AC).

We have storage and SSL enabled... how can I go in via the Admin interface and pull out the CC number on an order? We don't need to AVS / CVV...

I would really appreciate some help with this!

Thanks,

Mark

User avatar
jmestep
AbleCommerce Angel
Posts: 8163
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH
Contact:

Re: Retrieving CVV # from standard credit card methods

Post by jmestep » Thu Nov 19, 2009 6:14 am

I think AbleMods posted an answer here?
viewtopic.php?f=42&t=7430
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx

Post Reply