CVV2 Mandate 2012

Introduction

CVV2 mandate requires all electronic commerce merchants to check CVV2 (Cardholder Verification Value) and acquirers to process CVV2 response codes correctly. The growth of the internet retailer sector means that an increasing number of merchants are now processing transactions in situations where the card and cardholder are not present and fraud may be difficult to detect. Basic card acceptance and fraud control procedures include the merchant asking for the CVV2.

CVV2 is a unique three-digit code that appears on the signature panel of all Visa and MasterCard cards and is used to confirm the validity of the card during card-not-present sales. Card-not-present merchants ask customers for the CVV2 as part of the order taking process and submit it for verification with other authorization information. The issuer will check the CVV2 and send a result ("match" or "no match") along with the authorization decision. The CVV2 result enables the merchant to make a more informed decision regarding completing the transaction. To ensure more effective fraud control during Card-not-present transactions, please contact your merchant bank to find out your mandate deadline.

DPS is currently working with all acquirers to ensure the requirements are met for the CVV2 mandate. Please check on our website for the latest updates.
 

Requirements

DPS Hosted (PxPay)

  1. Cardholder is presented to the DPS Hosted Payment Page.

  2. Cardholder enters their card details INCLUDING CVC value. (For all merchants who have CVC as a mandatory requirement in their payment page already can ignore the rest of step 2).
    • CVC value for all Visa / MasterCard transactions are mandatory and if a CVC value is not submitted, the transaction cannot be processed any further from the payment page.
    • CVC value for all card types OTHER than Visa / MasterCard will allow the cardholder the option of providing a CVC value on the payment page. i.e. Amex / Diners etc.
       
  3. Transaction is submitted to the banking network for authorisation and a response is returned for the cardholder to indicate if the transaction has been approved or declined.

  4. Merchant receives the result of the transaction with a key value "Cvc2ResultCode" with one of the following response codes:
    M- Match 
    N- Not match 
    P- Not processed 
    S- Should be on card 
    U- Issuer does not participate

  5. Depending on the response code, the merchant can make a more informed decision on the payment that has taken place. Please see below table for interpretation of response codes

RESPONSE CODE DEFINITION
 		 DEFINITION
 
M CVC matched. You will want to proceed with transactions for which you have received an authorisation approval. A CVC match indicates the values provided matches the Issuing Banks details
N CVC did not match. You may want to follow up with the cardholder to verify the CVC value before completing the transaction, even if you have received an authorisation approval. The CVC details provided by the Cardholder do not match their Issuing Banks details
P CVC request not processed. Issuing Bank is unable to process CVC at this time
S CVC should be on the card, but merchant has sent code indicating there was no CVC. You may want to follow up with the cardholder to verify that the customer checked the correct location for the CVC. If the transaction is Approved you may also wish to consider not fulfilling the transaction
U Issuer does not support CVC. The card Issuing bank does not support CVC process


Merchant Hosted (PxPost, Web Service, PxFusion)

  1. Cardholder is presented to the Merchant Hosted Payment Page

  2. Cardholder enters their card details INCLUDING CVC value.
    • Merchant to implement CVC presence verification based on their acquirer's requirements.
    • Merchant to send DPS a presence indicator within "Cvc2Presence" field in the transaction request to one of the below:
      0 - You (MERCHANT) have chosen not to submit CVC 
      1 - You (MERCHANT) have included CVC in the Auth / Purchase
      2 - Card holder has stated CVC is illegible.
      9 - Card holder has stated CVC is not on the card.
      E.g. PX POST transaction:
<Txn>
	<PostUsername>TestUsername</PostUsername>
	<PostPassword>TestPassword</PostPassword>
	<CardHolderName>A Anderson</CardHolderName>
	<CardNumber>4111111111111111</CardNumber>
	<Amount>1.23</Amount>
	<DateExpiry>1010</DateExpiry>
	<Cvc2>3456</Cvc2>

	<!-- CVC2Presence Field -->         
	<Cvc2Presence>1</Cvc2Presence>
	<!-- End CVC2Presence Field  -->

	<InputCurrency>NZD</InputCurrency>
	<TxnType>Purchase</TxnType>
	<TxnId>inv1278</TxnId>
	<MerchantReference>Test Transaction</MerchantReference>
</Txn>

  • Transaction is submitted to the banking network for authorisation and a response is returned for the cardholder to indicate if the transaction has been approved or declined
  • Merchant receives the result of the transaction with a key value "Cvc2ResultCode" with one of the following response codes:

    M- Match
    N- Not match
    P- Not processed
    S- Should be on card
    U- Issuer does not participate

  • Depending on the response code, the merchant can make a more informed decision on the payment that has taken place. Please see below table for interpretation of response codes:
RESPONSE CODE DEFINITION
 		 DEFINITION
 
M CVC matched. You will want to proceed with transactions for which you have received an authorisation approval. A CVC match indicates the values provided matches the Issuing Banks details
N CVC did not match. You may want to follow up with the cardholder to verify the CVC value before completing the transaction, even if you have received an authorisation approval. The CVC details provided by the Cardholder do not match their Issuing Banks details
P CVC request not processed. Issuing Bank is unable to process CVC at this time
S CVC should be on the card, but merchant has sent code indicating there was no CVC. You may want to follow up with the cardholder to verify that the customer checked the correct location for the CVC. If the transaction is Approved you may also wish to consider not fulfilling the transaction
U Issuer does not support CVC. The card Issuing bank does not support CVC process


Tokenisation


To effectively manage tokenised payments for the CVV2 mandate, please contact devsupport@paymentexpress.com.

DPS Payline

Merchants can log into Payline (DPS Web Portal) to view CVC response codes. The CVC response is stored within a field called "Cvc2 Result" within the transaction search screen.
  1. Merchant logs into Payline with DPS provided Username and Password

  2. Merchant clicks "Transaction" on the left side of the menu and clicks the "Transaction Search" option as part of the sub menu.

  3. Merchant selects "Details" on a transaction that they wish to view the CVC response code.
  4. "Cvc2 Result" field will display one of the following response codes:
    M- Match
    N- Not match
    P- Not processed
    S- Should be on card
    U- Issuer does not participate
  5. Depending on the response code, the merchant can make a more informed decision on the payment that has taken place. Please see below table for interpretation of response codes:
RESPONSE CODE DEFINITION
 		 DEFINITION
 
M CVC matched. You will want to proceed with transactions for which you have received an authorisation approval. A CVC match indicates the values provided matches the Issuing Banks details
N CVC did not match. You may want to follow up with the cardholder to verify the CVC value before completing the transaction, even if you have received an authorisation approval. The CVC details provided by the Cardholder do not match their Issuing Banks details
P CVC request not processed. Issuing Bank is unable to process CVC at this time
S CVC should be on the card, but merchant has sent code indicating there was no CVC. You may want to follow up with the cardholder to verify that the customer checked the correct location for the CVC. If the transaction is Approved you may also wish to consider not fulfilling the transaction
U Issuer does not support CVC. The card Issuing bank does not support CVC process


Support

DPS Hosted (PxPay)

  • If you are using the DPS Hosted Payment Page (PxPay) and you have any questions around the layout and style of the page, please contact DPS on 0800 SUPPORT or alternatively email DPS Support.
  • If you require developer support on your current implementation, please email Development Support.

Merchant Hosted (PxPost, Web Service, PxFusion)

  • If you are using one of DPS Merchant Hosted Payment Page (PxPost, Web Service, PxFusion) and you have any questions around the layout and style of the page, please contact your development team.
  • If you require developer support on your current implementation, please email Development Support.


Glossary

TERM DESCRIPTION
ACQUIRER The financial institution accepting payment for the products or services on behalf of the merchant.
ISSUER The financial institution or other organization that issued the credit card to the cardholder.
CARDHOLDER The holder of the card used to make a purchase; the consumer.
BIN Bank Identification Number. The first six digits of the number of various financial cards, such as Visa or MasterCard. These digits identify which organization issued it.
CVC/CVV Stands for "Card Verification Code"/"Card Verification Value", it is the 3-digit number on the back of credit cards used for security purposes.
PCI-DSS Payment Card Industry - Data Security Standards. Set data security standards for hardware and software in the payments industry.
API Application Programming Interfaces
FEP Front End Processor

WANT TO KNOW MORE?
If you require any additional information on credit card processing, or if you would like to discuss specific needs for your business, please complete the form.