Tuesday, November 25, 2008

CVV2 Processing in Card-not-Present Transactions

Card Verification Value 2 (CVV2) is a three-digit number printed on the back of every Visa credit and debit card, to the right of the signature panel. It is printed only; it is not encoded on the magnetic stripe and may not be retained by merchants, so a customer who can supply it is likely to have the card in hand. MO/TO and eCommerce merchants use it to verify that the customer is in physical possession of the card at the time of payment. When processing CVV2 requests in card-not-present transactions, merchants should follow these best practices:
  • The CVV2 verification process begins with the merchant asking the customer to provide the last three digits in or next to the signature panel on the back of the Visa card.
  • If the customer provides the requested numeric code, it should be included with the account number and the expiration date when the transaction is submitted for authorization. Whether the CVV2 is included in the authorization request or not, one of the following CVV2 presence indicators should be included in the authorization request:

    Indicator   Meaning
    0           CVV2 is not included in the authorization request.
    1           CVV2 is included in the authorization request.
    2           Cardholder has stated that CVV2 is illegible.
    9           Cardholder has stated that CVV2 is not on the card.
  • Merchants receive a CVV2 result code from the card issuer along with the authorization response. Evaluate the code and take it into account when deciding how to proceed with the transaction. You will receive one of the following result codes:

    CVV2 Result Code    Recommended Action

    M - Match: Complete the transaction, taking into account all other transaction characteristics and verification data.
    N - No match: This is a sign of potential fraud which should be taken into account along with the authorization response and any other verification data. You may also want to resubmit the CVV2 with a zero-dollar authorization request to rule out the possibility of a key-entry error.
    P - CVV2 request not processed: Resubmit the authorization request.
    S - Cardholder reports that CVV2 is not on the card: Follow up with the customer to verify that the correct card location has been checked for CVV2.
    U - Issuer does not support CVV2: Evaluate all available information and decide whether to proceed with the transaction or to investigate further.
Be advised that for security reasons CVV2 must never be stored as part of order information or customer data after authorization, even in encrypted form. Merchants who do store CVV2 may be assessed substantial fines.
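The steps above, as an added example that is not part of the original post and not code from Visa or any processor: it maps the customer's answer at checkout to the presence indicator, turns the issuer's result code into a next action, resubmits once when the CVV2 check was not processed, and builds the order record from an allowlist of fields so the CVV2 itself never reaches storage. The field names, the `fake_issuer` stand-in for the acquirer link, and the test PAN are assumptions for illustration.

```python
import re
from typing import Callable, Dict, Optional

# Visa CVV2 presence indicators sent with the authorization request
CVV2_NOT_INCLUDED = "0"
CVV2_INCLUDED = "1"
CVV2_ILLEGIBLE = "2"
CVV2_NOT_ON_CARD = "9"

# Visa CVV2 result codes returned by the issuer, mapped to the recommended action
RESULT_ACTIONS = {
    "M": "complete",   # match: complete, subject to other verification data
    "N": "review",     # no match: potential fraud, weigh with other data
    "P": "resubmit",   # CVV2 request not processed: send the request again
    "S": "follow_up",  # cardholder says CVV2 is not on the card: check card location
    "U": "evaluate",   # issuer does not support CVV2: decide on other data
}


def build_auth_request(pan: str, expiry: str, cvv2_response: Optional[str]) -> Dict[str, Optional[str]]:
    """Map what the customer said at checkout to the CVV2 fields of the request.

    cvv2_response is the raw answer: a 3-digit code, "illegible", "not on card",
    or None/empty if nothing was collected. Anything else is rejected rather than
    sent, so a mistyped value never reaches the issuer as a bogus CVV2.
    (Field names are hypothetical, not a real processor's message format.)
    """
    req: Dict[str, Optional[str]] = {"pan": pan, "expiry": expiry, "cvv2": None}
    if not cvv2_response:
        req["cvv2_presence"] = CVV2_NOT_INCLUDED
        return req
    answer = cvv2_response.strip().lower()
    if answer == "illegible":
        req["cvv2_presence"] = CVV2_ILLEGIBLE
    elif answer == "not on card":
        req["cvv2_presence"] = CVV2_NOT_ON_CARD
    elif re.fullmatch(r"\d{3}", answer):
        req["cvv2"] = answer
        req["cvv2_presence"] = CVV2_INCLUDED
    else:
        raise ValueError("CVV2 must be exactly three digits for a Visa card")
    return req


def cvv2_action(auth_response: Dict) -> str:
    """Decide the next step from the authorization response.

    A declined authorization ends the transaction whatever the CVV2 result;
    otherwise the result code maps to the recommended action, and a missing
    or unknown code is treated like an issuer that does not support CVV2.
    """
    if not auth_response.get("approved"):
        return "decline"
    return RESULT_ACTIONS.get(auth_response.get("cvv2_result"), "evaluate")


def authorize(req: Dict, send: Callable[[Dict], Dict], max_resubmits: int = 1) -> Dict:
    """Send the request, resubmitting (once by default) while the result is P."""
    resp = send(req)
    attempts = 0
    while cvv2_action(resp) == "resubmit" and attempts < max_resubmits:
        attempts += 1
        resp = send(req)
    return resp


def order_record(req: Dict, resp: Dict) -> Dict:
    """Build what may be persisted with the order.

    An allowlist of fields is copied out, so the CVV2 cannot leak into storage
    by accident; only the last four digits of the PAN are kept here. The presence
    indicator and result code are retained because they are the evidence that
    the check was made, not the secret itself.
    """
    pan = req["pan"]
    return {
        "pan_masked": "*" * (len(pan) - 4) + pan[-4:],
        "expiry": req["expiry"],
        "cvv2_presence": req["cvv2_presence"],
        "cvv2_result": resp.get("cvv2_result"),
        "approved": bool(resp.get("approved")),
    }


def fake_issuer(responses) -> Callable[[Dict], Dict]:
    """Constructed stand-in for the acquirer/issuer link: returns canned responses in order."""
    queue = list(responses)

    def send(_req: Dict) -> Dict:
        return queue.pop(0)

    return send


if __name__ == "__main__":
    # Constructed walk-through with Visa's standard test PAN: first reply is P, second is M.
    req = build_auth_request("4111111111111111", "1210", "123")
    send = fake_issuer([{"approved": True, "cvv2_result": "P"},
                        {"approved": True, "cvv2_result": "M"}])
    resp = authorize(req, send)
    print(cvv2_action(resp), order_record(req, resp))
```

The retry on P is capped so a link that never processes CVV2 does not loop, and the N case is deliberately left as "review" rather than an automatic decline: the text treats a mismatch as a fraud signal to weigh alongside AVS and the authorization itself, not as a verdict on its own.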

Cardholder Information Security Program

Visa has established the Cardholder Information Security Program (CISP) to define standards for protecting sensitive cardholder information. CISP compliance is mandatory for all merchants that accept Visa cards and for merchant services companies that provide payment processing services. There are twelve basic CISP requirements that merchants and service providers have to meet. By demanding compliance with all of them, Visa ensures that if one control fails, the others still stand between the sensitive information and unauthorized use. CISP requires that merchants:
  1. Install and maintain a functioning firewall to protect cardholder data.
  2. Regularly install security updates.
  3. Protect stored data.
  4. Encrypt cardholder and other sensitive information when transmitted across public networks.
  5. Install and regularly update anti-virus software or programs.
  6. Restrict internal access to cardholder account data on a "need-to-know" basis.
  7. Assign a unique user ID to each person with computer access to sensitive data.
  8. Do not use vendor-supplied default settings for system passwords and other security parameters.
  9. Track access to data by unique user ID.
  10. Regularly test security systems and processes.
  11. Establish and maintain information security requirements for employees and contractors.
  12. Restrict physical access to cardholder information.
The above CISP requirements apply to any merchant or payment processing service provider that stores, processes, or transmits Visa cardholder information. All eligible merchants and card processing service providers, regardless of size (or in the case of service providers, whether they support issuing or merchant activity) must comply with the twelve basic CISP requirements.