CVV Card Verification Value vs 3-D Secure, D365, Dynamics AX

What’s the difference between Card Verification Value verification and 3-D Secure cardholder authentication? How can each be used in Microsoft D365 F&O or Dynamics AX 2012? Both are solutions to reduce chargeback risk for card not present transactions, but not much else is the same.

The CVV, or Card Verification Value, is a three- or four-digit number on credit cards that adds an extra layer of security for phone and online purchases to help protect against identity theft. CVV, CSC (Card Security Code), and CVV2 all have the same purpose. The “2” means it was created using a newer process to make the number more difficult to guess.

3-D Secure is a protocol providing an additional layer of security for eCommerce transactions prior to authorization. 3-D Secure 1.0 is being retired October 1, 2021, and legacy integrations often require an update.

What are merchant benefits for using 3-D Secure vs CVV?

  • More authorization approvals. False declines are a significant source of lost revenue.
  • Some cards have reduced interchange rates when the authentication is invoked; interchange is usually over 90% of fees.
  • Less friction for customers at checkout, because the transaction is more likely to be approved and there is no need to chat or call for help.
  • Reduced risk of chargeback losses. Fraud liability for “it wasn’t me” automatically shifts to the issuer; merchants do not have to defend those chargebacks, and they never even see them.

At this stage of massive data breaches and stolen data globally, the CVV is just not enough to mitigate chargeback risk because too many compromised cards with CVV data are available on the dark web. Additionally, merchants can experience issuer-generated chargebacks even if an authorization was granted. What? Yes, and there is no recourse. A big issue is following authorization rules. Here are some examples:

  1. A merchant has customer card numbers on file (old school, on paper). The merchant key-enters each transaction. This fails the unscheduled credential on file rule, where after the initial authorization, a response code is submitted with each subsequent authorization.
  2. A merchant has customer card numbers on file via stored tokens, with no access to cardholder data. The merchant uses the token to get new authorizations. This can fail the unscheduled credential on file rule, where after the initial authorization, a response code is required with each subsequent authorization; however, the technology used does not support those protocols.
  3. A merchant gets a phone order and enters CVV. The merchant has higher risk of fraud because the customer must self-enter the card number to participate in 3-D Secure authentication.

If you have non-qualified, STD, and other classes of transactions on merchant statements, that usually means that an authorization rule was not followed. So while an authorization code may have been granted, the merchant is at higher risk of a chargeback and usually pays penalty fees.

How can Microsoft D365 and Dynamics AX users leverage the benefits of 3-D Secure 2.0 vs CVV verification? For B2B, I recommend all merchants require their customers to self-manage their payment methods using a payment gateway that supports all the latest authorization rules. (Few do.) For cards that have been stored over multiple years, it’s unlikely that the token stored has the correct data (not visible to merchants) to send with newer transactions. For example, Authorize.net, a popular payment gateway, just started supporting unscheduled credential on file this year, and only on First Data. Ask about our integrated and standalone solutions that include a cloud portal for customers to self-manage payment methods, view payment history, and pay invoices, if applicable.

What payment gateways support customers self-managing payment methods in compliance with all the current rules? Contact us for standalone, Dynamics integrated, Magento and other solutions. Remember, 3-D Secure can only be invoked if the customer entered their cardholder data. For subsequent unscheduled credential on file transactions, CVV and 3-D Secure are not needed, because the cardholder has already verified themselves.

Call Christine Speedy, PCI Council Qualified Integrator Reseller (QIR) certified, for all your card not present, Microsoft Dynamics AX and D365 payment processing needs from ACH to credit cards and more. Get a new merchant account or keep your existing. 954-942-0483, 9-5 ET.

3-D Secure 2.0 Merchant Overview 2020 2021

3-D Secure is a protocol providing an additional layer of security for eCommerce transactions prior to authorization. It enables the exchange of data between the merchant, card issuer and, when necessary, the consumer, to validate that the transaction is being initiated by the actual cardholder. Ecommerce transactions include the traditional shopping cart as well as any digital payment where the cardholder initiates and completes the payment process. For example, einvoicing or electronic bill presentment and payment are ecommerce transactions.

Each card network has a name for their product that uses 3-D secure, also referred to as 3D Secure, 3DS, 3-D Secure authentication or EMV 3-D Secure. Visa rebranded Verified by Visa to Visa Secure. MasterCard SecureCode (3DS 1.0) merchants are being encouraged to migrate to Mastercard Identity Check which uses EMV 3-D Secure 2.0. American Express SafeKey 2.0 is also available now. 3-D Secure 2.x helps reduce fraud and minimize the need for one-time passcodes, improving the user experience and reducing shopping cart abandonment.

What are merchant benefits for using 3-D Secure?

  • More authorization approvals. False declines are a significant source of lost revenue.
  • Some cards have reduced interchange rates when the authentication is invoked; interchange is usually over 90% of fees. American Express does reduce rates.
  • Less friction for customers at checkout.
  • Reduced risk of chargeback losses. Fraud liability for “it wasn’t me” automatically shifts to the issuer; merchants do not have to defend those chargebacks, and they never even see them.

How do merchants get started using 3-D Secure?

There are two elements: the payment gateway and the merchant account. Contact your payment gateway company to see if they support it and how to set it up. In most cases, this is simply a back office setup process. Merchants may also need to sign acceptance of pricing. The transaction fees are minimal and typically more than offset by the 11 to 20 basis point reduction in merchant fees on applicable cards.

Christine Speedy, Founder 3D Merchant Services, QIR certified, is a credit card processing expert with specialized expertise in card not present and B2B payment processing technology. Less than 1% of all merchant services sales representatives are QIR certified by the PCI Council. Christine is an authorized reseller for Elavon and CenPOS products and services, in addition to other solutions.

How to add freight cost after credit card preauthorization

A preauthorization, or authorization hold, is a temporary hold on a customer’s credit card until final settlement. In this B2B transaction scenario, such as for distributors and manufacturers, the customer buys an item online, for example via Woocommerce or Shopify; the customer does not save their card on file or use a saved card on file, in which case different rules apply. Compliance with credit card processing rules improves authorization approvals, mitigates risk and reduces merchant fees.

On the merchant side, for the ecommerce sale described, a request for authorization goes out and the issuer responds with an approval code if all goes well. By also using 3-D Secure, the merchant shifts fraud liability to the issuer, reduces chargeback risk and can potentially qualify for reduced merchant fees. An additional authorization is not required if the final settlement amount is not more than 15% of the original authorization. Note: this is based upon the scenario described. However, depending on the card type, the qualified interchange rate may downgrade to the worst rate possible due to authorization and settlement mismatch. The same applies if the final settlement on the original authorization is less.

Some, but not all, payment gateways and APIs have solutions to help merchants resolve the mismatch problem.

How can merchants maximize profits on this type of transaction? Here are some requirements:

  1. Settlement date must be within 2 days of the transaction date.
  2. Settlement date must be within 7 days of initial authorization for purchasing cards (non-gov).
  3. Obtain and pass 1 valid electronic authorization. Authorization and settlement MCC must match. One authorization reversal is allowed.
  4. Transaction date must equal shipping date and that date is no more than 7 days after authorization.
  5. Transaction must include order number and either customer service phone number, URL or email.
  6. Must have secured E-Commerce indicator of “5” or “6”. The POS Condition Code must be “59”. Must perform Cardholder Authentication Verification Value (CAVV) and AVS4 (zip code, except government cards).
  7. Must pass Level II and Level III data.

Failure to meet all requirements can increase merchant fees by an additional 1% or more of the transaction amount.
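A pre-settlement check built from the seven requirements above, added here as an illustration (not code from any gateway or from the original post). The record field names are hypothetical, item 0 is the amount-mismatch note from the preceding paragraph, and requirements 1 and 2 are both applied to non-government purchasing cards as listed.

```python
from datetime import date

def downgrade_risks(t):
    """Return (item, reason) pairs for each listed requirement that record t misses."""
    days = lambda later, earlier: (t[later] - t[earlier]).days
    found = []
    if t["settle_cents"] != t["auth_cents"]:
        found.append((0, "settlement amount differs from the authorization"))
    if not 0 <= days("settle_date", "transaction_date") <= 2:
        found.append((1, "settlement not within 2 days of transaction date"))
    if t["card_class"] == "purchasing" and not t["gov_card"] \
            and days("settle_date", "auth_date") > 7:
        found.append((2, "purchasing card settled over 7 days after authorization"))
    if t["auth_mcc"] != t["settle_mcc"] or t["reversals"] > 1:
        found.append((3, "MCC mismatch or more than one authorization reversal"))
    if t["transaction_date"] != t["ship_date"] \
            or days("transaction_date", "auth_date") > 7:
        found.append((4, "transaction date is not ship date, or over 7 days after auth"))
    if not t["order_number"] or not any(t.get(k) for k in ("phone", "url", "email")):
        found.append((5, "order number or customer service contact missing"))
    if t["eci"] not in ("5", "6") or t["pos_condition_code"] != "59":
        found.append((6, "ECI is not 5 or 6, or POS Condition Code is not 59"))
    if not t["cavv_performed"] or not (t["gov_card"] or t["avs_zip_performed"]):
        found.append((6, "CAVV or AVS zip check not performed"))
    if not (t["level2_data"] and t["level3_data"]):
        found.append((7, "Level II / Level III data missing"))
    return found

# Constructed sample: web order authorized on the 1st, shipped with freight on the 5th.
ORDER = {
    "auth_cents": 100000, "settle_cents": 108500,
    "auth_date": date(2021, 3, 1), "transaction_date": date(2021, 3, 5),
    "ship_date": date(2021, 3, 5), "settle_date": date(2021, 3, 6),
    "card_class": "purchasing", "gov_card": False,
    "auth_mcc": "5085", "settle_mcc": "5085", "reversals": 0,
    "order_number": "SO-10442", "email": "ar@example.com",
    "eci": "5", "pos_condition_code": "59",
    "cavv_performed": True, "avs_zip_performed": True,
    "level2_data": True, "level3_data": True,
}

if __name__ == "__main__":
    for item, reason in downgrade_risks(ORDER):
        print(f"requirement {item}: {reason}")
```
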

References:

Visa Product and Services Rules, section 5.8.3.1

Christine Speedy, Founder 3D Merchant Services, is a credit card processing expert with specialized expertise in card not present and omnichannel technology. Christine is an authorized reseller for Elavon and CenPOS products and services, in addition to other solutions. Call Christine for payment gateway, cloud technology, merchant services and check processing needs.

Magento mandatory upgrade for PCI Compliance

Merchants must replace Magento version 2.1.x in summer 2019. The Magento 2.1.18 software release marks the final supported software release for Magento version 2.1.x. As of June 30, 2019, Magento 2.1.x will no longer receive security updates or product quality fixes now that its support window has expired.

PCI compliance requires the installation of critical software security patches within 30 days. When a software or related service provider no longer offers security patches, then merchants must replace or upgrade within 30 days. This is the same reason merchants using Microsoft Windows XP would not be PCI compliant.

I previously reported the Magento vulnerabilities and patch requirements in April 2019. Merchants should not rely on their business partners to automatically perform updates. Here’s a handy web site to check your Magento version now.

Now is a great time to also do a payment gateway checkup.

Call Christine Speedy, PCI Council QIR certified, to reduce merchant fees with new or existing merchant account at 954-942-0483, 9-5 ET.

Magento Security Alert requires action to maintain PCI Compliance

Magento 2.3.1, 2.2.8 and 2.1.17 Security Update

A SQL injection vulnerability has been identified in pre-2.3.1 Magento code. To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198. However, to protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can.

PCI Compliance Requirement 6: Develop and maintain secure systems and applications. All critical systems must have the most recently released software patches to prevent exploitation. The average merchant relies upon third party developers for web site maintenance, but unless specifically contracted to update the e-commerce software and add-on modules, don’t count on it.

“Only 16.4% of organizations that had suffered a data breach were compliant with Requirement 6, compared to an average of 64% of organizations assessed by our QSAs in 2014.” (Verizon 2015 PCI Compliance Report)

Payment gateway implementation requirements have changed over time in response to cross-site scripting and cross-site request forgery (CSRF), in order to meet current PCI compliance standards. Merchants should verify that all components of their ecommerce ecosystem are current, and have a system for ongoing monitoring and updating.
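A version check that applies the fixed releases from the security alert above (2.3.1, 2.2.8, 2.1.17) and the 2.1.x end-of-support date from the earlier post, added here as an example and not taken from Magento or the original page. The store names, inventory and function names are constructed for illustration; a version string alone cannot show whether the standalone patch PRODSECBUG-2198 was applied, so those stores are flagged for confirmation.

```python
import re
from datetime import date

# Fixed releases named in the security alert above, keyed by release line.
FIXED = {(2, 3): (2, 3, 1), (2, 2): (2, 2, 8), (2, 1): (2, 1, 17)}
# Per the page, 2.1.x receives no security updates as of June 30, 2019.
END_OF_SUPPORT = {(2, 1): date(2019, 6, 30)}

def parse_version(text):
    """Return (major, minor, patch) from strings such as '2.2.7' or '2.3.1-p1'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def assess(version_text, today):
    """Return findings for one store version; an empty list means nothing to flag."""
    v = parse_version(version_text)
    if v[0] != 2:
        return ["out of scope: this check only handles the 2.x releases named on the page"]
    findings = []
    fixed = FIXED.get(v[:2])
    if fixed and v < fixed:
        # The standalone patch is invisible in a version string, so ask for confirmation.
        findings.append("below %d.%d.%d: upgrade, or confirm PRODSECBUG-2198 is applied" % fixed)
    elif fixed is None and v < (2, 3, 1):
        findings.append("pre-2.3.1 release line with no fixed release named in the alert")
    eos = END_OF_SUPPORT.get(v[:2])
    if eos and today >= eos:
        findings.append("release line no longer receives security updates")
    return findings

def audit(inventory, today):
    """Map store name -> findings, keeping only stores that need action."""
    results = {name: assess(ver, today) for name, ver in inventory.items()}
    return {name: f for name, f in results.items() if f}

# Constructed inventory; store names and versions are placeholders.
INVENTORY = {"b2b-portal": "2.2.7", "parts-store": "2.3.1", "legacy-shop": "2.1.18"}

if __name__ == "__main__":
    for store, findings in audit(INVENTORY, date(2019, 7, 15)).items():
        print(store, "->", "; ".join(findings))
```
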

RESOURCES

  • Magento Security Center
  • MAGENTO SECURITY ALERT, March 26, 2019
  • Christine Speedy, 3D Merchant Services, offers a Magento payment gateway module for merchants to improve their omnichannel customer experience and mitigate fraud and vulnerability risk. Special B2B customer benefits include friction-less payments across all sales channels; text and email Express Checkout, customer invoice portal for 24/7 ACH, credit card, wire and more payment types, and US EMV with level 3 processing. Magento and ERP modules combine to provide a powerful array of solutions to improve cash flow and profits while maximizing security. 954-942-0483.