What’s the difference between Card Verification Value verification and 3-D Secure cardholder authentication? How can each be used in Microsoft D365 F&O or Dynamics AX 2012? Both are solutions to reduce chargeback risk for card not present transactions, but not much else is the same.
The CVV, or Card Verification Value, is a three or four-digit number on credit cards to add an extra layer of security for phone and online purchases to help protect against identity theft. CVV or CSC, or Card Security Code, and CVV2 have the same purpose. The “2” means it was created using a newer process to make the number more difficult to guess.
3-D Secure is a protocol providing an additional layer of security for eCommerce transactions prior to authorization. 3-D secure 1.0 is being retired October 1, 2021 and legacy integrations often require an update.
What are merchant benefits for using 3-D Secure vs CVV?
- More authorization approvals. False declines are a significant source of lost revenue.
- Some cards have reduced interchange rates when the authentication is invoked, which are usually over 90% of fees.
- Less friction for customers at checkout because it’s more likely to get approved and no need to chat or call for help.
- Reduced risk of chargeback losses. Fraud liability for “it wasn’t me” automatically shifts to the issuer; Merchants do not have to defend those chargebacks, they never even see them.
At this stage of massive data breaches and stolen data globally, the CVV is just not enough to mitigate chargeback risk because too many compromised cards with CVV data are available on the dark web. Additionally, merchants can experience issuer generated chargebacks even if an authorization was granted. What? Yes, and there is no recourse. A big issue is following authorization rules. Here’s some examples:
- A merchant has customer card numbers on file (old school on paper). The merchant key enters each transaction. This fails the unscheduled credential on file rule, where after the initial authorization, a response code is submitted with each subsequent authorization.
- A merchant has customer card numbers on file via stored tokens, no access to cardholder data. The merchant uses token to get new authorizations. This can fail the unscheduled credential on file rule, where after the initial authorization, a response code is required with each subsequent authorization, however, the technology used does not support those protocols.
- A merchant gets a phone order and enters CVV. The merchant has higher risk of fraud because the customer must self-enter the card number to participate in 3-D Secure authentication.
If you have non-qualified, STD, and other classes of transactions on merchant statements, that usually means that an authorization rule was not followed. So while an authorization code may have been granted, the merchant is at higher risk of a chargeback and usually pays penalty fees.
How can Microsoft D365 and Dynamics AX users leverage the benefits of 3-D Secure 2.0 vs CVV verification? For B2B, I recommend all merchants require their customers self-manage their payment methods using a payment gateway that supports all the latest authorization rules. (Few do.) For cards that have been stored over multiple years, it’s unlikely that the token stored has the correct data (not visible to merchants) to send with newer transactions. For example, Authorize.net, a popular payment gateway, just started supporting unscheduled credential on file this year, and only on First Data. Ask about our integrated and standalone solutions that include a cloud portal for customers to self-manage payment methods, view payment history, and pay invoices, if applicable.
What payment gateways support customers self-managing payment methods in compliance with all the current rules? Contact us for stand alone, Dynamics integrated, Magento and other solutions. Remember, 3-D secure can only be invoked if the customer entered their cardholder data. For subsequent unscheduled credential on file transactions, CVV and 3-D secure are not needed, because the cardholder has already verified themselves.
Call Christine Speedy, PCI Council Qualified Integrator Reseller (QIR) certified, for all your card not present, Microsoft Dynamics AX and D365 payment processing needs from ACH to credit cards and more. Get a new merchant account or keep your existing. 954-942-0483, 9-5 ET.