CVV Card Verification Value vs 3-D Secure, D365, Dynamics Ax

What’s the difference between Card Verification Value verification and 3-D Secure cardholder authentication? How can each be used in Microsoft D365 F&O or Dynamics AX 2012? Both are solutions to reduce chargeback risk for card not present transactions, but not much else is the same.

The CVV, or Card Verification Value, is a three or four-digit number on credit cards to add an extra layer of security for phone and online purchases to help protect against identity theft. CVV or CSC, or Card Security Code, and CVV2 have the same purpose. The “2” means it was created using a newer process to make the number more difficult to guess.

3-D Secure is a protocol providing an additional layer of security for eCommerce transactions prior to authorization. 3-D secure 1.0 is being retired October 1, 2021 and legacy integrations often require an update.

What are merchant benefits for using 3-D Secure vs CVV?

  • More authorization approvals. False declines are a significant source of lost revenue.
  • Some cards have reduced interchange rates when the authentication is invoked, which are usually over 90% of fees.
  • Less friction for customers at checkout because it’s more likely to get approved and no need to chat or call for help.
  • Reduced risk of chargeback losses. Fraud liability for “it wasn’t me” automatically shifts to the issuer; Merchants do not have to defend those chargebacks, they never even see them.

At this stage of massive data breaches and stolen data globally, the CVV is just not enough to mitigate chargeback risk because too many compromised cards with CVV data are available on the dark web. Additionally, merchants can experience issuer generated chargebacks even if an authorization was granted. What? Yes, and there is no recourse. A big issue is following authorization rules. Here’s some examples:

  1. A merchant has customer card numbers on file (old school on paper). The merchant key enters each transaction. This fails the unscheduled credential on file rule, where after the initial authorization, a response code is submitted with each subsequent authorization.
  2. A merchant has customer card numbers on file via stored tokens, no access to cardholder data. The merchant uses token to get new authorizations. This can fail the unscheduled credential on file rule, where after the initial authorization, a response code is required with each subsequent authorization, however, the technology used does not support those protocols.
  3. A merchant gets a phone order and enters CVV. The merchant has higher risk of fraud because the customer must self-enter the card number to participate in 3-D Secure authentication.

If you have non-qualified, STD, and other classes of transactions on merchant statements, that usually means that an authorization rule was not followed. So while an authorization code may have been granted, the merchant is at higher risk of a chargeback and usually pays penalty fees.

How can Microsoft D365 and Dynamics AX users leverage the benefits of 3-D Secure 2.0 vs CVV verification? For B2B, I recommend all merchants require their customers self-manage their payment methods using a payment gateway that supports all the latest authorization rules. (Few do.) For cards that have been stored over multiple years, it’s unlikely that the token stored has the correct data (not visible to merchants) to send with newer transactions. For example, Authorize.net, a popular payment gateway, just started supporting unscheduled credential on file this year, and only on First Data. Ask about our integrated and standalone solutions that include a cloud portal for customers to self-manage payment methods, view payment history, and pay invoices, if applicable.

What payment gateways support customers self-managing payment methods in compliance with all the current rules? Contact us for stand alone, Dynamics integrated, Magento and other solutions. Remember, 3-D secure can only be invoked if the customer entered their cardholder data. For subsequent unscheduled credential on file transactions, CVV and 3-D secure are not needed, because the cardholder has already verified themselves.

Call Christine Speedy, PCI Council Qualified Integrator Reseller (QIR) certified, for all your card not present, Microsoft Dynamics AX and D365 payment processing needs from ACH to credit cards and more. Get a new merchant account or keep your existing. 954-942-0483, 9-5 ET.

Mandatory Visa logo update

Do you display the Visa logo on your ecommerce web site or other online checkout? Visa mandatory deadline to implement updated logos was August 31, 2021. The merchant signage web page below includes all the logos and general requirements and guidelines for use of Visa brand artwork.

Visit Visa brand logos guidelines for partners, acquirers and online merchants, used across credential-on-file, stored credential and online transactions for immediate logo downloads.

When will I receive American Express deposits?

American Express merchant services deposits are now faster. As of April 2021, merchants see deposits the next business day after the transactions are submitted Monday through Friday. As of October 2020, merchants are receiving separate payment deposits for Friday, Saturday and Sunday on Monday to help simplify payment reconciliation.

American Express receipts for small businesses now appear on merchant statements with other credit cards, depending on when the merchant account opened. Older merchant accounts that did not sign up for the new program, merchants that prefer separate, and those that do not meet the maximum processing limits receive separate statements from American Express instead of their acquirer.

Call Christine Speedy, PCI Council QIR certified, for all your credit card processing questions and services. 954-942-0483, 9-5 ET.

EMVCo Publishes EMV® 3-D Secure UI/UX Guidelines

New interactive online resource to help card issuers, merchants and solution providers optimise the EMV® 3DS payment authentication experience for e-commerce consumers.


16 August 2021 – Global technical body EMVCo has published EMV® 3-D Secure (EMV 3DS) UI/UX Design Guidelines to help card issuers, banks, merchants and solution providers optimise the EMV 3DS payment authentication experience for e-commerce consumers. The guidelines are publicly available on the EMVCo website in an easy-to-use interactive format.
In e-commerce purchases where EMV 3DS solutions are used, EMV 3DS user interface (UI) and user experience (UX) design refers to the look and feel of the screen that consumers interact with on their device during authentication with their card issuer. This includes how visual components (e.g., logo, colour, iconography, etc.) are displayed in various device layouts, and how information is presented and communicated to guide them through the steps for verifying that they are the legitimate cardholder.
According to an EMVCo-commissioned global market research study1, consistent, familiar and efficient EMV 3DS UI/UX design is key to instilling consumer trust in the authentication process and optimising the checkout experience during shopping. The new guidelines are designed specifically to help card issuers, merchants and EMV 3DS solution providers achieve this objective and deploy user interfaces for EMV 3DS authentication that support a secure and seamless e-commerce checkout experience.
“Authenticating the individual making the payment continues to be key in the fight against e-commerce fraud. The EMV 3DS UI/UX Guidelines support the consistent implementation of EMV 3DS for fraud prevention to deliver an efficient and trusted e-commerce consumer experience, which benefits the entire payment ecosystem,” said Robin Trickel, EMVCo Executive Committee Chair.
The EMV 3DS UI/UX Guidelines are supplemental to the EMV 3-D Secure User Interface Templates, Requirements, and Guidelines chapter in the EMV 3DS Protocol and Core Functions Specification.
1 Methodology: Qualitative and quantitative usability study conducted in 2019-2020. Featured surveys with 650+ participants in UK, Brazil, China, France, Singapore and the U.S.


To learn more, view the EMV Insights post: Optimising the EMV 3DS Payment Experience: UI/UX Design Guidelines.
About EMV 3DS
EMV 3DS is a fraud prevention technology that enables consumer authentication, without adding unnecessary friction to the payment process that often leads to abandoned purchases. The EMV 3DS Specification provides a common set of requirements product providers can use to integrate this technology into their solutions to support seamless and secure e-commerce payments. View the EMV 3DS Press Kit to learn more.

Ingenico ISC 250 PCI PTS v3 and v4 End of Life

Ingenico announced end of life for the ISC 250 with PCI PTS v3 and v4 in March of 2019. This has not stopped companies from selling them, however, due to the PCI PTS expiration in April 2021, merchants who use them would not be able to prove PCI compliance in the event of a data breach.

Did you know terminals have their own Payment Card Industry or PCI certification? The standards are part of the overall merchant requirements to maintain the security of cardholder data. Those rules change over time and a bunch of Ingenico equipment recently expired, including the popular ISC250 lane terminal.

Ingenico issued end of life notifications on their PCI PTS 3 range of payment devices in compliance with the PCI Security Standards Council PCI 3 expiration date of April 30, 2020, which was extended to April 30, 2021 due to Covid. Often merchants will get notifications like this from their acquirer on their merchant statement.

Which Ingenico terminals are impacted?

  • iSC Touch 480 PCI-PTS v3/4 model
  • iSC Touch 250 PCI-PTS v3/4 model
  • iPP320 PCI-PTS v4
  • iPP350 PCI-PTS v4
  • This list does not include all devices! Merchants should check with their providers especially if using a non-EMV device or if you were an early EMV chip adopter.
ingenico isc250 signature capture terminal
Ingenico isc250

What does End of Life mean?

(PCI) PIN Transaction Security (PTS) v3 expires April 30, 2021.

(PCI) PIN Transaction Security (PTS) v4 expires April 30, 2023.

PCI PTS v5 expires April 30, 2026.

Are merchants PCI Compliant if they continue to use PCI 3 terminals after April 2021? The PCI Council urges but does not mandate merchants use approved PTS devices in their payment environments. However, in our experience, between payment brand and acquirer requirements, merchants generally need to use only approved PTS devices or risk getting shut down. Research expiration dates of terminals on the PCI Council web site. I’d be concerned about liability and the ability to prove PCI compliance, especially in the event of a data breach. If security vulnerabilities or exploits are identified by processors after April 2021, and you’re using the terminals, who’s to say when or even if a solution could be found to fix it?

How disruptive would it be for your business to have to shut down using them and get another solution? There are always people who procrastinate making changes. And when something goes wrong, phone calls to processors explode, so change is usually not as swift as you’d like.

Note, only employees and PCI QIR certified individuals can install or touch your credit card terminals. Terminals are one of the most important factors determining rates you pay and chargeback risk. Why? Call now to learn more. This is the perfect time for an external account review by a payments expert.

TIP for Christine Speedy Ingenico ISC250 customers: If you were an early adopter and had your terminals deployed prior to the EMV chip liability shift in October 2015, there’s no need to check part numbers; They need to be replaced. Please contact me directly to consult on replacement options.

Call Christine Speedy , PCI QIR certified, for new PCI 5 terminals, technology review and or merchant account review to maximize profits and improve your customer experience. 954-942-0483, 9-5 ET