CVV Card Verification Value vs 3-D Secure, D365, Dynamics Ax

What’s the difference between Card Verification Value verification and 3-D Secure cardholder authentication? How can each be used in Microsoft D365 F&O or Dynamics AX 2012? Both are solutions to reduce chargeback risk for card not present transactions, but not much else is the same.

The CVV, or Card Verification Value, is a three or four-digit number on credit cards to add an extra layer of security for phone and online purchases to help protect against identity theft. CVV or CSC, or Card Security Code, and CVV2 have the same purpose. The “2” means it was created using a newer process to make the number more difficult to guess.

3-D Secure is a protocol providing an additional layer of security for eCommerce transactions prior to authorization. 3-D secure 1.0 is being retired October 1, 2021 and legacy integrations often require an update.

What are merchant benefits for using 3-D Secure vs CVV?

  • More authorization approvals. False declines are a significant source of lost revenue.
  • Some cards have reduced interchange rates when the authentication is invoked, which are usually over 90% of fees.
  • Less friction for customers at checkout because it’s more likely to get approved and no need to chat or call for help.
  • Reduced risk of chargeback losses. Fraud liability for “it wasn’t me” automatically shifts to the issuer; Merchants do not have to defend those chargebacks, they never even see them.

At this stage of massive data breaches and stolen data globally, the CVV is just not enough to mitigate chargeback risk because too many compromised cards with CVV data are available on the dark web. Additionally, merchants can experience issuer generated chargebacks even if an authorization was granted. What? Yes, and there is no recourse. A big issue is following authorization rules. Here’s some examples:

  1. A merchant has customer card numbers on file (old school on paper). The merchant key enters each transaction. This fails the unscheduled credential on file rule, where after the initial authorization, a response code is submitted with each subsequent authorization.
  2. A merchant has customer card numbers on file via stored tokens, no access to cardholder data. The merchant uses token to get new authorizations. This can fail the unscheduled credential on file rule, where after the initial authorization, a response code is required with each subsequent authorization, however, the technology used does not support those protocols.
  3. A merchant gets a phone order and enters CVV. The merchant has higher risk of fraud because the customer must self-enter the card number to participate in 3-D Secure authentication.

If you have non-qualified, STD, and other classes of transactions on merchant statements, that usually means that an authorization rule was not followed. So while an authorization code may have been granted, the merchant is at higher risk of a chargeback and usually pays penalty fees.

How can Microsoft D365 and Dynamics AX users leverage the benefits of 3-D Secure 2.0 vs CVV verification? For B2B, I recommend all merchants require their customers self-manage their payment methods using a payment gateway that supports all the latest authorization rules. (Few do.) For cards that have been stored over multiple years, it’s unlikely that the token stored has the correct data (not visible to merchants) to send with newer transactions. For example, Authorize.net, a popular payment gateway, just started supporting unscheduled credential on file this year, and only on First Data. Ask about our integrated and standalone solutions that include a cloud portal for customers to self-manage payment methods, view payment history, and pay invoices, if applicable.

What payment gateways support customers self-managing payment methods in compliance with all the current rules? Contact us for stand alone, Dynamics integrated, Magento and other solutions. Remember, 3-D secure can only be invoked if the customer entered their cardholder data. For subsequent unscheduled credential on file transactions, CVV and 3-D secure are not needed, because the cardholder has already verified themselves.

Call Christine Speedy, PCI Council Qualified Integrator Reseller (QIR) certified, for all your card not present, Microsoft Dynamics AX and D365 payment processing needs from ACH to credit cards and more. Get a new merchant account or keep your existing. 954-942-0483, 9-5 ET.

EMVCo Publishes EMV® 3-D Secure UI/UX Guidelines

New interactive online resource to help card issuers, merchants and solution providers optimise the EMV® 3DS payment authentication experience for e-commerce consumers.


16 August 2021 – Global technical body EMVCo has published EMV® 3-D Secure (EMV 3DS) UI/UX Design Guidelines to help card issuers, banks, merchants and solution providers optimise the EMV 3DS payment authentication experience for e-commerce consumers. The guidelines are publicly available on the EMVCo website in an easy-to-use interactive format.
In e-commerce purchases where EMV 3DS solutions are used, EMV 3DS user interface (UI) and user experience (UX) design refers to the look and feel of the screen that consumers interact with on their device during authentication with their card issuer. This includes how visual components (e.g., logo, colour, iconography, etc.) are displayed in various device layouts, and how information is presented and communicated to guide them through the steps for verifying that they are the legitimate cardholder.
According to an EMVCo-commissioned global market research study1, consistent, familiar and efficient EMV 3DS UI/UX design is key to instilling consumer trust in the authentication process and optimising the checkout experience during shopping. The new guidelines are designed specifically to help card issuers, merchants and EMV 3DS solution providers achieve this objective and deploy user interfaces for EMV 3DS authentication that support a secure and seamless e-commerce checkout experience.
“Authenticating the individual making the payment continues to be key in the fight against e-commerce fraud. The EMV 3DS UI/UX Guidelines support the consistent implementation of EMV 3DS for fraud prevention to deliver an efficient and trusted e-commerce consumer experience, which benefits the entire payment ecosystem,” said Robin Trickel, EMVCo Executive Committee Chair.
The EMV 3DS UI/UX Guidelines are supplemental to the EMV 3-D Secure User Interface Templates, Requirements, and Guidelines chapter in the EMV 3DS Protocol and Core Functions Specification.
1 Methodology: Qualitative and quantitative usability study conducted in 2019-2020. Featured surveys with 650+ participants in UK, Brazil, China, France, Singapore and the U.S.


To learn more, view the EMV Insights post: Optimising the EMV 3DS Payment Experience: UI/UX Design Guidelines.
About EMV 3DS
EMV 3DS is a fraud prevention technology that enables consumer authentication, without adding unnecessary friction to the payment process that often leads to abandoned purchases. The EMV 3DS Specification provides a common set of requirements product providers can use to integrate this technology into their solutions to support seamless and secure e-commerce payments. View the EMV 3DS Press Kit to learn more.

EMVCo Launches EMV 3-D Secure 2.2.0 Testing Programme

Confirms that EMV 3-D Secure products support merchant whitelisting functionality and authentication of additional e-commerce payment scenarios.

25 June 2019 – EMVCo has updated the EMV® 3-D Secure (EMV 3DS) Testing Programme which includes test platform and process updates to support the EMV 3DS 2.2.0 Core Specification and EMV 3DS 2.2.0 SDK Specification released in December 2018.
Using the EMV 3DS Test Platform, EMV 3DS product providers can validate that their products support all the enhancements introduced in EMV 3DS 2.2.0, such as the exemptions to Strong Consumer Authentication (SCA) for the European Second Payment Services Directive (PSD2). Additionally, the test platform will also validate support for FIDO enhancements, and authentication for new payment scenarios, such as mail order and telephone purchase transactions.

“Testing and approving 3DS products using the EMV 3DS Test Platform provides the industry with confidence that 3DS products are aligned with the EMV 3DS specifications to ensure delivery of effective and convenient e-commerce authentication,” comments Karteek Patel, EMVCo Executive Committee Chair. “Our specifications and testing frameworks can’t be static. EMVCo works with industry experts to ensure the 3DS infrastructure supports the latest requirements of e-commerce stakeholders.”


EMVCo’s EMV 3DS Testing Programme, launched in August 2018, has approved more than 100 3DS products to date. This update to the Test Platform references additional features for merchants and issuers to maximise the benefit of the available SCA exemptions, including the ability of a consumer to whitelist a merchant.
EMV 3DS is a messaging protocol that promotes secure, frictionless consumer authentication for card-not-present, e-commerce purchases across channels and connected devices. To learn more about EMV 3DS, please read the FAQ that is available for download from the EMVCo website.

Hotel Third Party Authorization Form Alert

The best hotel third party authorization forms are fully compliant with card brand rules to mitigate chargeback risk, especially for friendly fraud, where cardholder claims they did not authorize the transaction. Fraud liability can be shifted nearly one hundred percent with best practices, plus risk of data breach from employee and other access to card data can be mitigated. Avoid the paper and digital credit card authorization form problems perpetuated by misinformation from people and incorrect internet postings.

Paper credit card authorization forms are dead.

Per Visa Core rule 5.4.2.5, October 2017, a US merchant or its agent must not Request the Card Verification Value 2 data on any paper Order Form. Update, in October 2018, the rule is now in section 5.4.3.1, Merchant Use of Account Number, Cardholder Signature, Card Verification Value 2 (CVV2), or Stored Credential.  I could go on about all the PCI compliance and data breach risk problems related to credit card authorization forms, but because only 3-D secure cardholder authentication, which requires cardholder initiate payment, shifts friendly fraud liability for card not present transactions, there’s no valid reason not to change procedures. Get the cardholder data out of the hands of employees and networks. Secure document services where sensitive cardholder data can be viewed, or decrypted and viewed, for use in another solution are not PCI Compliant.

Web-based third party authorization forms are best for card absent compliance.

More than just PCI compliance, a myriad of rules changes since 2017, and continuing into 2019, impact every hotel. Everyone must change to comply and it’s not automatic. For example, you’re getting a sales deposit, and will definitely or will possibly charge more later. There’s a new set of transaction data standards which include estimate, incremental, and final authorization. While the technical piece is handled by payment gateways, not all have made the modifications required. Additionally, some elements are left to merchants to manage.

  • Comply with Visa 5.8.3.1 Authorization Amount Requirements.  The Merchant must use the Estimated/Initial Authorization Request indicator for the first transaction,
    then the Incremental Authorization Request indicator for interim if applicable, and Final Authorization Request indicator when closing out the transaction; the same Transaction Identifier must be included for all Authorization Requests. Don’t accept an authorization online and then swipe or dip the same card later unless your card present system can tie back to the initial authorization.
  • Stored cards. Are you storing cards for ongoing charges? Comply with Visa Rules Table 5-20: Requirements for Prepayments and Transactions Using Stored Credentials. There are too many variables to list here so I recommend downloading the rules and getting familiar. Two keys when capturing card data for the first time:
    • Obtain express consent per specifications for your refund and cancellation policies, how you’ll use the stored card, when your agreement expires and how the Cardholder will be notified of any changes to the agreement.
    • Perform a cardholder verification either via transaction or zero dollar authorization with the proper indicator.
    • This is a change! Two transactions occur when capturing cardholder data for the first time. Again, technical part can be handled by a payment gateway that supports it, but other elements are left to you.

Hotel third party authorization form solutions.

Contact me for solution that works standalone or integrated with SynXis. Shift friendly fraud liability and potentially qualify transactions for better rates with your existing merchant account. That’s because non-compliance with various rules can result in higher fees.

Here’s some key elements if the initial authorization is not the final authorization. Terminology:

  • PCI compliance- short for Payment Card Industry Data Security Standards. All businesses are mandated to comply with rules which are outlined on the PCI Security Standards Council web site.
  • 3-D secure (3D Secure) is a global XML-based protocol designed to be an additional security layer for online credit and debit card transactions. Each card brand has their own version. For example, Verified by Visa. Merchants register for 3-D Secure with their acquirer; always consult with the payment gateway first for instructions and to confirm they’re registered to offer service. 3-D Secure is invoked automatically by the payment gateway which then based on issuer response may or may not prompt for additional information to authenticate the cardholder.  Friendly fraud liability, “it wasn’t me, I didn’t authorize it”, shifts to the issuer. Because there are many parts to any transaction, including acquirer and issuer communications, plus continually changing rules, it’s possible that it will not be invoked.
  • Link to Visa and all card brand Rules.

Call Christine Speedy, PCI Council QIR certified, for global sales. 954-942-0483, 9-5 ET, CenPOS authorized reseller based out of South Florida and NY. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

Equipment Rental Credit Card Processing Rules Change

Bobcat, Caterpillar, and other companies that offer rental equipment, all are impacted by new credit card processing rules for rentals. equipment rentals credit card processing

While businesses expect their software, including ERP, Point of Sale, and ecommerce shopping carts to help them manage compliance with credit card acceptance rules, the reality is that many don’t. Compliance increases profits; non-compliance increases new chargeback risks, interchange fees, penalty fees and authorization declines.

Traditional desktop terminals don’t support the new transaction data requirements. If merchant is not using EMV chip device, now is the time to upgrade to a cloud-based solution and fix two problems at once. Rental merchants cannot meet both card acceptance and Payment Card Industry Data Security Standards compliance requirements using traditional paper credit card authorization forms. Cloud technology and a compliant payment gateway are needed. For example, pair the Verifone MX 915 with the CenPOS validated Point to Point Encryption (P2PE) solution and use either a standalone or integrated to ERP such as Microsoft Dynamics AX.

Key elements for compliance:

  • Initial authorization transaction must send new transaction indicator that it’s an estimate; the final amount could change for example because the renter kept it longer or damaged the equipment. This is technically managed by the payment gateway.
  • If applicable, send incremental authorizations with related indicator.
  • If storing the card, the Visa Stored Credential mandate outlines the specific requirements for agreement with customer, cardholder authentication, and procedures to use a stored card on file. For example, perform cardholder authentication with either security code or 3-D Secure. 3-D Secure can only be invoked if the customer self-pays; it shifts friendly fraud liability to the issuer and merchants can also qualify some cards for even lower interchange rates.
  • Update language in agreements for opt-in to terms and conditions as required by Visa.

Card issuers and acquirers were mandated to be compliant in 2017, and merchants by October 2017, however, there’s no mandate for payment gateways. Even if an existing payment gateway supports the new requirements, merchants must make changes. Visa is the most complex, however other brands have similar rules.

From tokenization to Express Checkout, CenPOS creates a seamless commerce experience throughout the enterprise. Innovations, including Express Checkout via text or email, help businesses maximize profit in all departments. CenPOS takes the heavy lifting out of payment acceptance offering a range of solutions that simplify every aspect of implementing, operating and maintaining a payment system enabling merchants to focus on their business. CenPOS Express Checkout via text or email includes 3-D Secure capability as part of a layered security approach.

CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships. Powered by its enterprise-class, end-to-end transaction engine, CenPOS’ secure, cloud-based solutions seamlessly integrate with a merchants existing infrastructure minimizing disruption and saving time and money. Committed to a merchant-centric approach CenPOS provides a one-to-one level of service and support, enabling merchants to focus on their core business.

Headquartered in Miami, Florida, CenPOS is reshaping the future of commerce through technology innovation and the secure, flexible and simple solutions this enables. Christine Speedy, CenPOS Global Sales, 954-942-0483.

Reference:

https://usa.visa.com/dam/VCOM/global/support-legal/documents/stored-credential-transaction-framework-vbs-10-may-17.pdf

See also core rules, especially section 5 https://usa.visa.com/dam/VCOM/download/about-visa/visa-rules-public.pdf