This is a great question. Should non-profits have a field on their mail order donor response cards? Reading the 2011 Visa Card Acceptance Guidelines for Visa Merchants, it’s still open to interpretation as to whether to ask for CVV on mailings. Here’s the official excerpts:
General Card-Absent Transaction Procedures
Pg 46 “Always ensure that, at a minimum, you collect the following details from your customer:
- The card account number
- The name as it appears on the card
- The card expiration date as it appears on the card
- The cardholder’s statement address”
Pg 46 “If you are taking an order through the mail or via a fax:
- Obtain a signature on the order form .
- Always retain a copy of the written order .
- Get proof of delivery”
Pg 48 “A cardholder’s CVV2 may never be stored as a part of order information or customer data . The storage of CVV2 is strictly prohibited subsequent to authorization.”
“An initial, or set-up, recurring transaction should be processed the same as any MO/TO or Internet transaction . If set up by mail or telephone, you should submit both AVS* and CVV2** queries with the authorization.
The sales receipt for an initial recurring transaction must include the following information:
- The phrase “recurring transaction.
- The frequency of the charges.
- The period of time the cardholder has agreed to for the charges.”
* In certain markets, CVV2 is required to be present for all card-absent transactions . ** In some markets, if the transaction is approved, but the CVV2 response is a no match, the merchant is protected against fraud chargebacks.
In summary, the merchant can leave the CVV off and reduce risk, but should use the correct indicator for authorizations, “You have chosen not to submit CVV2.”
If the merchant has a history of mail order fraud, then the merchant may want to collect the CVV2 using a lockbox service to reduce risk. If the merchant is retaining response cards, then the response card should be designed so that the CVV can easily be detached after the initial authorization, and securely shredded. If the response card is scanned, the fields with sensitive data cannot be scanned.
Please note PCI DSS compliance rules always take precedence over individual card network rules.
See also, new 2011 card absent receipt requirements.