[ic] CVV2 with Interchange
Mike Heins
interchange-users@interchange.redhat.com
Wed Jan 23 07:50:01 2002
Quoting AddAction New Media (info@addaction.com):
> Many payment gateways like Authorize.net allow the use of CCV2. You can
> choose to use it or not. If you do, the CCV code will be checked and the
> transaction is declined if the check fails.
I think this is included in the payment gateways so that the merchant
can have a local console for customer service.
Once again, I advise against collecting CCV2, and *certainly* against
storing it anywhere. I know quite a few merchant providers who give
discounts for using AVS, but none that give a discount for CCV2.
I know I would not fill my own in on a form; it is my protection
against fraud. If it is not embossed on the card, it should not
be left as an "impression" on the site.
If your payment gateway includes it as a "best practice" item in their
recommended implementation, perhaps they have a rationale in this. At
that point, if you collect and use it in your gateway implementation, I
would strongly recommend putting
FormIgnore mv_credit_card_ccv2
in catalog.cfg. That prevents it from being stored in the session,
just like mv_credit_card_number is not stored now. It could still
be used in the gateway module by bringing it from the $CGI reference.
--
Red Hat, Inc., 3005 Nichols Rd., Hamilton, OH 45013
phone +1.513.523.7621 <mheins@redhat.com>
Friends don't let friends use Outlook. -- Bob Blaylock