[ic] CVV2 with Interchange
Jon Jensen
interchange-users@interchange.redhat.com
Wed Jan 23 10:24:01 2002
On Wed, 23 Jan 2002, Mike Heins wrote:
> Once again, I advise against collecting CCV2, and *certainly* against
> storing it anywhere. I know quite a few merchant providers who give
> discounts for using AVS, but none that give a discount for CCV2.
>
> I know I would not fill my own in on a form; it is my protection
> against fraud. If it is not embossed on the card, it should not
> be left as an "impression" on the site.
>
> If your payment gateway includes it as a "best practice" item in their
> recommended implementation, perhaps they have a rationale in this. At
> that point, if you collect and use it in your gateway implementation, I
> would strongly recommend putting
>
> FormIgnore mv_credit_card_ccv2
>
> in catalog.cfg. That prevents it from being stored in the session,
> just like mv_credit_card_number is not stored now. It could still
> be used in the gateway module by bringing it from the $CGI reference.
Actually, since sometime in the IC 4.7.x timeframe, mv_credit_card_cvv2
has been on the list of CGI variables not to add to the session, like
mv_credit_card_number, so the above shouldn't be necessary.
Jon