
Cardholder name & Amex security code


Ulysses


Hi,

 

The 4 digit Amex security code is required for us to process Amex card payments through our merchant facility with Amex in Australia.

 

We are now adding existing client details to WHMCS, but there is nowhere to add the card Security Code, or the actual Cardholder Name - which can often be different than the account contact - especially in companies.

 

In CLIENTS PROFILE > Summary > Edit Credit Card Billing Information, there is only Card Type, Card Number and Expiry Date.

 

Where do we add Cardholder Name and card Security Code?

 

Thanks

 

EDIT: typo fixed!

Link to comment

Ouch.

 

I have a feeling AMEX will actually prohibit you from storing the CVV code anywhere online in their terms and conditions, it might be worth checking this.

 

Our gateway does not require either the name or the CVV code to process AMEX transactions.

Link to comment

We don't use third party companies to process credit card purchases as we have our own merchant facilities.

 

Without a CVV code, Amex will not process the transaction in Australia, so it has to be provided (and therefore added) somewhere.

Link to comment

We also need to store billing account details in addition to user account details. This is really needed!

 

In relation to AMEX CVV code, you may want to speak to your merchant bank about that. That just doesn't seem right. First time charges should normally be accompanied by the CVV, but not subsequent ones.

 

Which gateway are you using?

Link to comment

We have our own merchant facilities also (with Westpac), but we use a payment gateway provider (eMatters) to process these payments securely.

 

eMatters does not require this information. But if you do, then obviously this is a legitimate request, which I am sure Matt will investigate and act on if he can.

Link to comment

  • WHMCS CEO

It is illegal to store the CVV number in any database according to the VISA and MasterCard rules (and possibly other card types though I don't know for sure) so that is why it isn't currently possible to do this.

 

Matt

Link to comment

We also need to store billing account details in addition to user account details. This is really needed!

 

In relation to AMEX CVV code, you may want to speak to your merchant bank about that. That just doesn't seem right. First time charges should normally be accompanied by the CVV, but not subsequent ones.

 

Which gateway are you using?

We deal directly with Amex and it's their requirement.

Link to comment

When you say you deal directly with Amex, can you explain how you do this? Do you have a payment gateway between your site and Amex? If not, how do you process your transactions?

 

We have a merchant agreement with Amex, and we have a merchant terminal in our office (does not require CVV) and we also use a payment gateway provider to process transactions off our site through to Amex (and again we do not require the CVV)

Link to comment

When you say you deal directly with Amex, can you explain how you do this? Do you have a payment gateway between your site and Amex? If not, how do you process your transactions?

 

We have a merchant agreement with Amex, and we have a merchant terminal in our office (does not require CVV) and we also use a payment gateway provider to process transactions off our site through to Amex (and again we do not require the CVV)

After checking the client details, we enter the client provided details via phone or terminal to Amex.

 

Actually eMatters also requires CVV codes. Most any web form does.

Link to comment

It is illegal to store the CVV number in any database according to the VISA and MasterCard rules (and possibly other card types though I don't know for sure) so that is why it isn't currently possible to do this.

 

Matt

This would mean we could not accept Amex, which is silly. Amex requires this information which means we have to ask for it and the purchaser has to provide it. There are thousands of online order forms that require CVV codes. Why should this be an exception?

 

Here's the example from the third party processor that webarama uses - eMatters Credit Card Payment Form. It's not even possible to buy WHMCS without providing a CVV code!

 

If "storing" is considered a security problem, it does not have to be "stored", it can simply be transmitted via SSL to the admin email. In any event, the cards are manually processed offline directly with Amex.

 

We merely need the ability for clients to provide us with ALL their credit card details. Can't be that hard, surely.

Link to comment

  • WHMCS CEO
This would mean we could not accept Amex, which is silly. Amex requires this information which means we have to ask for it and the purchaser has to provide it. There are thousands of online order forms that require CVV codes. Why should this be an exception?

WHMCS isn't an exception. It does collect and use the CVV number on the first payment of the user as is the requirement with credit card gateways.

 

We merely need the ability for clients to provide us with ALL their credit card details. Can't be that hard, surely.

No, it's not hard to do, apart from the fact it's illegal.

 

Matt

Link to comment

Ulysses, let me see if we're talking about the same thing here...

 

When a client places an order through whmcs, they are asked for a cvv code. So your merchant gets the code, and the transaction is all fine. So from that perspective I cannot see an issue.

 

And I can confirm that with eMatters, any subsequent transactions (ie rebilling the client) we do with them DO NOT require the CVV code. So we have no need to store the CVV code. And Amex seems fine with this.

 

If you'd like to discuss it further you can call me on (03) 9725 6300 or you can call Chris Dwyer at eMatters on 1300136966 (he's a top guy and will give you some free advice regardless of your current gateway provider).

Link to comment

Dave,

 

What needs to happen is "When a client places an order through whmcs, they are asked for a cvv code. So WE (the Amex merchant) get the code".

 

In my earlier post I made a mistake. I am told they only use the Amex terminal to swipe actual cards, but that mail/phone order transactions are phoned in to a particular automated number.

Link to comment

Ahh OK, so it's a different setup to what we have then. I was assuming this was an automated system.

 

Have you spoken to AMEX about this issue? I am almost 100% sure they would not want the CVV captured in any way.

 

And again, I suggest you call Chris at eMatters. He knows everything there is to know about this stuff, and I'm sure it will be of assistance to you to speak to him.

Link to comment

  • WHMCS CEO
If it's illegal to provide CVV over the web, so then is your order form WHMCS 2CO Checkout

 

Of course it's not illegal.

Who said anything about it being illegal to enter a CVV number on the web? What is illegal is storing the CVV number that gets entered. It is fine to use it at the time of entry, check it, and then discard it which is what every online system does that asks for a CVV number.

 

Matt

Link to comment

Ahh OK, so it's a different setup to what we have then. I was assuming this was an automated system.

 

Have you spoken to AMEX about this issue? I am almost 100% sure they would not want the CVV captured in any way.

We have been an Amex merchant for more than 16 years. Believe me, our accounts people know what Amex wants from their merchants to process transactions. They want the following:

Cardholder name

Card number

CVV code

Expiry date

 

And if we don't get this information, we can't give this information. Needless to say, Amex would not ask us to provide information we were not allowed to see or was illegal in some way. They want it, and we have to give it to them.

 

The illogicality of the problem is that whereas the WHMCS order form actually includes ALL the details we need, it does not pass this information on to us for Offline Credit Card processing.

 

The automated email subject "WHMCS New Order Notification" to admin merely says:

+++++++++++++++++++

"A new order has been placed.

 

Order ID: 1

Client Name: Firstname Lastname

Product/Service: Business Plan (test.com)

 

Login to your WHMCompleteSolution System for more information"

+++++++++++++++++++

 

And in CLIENTS PROFILE > Summary > Edit Credit Card Billing Information it shows the card number as "***********1006" and does not show the CVV.

 

How can a merchant process that?

Link to comment

Who said anything about it being illegal to enter a CVV number on the web? What is illegal is storing the CVV number that gets entered. It is fine to use it at the time of entry, check it, and then discard it which is what every online system does that asks for a CVV number.

 

Matt

That's all we need. The question is how do we get it.

Link to comment

How can a merchant process that?

Well normally this information would be passed securely through your gateway provider to the bank for approval and then your bank would respond with an appropriate code indicating the success or otherwise of the transaction.

 

You seem to be wanting this CVV information to be sent to you in an email (not secure) or to be stored somewhere (not allowed).

 

But you've been doing it for 16 years, you're the expert. I will shut up now.

Link to comment

Here is the relevant page of the instructions leaflet from Amex that our accounts people use when processing purchases on American Express cards. Express Cap American Express transactions guide

 

I think this clearly and visually explains what we (as merchants) are obliged to provide American Express to process an Amex transaction.

 

This is all we need for "Offline Credit Card" processing. How can we get this from our clients via WHMCS?

Link to comment

How can we get this from our clients via WHMCS?

Simple answer - you can't.

 

They are the instructions for when you physically have the card in your hand and are manually processing the transactions.

 

It might even be the same as the flowchart for when handling a telephone order where the client is telling you those details real-time.

 

But you are *NOT* allowed to record the CVV code, so you cannot take the details online for processing later. You can't add them to a database, you can't write it down.

 

Additionally it's *extremely unlikely* that your existing Amex agreement allows you to take online orders, as Amex insist that you use a real-time gateway before they upgrade the account to ITA capable, at which point this all becomes a wasted discussion.

Link to comment

Simple answer - you can't.

 

They are the instructions for when you physically have the card in your hand and are manually processing the transactions.

I'm afraid not. Actually, they are for transactions including mail and phone when the card is not present. When the card is present, they use a terminal.

But you are *NOT* allowed to record the CVV code, so you cannot take the details online for processing later. You can't add them to a database, you can't write it down.

You probably overlooked the references to examples of web forms. Do have a look at this or this.

 

Judging from all the things you say we can't have, I think you have more than slightly expanded on what it is we actually want to achieve.

Link to comment

But you are *NOT* allowed to record the CVV code, so you cannot take the details online for processing later. You can't add them to a database, you can't write it down.

You probably overlooked the references to examples of web forms. Do have a look at this or this.

Why would I need to look at examples of processing gateways for *ONLINE* transactions rather than "storing it to process as cardholder not present" which is what you're trying and not permitted to do.

Link to comment

Why would I need to look at examples of processing gateways for *ONLINE* transactions rather than "storing it to process as cardholder not present" which is what you're trying and not permitted to do.

Clearly, you are not in the same book, let alone on the same page.

Link to comment

Yes, we have the same problem trying to use Paypal's virtual terminal as we have to enter the cvv for every transaction we process through it which unfortunately, law requires you not to store it. So the only solution, is to call your customer and get the cvv each time you run their card. BTW this is for "all" cards.

 

We had the same problem with other billing software as it simply is not legal to "store it" so how do you send it to someone who manually processes the order? The rules however do not state that it can't be transmitted. Just means that after the transaction is completed there can be no record of it?

 

On the Visa site it states "And for your added protection, merchants are prohibited from keeping or storing the CVV2 number after the transaction has been completed." So you can store it until you process the transaction?

Link to comment