Jump to content

issue number???? for credit cards???

kurbot

By kurbot
in General Discussion

 Share

Recommended Posts

sisgroup Senior Member

sisgroup

Posted
Posted

Talking of this area of the software what happand to the CCV feild many business need this if they are doing a task like putting card details into a card machine at head office commonly known as a (Customer Not Present) Transaction. But for this not only do they need the normal details that are there in WHMCS but the CCV feild is also required but its not there, Why is this so?

0
Link to comment
Share on other sites
Neil Hennigan Member

Neil Hennigan

Posted
Posted

CCV is collected and passed at checkout. It is not stored, because it is often illegal and usually unnecessary. If it has already been verified at first purchase, there's really no reason to need it again. Unless you've set your gateway to require it every time, which would be complete overkill.

 

If it's required in your billing solution, it does not need to be required at the gateway. Set your gateway only to reject transactions for which CCVs are provided but are either entered incorrectly or not verifiable. Set it to approve if not entered at all.

 

Neil

0
Link to comment
Share on other sites
  • WHMCS CEO
Matt Senior Member

Matt

Posted
  • WHMCS CEO
Posted

Not often, but always - it is illegal to ever store the CVV number in a database according to Visa & MC rules. If your merchant account requires you to enter the CVV number to submit a transaction then your merchant account does not allow you to do customer not present transactions.

 

Matt

0
Link to comment
Share on other sites
Neil Hennigan Member

Neil Hennigan

Posted
Posted

yep... I knew that it is certainly not allowed by MC/Visa.. but wasn't sure about any international differences, including any possible "rules" vs. differing legalities. Common sense would suggest that there's no difference.. but hey.. ya never know.

 

I think some people are also used to offline processing as made available in certain billing/checkout solutions.. where the information is collected and it's left up to the merchant to make sure that it is deleted and not stored. Some might get used to keeping it without ever actually having considered the fact that they aren't supposed to.

0
Link to comment
Share on other sites
sisgroup Senior Member

sisgroup

Posted
Posted

Well my buddy has this fersility at his shop and he is able to take orders for his products over teh phone but he still has to ask for the CVV to be able to process the order. If any of your have an Argos card like me and pay a bill each month then you phone thier card services department up they ask for the CVV number each time you pay your bill via a CC card? explain that. If Argos have to do it then other sure will have to

0
Link to comment
Share on other sites
Neil Hennigan Member

Neil Hennigan

Posted
Posted

There is nothing to explain - - your example is in no way whatsover relevant to WHMCS.

 

We aren't allowed to STORE CCV numbers, and WHMCS does not allow it. You can most certainly (and should) ask if someone is providing a credit card number via phone. The only rule is that you can't STORE them - - nor should you ever need to. There is absolutely no good reason for doing so.

 

Why would you need a CCV more than once? Makes no sense. You already verified the card at time of initial purchase.

 

Neil

0
Link to comment
Share on other sites
  • 2 years later...
  • 11 months later...
NetLink Member

NetLink

Posted
Posted

I'm not fully clear on the regulations on storing CVV numbers. Are you sure that CVV numbers cannot be stored at ALL, or could it be that they can be stored only until the card is authorised?

 

If you look at the Visa guidelines, you'll see the following:

 

"In certain markets, CVV2 is required to be present for all card-absent transactions."

 

My merchant bank charges a fee for all transatctions entered without a CVV number.

0
Link to comment
Share on other sites
HostOrca Senior Member

HostOrca

Posted
Posted
I'm not fully clear on the regulations on storing CVV numbers. Are you sure that CVV numbers cannot be stored at ALL, or could it be that they can be stored only until the card is authorised?

 

If you look at the Visa guidelines, you'll see the following:

 

"In certain markets, CVV2 is required to be present for all card-absent transactions."

 

My merchant bank charges a fee for all transatctions entered without a CVV number.

It is against visa/mastercard rules to store the CVV number. There is no way around it.

 

If you are caught by visa/mastercard storing CVV numbers your merchant bank will terminate your account.

0
Link to comment
Share on other sites
ocosa Member

ocosa

Posted
Posted
It is against visa/mastercard rules to store the CVV number. There is no way around it.

 

If you are caught by visa/mastercard storing CVV numbers your merchant bank will terminate your account.

 

My understanding is that if you are storing CVV numbers you will have to complete a pretty lengthy SAQ in order to be PCI-DSS compliant. Although visa/mastercard prohibits it you can but you will have to separate your web server from your database and complete around a 200 question questionnaire. You will have serious liability placed on your company.

0
Link to comment
Share on other sites
NetLink Member

NetLink

Posted
Posted
My understanding is that if you are storing CVV numbers you will have to complete a pretty lengthy SAQ in order to be PCI-DSS compliant. Although visa/mastercard prohibits it you can but you will have to separate your web server from your database and complete around a 200 question questionnaire. You will have serious liability placed on your company.

 

I think that applies for storing PANs, and other sensitive data, not the CVV code. If you store the PAN on your servers, then you'll need to complete the SAQ-D questionnaire, which, as far as I know, is the most lengthy one.

0
Link to comment
Share on other sites
ocosa Member

ocosa

Posted
Posted
I think that applies for storing PANs, and other sensitive data, not the CVV code. If you store the PAN on your servers, then you'll need to complete the SAQ-D questionnaire, which, as far as I know, is the most lengthy one.

 

This PDF from PCI will make things very clear I think. No matter how many times you read, you find something new.

 

https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

0
Link to comment
Share on other sites
HostOrca Senior Member

HostOrca

Posted
Posted
My understanding is that if you are storing CVV numbers you will have to complete a pretty lengthy SAQ in order to be PCI-DSS compliant. Although visa/mastercard prohibits it you can but you will have to separate your web server from your database and complete around a 200 question questionnaire. You will have serious liability placed on your company.

No, you are not allowed to store cvv numbers

0
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated

  I accept