topic Re: Override CVV validation for CIM account in Integration and Testing

Override CVV validation for CIM account

privateuly — Thu, 04 Jul 2013 00:34:54 GMT

Hi,

Here's is one feature I would really like to have: for customer accounts that we store in CIM, allow for charges to go through without CVV code. At the moment, CVV validation is a global setting. Either you have it for all or for none. The ideal situation for us is to be able to check for CVV validity for new cards/accounts, but once we store that info in CIM we don't require CVV to process charges.

The point of CIM is to make it easy for our customers to make subsequent transactions. It takes away from this convenience if they still have to take their card out to look up their CVV on their subsequent transactions.

Can you (Authorize) please consider this feature? Thank you.

Re: Override CVV validation for CIM account

TJPride — Tue, 09 Jul 2013 01:15:18 GMT

I would like this as well. Makes no sense to require CVV after the initial check.

Re: Override CVV validation for CIM account

RichardH — Wed, 10 Jul 2013 18:46:48 GMT

Thank you privateuly and TJpride for your feedback.

I've passed your suggestion on to our product team for consideration in a future release.

Richard

Re: Override CVV validation for CIM account

privateuly — Thu, 11 Jul 2013 02:17:41 GMT

Thank you Richard. Hope to see this feature in the product.

Re: Override CVV validation for CIM account

murraymcnicol — Mon, 24 Oct 2016 15:15:10 GMT

Hi Richard,

This is a real problem for us - our platform allows caterers to use the CIM to process payments from regular customers.

However, if the caterer wants to use CVV for new/customers without saved cards then he needs to contact the Customer to obtain the CVV for the CIM transactions. This is impractical for high activity/low transaction values as well as an inconvenience to the customer.

Given this conversation was 3 years ago, I'm assuming you're not planning to change as per the suggestion, above?

Is there any way around this?

Re: Override CVV validation for CIM account

RichardH — Mon, 24 Oct 2016 18:08:48 GMT

Hello @murraymcnicol

One possible solution is turning off requiring CVV in the Merchant Interfaceuse and use the new Accept Customer hosted forms with set hostedProfileCardCodeRequired as True.

However, we would strongly recommend discussing this change with your merchant account provider before making any change so you understand possible implications.

Richard

Re: Override CVV validation for CIM account

ngobo413 — Tue, 06 Feb 2018 04:44:05 GMT

Has there been a better workaround or solution for this yet? It has been 5 years.

Re: Override CVV validation for CIM account

mmcguire — Tue, 06 Feb 2018 23:01:34 GMT

Can you help me understand your workflow? CVV is not a required field and the card validation is optional. The answer to your question may depend on how profiles are entered into the Authorize.Net system.

Re: Override CVV validation for CIM account

krobson — Sat, 24 Feb 2018 19:25:04 GMT

I have the same requirement.

We run lots of online card not present sales transactions and want CVV to be required to protect against fraud.

In our case, if customer chooses to save card info in CIM, we don't mind making them enter CVV again when charging to the saved card, althoug ideally, we would let them run charges without it.

But when a customer chooses a multiple payments option for an invoice, we want our merchant to be able to run the saved card, without knowing the CVV. So we'd like a way to send the transaction request with a flag to indicate that we want to skip the CVV check in that case.

This is similar to the caterer use case to allow the merchant to run the saved card to pay for a customer invoice.

So is there any way to do this short of saving the CVV codes in our own database, which defeats the purpose of CIM (for reduced PCI scope)?

Or does auth.net recommed we dump CIM and store all card info ourselves for such cases?

Or, can we flip it around and turn OFF CVV validation for the whole merchant account and then have an override to turn it back on for online end customer entered CNP transactions?

Re: Override CVV validation for CIM account

RichardH — Sun, 25 Feb 2018 17:56:44 GMT

@krobson

When the customer enter their card data the first time, are you using your own form or an Authorize.Net Accept solution?

Also, I should mention it is strictly prohibited by PCI DSS to save a CVV number.

Richard

Re: Override CVV validation for CIM account

krobson — Sun, 25 Feb 2018 18:31:11 GMT

I am just building the CIM solution now and running into the problem I described. We are not using the accept solution yet but I don't see how that makes any difference here.

I played around in the sandbox for hours yesterday trying to figure out how to make CVV required for normal online sales transactions, but not required when paying from a saved payment profile.

First of all, the createCustomerProfileTransaction API request seems to require the cardCode element no matter what, whether non matching CVV triggers a decline or not. I changed my settings both ways on the account and either way, without a cardCode element, I get an error. And a blank value also always returns an error. And a space value returns some invalid data type error.

Further, from the merchant console, when I try to charge the card from the payment profile, it also requires CVV, even with all CVV filters turned off or set to accept txn even on mismatch.

So - what is the point of CIM? If you can't save CVV due to PCI rules and have to get the card code from the customer for every transaction, you might as well have them also tell you the card number and everything else. I guess it's only useful to present save cards to the customer on the payment page and let them enter just CVV to run the charge. But the merchant cannot run a charge against a saved customer card without contacting them for the CVV I guess. Do I have this right?

The main objective of this project was to allow customers to pay large invoices in installments where they authorize us to run the payments on a schedule after customer enters all the card info for the initial payment (and then we save it in CIM). So is there any way to do this without having to contact the customer again for the CVV which defeats the purpose? It seems that even if CVV is not required for regular online transactions, the CIM transaction API still requires it.

Any advice greatly appreciated. This is becoming a giant time sink for me here.

Re: Override CVV validation for CIM account

krobson — Tue, 27 Feb 2018 15:33:02 GMT

ok, I finally figured this out.

The problem was that in my settings for Payment Form / Form Fields, I had the CVV field set to required.

I found another post in the forums here which explained that this setting applies not just to the hosted payment form but to API's as well.

So after unchecking the required checkbox, I was able to submit a transaction to charge a payment profile WITHOUT including CCV code, even though my CCV filters are on and I have the Does Not Match (N) result set to DECLINE.

The transaction was approved with cvvResultCode = P, which means NOT PROCESSED. I do have my filters set to allow reslut code P.

So it looks like I can accomplish what I want here - to require security codes for some transactions and not others. Whew! That took 4 days of research to figure out. I hope this post will save some time.

Re: Override CVV validation for CIM account

Akhack — Tue, 10 Dec 2024 16:44:57 GMT

When you have the card code required on the createCustomerPaymentProfile hosted page but NOT required for every transaction, is it validated initially? The answer seems to be no, as in our testing we can submit a CCV that gives cvvResultCode = P, but it still goes ahead and makes the payment profile and says the validation transaction was successful. So how are we supposed to validate the CVV for CIM?