Users - Credit card security code

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Users - Credit card security code

cjhowe
While it's never wise to follow someone else's policy
without investigating it first, my SBC/Yahoo DSL
account is paid every month by credit card
automatically and they store my CVV number for this
recurring transaction

============ David Jones wrote:

Yes, this is considered _very_ sensitive. Storing it
is actually not  
allowed outside of the scope of a single transaction.
So no, I don't  
think you can use it for recurring payment.

-David


On Feb 27, 2006, at 12:27 PM, Vinay Agarwal wrote:

> Is the storage of securityCode (the 3-4 digit number
either on back  
> or front
> of the card) more sensitive than the credit card
number itself? If  
> so, would
> automatic billing be done without the security code?
>
> Regards,
> Vinay Agarwal
>
> -----Original Message-----
> From: users-bounces at lists.ofbiz.org
[mailto:users-
> bounces at lists.ofbiz.org]
> On Behalf Of David E. Jones
> Sent: Monday, February 27, 2006 10:51 AM
> To: OFBiz Users / Usage Discussion
> Subject: Re: [OFBiz] Users - Credit card security
code
>
>
> Perhaps... but this is something that needs to be
closely guarded.
> Once an authorization is done (succeed or fail) the
securityCode
> needs to be auto-cleared. This is enough of an issue
with credit card
> providers that we should put any of it in until all
of it is in...
>
> -David
>
>
> On Feb 27, 2006, at 11:09 AM, Vinay Agarwal wrote:
>
>> Would it be OK to add optional securityCode (type
id) to the
>> CreditCard entity and the corresponding
createCreditCard?

>>
>>
>> Regards,
>>
>> Vinay Agarwal
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.ofbiz.org
>> http://lists.ofbiz.org/mailman/listinfo/users
>
>
> _______________________________________________
> Users mailing list
> Users at lists.ofbiz.org
> http://lists.ofbiz.org/mailman/listinfo/users
>
> _______________________________________________
> Users mailing list
> Users at lists.ofbiz.org
> http://lists.ofbiz.org/mailman/listinfo/users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2466 bytes
Desc: not available
Url : http://lists.ofbiz.org/pipermail/users/attachments/20060227/8dc287bc/smime-0001.bin
 
_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Users - Credit card security code

Sterling Okura
The storing of CVV2 number (security code) is forbidden by merchant account
agreements.  The purpose of the CVV2 is to demonstrate that the card is in
the hand of the customer, which means reduced risk (affecting approval and
merchant account rates).  Storing the code defeats this purpose and I
believe VISA will charges fines or terminate the agreement of any merchants
caught violating this rule.

Chances are that the DSL account used the code for the initial charge as
extra "insurance" that your card was legit, then just used the card # and
exp. date for further recurring charges.

BBB Online has some info on CVV2 (more geared towards consumers, but might
be helpful).  Your contract w/ your merchant account provider should provide
more info.

http://www.bbbonline.org/eExport/doc/MerchantGuide_cvv2.pdf

Warm regards,
sterling

-----Original Message-----
From: Chris Howe [mailto:[hidden email]]
Sent: Monday, February 27, 2006 4:06 PM
To: [hidden email]
Subject: [OFBiz] Users - Credit card security code

While it's never wise to follow someone else's policy
without investigating it first, my SBC/Yahoo DSL
account is paid every month by credit card
automatically and they store my CVV number for this
recurring transaction

============ David Jones wrote:

Yes, this is considered _very_ sensitive. Storing it
is actually not  
allowed outside of the scope of a single transaction.
So no, I don't  
think you can use it for recurring payment.

-David


On Feb 27, 2006, at 12:27 PM, Vinay Agarwal wrote:

> Is the storage of securityCode (the 3-4 digit number
either on back  
> or front
> of the card) more sensitive than the credit card
number itself? If  
> so, would
> automatic billing be done without the security code?
>
> Regards,
> Vinay Agarwal
>
> -----Original Message-----
> From: users-bounces at lists.ofbiz.org
[mailto:users-
> bounces at lists.ofbiz.org]
> On Behalf Of David E. Jones
> Sent: Monday, February 27, 2006 10:51 AM
> To: OFBiz Users / Usage Discussion
> Subject: Re: [OFBiz] Users - Credit card security
code
>
>
> Perhaps... but this is something that needs to be
closely guarded.
> Once an authorization is done (succeed or fail) the
securityCode
> needs to be auto-cleared. This is enough of an issue
with credit card
> providers that we should put any of it in until all
of it is in...
>
> -David
>
>
> On Feb 27, 2006, at 11:09 AM, Vinay Agarwal wrote:
>
>> Would it be OK to add optional securityCode (type
id) to the
>> CreditCard entity and the corresponding
createCreditCard?

>>
>>
>> Regards,
>>
>> Vinay Agarwal
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.ofbiz.org
>> http://lists.ofbiz.org/mailman/listinfo/users
>
>
> _______________________________________________
> Users mailing list
> Users at lists.ofbiz.org
> http://lists.ofbiz.org/mailman/listinfo/users
>
> _______________________________________________
> Users mailing list
> Users at lists.ofbiz.org
> http://lists.ofbiz.org/mailman/listinfo/users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2466 bytes
Desc: not available
Url :
http://lists.ofbiz.org/pipermail/users/attachments/20060227/8dc287bc/smime-0
001.bin
 
_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users


 
_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Users - Credit card security code

Andrew Sykes
Sterling,

I know of at least one company who are definitely storing my CVV in
order to take monthly payments.

How would they do this without storing the CVV?
--
Kind Regards
Andrew Sykes <[hidden email]>
Sykes Development Ltd
http://www.sykesdevelopment.com

 
_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Users - Credit card security code

BJ Freeman
The important point, is it can cause the company large fines.
and anyone that programs that into a system, is opening themselves to
suites.
Those that do it, does not make it right.

Andrew Sykes sent the following on 2/28/06 4:22 AM:
> Sterling,
>
> I know of at least one company who are definitely storing my CVV in
> order to take monthly payments.
>
> How would they do this without storing the CVV?
 
_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Users - Credit card security code

Andrew Sykes
BJ,

You misunderstand, I'm not arguing the validity of the approach. In fact
I'd agree completely with your comments and hope that they are a
cautionary note to anyone considering this route.

But if a company is being asked for the CVV in order to take a monthly
payment, what should their approach be?
--
Kind Regards
Andrew Sykes <[hidden email]>
Sykes Development Ltd
http://www.sykesdevelopment.com

 
_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Users - Credit card security code

BJ Freeman
My experience, is most merchants accounts do not require the CVV and
will do transactions with CC#, Expire date, and zipcode. or Complete
address.

However some Merchant accounts do Get a better percentage on
transactions if CVV is provided.

So I would say the first transaction use the CVV to validate that the
person using the CC# has the card in hand. After that use the  CC#,
Expire date, and address. this would give you the AV status.

At least that is the way I have programmed.

BTW. Please turn on the ability to have the previous responses included.
it is easier to follow the conversation.


Andrew Sykes sent the following on 2/28/06 5:08 AM:
> BJ,
>
> You misunderstand, I'm not arguing the validity of the approach. In fact
> I'd agree completely with your comments and hope that they are a
> cautionary note to anyone considering this route.
>
> But if a company is being asked for the CVV in order to take a monthly
> payment, what should their approach be?
 
_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Users - Credit card security code

Joe Eckard
In reply to this post by Andrew Sykes
Some payment processors have periodic billing options built into their
APIs, which can vary in the amount of communication needed.

In some cases, you submit the card details once along with a billing
frequency and total number of payments and they handle the rest. (Any
errors are sent via email notifications or can be queried via the API)

In others, you need to submit a new transaction for each billing, but
only include the card details on the first transaction. For each
subsequent transaction, you just need to reference the original
transaction and note that it is a recurring payment.

-Joe

On Feb 28, 2006, at 7:22 AM, Andrew Sykes wrote:

> Sterling,
>
> I know of at least one company who are definitely storing my CVV in
> order to take monthly payments.
>
> How would they do this without storing the CVV?
> --
> Kind Regards
> Andrew Sykes <[hidden email]>
> Sykes Development Ltd
> http://www.sykesdevelopment.com
>
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.ofbiz.org/mailman/listinfo/users

 
_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users