How do I charge someone a variable amount every 2 months without storing CVV code?

Question

We have a physical product that is shipped every 2, 3, or 4 months depending upon customer preference. In between shipments the user may elect to modify their choices.

Before anyone suggests it - I'm pretty sure a recurring billing system (such as Paypal) is not suited to our needs. For two reasons a system like Paypal's does not seem to be ideal .

• They only let you do monthly, quarterly, annually. Not every 2 or 3 months. [Paypal API document here]
• We want the customer to be able to 'ship now' if they want their products early or later than the normal schedule.
• Since its a physical product we cant split it to be a prorated monthly amount.

I think therefore we will have to rebill using the same mechanism as we do when the initial order is created - with the CC numebr and CVV2 code. But obviously we cant store the CVV2 code for PCI compliance!!

I recently came across 'BrainTrees' payment services - which allow you to create an initial transaction and retrieve a 'token' that represents that credit card number. That token is safe to store because it is useless to a thief. It helps minimize the work needed for PCI compliance.

I'm completely fine using BrainTree's solution. It seems to be perfect for what we need - yet it leaves me confused about Paypal's offering. How would I achieve what i am trying to do with any system other than BrainTree without having to store the CVV2 code ?

Answer 1

You may already know that the cvv2 is used in an avs/csc check that is done by taking the numerics from the customers address, the numerics from the post/zipcode and the numbers from the cvv2 and comparing them with known values held by the card issuer.

The result of the avs/csc check returns a three digit value which lets you know whether the address/cvv2 values match those held on file by the card issuer. The result of this check can then be used to help prevent fraudulent transactions.

Therefore a common way to tackle the issue of not being able to store the actual cvv2 code is instead to store the cvv2 result. This way you can be fairly confident that so long as the address hasnt been altered, the card is still valid. The only downside to this approach is that some acquiring banks deem that authorizations performed without a cvv2 check are insecure, and charge a higher interchange rate. You may need to discuss this with your acquirer to explain that only the first authorization is performed with cvv2 check, and subsequent ones are not.

All said though, you will find PCI compliance a lot easier if you instead use a service provider that allows you to hold token values rather than actual card numbers.

Another issue with recurring payments that I'm not sure if you've considered is the fact that over time cards will expire, be cancelled or re-issued. Visa and MasterCard both have a relatively new service called the Visa Account Updater or MasterCard Automatic Billing Updater to handle this. Its something you'd need to organise with your acquiring bank, or if you go the PSP route it will probably be handled automatically - but worth checking.

Answer 2

It's been a while since I had to do something like this... and I have only used the Verisign Payflow API. You might want to check it out.

To the best of my memory, payment gateways strongly recommend against storage of card details.

The recommended mechanism is to use the reference number from the original transaction, and then to link the new transaction to it; it must be very similar to the way Brain Tree handles it.