How do I charge someone a variable amount every 2 months without storing CVV code?

We have a physical product that is shipped every 2, 3, or 4 months depending upon customer preference. In between shipments the user may elect to modify their choices.

Before anyone suggests it - I'm pretty sure a recurring billing system (such as Paypal) is not suited to our needs. For two reasons a system like Paypal's does not seem to be ideal.

  • They only let you do monthly, quarterly, annually. Not every 2 or 3 months. [Paypal API document here]
  • We want the customer to be able to 'ship now' if they want their products early or later than the normal schedule.
  • Since it's a physical product we can't split it to be a prorated monthly amount.

I think therefore we will have to rebill using the same mechanism as we do when the initial order is created - with the CC number and CVV2 code. But obviously we can't store the CVV2 code for PCI compliance!!

I recently came across Braintree's payment services - which allow you to create an initial transaction and retrieve a 'token' that represents that credit card number. That token is safe to store because it is useless to a thief. It helps minimize the work needed for PCI compliance.

I'm completely fine using Braintree's solution. It seems to be perfect for what we need - yet it leaves me confused about Paypal's offering. How would I achieve what I am trying to do with any system other than Braintree without having to store the CVV2 code?

Simon_Weaver asked Aug 10 '09 05:08




2 Answers

You may already know that the cvv2 is used in an avs/csc check that is done by taking the numerics from the customer's address, the numerics from the post/zipcode and the numbers from the cvv2 and comparing them with known values held by the card issuer.

The result of the avs/csc check returns a three digit value which lets you know whether the address/cvv2 values match those held on file by the card issuer. The result of this check can then be used to help prevent fraudulent transactions.

Therefore a common way to tackle the issue of not being able to store the actual cvv2 code is instead to store the cvv2 result. This way you can be fairly confident that so long as the address hasn't been altered, the card is still valid. The only downside to this approach is that some acquiring banks deem that authorizations performed without a cvv2 check are insecure, and charge a higher interchange rate. You may need to discuss this with your acquirer to explain that only the first authorization is performed with cvv2 check, and subsequent ones are not.

All said though, you will find PCI compliance a lot easier if you instead use a service provider that allows you to hold token values rather than actual card numbers.

Another issue with recurring payments that I'm not sure if you've considered is the fact that over time cards will expire, be cancelled or re-issued. Visa and MasterCard both have a relatively new service called the Visa Account Updater or MasterCard Automatic Billing Updater to handle this. It's something you'd need to organise with your acquiring bank, or if you go the PSP route it will probably be handled automatically - but worth checking.

PaulG answered Oct 05 '22 03:10
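An added example (not code from the question or either answer) of the token-based flow described in the answer above: the first authorization is the only call that ever sees the CVV2, the merchant persists the gateway token and the CSC result code rather than the CVV2 itself, and later shipments (every 2, 3 or 4 months, or on a 'ship now' request) are charged for a variable amount against the token. The two gateway functions are stubs standing in for a real PSP such as Braintree or Payflow.

```python
"""Card-on-file rebilling that never stores the CVV2: the merchant keeps only a
gateway token, last four, expiry and the result code of the original CVV2 check."""
from dataclasses import dataclass
from datetime import date
import secrets

def gateway_authorize(pan: str, cvv: str, amount_cents: int) -> dict:
    """Stub for the first, CVV-checked auth: returns a storable token + CSC result."""
    return {"token": "tok_" + secrets.token_hex(8), "csc_result": "M", "amount": amount_cents}

def gateway_charge_token(token: str, amount_cents: int) -> dict:
    """Stub for a later card-on-file charge: token and amount only, no CVV."""
    if not token.startswith("tok_"):
        raise ValueError("unknown token")
    return {"approved": True, "amount": amount_cents}

@dataclass
class StoredCard:
    token: str            # gateway reference; useless to a thief
    last4: str
    exp_month: int
    exp_year: int
    csc_result: str       # result of the original check, not the CVV2 itself
    interval_months: int  # 2, 3 or 4, per customer preference

FORBIDDEN = {"pan", "cvv", "cvv2", "csc"}

def persist(card: StoredCard) -> dict:
    """Row for the merchant database; refuses any field that would be card data."""
    row = vars(card)
    if FORBIDDEN & set(row):
        raise ValueError("would store cardholder data")
    return row

def create_initial_order(pan, exp_month, exp_year, cvv, amount_cents, interval_months):
    auth = gateway_authorize(pan, cvv, amount_cents)  # the only call that sees the CVV
    card = StoredCard(auth["token"], pan[-4:], exp_month, exp_year,
                      auth["csc_result"], interval_months)
    return persist(card)

def rebill(row: dict, amount_cents: int, last_ship: str, today: str, ship_now=False) -> dict:
    """Charge a variable amount via the token when due, or on a 'ship now' request."""
    last, now = date.fromisoformat(last_ship), date.fromisoformat(today)
    if (row["exp_year"], row["exp_month"]) < (now.year, now.month):
        return {"approved": False, "reason": "card expired; needs updater or new card"}
    elapsed = (now.year - last.year) * 12 + now.month - last.month
    if not ship_now and elapsed < row["interval_months"]:
        return {"approved": False, "reason": "not due"}
    return gateway_charge_token(row["token"], amount_cents)
```

The expiry check is where the Account Updater / Automatic Billing Updater result would be applied before the next charge.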


It's been a while since I had to do something like this... and I have only used the Verisign Payflow API. You might want to check it out.

To the best of my memory, payment gateways strongly recommend against storage of card details.

The recommended mechanism is to use the reference number from the original transaction, and then to link the new transaction to it; it must be very similar to the way Braintree handles it.

Everyone answered Oct 05 '22 02:10