Portico Developer Guide
Card Security Code (CVV2, CVC2, CID)
The Card Security Code (CSC), which is also known as a Card Verification Value (CVV), enhances fraud protection for transactions in order to qualify for the proper interchange rates. It helps to validate the following two things:
The following table describes how each credit card association implements CSC protection:
| Card Brand | CSC Name | CSC Location |
|---|---|---|
| Visa | Card Verification Value | 3-digit number printed in the signature space on the back of the card. |
| Mastercard | Card Validation Code | 3-digit number printed in the signature space on the back of the card. |
| American Express | Cardholder Identification | 4-digit number on the front of the card. It is printed, not embossed like the card number. |
| Discover | Card Identification Number | 3-digit number printed in the signature space on the back of the card. |
CSC protection takes place when a transaction is being processed and the card is not present. For example, when a cardholder makes a purchase over the telephone or on the Internet. The merchant asks the cardholder to read the CSC code from the card. The merchant adds this code to the transaction being sent to Portico. Entering CSC information along with Address Verification Service (AVS) should result in fewer chargebacks and lower Interchange rates.
CSC is strongly encouraged. Visa requires the CVV security code for all keyed and card not present transactions. Discover Card charges a fee for each keyed transaction if CSC is not present at the time of authorization.
Some Issuers may decline the sale if the CSC code does not match what is on file for the cardholder. Others may approve the transaction. If the transaction is approved, the merchant needs to make a decision to go forward with the sale based upon the CSC response. It is strongly recommended that the merchant ask the cardholder for another form of payment if the CSC code does not match ("N" response).
CSC protects the merchant against chargebacks if the response code is returned as a match and later the transaction is found to be fraudulent.
Retaining, archiving, storing, recording, or copying the Card Security Code is strictly prohibited.
The following are the possible CSC response codes returned by Portico:
| Value | Description |
|---|---|
| M | CVV Match |
| N | CVV No Match |
| P | Not Processed |
| S | Should Have Been Present |
| U | Issuer is not certified and/or Issuer has not provided Visa with the CVV2 encryption keys |
| 0 | CVV not requested |
In rare cases, the CSC value is not available. When this occurs, the CVV2Status field should be sent indicating that the value is either Illegible or Not Present on the card.
The following are the possible CSC response codes returned by Portico:
| Value | Description |
|---|---|
| ILLEGIBLE | The value is present but is not readable. |
| NOTPRESENT | Can be used in cases where the value is not present or imprinted on the card for instance. |
When present in the transaction request but null, this field defaults to NOTPRESENT. If the field does not apply to the transaction request, do not send the CVV2Status field in the transaction request.