Card verification value no longer allowed on mail order forms
To protect consumers and the payments network from potential data compromises, Visa mandated that merchants should not include Card Verification Value (CVV2) data in authorisations for mail order transactions effective from 21 April 2017.
In 2008, as a fraud prevention measure, Visa required CVV2data to be included as part of the authorisation messages that merchants send to card issuers in Europe.
CVV code (CVV2 for Visa, CVC2 for MasterCard) is the three digit number located either on the front or back of a credit or debit card. Merchant can request the CVV code from card holders as another way to screen fraudulent transactions
CVV2 verification remains a valuable fraud prevention tool for telephone and eCommerce transactions. However, for mail orders, shoppers’ account number and CVV2 data both appear on the order form, creating a greater risk of data compromise for this type of transaction.
Effective from 21 April 2017, Visa mandated the capture and processing of CVV2 in all card-not-present transactions as follows:
- CVV2 data should not be included in authorisation requests for mail order transactions.
- This is in addition to CVV2 exemptions already permitted under the Visa rules.
- Merchants should cease to capture CVV2 data in a written format – this includes mail order forms or in another physical format.
This reduces potential for that information to be stolen and used fraudulently.