Effective April 14, 2018, Visa card issuers are no longer able to chargeback a transaction if the original authorization was approved but included a CVV2 mismatch response. Let’s look at this in simple terms and understand its implications on merchants and issuer banks.
The CVV2 or Card Verification Value is a 3 digit number located at the back of a Visa card and is separate from the main credit card number itself. It is a secure number that protects merchants from fraudulent transactions in card-not-present situations, including over the phone (MOTO) or online. It serves as proof of possession of the card by the customer, especially since Visa strictly prohibits merchants from storing CVV2 numbers as a part of the customer’s data.
CVV2 numbers come into play when the customer first enters their credit card details. The issuer bank verifies the card details and ensures the customer’s account has the amount needed to make the purchase. Once the verification is completed, the issuing bank ‘authorizes’ the transaction.
Next, the authorization (along with the CVV2 code) are sent to the payment gateway. At this point, the CVV2 code entered by the customer is “matched” with the correct CVV2 code and a response is generated.
These are the response codes:
M – If the codes match
N – No match
P – Not processed; the code was not validated.
S – Should be on card but not indicated; customer left the field blank
U – Issuer does not participate in the CVV2 program
The payment is captured by the gateway if the codes match.
Now, imagine a situation in which the customer complains they have been billed for a transaction that wasn’t done by them. The merchant checks their records and notices that the same transaction was declined at their end. This essentially means that the transaction was ‘authorized’ by the issuer bank but was ultimately declined once there was a CVV2 code mismatch.
Regardless, a chargeback is issued to the merchant. The merchant then looks at the response code to determine whether the customer was in possession of the card for this transaction. If the response received is ‘N’ or a ‘No match’, the merchant seeks protection from the chargeback.
With the new rules implemented by Visa, the issuer can no longer issue a chargeback to the merchant in a situation where the payment has been authorised but the CVV2 code has mismatched.
Key takeaway: As a result, this change will likely lead to an increase in the number of authorization rejections when the CVV2 provided is incorrect, as issuers will take more measures to protect themselves.
If you’re a merchant, please be reminded that the CVV2 should always be used as part of your fraud prevention measures for one-time, card-not-present transactions and continue to capture the correct CVV2 to help ensure that the used card is in the cardholder’s possession.
Learn more about Payscout’s e-commerce solutions and how we help keep our merchants safe and secure: www.payscout.com/eCommerce