Overview
The credit card security code (CVV, CVC, or CID) is required for web or phone-based transactions, and cannot be stored after authorization as it is considered Sensitive Authentication Data (SAD) under PCI security standards.
TravelJoy provides access to the code for a brief period and automatically removes it within 60 days of collection (for credit card authorization forms) or 7 days from the final payment due date (for supplier invoices). The code can be recaptured by sending a credit card authorization form or by reverting the authorized payment to unpaid and resending the invoice to the client.
- What is it?
- What are the rules?
- How does this apply to me or my clients?
- How can I recapture the security code when needed?
What is it?
The credit card security code, also known as a CVV, CVC, or CID, consists of a three-digit number on the back of most credit cards or a four-digit code on the front of others. It is often required to process payments when the card is not present, such as web-based or phone-based transactions.
What are the rules?
This code is considered Sensitive Authentication Data (SAD) under PCI security standards, and therefore cannot be stored after authorization.
According to the PCI Security Standards Council:
PCI DSS does not prohibit the collection of card verification codes/values prior to authorization of a specific purchase or transaction. However, it is not permitted to retain card verification codes/values once the specific purchase or transaction for which it was collected has been authorized. Some service providers offer a concierge-style service, where cardholder details are retained by the provider to facilitate potential future transactions. Retention of card verification codes/values for this purpose is also prohibited under PCI DSS Requirement 3.2.
All card verification codes/values must be completely removed from the entity’s systems in order to comply with Requirement 3.2.
How does this apply to me or my clients?
When a security code is collected as part of a signed authorization in TravelJoy, we provide access for a brief period to facilitate the transaction(s) for which the code was collected. This period will not exceed sixty (60) days from the date of collection (for credit card authorization forms) or seven (7) days from the final payment due date (for supplier invoices).
If you complete all transactions before this automatic removal, you should remove the security code from the client's profile by clicking the trash can icon next to the security code.
How can I recapture the security code when needed?
When the code is not on file, the client will automatically be prompted for it the next time they authorize a payment on that card.
If the code expired before you had a chance to pay the supplier, you can recapture it using one of the following two methods:
- Credit card authorization form: Send the client a credit card authorization form and ask them to reauthorize the payment using the same card.
- Supplier invoice: Revert the authorized payment back to "unpaid" (see guide and video here), then resend the invoice to the client so that they can reauthorize using the same card.
Comments
1 comment
THIS IS NOT ANSWERING THE QUESTION