Card Security Code (CSC)
The three- or four-digit numeric code that is printed on a card in addition to the card number can be used as a security feature to verify the legitimacy of a cardholder during card-not-present transactions. These card-not-present transactions, typically e-commerce or mail/telephone order (MOTO) transactions, are at greater risk of stolen card transactions, so you need to be diligent in your fraud control efforts.
The major card schemes have different names for these Card Security Codes:
Visa: Card Verification Value (CVV, CVV2)
Mastercard: Card Validation Code (CVC, CVC2)
Amex and Discover: Card Identification Code/Number (CID)
JCB: Card Authentication Value (CAV, CAV2)
It is possible to apply CSC verification to all card-not-present transactions, even if a 3-D Secure authentication is performed. This acts as an additional layer of screening to minimize fraud.
Ensure that Sensitive Authentication Data (SAD) is not stored in your platform after the authorization of a transaction. This data includes:
Card Security Codes.
PIN and PIN block.
Full magnetic stripe data, as well as any equivalent data on the EMV chip or elsewhere.
Perform CSC verification
To perform a CSC verification, you must obtain the card security code from the cardholder at the time of transaction initiation and include it in the cardPaymentData.cardData.cardSecurityCode field of the create payment request. Also set cardPaymentData.cardholderVerificationMethod to "CARD_SECURITY_CODE".
The result of the security code verification performed by the card issuer is returned in the response field cardPaymentData.ecommerceData.cardSecurityCodeResult. The possible values reflecting the verification outcome are given below.
Value | Explanation | Recommended action |
---|---|---|
MATCH | Cardholder verification by means of CSC is successful. | Accept the transaction. |
MISMATCH | CSC verification failed. This can be seen as a sign of potential fraud. | Evaluate all available information and decide whether to accept the transaction or decline and investigate further. |
NOT_VERIFIED | This indicates that the CSC verification couldn't be completed due to technical issues. | |
CARD_HAS_CARD_SECURITY_CODE | This can be returned when the CSC is expected by an issuer but the data isn't provided in the request. | Re-attempt the authorization by providing cardSecurityCode in the authorization request. |
Using the card security code result allows you to make an informed decision before completing a card-not-present transaction and potentially reduces fraud. Please take it into account along with the authorization response when deciding your next course of action.
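One way to wire the request fields, the result values and the SAD storage rule described above into code; this is an added example, not the payment platform's own code. The action names, the `authorized` flag and the treatment of NOT_VERIFIED and unknown values as manual review are assumptions of this example.

```python
import copy
import re

# Mirrors the "Recommended action" column. The action names are this example's
# own; REVIEW for NOT_VERIFIED and for unknown values is an assumption.
ACTIONS = {
    "MATCH": "ACCEPT",
    "MISMATCH": "REVIEW",
    "NOT_VERIFIED": "REVIEW",
}

def attach_csc(request, csc):
    """Return a copy of a create payment request with the CSC fields set."""
    if not isinstance(csc, str) or not re.fullmatch(r"[0-9]{3,4}", csc):
        raise ValueError("CSC must be a three or four digit string")
    req = copy.deepcopy(request)
    card_payment = req.setdefault("cardPaymentData", {})
    card_payment.setdefault("cardData", {})["cardSecurityCode"] = csc
    card_payment["cardholderVerificationMethod"] = "CARD_SECURITY_CODE"
    return req

def strip_sad(request):
    """Return a copy that is safe to persist or log: the CSC is removed."""
    req = copy.deepcopy(request)
    req.get("cardPaymentData", {}).get("cardData", {}).pop("cardSecurityCode", None)
    return req

def next_action(response, authorized):
    """Combine the issuer's CSC result with the authorization outcome.

    `authorized` is a bool the caller derives from the authorization response
    (hypothetical parameter; that part of the response is not shown here).
    """
    ecommerce = response.get("cardPaymentData", {}).get("ecommerceData", {})
    result = ecommerce.get("cardSecurityCodeResult")
    if result == "CARD_HAS_CARD_SECURITY_CODE":
        return "RETRY_WITH_CSC"  # issuer expected a CSC that was not sent
    if not authorized:
        return "DECLINE"
    return ACTIONS.get(result, "REVIEW")

if __name__ == "__main__":
    # Constructed sample data, not real card or issuer values.
    sent = attach_csc({}, "123")
    print(strip_sad(sent))
    reply = {"cardPaymentData": {"ecommerceData": {"cardSecurityCodeResult": "MISMATCH"}}}
    print(next_action(reply, authorized=True))
```

Persist or log only the output of `strip_sad`, never the request that was sent for authorization.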