Card Verification Value (CVV/CV2) is the three (or four) digits on the back of a payment card. It was introduced to reduce fraud on customer not present (ECOM and MOTO) transactions by Mastercard and Visa in 2001.
Your log in to the Caterpay MMS (under Preferences > AVS/CV2 Checks) allows you to configure your settings to Accept or Decline cards in situations where the CVV provided by the cardholder:
- Is partially matched
- Does not match at all
- Is not provided, so can't be checked
- Is a card where there is no known recorded CVV for that card (some overseas cards)
It's important to understand that any card processed without matching CVV data is viewed by your acquirer as an "Insecure" transaction, and they may well charge a higher processing fee for these, typically an additional 0.5% on top of your agreed rate.
So for a debit card where you are paying 0.8%, this would result in a rate of 1.3% for debit cards with no matched CVV.
Implications for OTA bookings.
Some OTA's have opt-in promotions, where same-day or next-day bookings can sometimes be taken on their site without CVV. So, if you opt-in to these, you would need to ensure that you set MMS to "Accept" cards where CVV is not provided (Not Checked), but understand you are likely to be paying an additional 0.5% in card fees to process these.
In the event these insecure transactions without CVV result in a chargeback, you are less likely to be successful in challenging the chargeback, potentially resulting in lost revenue.
Retrying an OTA guest's card after a declined response.
When we import OTA bookings, we use a secure tokenisation service to swap out the card details in the booking confirmation. Then, when you're ready to verify or charge that card, we present the token back to the proxy, who forward the original card details to the gateway for charging.
After an initial attempt is made to process the token, the CVV is purged from the proxy for security and cannot be presented again, so any subsequent attempts to charge the card are processed without CVV.
So a card which initially declines charging or verification because the CVV does not match, will either fail again (if "Not Checked" is set to "Reject"), or will be processed insecurely (but possibly successfully) without the CVV (if "Not Checked" is set to "Accept").