[ratww]

Yeah, great point. There's lots of assumptions here from American posters.

This depends heavily on the country where the processing is being made and in the bank that issued the card to the customer. The data is (in the cases I saw) passed down to the card issuer via an API and the issuer gets to decide what to do.

In Europe for example, CVV seems to be required, except when the merchant requests an exception, or when a pre-auth token is used. In Brazil I've had my card rejected because of a typo in my name, although "forgetting" the middle name was alright.

It's not as clear cut and as insecure as in America or as people are making it seem here.