[wcfields]

Could someone who deals with PCI compliance please explain some other nuances of credit cards that I've been curious about:

* Fault/Decline Codes returned from processors like CyberSource. How are these factored? How do processors do Regex on names/addresses? [1][2]

* CVV numbers and what they mean/how they are treated in the system? If CVV number is included does this increase chargeback protection?

* How CHIP cards work differently in the processing system, if at all?

* Do "knuckle-busters" (carbon copy physical imprints) follow any sort of compliance anymore?

[1] http://apps.cybersource.com/library/documentation/dev_guides... [2] http://apps.cybersource.com/library/documentation/dev_guides...

[pkteison]

1a) Varies by issuing bank. Your processor sends the transaction viaVisa & MasterCard ("network") which passes along the transaction to the issuer (a large bank), which in turn decided to approve or decline the transaction and passes back a code. Your processor may map that specific code to a more general code, which behavior will often vary per client - some clients just want to get back "Declined" while some want "Invalid expiration date". Unfortunately since decline code behavior varies -by issuer-, it's possible to get back wrong codes, so you can't trust them really. For example, you might see a Mastercard with an invalid zipcode come back as invalid expiration date, while another mastercard with an invalid zipcode comes back with invalid AVS. Then if you present "invalid expiration date" to your end user, they will be confused because the expiration date is fine. In my experience, detailed decline codes are more trouble than they're worth, the customer will have to call their bank to fix anything regardless so just tell them declined - call bank.

1b) Numbers only. See for example http://en.wikipedia.org/wiki/Address_Verification_System and understand that "street address" just means whatever numbers are there at the beginning of the address. Also understand that this is frequently incredibly low quality data, all you can really rely on is the zipcode match part, trying to do any better will result in a lot of false negatives.

2) There are multiple names for this. In the beginning, on mag stripes, CVV/CVC (name varies by network) was developed and it was a way to validate that somebody didn't build a mag stripe based on just knowing the card numbers - it's data that exists only on the mag stripe and is not printed on the card. Then, CVV2/CVC2/CID/etc was developed and it is a way to validate that somebody has seen the actual card - it is data that is printed on the card but is not in the stripe. People usually don't know about the difference and are talking about CVV2/CVC2 when they say CVV or CVC. The key thing that makes this work is that merchants are restricted from storing the CVV2/CVC2/CID data (and they already weren't supposed to store mag stripes, so CVV/CVC also), so if somebody gets a database dump of a bunch of credit cards it shouldn't have CVV2/CVC2 data in it. It also doesn't come for free from an automated skimmer because it isn't on the mag stripe. And, way back in the day, it wouldn't have been on the carbon copies because it was in flat type. So, this really does add some security to a transaction. So what it does for chargeback protection is make it more likely that you are dealing with someone who physically has the card in front of them, because that little bit of data is harder to steal than the other bits of data. It still doesn't let you win a chargeback - for that, you need a signature, which you won't have if you're doing ecommerce, so you'll lose. It just makes the chargeback less likely in the first place.

Additionally, if you are classified as doing ecommerce, some issuers will simply decline any transaction that doesn't have CVV2/CVC2. Varies by merchant category and by issuer.

3) Don't know, I processed cards in America. Debit cards when used with PIN have a completely different technology behind their security, and a completely different set of laws covering them than credit cards do, but I don't know about chip-and-pin.

4) Don't know, because Internet.

[pbreit]

Checks are typically very simple, no regex-ing involved.

First, names are not really checked.

For addresses, usually only the number (and sometimes just first three digits) are checked as well as the zip.

Generally the processor tries to decline as few txns as possible and instead deliver the information to the merchant to make a decision. The merchant can usually pre-configure error codes that it would like the processor to decline. This might be preferable to the merchant from a cost-saving standpoint as well as not needing to "void an auth" in order to free up the cardholders spendability.

The idea behind CVVs is that merchants are disallowed from storing them so they are far less likely to be included in stolen credit card databases. Thus, requiring them significantly decreases fraud risk. And, yes, many gateways/processors charge more for missing or incorrect CVVs.

It's harder to "steal" a chip card since the information is not sitting on an easy-to-read mag-stripe. It's not clear that chip cards would have avoided the Target thing since the fraudsters infiltrated the terminal software. I'm guessing more current terminals/software is simply harder to compromise. "Chip & pin", as is widely used in places such as Canada and Europe, might help a bit since you would need the PIN to shop off-line. But it would have minimal effect for online shopping since PIN is typically not requested.

The reason we still sign receipts and yes, you still see a carbon copy here and there, is mainly because it protects the merchant if the cardholder does a "chargeback". Merchants typically store the receipts and only turn them over if a chargeback is received. Showing the signed receipt to your processor will usually absolve you from any loss.

I think the above is accurate or close to.

[jonknee]

> It's harder to "steal" a chip card since the information is not sitting on an easy-to-read mag-stripe. It's not clear that chip cards would have avoided the Target thing since the fraudsters infiltrated the terminal software. I'm guessing more current terminals/software is simply harder to compromise. "Chip & pin", as is widely used in places such as Canada and Europe, might help a bit since you would need the PIN to shop off-line. But it would have minimal effect for online shopping since PIN is typically not requested.

Limiting the fraud to online only would have greatly reduced the potential damage. There was a reason why carders were making physical cards to use, it's muuuch easier to get a transaction through. Address verification and CVV (not part of Target's dump because it's not on the mag stripe and is not collected by Target) would catch anyone using a stolen number online.

[sliverstorm]

It's not clear that chip cards would have avoided the Target thing since the fraudsters infiltrated the terminal software

From my understanding, chip cards implement challenge-response. So unless the terminal is capable of placing the card in debug mode and dumping any keys, I would expect chip-and-pin would have prevented the Target breach.

(If the terminal is capable of this... well, that is a gigantic hole)

[aestra]

>The reason we still sign receipts and yes, you still see a carbon copy here and there, is mainly because it protects the merchant if the cardholder does a "chargeback". Merchants typically store the receipts and only turn them over if a chargeback is received. Showing the signed receipt to your processor will usually absolve you from any loss.

I wonder what would happen in this case if you turned in one of these?

(taken from the internet archive site apparently went down)

https://web.archive.org/web/20050317031541/http://www.zug.co...

[michaelt]

Can I piggyback on this and ask an unrelated question I'm curious about?

Let's say an online merchant gets a transaction they very strongly suspect is a stolen credit card (perhaps it's from a customer with a long history of using stolen cards) but it validates just fine. Is there any provision in the interface for merchants to ask the credit card company to perform extra fraud checks, like calling the cardholder?

[kevinconroy]

No, there are no such provisions. The card companies have their own fraud prevention/detection departments which mine transactions and look for abnormal behavior. If they spot something out of the ordinary (big purchase, foreign purchase, etc) then they will call you to validate.

[mjwhansen]

Anecdote: I used to work with donation processing, and we had a situation where we had transactions that I knew we're identity theft (email addresses were the same, IP the same, but zip, CVV, name correct, and all submitted in a short timeframe). I refunded the transactions and called the banks to report that the cards had been stolen, and the banks basically threw their hands up in the air.

[kevinconroy]

I work with donation processing. We found the same response from the banks, so we've started trying to look up the identify theft victims in the white pages and calling them. Sadly, we only get a 20% hit rate for working phone numbers and typically only get in touch with half of them.

[bigd]

Which is why, every time I travel, I end up with all the cards blocked. I hate you visa.

[vidarh]

My bank has done the same in the past, but now the offer an interface in online banking to inform them when I'm travelling.

It still annoys me though: Their fraud system keeps flagging regular transactions that I've done for similar amounts to the same companies, at the same times of month or year for years, yet when someone did two transfers of 3000 GBP each to a credit card account in a different bank that I've never dealt with before, in someone elses name, their fraud system did not trigger...

From my perspective, their blocks are nothing but a nuisance.

[yummyfajitas]

Call before you go and tell them you are traveling.

[Daniel_Newby]

Somewhere I read that such a call triggers a fraud red alert.

[csixty4]

Nope. Once the credit card company authorizes the transaction, it's entirely up to the merchant whether to fulfill the transaction and close it out, or refund the customer. The credit card companies will do nothing to assist in making this decision.

But be sure you choose correctly, because they will take the entire payment away from you if there's a chargeback.

[nandemo]

Some processors return a numeric risk score, or a ternary result (OK,Review,Denied). Then the merchant might choose to review the transaction if the risk score is above a certain threshold (or the result is Review), then cancel or capture it accordingly.

For example, merchant's staff calls the shopper. This adds some cost, but for some merchants it might save money overall since chargebacks can be very costly (even if the merchant manages to challenge and win).

[pbreit]

Can't resist a shout out for a friend's new company that makes a lot of sense: http://chargeback.com (outsourced chargeback handling).

[parfitt]

>It's harder to "steal" a chip card since the information is not sitting on an easy-to-read mag-stripe.

Well, yes. But really it's mostly the POS device sending data to the chip which then performs operations and returns a result code or a data block to the POS device.

When you enter a PIN in the POS device it is sent to the chip and it verifies that the PIN is correct. A yes/no result code is returned to the POS device.

In a POS transaction your PIN is not sent to your card issuing bank for it to verify like it is for ATM.

Instead the POS device sends about a dozen data elements about the transaction to the card which runs them through an algorithm and encrypts (maybe not encrypts but that's the best term I can think of right now) it with a key it and the issuing bank knows. The resulting hash is returned to the POS device and is sent to the bank for authorisation. The bank then performs the same algorithm and verfies the hash is valid.

I am not sure if you could literally copy a chip, but it is doing more than just storing data like you have with a mag stripe only card.

"Chip&PIN" would have zero effect for an online transaction as neither the chip or the PIN are in play.

[Bentis2k]

Since the chip verifies the PIN, is it protected against brute force cracking? I know some cards become "blocked" if a wrong PIN is presented three consecutive times. Is this a chip feature, and if so can the chips be "reset" by the bank?

[henrikschroder]

> charge more for missing or incorrect CVVs.

Wait, what? Can transactions still go through without the CVV, except the merchant's transaction fee is a bit higher? They're just not declined outright?

[pfg]

Yes. Quite a lot of merchants do not ask for CVV/CVCs (Amazon being an example).

[thomaslangston]

Yes, the CVV is not required. If you think about it, it is obvious CCV isn't since many self-serve card swipe machines (gas stations, grocery stores, fast food restaurants) don't ask you for it.

[kalleboo]

There are two CVVs: one printed on the card, one on the magstripe. So for swipe transactions they're still getting a CVV.

[pbreit]

CVV is unnecessary for offline payments because the physical card is being presented.

[msherry]

Yup -- you can authorize a card with a missing, or even incorrect, CVV.

I work at Balanced payments, and this frequently trips up a lot of people. If incorrect CVV information is entered, we note that in our response, but it's up to the user of our API to decide if they want to accept that card or not. (We also use this information as one component of many in our internal fraud systems, of course).

[dylz]

Yes. Physical transactions, card present, with chip and pin have lowest txfee.

You can run a card with only a number and exp even. No AVS at all. Just higher cost higher risk.

[notatoad]

Collecting a CVV2 code doesn't increase your chargeback protection (for merchants, there is essentially no chargeback protection. if a customer wants to issue a chargeback, you'll get a chargeback). What it does is reduce your risk profile, which is part of how your processing fees are collected. If you don't collect the CVV2 you're going to have a much higher risk profile, and will either pay a higher processing fee or else be denied the ability to process cards at all.

Chips are the same thing - it reduces the fraud risk, thus reducing your processing fees. the carbon imprint is just like a chip - physical proof that the card was present during the transaction. card-present environment is a much lower risk profile than card not present environment, the difference between the two is often a full percentage point in processing fee.

The address verification is not a regex, it's just a simple lookup. Most merchants don't actually do address verification though because it is fairly expensive.

[virtualwhys]

How do you mean address verification is fairly expensive?

Expensive in terms of lost sales (i.e. users giving up in frustration due to mismatches) or something else?

We've had AVS in place for years and get reduced fees as a result. How many people give up on payment due to AVS mismatches, however, is another matter.

[notatoad]

our payment gateway would charge us more for address verification than our merchant bank would discount us for using address verification.

[joshaidan]

The story behind the CVV is something like this:

CVV is also known as card not present number. Historically it was printed on the back of the card, or on the front using unraised type. This way, if an impression of a credit card was taken (using one of those old fashion swipe back and forth machines), the CVV number would not be included in the impression. This provided some protection for card owners, as it prevented a merchant from using the credit card number obtained from an impression to say place an order using the CC over the phone. This is why you're required (or it's recommended) that you ask for the CVV number for any transaction where the card is not present.

[dylz]

I'm confused, how does this work? There is no raised type on any of my cards whatsoever, how do you take an impression of a flat card?

[vidarh]

In the old days, before most places had machines to swipe the mag stripe, they used to take card imprints. I'm 38, and have had cards for 20 years, and I've never had anyone imprint my cards.

So these days it's not very necessary to have raised type on the cards for most people.