Braintree Payment Solutions


About this blog

My name is Bryan Johnson and I am the founder and CEO of Braintree. I maintain this blog because payment processing is one of the most difficult components for businesses to manage. It is complex and can pose some significant security, strategic and technical challenges. I try to educate, inform, share my insights and answer questions to help users make better decisions. I've been in the industry for a while now, getting my start in the trenches selling door to door. If you need a resource I am happy to chat.

Creative Commons License
This work is licensed under a Creative Commons License.



Archive for the “Visa and MasterCard” Category


Credit card validation

May 19th, 2008

In a card-not-present environment, there are two levels of credit card validation. The first is the Luhn algorithm, also known as a ‘mod 10’ check. The Luhn algorithm will validate the number of characters for a particular card type. It doesn’t perform any other type of validation. I’d say almost all payment processing systems have this in place as a standard offering.

If merchants want to further validate the card, they can send an authorization request to the issuing bank for 1) address verification (AVS) and 2) CVV2, the three or four digit code on the card. When the auth is submitted, the bank will respond with match or mismatch codes for street address, zip (5 and/or 9 digits) and CVV2.

In most payment processing systems, merchants can set up acceptance or denial rules so that if an authorization comes back with an incorrect billing address, zip or CVV2 code, the transaction will be automatically accepted, denied or flagged.

Merchants that want to validate the card when accepting a new customer, but not charge it, can do a $1.00 authorization, which will usually fall off the card in a few days. Note, however, that there is no standard for the amount of time a particular authorization stays on a debit or credit card. Issuing banks determine the exact duration; generally speaking, most stay valid for between 3 and 10 days, but some stay for up to 30 days. In a situation where a merchant accidentally authorizes a card 10 times for $1,000, tying up a customer’s entire credit limit, they can call the issuing bank and ask to void the transaction.

A few other related points:
1. AMEX recently stopped returning CID (their version of CVV2) responses leaving address verification as the only validation tool.
2. CVV2 does not affect credit card rates.
3. CVV2 data cannot be stored.
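
The two validation levels described in this post, as an added example that is not Braintree's code: a local mod 10 check, then a merchant rule table applied to the match/mismatch results of an authorization. The `Match` values, the `AuthResponse` fields, the rule table and the 12 to 19 digit length bound are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


def luhn_valid(pan: str) -> bool:
    """Level 1: local Luhn ('mod 10') check; nothing is sent to the bank."""
    s = pan.replace(" ", "").replace("-", "")
    if not s.isdigit() or not 12 <= len(s) <= 19:   # length bound is an assumption
        return False
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class Match(Enum):                      # hypothetical normalised issuer results
    MATCH = "match"
    MISMATCH = "mismatch"
    UNAVAILABLE = "unavailable"         # e.g. a brand that returns no CID result


class Action(Enum):
    ACCEPT = 0
    FLAG = 1
    DENY = 2


@dataclass(frozen=True)
class AuthResponse:                     # hypothetical shape of an auth reply
    approved: bool
    street: Match
    zip_code: Match
    cvv2: Match


# Hypothetical merchant policy: result per field -> action (default is ACCEPT).
# CVV2 UNAVAILABLE is not listed, so AVS is then the only signal that counts.
RULES = {
    "cvv2": {Match.MISMATCH: Action.DENY},
    "zip_code": {Match.MISMATCH: Action.DENY, Match.UNAVAILABLE: Action.FLAG},
    "street": {Match.MISMATCH: Action.FLAG},
}


def decide(resp: AuthResponse, rules=RULES):
    """Level 2: return (action, hold_remains) for one authorization reply."""
    if not resp.approved:
        return Action.DENY, False       # issuer declined: no hold on the card
    action = Action.ACCEPT
    for field, outcomes in rules.items():
        candidate = outcomes.get(getattr(resp, field), Action.ACCEPT)
        if candidate.value > action.value:          # keep the strictest action
            action = candidate
    # Issuer approved but the merchant rule denies: the authorization is still
    # on the cardholder's account until it is voided or expires.
    return action, action is Action.DENY
```

When `hold_remains` is true, the merchant has rejected a transaction that the issuer approved, so the authorization is still tying up the cardholder's funds.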


CVV2 Does Not Affect Credit Card Rate Qualification

April 4th, 2008

Most merchants mistakenly believe that processing a cardholder’s three or four digit CVV2 value for a ‘card not present’ transaction (e.g. ecommerce) will help qualify for lower credit card rates. The CVV2 value is only valuable to protect against credit card fraud and has nothing to do with rate qualification. CVV2 is most often confused with Address Verification Service (AVS) which can be used to qualify for lower credit card rates.

CVV2 stands for Card Verification Value and was introduced by MasterCard in 1997 and Visa in 2001. For ‘swiped’ transactions, the value is referred to as CVV1. Each of the card brands has its own acronym:

Visa: CVV2 – Card Verification Value
MasterCard: CVC2 – Card Validation Code
American Express: CID – Unique Card Code (and 4 digits)
Discover: CID – Card Identification Number

Merchants are able to configure payment processing systems to accept or decline transaction requests based upon the match or mismatch of CVV2 information. So for example, if a merchant creates a rule to decline all transactions where the CVV2 value does not match, the authorization request could be successful with the issuing bank, but the transaction will be denied by the merchant. Even though the transaction was denied by the merchant, the consumer’s card will still be authorized.

PCI DSS Compliance prohibits merchants from storing the CVV2 code. For recurring billing, merchants can accept and validate the CVV2 value during the initial authorization but cannot store it for additional transactions. After the initial validation, there really is no value in storing it.

Other Related Blog Posts
PCI Prohibits the Storage of CVV2 Data
PCI DSS Compliance Basics
Where do Credit Card Fees Come From?


Automatic update of credit card information for recurring billing merchants

January 16th, 2008

One of the biggest problems for merchants that charge credit cards on a recurring basis is maintaining accurate credit card information on file. In any given year, roughly 50% of Visa cardholders will change their account information. This places a heavy burden on merchants to reach out to customers and capture the updated information.

There are a number of reasons credit card details change, including bank mergers that result in new numbers, identity theft, balance transfers and the regular updating of the card’s expiration date. Regardless of the cause, merchants face an uphill and expensive battle to deal with these changes.

Eight years ago Visa started working on a program they call Account Updater (VAU). They created an automated system that directly interfaces with merchants and updates customers’ credit card information. Here is how it works:

1. Merchants are enrolled in VAU through their participating Visa Merchant Bank.
2. Visa card Issuers submit electronic files with updates to Visa when a cardholder’s account information changes.
3. Issuers are required to send these file updates within two business days, and are strongly encouraged to send them daily to ensure that account-on-file Merchants have the advantage of the latest authorization data.
4. Participating Merchants submit account numbers, through their Visa Merchant Bank, for customers with whom they have an ongoing payment relationship. VAU processes inquiries against its database and provides responses to the Visa Merchant Bank.
5. Participating Merchants are required to update their customer account database within five business days after receiving VAU updates from their Visa Merchant Bank and to ensure that the updated database is used in future Visa transactions in accordance with Visa Account Updater Terms of Use.

Visa charges a nominal fee for the service which varies according to volume but is in the range of $.30 to $.50 per ‘matched’ file.


MasterCard partners with Microsoft and Monster to drive credit card acceptance

January 7th, 2008

The major card brands Visa, MasterCard, American Express and Discover continue to drive usage by offering more reward programs. MasterCard’s latest partnership with Microsoft and Monster is targeted at getting small business owners to use their credit card for online advertising and recruiting. Card holders get a discount for the services they purchase.

MasterCard’s Easy Savings program already has companies such as Intuit, SurePayroll, websitepros, HRTools.com and others.

Participating merchants like it because it drives more business to their front door, and MasterCard likes it because they become the card of choice in the consumer’s wallet.

MasterCard also recently partnered with the state of Illinois to offer 529 College Savings programs.


Innovation in credit card reward programs: 529 college savings rebates

January 3rd, 2008

Illinois has partnered with MasterCard to offer a new innovative credit card rewards program for their Bright Start College Savings Program. Families can now use their Bright Start Futuretrust MasterCard card and receive a 1% cash rebate to save and invest money tax free to pay for college expenses. It’s the first and only 529 rewards program.

Bright Start makes a one-time $25 contribution upon the first use of the card and offers enhanced rebates at selected retailers such as JCPenney 4%, Barnes & Noble 3%, Lands’ End 4%, Overstock 3% and many more.

This move highlights the ongoing high stakes effort by all payment providers, both conventional (Visa, MasterCard, AMEX & DISV) and new entrants (Google Checkout, PayPal, Bill Me Later, Revolution Money, Tempo) to create incentives for consumers and merchants to use their payment instrument as their preferred form of payment.

The new entrants have been vying for a piece of the payment acceptance market and are trying to reach a critical level of widespread acceptance as quickly as possible, or face the high probability of failure. Revolution Money, for example, has bet that their success in the marketplace will be driven by their lower fees to merchants and, for consumers, their PayPal-like features in the social media and blog space for small dollar payments.

It’s an ongoing challenge to construct the proper balance of driving demand from both the consumer and merchant side. MasterCard’s partnership with the State of Illinois demonstrates that the incumbent credit and debit card providers will continue to rely heavily on driving their market dominance through consumer demand.


Visa mandates that merchants eliminate the use of vulnerable payment applications

October 24th, 2007

Visa made a pretty significant announcement today that is aimed at eliminating vulnerable payment applications from the Visa payment system. The objective is to prevent certain prohibited card holder data from being stored and also reduce the number of breaches.

If you’re new to this topic, here is some context for what Visa is trying to address. Over the past few years, certain payment applications (primarily point of sale systems) used by retailers and restaurants have been a gold mine for criminals stealing credit card information. These systems have been targeted because they were known to be storing prohibited credit card information - the exact data that criminals need to make fraudulent purchases and manufacture duplicate cards. Merchants are usually not aware that their systems are storing such data, but they’re still held responsible if breached. Credit card information that cannot be stored includes magnetic stripe data, CVV (three digit codes), PINs, or encrypted PIN blocks.
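
One way a merchant could check whether a POS log or database export holds the prohibited data listed above, as an added example that is not from Visa or Braintree. It looks for magnetic stripe track 1 and track 2 layouts and for stored card verification code fields; it does not detect PINs or PIN blocks. The field names in `CVV_FIELD` and the sample lines are constructed assumptions.

```python
import re

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(
    r"%B(\d{12,19})\^[^^?]{2,26}\^\d{2}(?:0[1-9]|1[0-2])\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r";(\d{12,19})=\d{2}(?:0[1-9]|1[0-2])\d{3}\d*\?")
# Key/value storage of the verification code (field names are assumptions).
CVV_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid)\b\W{1,4}\d{3,4}\b", re.IGNORECASE)

# Constructed sample lines using a well-known test card number.
SAMPLE = [
    "2007-10-24 12:01:03 SALE amt=42.10 track2=;4111111111111111=10121010000000000000? ok",
    "2007-10-24 12:02:11 SWIPE raw=%B4111111111111111^DOE/JANE^10121010000000000?",
    "2007-10-24 12:03:40 AUTH pan=411111******1111 cvv2=123 avs=Y",
    "2007-10-24 12:04:02 AUTH pan=411111******1111 avs=Y result=approved",
]


def mask(pan: str) -> str:
    """Keep first six and last four digits so the report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(lines):
    """Return (line_number, kind, evidence) for each prohibited item found."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                findings.append((n, kind, mask(m.group(1))))
        for m in CVV_FIELD.finditer(line):
            # Report the field name only, never the code itself.
            findings.append((n, "cvv", m.group(1).lower()))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```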

To address this security vulnerability, which Visa has cited as the leading cause of breaches among small merchants, they announced that beginning January 1, 2008, the first of five mandates will be implemented to start the process of eliminating non-secure payment applications from processing with Visa. In other words, Visa is announcing to merchants that they will be unable to process Visa credit or debit cards if their POS system does not meet required security standards and is still storing prohibited data. You can also check the 2nd pdf posted below to see if your current POS version is compliant.

Visa mandates for payment applications

Read the entire press release here (see second pdf below for Visa’s updated list of vulnerable POS applications).

Here is a list of POS systems with information about their compliance status and any newly released software update information:

This effort by Visa is targeted towards addressing data security for ‘swiped’ merchants such as restaurants and retailers, which account for the larger portion of the ~3 trillion credit/debit card processing industry. The ‘card not present’ portion of the industry, which includes merchants such as ecommerce, business to business, and mail/telephone order, will either choose to do the necessary upgrades internally to meet PCI requirements or outsource the storage of credit card data.

Other related posts:
PCI DSS Compliance basics for credit card security
PCI DSS Compliance and the cost of a credit card breach

Braintree solutions:
The Smart Approach to PCI DSS Compliance


Verified by Visa is not working

August 30th, 2007

Verified by Visa is a payer authentication program that allows cardholders to sign up at their issuing bank’s website and create a password to be used for online transactions. Once enrolled, when buying items online, buyers will be prompted to enter their password prior to completing the transaction. The merchant also has to be participating in the program, otherwise you won’t be prompted for your password. It’s designed to be a consumer’s digital signature and help curb fraud losses.

I’ve always found this program interesting because in the first place, since 2002, Visa card holders get automatic fraud protection. From Visa’s site: “Use your Visa card to shop online, in a store, or anywhere, and you’re protected from unauthorized use of your card or account information. With Visa’s Zero Liability policy, your liability for unauthorized transactions is $0-you pay nothing.” So without any downside, why sign up?

Visa’s effort to get both merchants and consumers to sign up has been very unsuccessful to date despite trying to offer fraud protection incentives to merchants who use it and marketing it to consumers. Online merchants have been reluctant to add any more steps to the checkout process and jeopardize a sale.

Visa has been trying to tweak the rules and incentives to generate interest, but I wouldn’t hold my breath. Buyer authentication is a hot area right now and there are a lot of promising technologies. I just don’t think that password authentication is going to cut it.


Credit cards moving to Account-Level Processing

August 2nd, 2007

For Visa, it’s out with the old and in with the new. As part of a multi-year upgrade to their processing systems, they are in the process of launching Account-Level Processing (ALP) as their new standard for credit card issuance and usage. The change will allow consumers to keep the same credit card number regardless of their stage in life or particular card program. In the past, if you changed credit cards when you transitioned from being a poor college student to a debt-ridden professional, you got a new card with a new number. With Account-Level Processing, you’ll keep the same credit card and your bank will be able to change credit limits, rewards, interest rates, and other variables on the back end.

The obvious advantage for banks is that they no longer have to issue new credit cards, which saves them money. They are also more likely to keep you as a long-term customer as you move into different stages in life, because you will be less likely to shop for a new credit card every time you want something different. The biggest incentive for Visa (and the banks), however, is that ALP will allow them to better track your spending habits and then monetize that information to make you offers. Click here to read more about potential uses of targeted promotions and offerings and how this is slated to benefit merchants to help offset credit card processing fees.

Before ALP, only the first six digits on your credit card were used to process and manage transactions. Known as the Bank Identification Number (BIN), these six digits will become a thing of the past as all 16 digits will now be used in processing your transactions.

I was talking to David Fish, Senior Analyst at Mercator Advisory Group, about this and his comment was that all the value that is being created by the ALP is now owned by Visa and the issuing banks. He said that processors acquirers (also known as back end credit card processors) should be banging down the doors begging for access to the ALP databases so they can tell their merchants who their best customers are.


What is Visa’s role in credit card processing?

July 31st, 2007

Visa dominates the credit card industry, maintaining nearly a 70% market share of all U.S. credit cards that are in circulation. Despite their dominance, Visa’s role is usually not well understood by merchants or consumers.

Visa is a privately held, membership association of over 13,000 financial institutions in the U.S. What does this mean? Visa provides much of the necessary infrastructure to support financial institutions in issuing credit cards. Financial institutions like Capital One and your local bank issue credit and debit cards because it makes them money.

Visa does not issue credit cards, set fees or determine the interest rates that will be charged on a Visa branded card. The issuing members have the latitude to determine all of those fees.

Visa USA makes most of their $2.9 billion in revenue two ways. First, they get a fixed .0925 basis points on all money that is spent using their co-branded cards (that’s $.095 cents on a $100 transaction). Their second stream of revenue is from Data Processing, which means facilitating the transaction and settlement of transactions.

Here are some statistics to put their U.S. operations in perspective:

  • 6.3 million businesses accept Visa
  • $1.3 trillion dollars of goods were purchased with Visa branded cards, up 17% from last year
  • Visa processes on average 100 million transactions per day

Card type usage statistics:

  • Consumer credit cards - $588MM in sales volume, 282MM cards, 10% growth
  • Debit and prepaid cards - $574MM in sales volume, 192MM cards, 23% growth
  • Commercial - $159MM in sales volume, 26MM cards, 26% growth

An ideal business model: shower your customers with perks and have someone else pay for it

July 23rd, 2007

Can you imagine having a business model that would allow you to be unsparingly generous to your customers through rewards and perks and then require someone else to pick up the bill? That’s what banks and other non-bank card issuers have been doing for years.

You’ll remember a few years ago when credit card companies started offering ‘reward’ programs. Incentives to use your credit card included cash back, reward points, travel perks, etc. All of those rewards cost money, and business owners who take credit cards ended up footing the bill. The fees that credit card issuers charge have gone up an amazing 117% since 2001. Take a look at an excerpt from a recent Forbes article, “The World’s Most Exclusive Cards”, that was provided to me by Aneace Haddad.

“Though lenders aren’t going to make much in the way of late fees and interest charges (assuming rich people pay their bills on time and in full, which isn’t always the case) they make up for it in the fees they charge to merchants to process transactions. American Express network transactions mean fees of about 4% each purchase, so a $60,000 car charged to a Black Amex could potentially rake in $2,400 in processing revenue. Even if the issuer takes half of that and pays it back to cardholders in the form of outlandish perks, the profits are still good.”
