CVV Rules

Card Verification Value (CVV) is a basic fraud prevention and verification tool for credit card processing. Per PCI Compliance regulations, the CVV can never be stored. Because of this, anyone who has access to a stored credit card number will have a limited ability to issue fraudulent transactions on the credit card. Obtaining a matching CVV has no effect on credit card processing rates, but it does assist in preventing fraud.

For each transaction, the merchant will receive a CVV response code. This single-letter code will indicate if the CVV was provided, to what degree the CVV matched, or if the bank does not participate in CVV. A complete list of these codes appears under "CVV Response Codes" at the end of this page.

By configuring CVV rules in the gateway, merchants can accept or decline transactions based upon the match or mismatch of the information submitted. CVV rules only apply to the first transaction issued on a particular credit card, so a merchant can enable CVV verification and still run successful transactions on a stored credit card.

By default, no CVV rules are configured in the gateway when an account is set up. These are configured by selecting "Processing" in the control panel.

Setting Up CVV Rules

Merchants are able to fully customize the conditions under which they will reject transactions based on the CVV response. Merchants can choose to reject all transactions that return a particular CVV mismatch response, or only transactions that fall within a customizable set of conditions. Customizable conditions include:

  • Merchant Account
    • Any
    • Merchant Account A
    • Merchant Account B
  • Card Type
    • Any
    • Visa
    • MC
    • AmEx
    • Discover
  • Amount
    • Any
    • Greater Than (Merchant Defined Amount)
    • Less Than (Merchant Defined Amount)

Merchants can add multiple CVV rejection conditions to fully customize their CVV rules.

Recommended CVV Rules

If merchants are concerned about fraud, we recommend they choose to reject all transactions if the CVV does not match (when provided).

Handling CVV Rejection Responses

Because merchants receive the exact reason why a transaction has failed their CVV rules, each failed transaction can be handled uniquely. Referencing the specific code that indicates a CVV mismatch, the merchant can then prompt the customer to re-enter their CVV.

Additionally, the Braintree Gateway automatically passes any non-secure customer data back to the merchant in the transaction response. Merchants can use this data to automatically re-populate the forms on their website. This eliminates the need for the customer to re-enter all non-secure data after a failed transaction.

CVV Response Codes

  • M = Match
  • N = Did not match
  • U = Not verified
  • I = Not provided
  • A = Not applicable
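
The rejection conditions and response codes described on this page, modelled locally as an added example (this is not Braintree's code or API). `CvvRule`, `evaluate`, `RULES` and the transaction dictionary keys are hypothetical names, and re-prompting on `I` as well as `N` is an assumption.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Response codes as listed on this page.
CVV_CODES = {"M": "Match", "N": "Did not match", "U": "Not verified",
             "I": "Not provided", "A": "Not applicable"}

@dataclass(frozen=True)
class CvvRule:
    """One rejection condition (hypothetical model); None means 'Any'."""
    reject_code: str                         # CVV response code that triggers the rule
    merchant_account: Optional[str] = None
    card_type: Optional[str] = None
    amount_over: Optional[Decimal] = None    # "Greater Than" condition
    amount_under: Optional[Decimal] = None   # "Less Than" condition

    def matches(self, txn: dict) -> bool:
        return (txn["cvv_code"] == self.reject_code
                and self.merchant_account in (None, txn["merchant_account"])
                and self.card_type in (None, txn["card_type"])
                and (self.amount_over is None or txn["amount"] > self.amount_over)
                and (self.amount_under is None or txn["amount"] < self.amount_under))

def evaluate(txn: dict, rules: list) -> dict:
    """Return the decision and whether the checkout form should ask for the CVV again."""
    code = txn["cvv_code"]
    if code not in CVV_CODES:
        raise ValueError(f"unknown CVV response code: {code!r}")
    # Per the page, CVV rules apply only to the first transaction on a card,
    # so later charges against a stored card are not checked.
    if not txn["first_use"]:
        return {"rejected": False, "reason": None, "reprompt_cvv": False}
    for rule in rules:
        if rule.matches(txn):
            # The page ties re-entry to the mismatch code (N); including the
            # not-provided code (I) is an assumption of this example.
            return {"rejected": True, "reason": CVV_CODES[code],
                    "reprompt_cvv": code in ("N", "I")}
    return {"rejected": False, "reason": None, "reprompt_cvv": False}

# Constructed sample rules: the recommended rule (reject every mismatch) plus a
# narrower condition for unverified Visa charges greater than 500.
RULES = [CvvRule("N"), CvvRule("U", card_type="Visa", amount_over=Decimal("500"))]
```

Rules are checked in order and the first matching condition rejects the transaction; a transaction that matches none is accepted.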