Magento Forum

   
Page 1 of 5
Credit card verification code not available in Admin
 
Magnus Wester
Member
 
Avatar
Total Posts:  42
Joined:  2007-09-02
Stockholm, Sweden
 

When I use the built-in “Credit card” payment option I get all the credit card details in the order except the CVC. How do I find the CVC to process the credit card payment?

 
Magento Community Magento Community
Magento Community
Magento Community
 
RoyRubin
Magento Team
 
Avatar
Total Posts:  968
Joined:  2007-08-07
Los Angeles, CA
 

This is by design. CVV/CVC numbers can not legally be stored.

 
Magento Community Magento Community
Magento Community
Magento Community
 
Magnus Wester
Member
 
Avatar
Total Posts:  42
Joined:  2007-09-02
Stockholm, Sweden
 

Hm. So why ask for it? Is this just an example payment processor that will never be used in real life? I thought I would be able to process the payment offline.

 
Magento Community Magento Community
Magento Community
Magento Community
 
RoyRubin
Magento Team
 
Avatar
Total Posts:  968
Joined:  2007-08-07
Los Angeles, CA
 

You ask for it because it gives you a higher sense of security (although at this time we are not validating to make sure the CVV is correct nor do I know if its possible). In any case, you can still accept a credit card transaction without a CVV/CVC number and run it through your virtual gateway.

 
Magento Community Magento Community
Magento Community
Magento Community
 
Magnus Wester
Member
 
Avatar
Total Posts:  42
Joined:  2007-09-02
Stockholm, Sweden
 

Thanks for your help. I’ll see if I can submit payments without actually knowing the CVC.

It’s not your fault, but of course this is a low security solution - the risk of fraud is theoretically much higher.

 
Magento Community Magento Community
Magento Community
Magento Community
 
Scott
Guru
 
Avatar
Total Posts:  333
Joined:  2007-08-31
Northwest Ohio
 

True, it probably isn’t stopping fraudsters. What it the number was sent via email with the order? That’s not technically storing it, right? At least not with the CC number. It would be much more difficult to get a hold of both as a “hacker”. But again, my gateway doesn’t ask for it. But it may be important in a case against a fraudulent charge. Who knows.

 
Magento Community Magento Community
Magento Community
Magento Community
 
Skew
Member
 
Total Posts:  31
Joined:  2007-08-31
Phoenix
 

You don’t want to store any CC information, anyway. All processor APIs give you the option of matching the CVV vs the CC #—there’s no reason to ever save this information in your own database. Even phone orders should be typed in (except on a special user or a custom setup), checked immediately, and dumped after it’s OK’d.

I’ve never seen a site that ever had to store any of this information except to save user’s time—and those extra 5 seconds aren’t worth it.

 
Magento Community Magento Community
Magento Community
Magento Community
 
Scott
Guru
 
Avatar
Total Posts:  333
Joined:  2007-08-31
Northwest Ohio
 

This discussion is meant in regards to those who wish to process credit cards via a terminal rather than a payment processing method. Sometimes there are extra costs associated with payment processing when that already have a terminal which would allow them to process cards by hand for no extra charge. Especially for stores that don’t have a lot of inventory, and sales are nominal.

 
Magento Community Magento Community
Magento Community
Magento Community
 
austinstorm
Member
 
Avatar
Total Posts:  31
Joined:  2007-08-31
Moscow, ID
 

CVV is used to verify the validity of the card through my current auth.net setup (I think?). But yes, you don’t need that number to run the card. Nor do you need the persons name. I’ve shared that with a few friends and it usually surprises them. All I need is a number and an expiration date.

Oh, for all you ever wanted to know (and plenty you didn’t) on CVV2, check out the wiki!

http://en.wikipedia.org/wiki/Card_Security_Code

 
Magento Community Magento Community
Magento Community
Magento Community
 
Brandon
Sr. Member
 
Avatar
Total Posts:  76
Joined:  2007-08-31
Web Developer
 

The way authorize.net works for us is we have the ability to require the CVV2.  If we require it, Authorize.net verifies that the CVV2 code is valid for the card via the API, but it is not stored.  If the customer does not enter the CVV2 or enters an invalid number, Authorize.net declines the transaction.  Via Authorize.net we have access to the credit card numbers, and we are able to rerun the credit card, but we cannot ever see the CVV2.

Like Skew said, you don’t want to store the CC numbers in the Magento database unless you absolutely need it for something.  It can be an expensive mistake if you’re ever compromised.

 
Magento Community Magento Community
Magento Community
Magento Community
 
LFI
Jr. Member
 
Avatar
Total Posts:  7
Joined:  2007-09-25
 

I just found this out after placing a test order and going into admin.

If I can’t collect the CVV number, then Magenta is 100% useless to me. I’m on the road and collect credit card info offline and online. As a representative I HAVE TO collect the CVV number for my vendor. Each vendor has their own policy on this. I have somebody call all the credit card info in to the vendors.

People can ask for the CVV number over the phone, offline merchants have access to seeing it at the close of the sale, yet it’s “not allowed” to be seen over the Internet? That’s ridiculous to me.

Something is fishy. I know that many shopping carts collect the CVV number including a major player with 10’s of thousands of shopping cart owners and it’s called mals-e.com. I can supply a list of other shopping carts that collect the CVV number too.

I’m extremely disappointed in this limitation and feel I’ve totally wasted my time after finding this out. This is a bad idea.

In my opinion, it’s not the shopping carts place to determine which information can and cannot be collected. It should be up to each individual user.

I really hope the developers re-consider this and make it optional. Call it manual swipe/offline credit cards or whatever. Some people take the info from OFFLINE and input it ONLINE (which requires CVV) to process the credit card order to keep all sales together.

There’s no doubt that It’s not illegal to take the individuals CVV number OFFLINE and input it ONLINE. Besides, each State has it’s own jurisdiction. This is not a world government yet and each country is different too.

For now, until I hear otherwise, it’s off to finding another shopping cart that doesn’t want to play attorney or world police. :(

PS: Yes, I’m upset about this. I was really hopeful about this software and this is a huge letdown to me and a complete waste of my and many others’ time.

 
Magento Community Magento Community
Magento Community
Magento Community
 
Johan
Sr. Member
 
Avatar
Total Posts:  104
Joined:  2007-09-01
Sweden
 

In my opinion, it’s not the shopping carts place to determine which information can and cannot be collected. It should be up to each individual user.

No actually. It’s the LAW.

You live by the LAW and die by the LAW, wether you like it or not. wink

It’s not allowed to store CVV information offline either.

They are not playing police, they are just following the law and regulations set by VISA and MasterCard. And the rules are same all over the world.

CVV is just used to authorize the transaction with the payment gateway on the internet, it is not stored at their place either.

 
Magento Community Magento Community
Magento Community
Magento Community
 
jrochman
Jr. Member
 
Total Posts:  24
Joined:  2007-09-05
 

Johan,

I understand that the PCI prohibits the storage of such information, but could you direct me to or provide the citation to the statute/regulation that prohibits the storage of the CVV number?  From my understanding there are some states that have enacted such legislation, but was unable to pull up anything on a federal level that could merit such a broad statement as it being the “law.” Again, I am just looking to read the actual statutory or regulatory text, and a link or citation would be great!

Jesse

 
Magento Community Magento Community
Magento Community
Magento Community
 
Travis
Sr. Member
 
Avatar
Total Posts:  125
Joined:  2007-08-31
 
LFI - 26 September 2007 06:22 AM

For now, until I hear otherwise, it’s off to finding another shopping cart that doesn’t want to play attorney or world police. :(

Is this the end of the world as we know it?  smile

Being open-source, Magento is built to be modified.  If you want to store CW info, modify the app to do it.  For the price you’re paying (NOTHING), there’s no need to hissy-fit about such a minor detail.  When the stable release is available, shell out a couple hundred bucks to have a developer enable you to store this info, at your own risk of course.

 
Magento Community Magento Community
Magento Community
Magento Community
 
LFI
Jr. Member
 
Avatar
Total Posts:  7
Joined:  2007-09-25
 

Yea, I’m upset. Not at the developers of this product but at the over-cautionary attitude of playing big brother to independent business people that should be able to decide what information they want to collect from their willing customers.

(BTW, bankers love to scam everybody else. If most people only knew. I have no mercy when it comes to their methods of usury.)

Anyway, I’d like to see this supposed “law” cited too. I talked with technical support at authorize.net and he said:

“It is against all of the major credit card’s policy (my bolding),Visa, Mast, Disc, Amex, to “store” the cvv2 number in any format, online or offline. The cvv2 number is intended to be used by the physical card holder at the time of the transaction. If one is caught “storing” this number, you can loose your charging privileges.”

You certainly won’t go to jail for it. What is the definition of “store”? How long? One day? Week? Month? Two hours? One second? What? If it gets deleted at some time, then it’s not storing it, right? Do they mean temporary storage or long-term?

If a salesman on the road comes back to the office in two hours or two days with the customers CCV2 number and credit card number to be run through online processing, did he “store” it? The salesman has a tough enough job getting a signature for the deal let alone trying to get ANOTHER signature on a VISA slip. If he can just take the card and write the info down, he doesn’t have to ask for another signature.

IMO, it’s up to the merchant to determine this “risk” of getting caught “storing” information their customer willingly gave them. Or does VISA, MC now rule the customers and merchants life with a new alleged law?

Having it any other way does not help OUR businesses. We have to watch out for ourselves, not VISA, and not the Shopping Carts.

I’m ready to pay somebody to do this modification right now. Any takers?

 
Magento Community Magento Community
Magento Community
Magento Community
 
YoavKutner
Guru
 
Avatar
Total Posts:  491
Joined:  2007-08-08
 

Thanks Travis for your explanation. 

Magento just followed some basic rules (laws, policies, recommendation etc...) that we know from our experience to be the default requirement of online stores. We did not intend to tell people how to run their business. Magento is open source and as such any one is free to use it as they want. At their own risk of course wink.

Thanks

yoav

 
Magento Community Magento Community
Magento Community
Magento Community
Magento Community
Magento Community
    Back to top
Page 1 of 5