Online Payments Blog

Industry News and discussions relating to Online Payments and Application Security.

Jul 31, 2009

Limitations with Recurring Payments and Continuous Authority

Posted by: Dave

We have received some good feedback and questions relating to last week's blog post on recurring payments. This week we will look at recurring payments in more detail in order to answer the questions received.

Is the Card Verification Code (CVC) used for recurring payments?



The first question raised concerned the Card Verification Code (CVC) value and its usage in an online payment transaction. When you make an online purchase with your credit card you are required to enter the CVC value. This value is an important security check when processing an online credit card transaction and provides protection against credit card fraud. Section 3.2.2 of the Payment Cards Industry Data Security Standard (PCI DSS) does not permit the storage of the CVC under any circumstances.

"3.2.2 Do not store the card-verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions."

As a result, if you are processing a recurring online credit card transaction you will not have access to the CVC value. Processing transactions without the CVC involves a higher risk of fraudulent transactions occurring. Recurring payments tend to be used in a B2B environment where the merchant knows the customer; in this scenario the risk of fraud is relatively low. If you are a B2C merchant using recurring payments in a situation where you believe there may be a risk of fraud, best practice is to take the initial payment as a regular transaction using the CVC value before accepting the customer in your systems as a recurring payments client.

How is the card expiry date handled with recurring payments?



The next question we received relates to the expiry date. A valid expiry date is a required value when processing an online transaction, but this date is, of course, subject to change. When you add a customer's card details to your payment provider's secure system, an expiry date is recorded. Over time the customer receives a new card with a new date, and any recurring transaction will then fail because the stored expiry date is unchanged. In this case you, as a merchant, would have to contact your customer to record the new expiry date and update the card details.

Some payment providers will have functionality to help you manage this process built into their system. For example they may alert you when a card has expired so you will be able to contact the customer and update the details in advance of processing the next payment.
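As an added illustration (not code from this blog or from any payment provider), the Python below combines the two points above: the first payment is taken with the CVC, the stored record has no CVC field, and cards whose expiry date lapses before the next billing date are flagged so the customer can be contacted in advance. The `authorise` callback, the card token and all names are hypothetical, and the code assumes a card stays valid through the last day of its expiry month.

```python
import calendar
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class StoredCard:
    """Card-on-file record for repeat billing. It has no CVC field at all."""
    customer_id: str
    card_token: str  # provider-issued reference (assumed), not the card number
    exp_month: int
    exp_year: int

def enrol(customer_id, payment, authorise):
    """Take the first payment as a regular CVC-checked transaction, then
    keep only the token and expiry date for later recurring charges."""
    if not payment.get("cvc"):
        raise ValueError("initial transaction must include the CVC")
    token = authorise(payment)  # the only place the CVC is used
    if token is None:
        raise PermissionError("initial authorisation declined")
    return StoredCard(customer_id, token, payment["exp_month"], payment["exp_year"])

def last_valid_day(card):
    """Assumes a card stays valid through the last day of its expiry month."""
    days = calendar.monthrange(card.exp_year, card.exp_month)[1]
    return date(card.exp_year, card.exp_month, days)

def needs_new_expiry(cards, next_billing):
    """Customers to contact before next_billing because the stored date lapses first."""
    return [c.customer_id for c in cards if last_valid_day(c) < next_billing]

def fake_authorise(payment):
    """Constructed stand-in for the payment provider: approves one test CVC."""
    return "tok_constructed_1" if payment["cvc"] == "737" else None

def demo():
    # Constructed sample data, not real card details.
    a = enrol("cust-a", {"cvc": "737", "exp_month": 8, "exp_year": 2009}, fake_authorise)
    b = enrol("cust-b", {"cvc": "737", "exp_month": 12, "exp_year": 2010}, fake_authorise)
    return needs_new_expiry([a, b], date(2009, 9, 1))

if __name__ == "__main__":
    print(demo())
```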

 

Are there any other options?



The two items discussed above are limitations of recurring payments. The payments industry has a solution that overcomes them: Continuous Authority (CA), a transaction type designed specifically for recurring payments. It deals with the two issues outlined above, because the CVC and the expiry date are not required when processing the transaction. Transactions can continue to be processed as long as the card number does not change. The main advantage to the merchant is that they do not have to worry about the expiry date changing. Once the initial transaction is processed successfully, any repeats of this transaction will be trusted, so the CVC and the expiry date do not need to be provided.

CA transactions are not supported by all acquirers. Continuous Authority only works with Visa and MasterCard credit cards. As a result, Continuous Authority is not supported by all payment providers.

Earlier this week WorldNet TPS officially launched NetCollect, their recurring payments solution. There are also offerings available from DataCash, Endeavour, Realex and SagePay. In next week's blog post we will look at these recurring payment solutions in more detail.

 

Dave


Comments (5)
John Clarke
Recurring Payments
written by John Clarke , July 31, 2009

In recent years Visa & MasterCard have tried to develop systems to support recurring transactions. The VAU (Visa Account Updater) and ABU (the MasterCard version - the two schemes can never agree on a name!), were ambitious in scope, but have largely remained unimplemented, and so are of very limited benefit. So for merchants looking to support recurring payments, 3rd party solutions provided by the Payment Gateways are the best option.

Votes: +1

dave lowry
...
written by dave lowry , August 04, 2009

Hi John,

I am not familiar with VAU or ABU. I must do some research and see what I can find out about them.

I agree that 3rd party solutions provided by the Payment Service Providers are the best option for Merchants.

My next blog post will look at recurring payment products and services provided by the PSPs to Irish merchants.

Thanks,
Dave


Votes: +0

Signing up for Recurring Payments
written by Andrew Rothwell , August 20, 2009

When a cardholder is signing up _online_ for recurring billing, what is acceptable proof of authenticity (or authorization), that an acquirer or scheme needs to cite? Is a username and verified confirmation code sufficient, or is a signature on a piece of paper required?

I'm asking from the perspective of potential chargebacks arising.


Votes: +0

dave lowry
...
written by dave lowry , September 02, 2009

Hi Andrew,

Sorry for the delay in replying to you, I always miss comments for some reason. If you are set up for continuous authority recurring payments then the initial transaction will require the customer to enter their expiry date and CVV so this will be used to approve the initial transaction. Subsequent transactions will not require the expiry date or CVV. Some providers support 3D Secure for Continuous Authority so the initial transaction can be verified this way. If you are not using continuous authority then it is probably best to check with your acquiring bank to find out what the conditions of your merchant service agreement are.

Thanks,
Dave


Votes: +1

...
written by Ange , November 20, 2009

And the problem with CAPs is that they can be difficult for the customer to cancel as they are reliant on the trader to be honourable. A number of fraudsters have been using this approach to extract small but regular payments from unsuspecting clients with bank accounts. They are able to extract payments using expired cards for long periods of time this way with no recourse. The banks will deny they have any responsibility. The law needs to be changed to ensure that the account holder can cancel a CAP through their bank with reasonable notice.

Votes: +0

