CVV Best Practices

Merchant Best Practices for Use of CVV codes.

In the e-commerce and mobile commerce industry, ease of payment is very important. Convenient payment methods benefit both merchants and consumers. Transactions that do not require payment information to be re-entered for every purchase translate into less frustration on the customer side and decreased revenue loss on the merchant side. One-click payment and card on file are methods that aim to achieve a better customer journey, especially during checkout. Outlined below are the results of this research regarding best practices, specifically with the use of CVV codes.


Amazon revolutionized online payment when it introduced one-click payment. It secured a patent for the method in 1999. Customers enjoy making a purchase with a single click of a button. Once payment information, including the CVV, has been entered and registered, they don't have to re-enter it for succeeding purchases. Up until 2017, when the patent expired, Apple paid Amazon a license fee for the use of the method. The two giants have raised consumer confidence in mobile purchases.

Some articles have raised issues regarding the security of one-click payments. Improper assimilation may cause confusion when credit card information has expired. The lack of confirmation and verification may also result in fraud and chargebacks. It is therefore important for merchants to streamline fraud prevention and chargeback measures to create a trusted transaction environment like that of Amazon or Apple.


Most mobile websites use the card-on-file method, where payment information is "remembered" by the system but verification, such as entering the CVV, is still required for every purchase during checkout to prevent credit card fraud. Obtaining the CVV is still recommended because it cannot be retrieved digitally and only the person who has the card can provide the information.

A good practice in payment forms when asking for the CVV is, as Designmodo puts it, making things obvious. For example, retailer Threadless uses a payment form that immediately tells a customer where the verification or security code can be found. It is also the first credit card payment form that informs American Express users that the security code is on the front of their cards and is composed of four digits. Designmodo has a screenshot of Threadless' design for a user-friendly payment form.


According to 3Delta Systems, a payment systems company, tokenization and encryption are the two strongest methods to protect customers' data and merchants' networks. With tokenization, all credit card information is stored by a secure third-party repository. The merchant is only given a token that replaces the credit card information. When a customer makes a purchase, the merchant sends that token to the third party for processing. Encryption, on the other hand, ensures that unprotected data will not be transmitted. Data is encrypted with a code, to be decrypted by the third party during a purchase.
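The card-on-file checkout and the tokenization flow described above, sketched as an added example (not code from 3Delta Systems or any payment gateway). The names `TokenVault`, `Merchant`, `cvv_format_ok` and the `tok_` prefix are hypothetical, and the card number is a constructed sample value.

```python
import secrets

def cvv_format_ok(card_number, cvv):
    # American Express (numbers starting 34 or 37): four digits; other brands: three.
    expected = 4 if card_number[:2] in ("34", "37") else 3
    return cvv.isascii() and cvv.isdigit() and len(cvv) == expected

class TokenVault:
    """Stand-in for the third-party repository: the only place card numbers live."""
    def __init__(self):
        self._cards = {}  # token -> card number

    def tokenize(self, card_number):
        token = "tok_" + secrets.token_hex(12)  # random, not derived from the card
        self._cards[token] = card_number
        return token

    def charge(self, token, cvv, amount_cents):
        card_number = self._cards.get(token)
        if card_number is None:
            return "declined: unknown token"
        if not cvv_format_ok(card_number, cvv):
            return "declined: bad security code format"
        # A real processor would send the card number and CVV to the issuer here.
        return f"approved: {amount_cents} cents"

class Merchant:
    """Holds only a token and the last four digits, never the card number or CVV."""
    def __init__(self, vault):
        self.vault = vault
        self.cards_on_file = {}  # customer id -> {"token": ..., "last4": ...}

    def save_card(self, customer, card_number):
        token = self.vault.tokenize(card_number)
        self.cards_on_file[customer] = {"token": token, "last4": card_number[-4:]}

    def checkout(self, customer, cvv, amount_cents):
        card = self.cards_on_file[customer]
        # The CVV is used for this one purchase and is not written anywhere.
        return self.vault.charge(card["token"], cvv, amount_cents)

if __name__ == "__main__":
    shop = Merchant(TokenVault())
    shop.save_card("alice", "4111111111111111")  # constructed sample number
    print(shop.cards_on_file["alice"])
    print(shop.checkout("alice", "123", 2500))
    print(shop.checkout("alice", "1234", 2500))
```

A breach of the merchant's `cards_on_file` table in this layout exposes tokens and last-four digits only, which is the property the tokenization paragraph describes.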


Whether a merchant chooses to forgo the CVV or to ask customers to enter it during checkout, what's important is that the merchant is PCI-compliant. When choosing a payment system, it is therefore highly recommended that merchants look for payment gateways with PCI level 1 compliance. It would also be good for merchants to present this information to customers to gain trust and confidence. A company that is level 1 on PCI compliance is reviewed on-site by an internal auditor. A required network scan is also conducted by an approved scanning vendor.


Amazon has set the bar when it comes to easy payment transactions with its hassle-free one-click payment system. Even though verification steps such as entering the CVV code for every purchase are not required, customers have learned to trust the system. If a merchant does not make use of a similar method and chooses to request the CVV code for every purchase, the payment form has to be designed with ease of use in mind. PCI compliance is also an important factor in choosing a secure payment gateway.