New VISA machine - mandatory security code

"John Turner" wrote

The CV2 makes the transaction harder to deny by the cardholder.

That's all.

But only marginally.

He can still get out of the transaction by claiming the product was duff, etc, etc. We had this once, about 5 years ago, for 30 quid. The bank refused (citing the DPA - what a load of w*ankers) to tell us the name of the cardholder whose transaction was chargebacked, and since we had quite a few £30 ones we never found who it was.

This is why a lot of retailers have gone to the Verified by Visa thing, which is pointless because you can bypass it if you know the CV2 and the cardholder's DOB :) I always bypass it because I can never remember the stupid password(s).

The great thing about us not keeping the CV2 is that even if somebody raided our premises (we don't keep CC data on computer, except when people email it to us, and we tell them to NOT send us the CV2) the data would be useless for CNP transactions.

Reply to
Postman Pat

Just poor training, I think. Normally what I would have expected to happen in the case of a "hold for collection" order is that payment be taken in the same way as if it had been mail order. That means a "customer not present" method must be used. It is still advisable to retain the card details so that whoever collects the goods can produce the card as proof of identity. Naturally in such a case, it would be sufficient to retain the card number without any of the related guff like expiry date or CV2 code.

That said, what if goods are not in stock at time of order? It is considered bad form for mail order retailers to debit one's card before the goods are ready for dispatch, and so if they take card details, there is no alternative to recording full details including CV2, is there?

Reply to
Ronald Raygun

No, Nightjar is correct. "Hold for collection" orders should normally be processed as a standard over-the-counter transaction at the time of collection.

"Cardholder not present" transactions should usually only be processed when the cardholder is not present at any time during the transaction. If the cardholder is present at any time in the process, including collection of an order placed previously, then it ceases to be CNP.

There are exceptions to this, but they would be unlikely to apply to a typical small retailer.

There are two ways of doing it. The first is to debit or reserve funds from the customer's card at the time of the order. In practice, this is the only option available to small and medium-sized retailers that do not have the necessary facilities to be able to legitimately store card details. The second is to validate the card (using the cvv) at the time of order, but then store the card details (excluding cvv) and use them to debit the previously-validated card at the time of dispatch. This requires the facility to securely store card details as well as carry out separate validation and debit transactions, and hence be fully compliant with the PCI-DSS requirements. It is, therefore, expensive to implement and only practical for larger companies.

The idea that retailers shouldn't debit a card until dispatch is, unfortunately, responsible for a lot of bad (and insecure) practice among smaller sellers. While it may well be good customer service to delay debiting, there is no legal requirement to do so and good security practice makes it impractical for many retailers. But, because it's widely perceived by customers as a good thing, many retailers are tempted to do it anyway by storing details insecurely and illegally. And customers in turn, because of their preference for delayed debiting and lack of awareness of both the law and good security practice, connive in this by using retailers which operate illegally and insecurely rather than those which do the right thing.

From my perspective of working within the online retail industry, I have to say that I'd be very suspicious indeed of any small retailer which didn't take my money at the time I placed the order. The inconvenience of paying up front for something which turns out to be out of stock is relatively trivial compared to the very real risk of fraud that I am exposed to by a retailer which stores my card details insecurely.

Mark

Reply to
Mark Goodge

My Merchant Agreement makes it quite clear that any transaction where the card and cardholder are physically present at the time of the transaction must be dealt with as a Card Present transaction. Had a pre-payment been taken at the time of placing the order, that could legitimately have been treated as a CNP transaction, but then the CV2 should have been destroyed immediately upon authorisation.

It would be sufficient, and compliant with the PCI Data Security Standard, to hold the card holder's name with the first six and last four digits of the card number.

Anyone can retain the CV2, provided it is done within the requirements of the PCI DSS which, for most retailers would mean not putting it on a computer, making sure that it is only available to whoever needs to use it to take the payment and destroying the data immediately after the card has been authorised.

An online retailer using a third party card handler, such as Sage Pay, will never see the CV2 (or indeed the full card number). They can take payment upon dispatch by choosing the deferred payment option, which means that the card is not charged until the retailer specifically instructs the card handler to do so. Deferred payment also has the advantage that there is no question of when the order has been accepted and it makes bank reconciliation easier to charge all cards for one day at the same time.

Colin Bignell

Reply to
Nightjar
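The two-step pattern described in the posts above (validate the card at order time, keep only the name plus first six and last four digits, and have a third-party handler capture the money at dispatch) as an added example; this is not code from the thread and the card handler here is a stand-in with a made-up interface, not Sage Pay's API. The card number used is a constructed, well-known test PAN (4111 1111 1111 1111), and the token and amount values are invented for the example.

```python
import re
from dataclasses import dataclass


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check on a digit string: catches typos before an authorisation is attempted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six (issuer BIN) and last four digits, mask the rest.
    This is the most PCI DSS permits a merchant to hold in the clear."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
        raise ValueError("not a syntactically valid card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class DemoCardHandler:
    """Hypothetical third-party card handler. Full card data stays on its side;
    the retailer only ever receives an opaque token to capture against later."""

    def __init__(self) -> None:
        self._authorisations: dict[str, dict] = {}
        self._next_id = 1

    def authorise(self, pan: str, expiry: str, cv2: str, amount_pence: int) -> str:
        """Validate the card (CV2 is used here and nowhere else) and reserve the funds."""
        digits = re.sub(r"\D", "", pan)
        if not luhn_ok(digits) or not re.fullmatch(r"\d{3,4}", cv2):
            raise ValueError("declined: card details failed validation")
        if not re.fullmatch(r"\d{2}/\d{2}", expiry):
            raise ValueError("declined: bad expiry format (expected MM/YY)")
        token = f"tok_{self._next_id:06d}"      # constructed token format
        self._next_id += 1
        self._authorisations[token] = {"amount": amount_pence, "captured": False}
        return token

    def capture(self, token: str) -> int:
        """Deferred payment: charge the previously reserved amount exactly once."""
        auth = self._authorisations[token]
        if auth["captured"]:
            raise RuntimeError("authorisation already captured")
        auth["captured"] = True
        return auth["amount"]


@dataclass(frozen=True)
class RetailerOrderRecord:
    """What the retailer is allowed to keep. There is deliberately no field for
    the CV2, the expiry date or the full card number."""
    cardholder_name: str
    masked_pan: str
    handler_token: str


def place_order(handler: DemoCardHandler, name: str, pan: str, expiry: str,
                cv2: str, amount_pence: int) -> RetailerOrderRecord:
    """Order time: CV2 goes to the handler for authorisation and is then dropped.
    Only the truncated PAN and the handler's token are written to the order record."""
    token = handler.authorise(pan, expiry, cv2, amount_pence)
    return RetailerOrderRecord(name, truncate_pan(pan), token)


def dispatch_order(handler: DemoCardHandler, record: RetailerOrderRecord) -> int:
    """Dispatch time: instruct the handler to charge the card using the token alone."""
    return handler.capture(record.handler_token)


if __name__ == "__main__":
    handler = DemoCardHandler()
    rec = place_order(handler, "A Cardholder", "4111 1111 1111 1111", "12/30", "123", 3000)
    print(rec)                              # masked_pan='411111******1111'
    print("captured pence:", dispatch_order(handler, rec))
```

The point of the split is that everything the retailer persists (`RetailerOrderRecord`) would be useless for a card-not-present transaction if the premises or the database were compromised, while the deferred capture still lets the customer be charged only when the goods go out.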

"Mark Goodge" wrote

So, if a customer says s/he's not sure whether they'll collect or want it delivered, but will let the retailer know once the item has been ordered & received by the retailer, then the retailer can't process as CNP on order? (because it might end up being a collection)

Hmmm. Can't process at time of order (see above), yet that's the "only option"!!

What to do?

Reply to
Tim

To follow the letter of the regulations, the retailer has to insist that the customer makes that decision at the time of placing the order.

A lot depends on whether or not the customer has to pay for delivery. If they do, then most retailers (certainly all online retailers, telesales vendors may be more flexible) will insist that the customer selects either delivery or collection when placing the order. Most online ecommerce systems don't have the flexibility to allow the customer to defer that decision.

Smaller retailers, especially where the order is placed over the phone and the telesales operator has sufficient seniority to override normal procedures (eg, a sole trader) may be more flexible and process it as CNP anyway. Strictly speaking, they shouldn't, but so long as they don't do it too often then it's unlikely to be an issue.

See above. This is one of the situations where security and flexibility have different and conflicting requirements; if the retailer chooses to go with the flexible option then they're almost certainly doing so against the wishes of their card handler.

Mark

Reply to
Mark Goodge

"Mark Goodge" wrote

But not only do they need to make their decision then, they *also* need to not change their decision later!!

... or, alternatively, if they want to switch from "delivery" to "collection", then they could cancel the first order and then re-order as a collection?

Reply to
Tim

It is an inability to distinguish between the possible and the probable that ends up with people saying that children need to wear safety goggles when playing conkers.

Colin Bignell

Reply to
Nightjar

Reply to
Mark

100% unacceptable.

I'm not happy when they print out just the last 4 digits of the card number. The other 12 digits would be the easiest to guess if you know the company that issued the card.

And I still wonder how my card details were obtained by a fraudster when I had only used it for a small number of online purchases, all with well known (large) companies and the card had never been near an ATM or C&P machine.

Reply to
Mark

Besides, performing a refund if, for any reason the goods are unable to be dispatched, should be a fairly straightforward process. Any online retailer, no matter how small, who does not know how to do so should not be processing online transactions anyway, IMO.

Reply to
Peter
