How to avoid payment processor "lock-in"?

chris-mac

Hi,

According to PCI rules (and Visa/MasterCard guidelines) merchants are not allowed to store CVV (CVV2) numbers. To process recurring payments (monthly subscriptions etc.) most payment processors offer a "Subscription" payment option, where full credit card details (including CVV) are submitted only during the first (initial) transaction. Subsequent payments are then handled by the payment processor, so merchants don't have to store/resubmit credit card details. This obviously means all subsequent payments have to be handled by the same payment gateway.

Now my question: What if I wanted to change my payment processor? What if my payment gateway (for whatever reason) ceased to exist? Is my only option to ask all my customers to re-submit their card details? How to avoid payment gateway "lock-in" described above?

The solution would be of course to store full card details (including CVV) and submit them in monthly (or whatever other) billing cycles to whichever payment gateway I want. But this is not allowed...

I would very much appreciate any suggestions from eCommerce experts here.

Astaroth

You cannot store the security code as you say.

The recurring transactions should go through a second, recurring-transaction merchant ID number rather than your Internet or MOTO MID; it does not require the expiry/start date or the CVV.

You should check with your bank or whoever is providing you with your MIDs, but you should be able to switch gateway and continue using the details because your MID remains the same, thus avoiding lock-in. Things may have changed since I left banking, though.

chris-mac

Hi Dan, thanks for your reply. I can see two problems here:

1) What if I want to change my MID provider (acquiring bank)?

2) My current MID told me transactions without CVV will likely have much higher decline rate, as issuing banks tend to decline them more often.

Regards,
Chris

Astaroth

1) There are certain lock-ins that you cannot avoid.

2) This is the whole purpose of the recurring transaction MID. You do the first-ever payment via your normal MOTO/Internet MID, where the CVV is checked, and subsequent ones go through the recurring one. Certainly, when I was working with a mass-market personal lines insurer, circa 40% of all their transactions were via CPA (there was 55% DD and the remainder non-recurring) and their decline rates were tiny.
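The two-MID flow described in the replies above (CVV checked once on the initial MOTO/Internet MID transaction, later billing cycles run against a stored reference with no CVV at all), as an added Python example that is not any poster's or any gateway's code. The two gateway functions, the token format, the field names and the in-memory dict used as the "database" are stand-ins chosen for illustration; in practice the reference for later cycles comes from the acquirer or gateway. The point it shows beyond the thread is a storage guard that refuses to write a CVV under any common field name, so that the "store it anyway" shortcut cannot be taken by accident.

```python
"""Recurring billing without ever persisting the CVV.

Added illustration for this thread (not any poster's or gateway's code).
`fake_moto_gateway` / `fake_recurring_gateway` stand in for the two MIDs the
thread describes; tokens, field names and the dict "store" are assumptions.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


class SensitiveDataLeak(Exception):
    """Raised when sensitive authentication data (the CVV) would be written to storage."""


@dataclass
class CardInput:
    """Card details as entered by the customer for the FIRST transaction only."""
    pan: str
    expiry: str           # MM/YY
    cvv: Optional[str]    # only ever held in memory, for the initial authorisation


@dataclass
class RecurringProfile:
    """The record a merchant keeps for later billing cycles.

    There is deliberately no CVV field: the recurring-MID flow does not need it
    and the card scheme rules forbid storing it after authorisation.
    """
    customer_id: str
    pan_token: str        # reference from the gateway/acquirer (stand-in here)
    pan_last4: str
    expiry: str


def mask_pan(pan: str) -> str:
    """PAN for logs/receipts: first six and last four digits visible."""
    digits = pan.replace(" ", "")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def fake_moto_gateway(card: CardInput, amount_pence: int) -> Tuple[bool, str]:
    """Stand-in for the Internet/MOTO MID: requires the CVV, returns a reference."""
    if not card.cvv or len(card.cvv) not in (3, 4) or amount_pence <= 0:
        return False, ""
    # Assumption: a real gateway issues an opaque token; a hash prefix stands in here.
    token = "tok_" + hashlib.sha256(card.pan.encode()).hexdigest()[:12]
    return True, token


def fake_recurring_gateway(pan_token: str, amount_pence: int) -> bool:
    """Stand-in for the recurring MID: needs only the stored reference, no CVV."""
    return pan_token.startswith("tok_") and amount_pence > 0


def persist(store: Dict[str, dict], record: dict) -> None:
    """Storage guard: refuse to write any record carrying a CVV under a common field name."""
    for key in ("cvv", "cvv2", "cvc", "security_code"):
        if record.get(key) is not None:
            raise SensitiveDataLeak(f"refusing to store sensitive authentication data: {key}")
    store[record["customer_id"]] = dict(record)


def initial_payment(store: Dict[str, dict], customer_id: str, card: CardInput,
                    amount_pence: int) -> RecurringProfile:
    """First transaction: the CVV goes to the MOTO/Internet MID once, then is discarded."""
    if not card.cvv:
        raise ValueError("initial transaction requires the CVV")
    approved, token = fake_moto_gateway(card, amount_pence)
    card.cvv = None  # drop the CVV from memory as soon as the gateway has answered
    if not approved:
        raise RuntimeError("initial authorisation declined")
    profile = RecurringProfile(customer_id, token, card.pan[-4:], card.expiry)
    persist(store, vars(profile))
    return profile


def recurring_payment(store: Dict[str, dict], customer_id: str, amount_pence: int,
                      gateway: Callable[[str, int], bool] = fake_recurring_gateway) -> bool:
    """Later billing cycles: recurring MID, no CVV; only the stored profile is used."""
    profile = store[customer_id]
    return gateway(profile["pan_token"], amount_pence)


def raw_card_storage_is_rejected() -> bool:
    """Shows the guard working: persisting the raw card input (with CVV) must fail."""
    try:
        persist({}, {"customer_id": "demo", "pan": "4111111111111111", "cvv": "123"})
    except SensitiveDataLeak:
        return True
    return False


if __name__ == "__main__":
    db: Dict[str, dict] = {}
    card = CardInput("4111 1111 1111 1111", "12/30", "123")  # constructed test card
    prof = initial_payment(db, "cust-1", card, 999)
    print(mask_pan(card.pan), "stored as", prof.pan_token, "cvv in memory:", card.cvv)
    print("month 2 billed:", recurring_payment(db, "cust-1", 999))
    print("raw card storage rejected:", raw_card_storage_is_rejected())
```

The `gateway` parameter on `recurring_payment` is what makes the profile portable: the stored record holds nothing gateway-specific beyond the reference, so moving the recurring run to a different provider is a change of callable, not a re-collection of card details, provided the new provider accepts the same reference (which, as the replies note, is a question for the acquirer rather than the gateway).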

Astaroth

1) There are certain lock-ins that you cannot avoid
I guess there would be the option of running the payments against your new Internet MID without CVV checking if you did move, but your business case for switching would need to factor in both the increased transaction fee for this run and the higher decline rate.

Really, switching payment providers etc. should be a rare, last-resort type of action.

chris-mac

Right, so this could explain why big retailers (like Argos - www [dot] pcpro [dot] co [dot] uk/news/security/356020/argos-exposes-customers-credit-card-numbers-in-emails ) do store CVV numbers to avoid "lock-in" and have full control over their payment process.

The question is why Argos (and I am sure a number of other "big" names) store all CC info against the rules (law?), yet small companies are not allowed to do so, and have no choice but to be "locked" into one acquiring bank?

BTW, from a legal point of view, am I allowed to store CVV (of course this means no PCI compliance, higher MID fees etc.) under UK law?

Astaroth

To the best of my knowledge, it is in the scheme rules that you cannot store it, not "the law".

At the end of the day Visa, Mastercard, Amex etc. are independent organisations and commercial in nature. If Argos are storing the numbers then they are breaching the scheme rules and therefore should have their access to the networks removed, but realistically is Mastercard or Visa going to go first by banning their cards from being used in such a major retailer?

That said, the linked article just says that they were included in the confirmation email, which I assume would be generated at the same time that payment was taken. Whilst the SMTP server or CRM system "may" store copies of the email, you cannot say for certain they are storing CVV numbers.

Also, being realistic, if Argos did a tenure process with acquiring banks and said it had 1m recurring transactions a month, didn't have CVV numbers stored but didn't want the hit of the first month's transaction fees of having to run these as new transactions, I doubt any company would think twice about waiving their normal extra fees for the chance of securing the account.

At the end of the day, the bigger you are the easier it is to get what you want.

cjd

You may store credit card info, but if you do you need to pass a very high (and expensive) set of PCI security tests.
TotallySport

You don't need to store the CVV2 number to process recurring transactions after the first purchase. If it's set up properly the system won't need it; if it isn't set up properly it can bring up an error saying it is needed.