On Tue, 06 Sep 2005 10:02:43 -0600, iwtfcf.RemoveThis@yahoo.com wrote:
>I'm just wondering how other folks handle the issue of recurring bills
>for those cards whose banks require a CVV2/CID (which cannot be stored
>according to card industry rules). I use the Paymentech Java SDK to
>process card transactions through their gateway and haven't had a
>problem until a user complained that a transaction could not be
>processed because their bank requires a CVV (of course, Paymentech does
>not return a specific code to indicate the reason for this particular
>decline: it's just a generic "Do Not Honor"). Might I have to outsource
>my recurring bill process?
Howdy Kip,

This is a sticky area with much confusion. It makes no sense to deny
storage of the CVV or the whole card number when they must obviously be
retained for proper rebilling. You also need the number if you are going to
issue a credit when an order can't be filled or there's another problem.
Somehow they got their wording snarled up.

What the recommendations should read is, "The card number and CVV must not
be stored in a readable fashion." Meaning that any storage which can be
accessed must be encrypted in some fashion so they cannot be used by anyone
succeeding in breaking past the security.

This becomes really scary with a script-based (CGI, ASP, PHP, etc.) shopping
cart if the script is stolen along with the database. Since the same script
can be found on multiple web sites it's about the same as storing the card
numbers without encryption. It is VERY expensive if you get burned.

I've spent many years researching the best way to handle on-line purchases
in as secure a fashion as possible and built it into my software. It's
compiled and one copy handles all of the sites on the BIZynet servers. Be
glad to add more details for you if needed.

Thanks, Chris
www.bizynet.com and
www.bizycart.com
BIZynet Coordinator cgunn.RemoveThis@bizynet.com - (505) 586-1225
Moderator of biz.ecommerce, biz.general, biz.marketplace.discussion,
biz.marketplace.web-design, biz.marketplace.international & others