Sunday, September 18, 2016

Spark Pay is removing manual credit card processing

Capital One’s Spark Pay (aka SparkPay) division offers shopping cart software for web sites. They provide the back end that lets our customers put items into a shopping cart and then enter payment information. With a credit card, a merchant might use a payment gateway to charge the card automatically, or the merchant might collect the credit card information from Spark Pay to charge the card manually (offline processing).

The merchant might prefer to do offline processing of the credit card for any number of reasons: to examine payments for fraud attempts, to use a processor which isn’t connected to a gateway that the shopping cart software can interface with, to wait to confirm that an item is in stock or to wait until the item has shipped before charging the card, or to confirm total order amounts before charging a card.

Spark Pay used to offer both options. Starting September 27, that’s over, according to this email from Spark Pay:

We're enhancing security.

Starting September 27, 2016, we'll no longer be able to store your CVV data for offline processing.

What This Means for You

Your customers' CVV data will not be available after September 27th. You'll need to modify your manual offline credit card processing before then to ensure compliance with PCI standards.

Capital One® will not impose any fees for this change.

What Spark Pay is not mentioning is that processors all require the CVV code in order to charge a card. When Spark Pay no longer gives that CVV data to the merchant, the merchant cannot charge the customer’s card at all. It’s completely unclear why Spark Pay would give the merchant the remaining credit card data, since it’s basically useless without the CVV code. (Note: to be precise, it’s actually the CVV-2 code, which is the security code printed on the card, rather than the CVV or CVV-1 code which is encoded in the magnetic stripe.)

PCI standards (both for PCI-DSS and for PA-DSS) are very clear that merchants and payment applications must not store CVV data after the card is authorized. But if you delete the CVV data before the card is authorized, you’ll never get to charge the card at all. That’s precisely why the CVV data is so important to protect: it’s what lets you use the card to make purchases.

But Spark Pay is insisting that they cannot store CVV data BEFORE authorization, a complete misstatement of the PCI standards. And Spark Pay insists that merchants can still charge credit cards without the CVV code, even though that’s just not true. In fact, their own credit card processing division is perfectly happy to confirm that a charge will be denied without a CVV code. Spark Pay tried last week to identify an alternative processor that does not require a CVV code, and could not find any.

With almost zero notice, Spark Pay is effectively disabling their shopping cart software, while still pretending that merchants will be able to process credit cards without a CVV code even though Spark Pay knows that isn’t true.

Do you use a processor which doesn’t require CVV codes? Please speak up in the comments here. (Though be aware that they’re likely to start requiring CVV codes soon if they don’t already, because everyone else has started doing that in recent years.)

Do you know a payment gateway which doesn’t require PCI compliance paperwork? Please speak up in the comments here. We were delighted to stop having to do PCI compliance paperwork every quarter when we switched from using Elavon to using Square for processing credit cards, but Spark Pay doesn’t offer Square as a payment gateway.

If you are a Spark Pay merchant who is affected by this, give them a call at 1-800-936-9006, Ext. 1, between 8 a.m. and 6 p.m. CT Monday to Friday. Ask for an account manager. Ask for a supervisor. And good luck to us all.

Added on September 18, 2016: If you go to Spark Pay’s support page at http://kb.mysparkpay.com/what-are-cvv-authentication-codes-and-why-are-they-not-stored.aspx you’ll find the following about CVV codes:

Storing CVV-2 Information

This information is not permanently stored because that action is prohibited by law. The Visa USA Inc. Operating Regulations explicitly prohibit merchants and/or their agents from storing the CVV-2 data. The merchant may require this code to complete any transaction, whether it be online, over the phone, or in person. Some merchants choose to process payment on purchase of the item, while others wait until the order has been shipped. To accommodate these methods, Spark Pay online store stores CVV-2 information until the order payment is obtained, then it is stricken.

Prohibited by law? Technically, our laws are written by Congress, not by Visa USA. Also, the CVV-2 data cannot be stored after authorization. Other than that, this is a reasonable policy that meets the requirements of credit card processing, data security, and common sense. Keep the data only as long as you need it, then delete it. Too bad they aren’t sticking with this policy.
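As an added example (not Spark Pay's code or anything from the post), this Python sketch implements the retention rule that the PCI passage above and Spark Pay's own support page describe: hold the CVV-2 only while an offline-processed order awaits authorization, wipe it on the first authorization attempt, on cancellation or on expiry, and audit the store for any code that lingers. The gateway stub, the order fields and the seven-day pending window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

@dataclass
class Order:
    order_id: str
    card_token: str          # gateway token standing in for the card number
    cvv2: Optional[str]      # held only while the order awaits authorization
    created: datetime
    status: str = "pending"  # pending -> authorized | declined | cancelled | expired

def demo_gateway(card_token: str, cvv2: Optional[str]) -> bool:
    """Constructed stand-in processor: like real ones, it declines without a CVV2."""
    return cvv2 is not None and len(cvv2) in (3, 4) and cvv2.isdigit()

class OrderStore:
    def __init__(self, max_pending: timedelta = timedelta(days=7)) -> None:
        self.orders: Dict[str, Order] = {}
        self.max_pending = max_pending  # assumed window for offline processing

    def add(self, order_id: str, card_token: str, cvv2: str, now: datetime) -> None:
        self.orders[order_id] = Order(order_id, card_token, cvv2, now)

    def authorize(self, order_id: str, gateway: Callable[[str, Optional[str]], bool]) -> bool:
        """One authorization attempt; the CVV2 is wiped whatever the processor answers."""
        order = self.orders[order_id]
        try:
            approved = gateway(order.card_token, order.cvv2)
        finally:
            order.cvv2 = None  # PCI-DSS: never retained after authorization
        order.status = "authorized" if approved else "declined"
        return approved

    def cancel(self, order_id: str) -> None:
        order = self.orders[order_id]
        order.cvv2, order.status = None, "cancelled"

    def purge_stale(self, now: datetime) -> int:
        """Wipe CVV2 from pending orders older than max_pending; returns how many."""
        stale = [o for o in self.orders.values()
                 if o.status == "pending" and now - o.created > self.max_pending]
        for o in stale:
            o.cvv2, o.status = None, "expired"  # merchant must re-collect the code
        return len(stale)

    def audit(self, now: datetime) -> List[str]:
        # Ids still holding a CVV2 that the retention rule says must already be gone.
        return sorted(o.order_id for o in self.orders.values() if o.cvv2 is not None
                      and (o.status != "pending" or now - o.created > self.max_pending))
```

A real deployment would keep the pending CVV-2 encrypted and out of ordinary database backups; the point here is the state transitions and the audit that catches a code outliving its purpose.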
