In an effort to combat card not present (CNP) fraud in Canada, Visa has announced an additional card not present mandate. The mandate describes expanded requirements regarding the use of the card verification value (CVV2) for Canadian merchants processing transactions via telephone or through e-commerce environments. Specifically, these changes require the following:

  • All merchants processing e-commerce and telephone transactions must capture and include CVV2 during authorizations to Visa.

  • Issuers who approve a transaction with a mismatched CVV2 will carry the liability for that authorized amount.

  • Canadian merchants processing mail order transactions are prohibited from requesting CVV2 in a written format.

These requirements went into effect for new Canadian merchants in October 2017 and have since been rolled out to include all other merchants in Canada starting October 13, 2018. They’re designed to specifically assist with reducing card not present fraud, which is a significant portion of fraud reported by issuers in Canada.

As a Recurly customer, what do I need to do?

With this mandate, no work is required by Recurly’s customers. Recurly has, and will continue to work with our gateway partners to ensure any necessary changes in our integrations are made to ensure compliance with the guidelines outlined by these mandates.

How does Recurly support this mandate?

Recurly sends the required e-commerce indicator (ECI) flags in transaction requests to correctly identify and tag each request passed from Recurly to the gateway. These ECI flags identify the transaction as an initial transaction (one that includes CVV2) or a recurring transaction (without CVV2 data, as the storage of CVV2 data is prohibited by PCI compliance regulations). In some cases, this may be a simple “recurring” tag indicating the transaction as recurring or not, while in other cases, this may require the inclusion of a gateway assigned identifier that is returned to Recurly with the initial transaction request, which we save to be included for subsequent recurring charges.

Recurly works with all of our gateway partners to ensure that we meet such card brand mandates, so that merchants can focus their attention on growing their business.

What can I expect moving forward?

From a merchant standpoint, the benefits of this mandate include reduced liability for certain fraudulent charges and thus greater confidence during transaction processing. For example, shifting liability onto issuers for amounts approved on transactions with CVV2 data mismatches adds an increased layer of protection for merchants by reducing potential exposure for fraudulent charges. Furthermore, prohibiting the storage of CVV2 data in a written format reduces the likelihood of cardholder information being used fraudulently by way of theft.

Recurly will continue to monitor other card brand mandates, such as the upcoming Stored Credentials Mandate, to remain compliant on behalf of our merchants. This will give our merchants peace of mind knowing that Recurly handles the requirements on their behalf.