Effective 21 April 2017, Visa will update it’s rules to exempt merchants from requesting Card Verification Value 2 (CVV2) data for mail order transactions when that data is provided in a written format.
To protect consumers and the payments network from potential data compromises, effective 21 April 2017, CVV2 data should not be included in authorisations for mail order transactions. This change is in addition to CVV2 exemptions already permitted under the Visa Rules. Effective 21 April 2017, merchants that currently capture CVV2 data in a written format, whether on a mail order form or in another physical format, should cease to do so.
Although CVV2 verification remains valuable for telephone and e-commerce transactions, it may now create a greater risk of data compromise through mail order transactions, as the consumer’s account number and CVV2 both appear on the order form.
Effective from 21 April 2017, Visa mandated the capture and processing of CVV2 in all card-not-present transactions as follows:
- Merchants should cease to capture CVV2 data in a written format – this includes mail order forms or in another physical format.
- CVV2 data should not be included in authorisation requests for mail order transactions.
- This is in addition to CVV2 exemptions already permitted under the Visa rules.
This reduces potential for that information to be stolen and used fraudulently.
Find out more in the Visa Global Payments announcement: PDF