Verifying Credit Cards
Fraud Prevention at Your Fingertips.
Overview
Verifying credit card data can help stop fraudulent transactions and prevent rate downgrades from your authorizer. You can verify a card at any time before performing a transaction, such as when setting up a recurring or scheduled future payment or when creating a token. In the past, card-not-present merchants had to verify cards by sending $1.00 "ghost authorizations," which captured funds while the transaction remained in a pending state before eventually expiring. For merchants, these "ghost authorizations" created support problems, and for issuers, they negatively impacted cardholder spending. Hence, Visa and MasterCard began allowing zero-dollar transactions so that merchants could perform Address and CVV verifications.
Forte’s card verification service ensures that a card is linked to an open, valid account by matching up the following data on file with the customer’s issuing bank:
- Primary Account Number (PAN)
- CVV/CVV2
- Expiration Month and Year
- Cardholder’s Street Address and Zip Code
You can verify credit cards using Forte’s REST API or the Advanced Gateway Interface. NOTE: Only merchants who have Vantiv as their credit card authorizer can pass non-swiped, zero-dollar verify transactions. Contact Forte Technical Support at 866-290-5400 option 5 for information on your authorizer.
The Verification Process
Forte reports and bills/commissions verify transactions normally and provides a postback to merchants indicating Address Verification Services (AVS) and Card Verification Value (CVV) results. No funds are captured and the transactions never go through settlement. Credit card verifications have no impact on SplitFund merchants.
The following diagram provides a high-level overview of this process:
Verifying Card Data in REST
Crafting Requests
Credit cards can be verified by passing transaction parameters or passing swipe data in a POST request to the transactions URI. To create a verify transaction via parameters, use the following values in your request:
authorization_amount=0.00
action=saleoraction=verifybilling_address.first_name
billing_address.last_namebilling_address.physical_address.street_line1billing_address.physical_address.localitybilling_address.physical_address.regionbilling_address.physical_address.postal_code
card.card_type
card.account_number
card.expire_month
card.expire.year
card.card_verification_value
To create a verify transaction via swipe data, use the following values in your request. NOTE: Swiped transactions require an authorization_amount greater than zero. For verification purposes, Forte recommends using the 0.01 value.
authorization_amount=0.01
action=saleoraction=verifybilling_address.first_name
billing_address.last_namebilling_address.physical_address.street_line1billing_address.physical_address.localitybilling_address.physical_address.regionbilling_address.physical_address.postal_code
card.card_reader
card.card_data
NOTE: The verify action for a credit card works differently than an ACH verify. ACH verify requests provide money amount verifications (e.g., authorization_amount=10) with the transaction; whereas, in non-swiped credit card verify requests, the authorization_amount value must be zero and in swiped credit card verify requests, the authorization_amount value must be 0.01. The transaction behaves the same as a zero-dollar sale transaction.
The following POST to the Transaction object indicates a card verification request:
Example - Verify Credit Card Data in REST
Understanding Responses
Forte verifies the data with the issuing bank and sends one of the following responses back in the cvv_result field of the response object. NOTE: CVV testing in the sandbox environment can only simulate the M (i.e., Match) or N (i.e., No Match) responses.
M= MatchN= No MatchE= Error (Unrecognized or Unknown Response)I= Invalid or NullP= Not ProcessedS= Service Not SupportedU= Issuer Unable to ProcessX= No Response
Forte also verifies the address data provided by the customer with the issuing bank and sends one of the following responses back in the avs_result field of the responseobject. NOTE: AVS testing in the sandbox environment can only simulate the Y (i.e., Match: Street Address and 5-digit Zip Code both match) or N (i.e., No Match: Street Address, 5-digit Zip Code, and 9-digit Zip Code all do not match) responses.
X= Match: Street Address and 9-digit Zip Code both matchY= Match: Street Address and 5-digit Zip Code both matchA= Partial Match: Street Address matches, but both 5-digit and 9-digit Zip Code do not matchW= Partial Match: Street Address does not match, but 9-digit Zip Code matchesZ= Partial Match: Street Address does not match, but 5-digit Zip Code matchesN= No Match: Street Address, 5-digit Zip Code, and 9-digit Zip Code all do not matchU= System Unavailable: Address information unavailable. Forte returns this response if the Street Address is a non-US address, if the AVS service is unavailable, or if the AVS service for a particular US bank is not properly functioning.R= System Unavailable: Forte will retry the AVS check because the issuer's system is unavailable or the request times out.E= Invalid: AVS data is invalidS= Not Supported: The US issuing bank does not support AVS checks.
Using Parameters to Test Address Verification Services in REST
The sandbox environment enables you to perform limited AVS and CVV testing using passed parameters. For the avs_result parameter, sandbox testing can only simulate the Y (i.e., Match: Street Address and 5-digit Zip Code both match) or N (i.e., No Match: Street Address, 5-digit Zip Code, and 9-digit Zip Code all do not match) response values. For the cvv_result parameter, sandbox testing can only simulate the M (i.e., Match) or N (i.e., No Match) responses. Use the data values in the following chart when testing:
account_number
|
authorization_amount
|
sales_tax_amount
|
avs_result
|
cvv_result
|
|---|---|---|---|---|
| 4111111111111111 | 0 | 0 | N | N |
| 4111111111112101 | 0 | 0 | N | N |
| 4111111111111111 | 1 | 1 | Y | M |
| 4111111111112101 | 1 | 1 | Y | M |
| 4012888888881881 | 1 | 1 | Y | M |
| 4012888888881881 | 0 | 0 | N | N |
| 4003030000000006 | 1 | 1 | Y | M |
| 4003030000000006 | 0 | 0 | Y | M |
Verifying Card Data in AGI
Understanding AVS Checks
AGI enables merchants to specify what type of data they want to include in their AVS verification checks. Merchants can choose to verify the following data:
- Credit Card Account and Zip Code
- Credit Card Account and Street Number
- State and Zip Code
- State and Area Code
- Anonymous Email
These checks are captured in the pg_avs_method parameter via a 5-digit code that indicates what to verify and what action Forte should take upon verification. The pg_avs_result parameter also relies on this 5-digit code to indicate the result of a verification check. When creating your customized verification check, use the following model:
X1X2X3X4X5
where,
| Value | Type of Verification Check |
|---|---|
| X1 | Credit Card Account and Zip Code |
| X2 | Credit Card Account and Street Number |
| X3 | State and Zip Code |
| X4 | State and Area Code |
| X5 | Anonymous Email |
To define the value of the pg_avs_method parameter, use the following digits to determine what types of AVS checks you want Forte to perform:
| Digit | Description |
|---|---|
| 0 | Do not perform check |
| 1 | Check only; do not decline on fail |
| 2 | Check and decline on fail |
For example, let's assume you want to ensure your customer's credit card account number matches the zip code and street number on file with the issuer. If these values do not match, you want Forte to automatically decline the transaction. For this scenario, you will need a 2 in the X1 and X2 places of your pg_avs_method code and a 0 in the remaining places (X3–X5). Hence, the request parameter and value for this transaction will be pg_avs_method=22000.
Similarly, you will use the following digits to decode the value of the pg_avs_result parameter to determine the result of the submitted verification check(s):
| Digit | Description |
|---|---|
| 0 | Check not performed |
| 3 | Passed |
| 4 | Failed |
Using the example above, only the X1 and X2 places will contain digits. Unless both of these digits are 3 (i.e., the data matched and the verification check passed), this transaction will automatically decline.
Understanding CVV/CVV2 Checks
AGI performs CVV/CVV2 checks for all credit card transactions and uses the same response codes as Forte's REST API to indicate the result of a CVV verification. Forte verifies the CVV data with the issuing bank and sends one of the following responses back in either the pg_cvv2_result or pg_cvv_code parameter in the response message template:
M= MatchN= No MatchE= Error (Unrecognized or Unknown Response)I= Invalid or NullP= Not ProcessedS= Service Not SupportedU= Issuer Unable to ProcessX= No Response
Crafting the Request Message Template
Like REST, you can verify credit cards with AGI via parameters or encrypted swipe data using a transaction request.
To verify credit card data in AGI via parameters, include the following data in your request message template:
pg_total_amount=0.00
pg_transaction_type=10
ecom_billto_postal_first_name
ecom_billto_postal_last_nameecom_billto_postal_street_line1ecom_billto_postal_stateprovecom_billto_postal_postalcodeecom_billto_telecom_phone_numberecom_billto_online_email
ecom_payment_card_type
ecom_payment_card_number
ecom_payment_card_expdate_month
ecom_payment_card_expdate_year
ecom_payment_card_verificationpg_avs_method
To verify credit card data in AGI via swipe data, include the following data in your request message template:
pg_total_amount=0.01
pg_transaction_type=11
ecom_billto_postal_first_name
ecom_billto_postal_last_nameecom_billto_postal_street_line1ecom_billto_postal_stateprovecom_billto_postal_postalcodeecom_billto_telecom_phone_numberecom_billto_online_emailpg_cc_enc_swipe_datapg_cc_enc_decryptor
pg_avs_method
The following request message templates indicates the merchant wants to verify the credit card and if the AVS check fails, automatically decline the transaction. The responses indicate that the card passed verification. Note that pg_avs_result=33000 indicates that the zip code and street address on file for the customer matched his or her credit card account number and the pg_cvv_code=M indicates that the provided card verification value matches the provided credit card account number.
Example - Verify Credit Card Data in AGI