Skip to main content

Hotel Payment Processing Series: CVV Unmasking Security Mandates

Many hotels use Sertifi’s credit card authorization solution to verify the validity of a card and detect potential fraud risk. Via a zero-dollar transaction (card validation), Sertifi processes and stores the card information in a PCI compliant manner, which restricts what information can be stored in our platform and therefore what hotel users have access to. This makes it difficult to use the verified card for future transactions.

In this installment of our hotel payment series, we provide more context around the storage rules and how you can work around them.

What are the PCI DSS requirements for managing cardholder data (CHD)?

To minimize security threats and breaches, PCI DSS stipulates that cardholder data (CHD) must be encrypted during processing and masked during storage. CHD is any information found on a customer’s card, including verification codes:

  • Card Verification Value (CVV) for Visa and Discover cards.
  • Card Security Code (CSC) for American Express cards.
  • Card Validation Code (CVC) for Mastercard payment cards.
  • Card Authentication Value (CAV) for JCB payment cards.

If CHD must be stored, organizations like Sertifi must establish processes for limiting the amount and time it’s stored and securely deleting it when it’s no longer needed.

PCI DSS also mandates that verification codes like CVVs can’t be stored at all. Therefore, Sertifi only transmits this information; we cannot and do not store it.

In cases where the cardholder is present at your property and dips their card in a pin pad, this isn’t an issue. However, in our industry, hotels frequently need to check in a guest who is not the payer or cardholder. Our authorization solution helps hotels determine whether they want to accept a card-not-present transaction from a potential guest by running fraud screens and checking AVS and CVV validity (among other fraud prevention measures). Assuming the transaction completes the gamut, and the hotel wishes to accept that reservation, they must then charge the card.

How can I use a card without access to its CVV?

Many PMS and POS systems now require the CVV to be entered for any manually keyed credit card transactions. So, if the CVV cannot be stored and the cardholder is not present at check-in, how does the hotel process this payment? We get this question all the time.

First off, we always recommend capturing the payment online and as far in advance of the stay as possible. While our authorization solution will provide a high degree of confidence in the validity of a cardholder, you should still request an online payment if you can. The whole point of CVV, along with other protective measures like 3-D Secure (3DS), is to protect you and the cardholder – and as discussed in our last post, you only get those protections by capturing card-not-present payments online.

Capturing a payment in advance provides time for the legitimate cardholder to dispute the charge before the stay if it truly is a fraud situation. Collecting payment using 3DS technology prevents the cardholder from claiming the card was used without authorization, and chargeback liability shifts to the card issuer. Even if you only collect the first-night stay, there is a much higher level of protection than a manually keyed transaction. It’s also a lot cheaper (thanks to reduced card fees) to process online than manually keyed.

All options are possible with Sertifi’s payment solution, which provides an efficient and secure way to immediately process card-not-present transactions. You can also bolster this with our authorizations solution to take advantage of fraud detection tools before you go to process the card, eliminating the back and forth around card declines – not to mention risk of chargebacks.

Get paid faster & reduce payment fraud with Sertifi.

Simplify selling by electronically capturing payments and agreement e-signatures from one secure platform. Behind the scenes, SertifiPay processes payments in a fast, PCI-compliant manner at a lower cost to you. Our customers have saved up to $175k a year in processing fees.

Looking for more payment insights?

About the author

Mike Ryan

Mike Ryan is the enterprise director of payments at Sertifi. Mike brings over 20 years of experience in sales and payment technology. At Sertifi, he manages the strategy and adoption of payment solutions, particularly SertifiyPay, Sertifi’s proprietary payment processor – all aimed to make payments simpler and more secure for the hospitality and travel industry.