Hotel Payments Series
07: CVV Unmasking – Security Mandates & Recommendations
Many hotels use Sertifi’s credit card authorization solution to verify the validity of a card and detect potential fraud risk. Via a zero-dollar transaction (card validation), Sertifi processes and stores the card information in a PCI-compliant manner, which restricts what information can be stored in our platform and therefore what hotel users have access to. This makes it difficult to use the verified card for future transactions.
In this installment of our hotel payment series, we provide more context around the storage rules and how you can work around them.
What are the PCI DSS requirements for managing cardholder data (CHD)?
To minimize security threats and breaches, PCI DSS stipulates that cardholder data (CHD) must be encrypted during processing and masked during storage. CHD is any information found on a customer’s card, including verification codes:
- Card Verification Value (CVV) for Visa and Discover cards.
- Card Security Code (CSC) for American Express cards.
- Card Validation Code (CVC) for Mastercard payment cards.
- Card Authentication Value (CAV) for JCB payment cards.
If CHD must be stored, organizations like Sertifi must establish processes for limiting the amount and time it’s stored and securely deleting it when it’s no longer needed.
PCI DSS also mandates that verification codes like CVVs can’t be stored at all. Therefore, Sertifi only transmits this information; we cannot and do not store it.
In cases where the cardholder is present at your property and dips their card in a PIN pad, this isn’t an issue. However, in our industry, hotels frequently need to check in a guest who is not the payer or cardholder. Our authorization solution helps hotels determine whether they want to accept a card-not-present transaction from a potential guest by running fraud screens and checking AVS and CVV validity (among other fraud prevention measures). Assuming the transaction passes all of these checks and the hotel wishes to accept the reservation, the hotel must then charge the card.
How can I use a card without access to its CVV?
Many PMS and POS systems now require the CVV to be entered for any manually keyed credit card transactions. So, if the CVV cannot be stored and the cardholder is not present at check-in, how does the hotel process this payment? We get this question all the time.
First off, we always recommend capturing the payment online and as far in advance of the stay as possible. While our authorization solution will provide a high degree of confidence in the validity of a cardholder, you should still request an online payment if you can. The whole point of CVV, along with other protective measures like 3-D Secure (3DS), is to protect you and the cardholder – and as discussed in our last post, you only get those protections by capturing card-not-present payments online.
Capturing a payment in advance provides time for the legitimate cardholder to dispute the charge before the stay if it truly is a fraud situation. Collecting payment using 3DS technology prevents the cardholder from claiming the card was used without authorization, and chargeback liability shifts to the card issuer. Even if you only collect for the first night of the stay, there is a much higher level of protection than with a manually keyed transaction. It’s also a lot cheaper (thanks to reduced card fees) to process a payment online than to key it manually.
All options are possible with Sertifi’s payment solution, which provides an efficient and secure way to immediately process card-not-present transactions. You can also bolster this with our authorization solution to take advantage of fraud detection tools before you go to process the card, eliminating the back and forth around card declines – not to mention the risk of chargebacks.