Verifying Credit Cards

Fraud Prevention at Your Fingertips.


Overview

Verifying credit card data can help stop fraudulent transactions and prevent rate downgrades from your authorizer. You can verify a card at any time before performing a transaction, such as when setting up a recurring or scheduled future payment or when creating a token. In the past, card-not-present merchants had to verify cards by sending $1.00 "ghost authorizations," which captured funds while the transaction remained in a pending state before eventually expiring. For merchants, these "ghost authorizations" created support problems, and for issuers, they negatively impacted cardholder spending. Hence, Visa and MasterCard began allowing zero-dollar transactions so that merchants could perform Address and CVV verifications.

Forte’s card verification service ensures that a card is linked to an open, valid account by matching up the following data on file with the customer’s issuing bank:

  • Primary Account Number (PAN)
  • CVV/CVV2
  • Expiration Month and Year
  • Cardholder’s Street Address and Zip Code

 

You can verify credit cards using Forte’s REST API or the Advanced Gateway Interface. NOTE: Only merchants who have Vantiv as their credit card authorizer can pass non-swiped, zero-dollar verify transactions. The process for other credit card authorizers will vary. Contact Forte Technical Support at 888-235-4635 option 3 for information on your authorizer.

 

The Verification Process

Forte reports and bills/commissions verify transactions normally and provides a postback to merchants indicating Address Verification Services (AVS) and Card Verification Value (CVV) results. No funds are captured and the transactions never go through settlement. Credit card verifications have no impact on SplitFund merchants.

The following diagram provides a high-level overview of this process:

 

Verifying Card Data in REST

Crafting Requests

Credit cards can be verified by passing transaction parameters or passing swipe data in a POST request to the transactions URI. To create a verify transaction via parameters, use the following values in your request:

  • authorization_amount=0.00
  • action=sale or action=verify
  • billing_address.first_name
  • billing_address.last_name
  • billing_address.physical_address.street_line1
  • billing_address.physical_address.locality
  • billing_address.physical_address.region
  • billing_address.physical_address.postal_code
  • card.card_type
  • card.account_number
  • card.expire_month
  • card.expire.year
  • card.card_verification_value

 

To create a verify transaction via swipe data, use the following values in your request. NOTE: Swiped transactions require an authorization_amount greater than zero. For verification purposes, Forte recommends using the 0.01 value.

  • authorization_amount=0.01
  • action=sale or action=verify
  • billing_address.first_name
  • billing_address.last_name
  • billing_address.physical_address.street_line1
  • billing_address.physical_address.locality
  • billing_address.physical_address.region
  • billing_address.physical_address.postal_code
  • card.card_reader
  • card.card_data

 

NOTE: The verify action for a credit card works differently than an ACH verify. ACH verify requests provide money amount verifications (e.g., authorization_amount=10) with the transaction; whereas, in non-swiped credit card verify requests, the authorization_amount value must be zero and in swiped credit card verify requests, the authorization_amount value must be 0.01. The transaction behaves the same as a zero-dollar sale transaction.

The following POST to the Transaction object indicates a card verification request:

 

Example - Verify Credit Card Data in REST

 

 

Understanding Responses

Forte verifies the data with the issuing bank and sends one of the following responses back in the cvv_result field of the response object. NOTE: CVV testing in the sandbox environment can only simulate the M (i.e., Match) or N (i.e., No Match) responses.

  • M = Match
  • N = No Match
  • E = Error (Unrecognized or Unknown Response)
  • I = Invalid or Null
  • P = Not Processed
  • S = Service Not Supported
  • U = Issuer Unable to Process
  • X = No Response

 

Forte also verifies the address data provided by the customer with the issuing bank and sends one of the following responses back in the avs_result field of the responseobject. NOTE: AVS testing in the sandbox environment can only simulate the Y (i.e., Match: Street Address and 5-digit Zip Code both match) or N (i.e., No Match: Street Address, 5-digit Zip Code, and 9-digit Zip Code all do not match) responses.

  • X = Match: Street Address and 9-digit Zip Code both match
  • Y = Match: Street Address and 5-digit Zip Code both match
  • A = Partial Match: Street Address matches, but both 5-digit and 9-digit Zip Code do not match
  • W = Partial Match: Street Address does not match, but 9-digit Zip Code matches
  • Z = Partial Match: Street Address does not match, but 5-digit Zip Code matches
  • N = No Match: Street Address, 5-digit Zip Code, and 9-digit Zip Code all do not match
  • U = System Unavailable: Address information unavailable. Forte returns this response if the Street Address is a non-US address, if the AVS service is unavailable, or if the AVS service for a particular US bank is not properly functioning.
  • R = System Unavailable: Forte will retry the AVS check because the issuer's system is unavailable or the request times out.
  • E = Invalid: AVS data is invalid
  • S = Not Supported: The US issuing bank does not support AVS checks.

 

Using Parameters to Test Address Verification Services in REST

The sandbox environment enables you to perform limited AVS and CVV testing using passed parameters. For the avs_result parameter, sandbox testing can only simulate the Y (i.e., Match: Street Address and 5-digit Zip Code both match) or N (i.e., No Match: Street Address, 5-digit Zip Code, and 9-digit Zip Code all do not match) response values. For the cvv_result parameter, sandbox testing can only simulate the M (i.e., Match) or N (i.e., No Match) responses. Use the data values in the following chart when testing:

 

account_number authorization_amount sales_tax_amount avs_result cvv_result
4111111111111111 0 0 N N
4111111111112101 0 0 N N
 
4111111111111111 1 1 Y M
4111111111112101 1 1 Y M
 
4012888888881881 1 1 Y M
4012888888881881 0 0 N N
4003030000000006 1 1 Y M
4003030000000006 0 0 Y M

 

Verifying Card Data in AGI

Understanding AVS Checks

AGI enables merchants to specify what type of data they want to include in their AVS verification checks. Merchants can choose to verify the following data:

  • Credit Card Account and Zip Code
  • Credit Card Account and Street Number
  • State and Zip Code
  • State and Area Code
  • Anonymous Email

 

These checks are captured in the pg_avs_method parameter via a 5-digit code that indicates what to verify and what action Forte should take upon verification. The pg_avs_result parameter also relies on this 5-digit code to indicate the result of a verification check. When creating your customized verification check, use the following model:

 

X1X2X3X4X5

 

where,

Value Type of Verification Check
X1 Credit Card Account and Zip Code
X2 Credit Card Account and Street Number
X3 State and Zip Code
X4 State and Area Code
X5 Anonymous Email

 

To define the value of the pg_avs_method parameter, use the following digits to determine what types of AVS checks you want Forte to perform:

Digit Description
0 Do not perform check
1 Check only; do not decline on fail
2 Check and decline on fail

 

For example, let's assume you want to ensure your customer's credit card account number matches the zip code and street number on file with the issuer. If these values do not match, you want Forte to automatically decline the transaction. For this scenario, you will need a 2 in the X1 and X2 places of your pg_avs_method code and a 0 in the remaining places (X3–X5). Hence, the request parameter and value for this transaction will be pg_avs_method=22000.

Similarly, you will use the following digits to decode the value of the pg_avs_result parameter to determine the result of the submitted verification check(s):

Digit Description
0 Check not performed
3 Passed
4 Failed

 

Using the example above, only the X1 and X2 places will contain digits. Unless both of these digits are 3 (i.e., the data matched and the verification check passed), this transaction will automatically decline.

 

Understanding CVV/CVV2 Checks

AGI performs CVV/CVV2 checks for all credit card transactions and uses the same response codes as Forte's REST API to indicate the result of a CVV verification. Forte verifies the CVV data with the issuing bank and sends one of the following responses back in either the pg_cvv2_result or pg_cvv_code parameter in the response message template:

  • M = Match
  • N = No Match
  • E = Error (Unrecognized or Unknown Response)
  • I = Invalid or Null
  • P = Not Processed
  • S = Service Not Supported
  • U = Issuer Unable to Process
  • X = No Response

 

Crafting the Request Message Template

Like REST, you can verify credit cards with AGI via parameters or encrypted swipe data using a transaction request.

To verify credit card data in AGI via parameters, include the following data in your request message template:

  • pg_total_amount=0.00
  • pg_transaction_type=10
  • ecom_billto_postal_first_name
  • ecom_billto_postal_last_name
  • ecom_billto_postal_street_line1
  • ecom_billto_postal_stateprov
  • ecom_billto_postal_postalcode
  • ecom_billto_telecom_phone_number
  • ecom_billto_online_email
  • ecom_payment_card_type
  • ecom_payment_card_number
  • ecom_payment_card_expdate_month
  • ecom_payment_card_expdate_year
  • ecom_payment_card_verification
  • pg_avs_method

 

To verify credit card data in AGI via swipe data, include the following data in your request message template:

  • pg_total_amount=0.01
  • pg_transaction_type=11
  • ecom_billto_postal_first_name
  • ecom_billto_postal_last_name
  • ecom_billto_postal_street_line1
  • ecom_billto_postal_stateprov
  • ecom_billto_postal_postalcode
  • ecom_billto_telecom_phone_number
  • ecom_billto_online_email
  • pg_cc_enc_swipe_data
  • pg_cc_enc_decryptor
  • pg_avs_method

 

The following request message templates indicates the merchant wants to verify the credit card and if the AVS check fails, automatically decline the transaction. The responses indicate that the card passed verification. Note that pg_avs_result=33000 indicates that the zip code and street address on file for the customer matched his or her credit card account number and the pg_cvv_code=M indicates that the provided card verification value matches the provided credit card account number.

 

Example - Verify Credit Card Data in AGI