CVV2 requirement and possible effect on post dated payments

Your merchant processor may be set up to require use of CVV2 - which is a setting you may wish to turn off in their online portal, if you follow the steps below.

Theatre manager cannot store the CVV2 data per the PCI council.

The chart on the right indicates which data can be stored and it is explained further in PCI Requirement 3 rules.

 

Since the vast majority of credit card transactions are real time with a CVV2, most venues will see limited effect for 99% of credit card authorizations:

It will affect:

  • situations where the credit card provider is down or unreachable - a rare occurrence which does happen
  • authorizing existing post dated payments and recurring donations
It may affect:
  • Mail order - since your customers should not write the CVV2 on any form you send to them to remain PCI compliant.

 

Set your MERCHANT SETUP to NOT require CVV2 in their ONLINE PORTAL

Theatre Manager does not store CVV2 data (per PCI compliance). It cannot send CVV2 for post dated payments. You have two ways to address this:

  • Turn OFF CVV2 requirements for your merchant account AT THE BANK
      Log in to your ONLINE merchant profile and
    • Turn off CVV2 requirements at your merchant
    • Leave CVV2 as a requirement in TM's merchant setup
    • Authorize the post dated payment in end of day.
    • This means TM will send one if it has one (for first time authorizations), and the bank will accept a charge if it does not (post dated payments)
  • Use Theatre Manager's Merchant Profiles feature. (note: do not use this feature for Moneris)
    • This is a feature where you initially send all the credit card data to the bank
    • The bank returns a token to Theatre Manager, which is stored in the database
    • From that point on, Theatre Manager will use the token for post dated payments, eliminating the need to store the credit card
    • This works because the token uniquely identifies the merchant (you), the patron, and a specific card.

 

Setting Theatre Manager to Require CVV2

Please confirm the following three settings for your venue:

 

Effect of CVV2 on Emergency Mode

Theatre Manager's Emergency Mode was designed for situations where the credit card company's processing was down or not available. This requirement for CVV2 (plus the inability to store it) means that the Credit Card companies prefer Real Time Authorizations.

 

Note: if a card is declined for lack of CVV2 after emergency mode is tuirned off, it likely would have been declined anyway. you'll need to call the patron to get the CVV2 # when your services come back.

 

Effect of CVV2 on Post Dated Payments

If you can make one post dated payment work (without CVV2), then they will likely all work. Theatre Manager does not store CVV2 data (per PCI requirement 3.3).

A alternative is to explore merchant profiles as mentioned above (do not do this for Moneris)

 

How will Theatre Manager respond to Post Dated Payments?

We have felt for a long time that the unstated direction of the bank industry was elimination of card data storage at a merchant. It is fortunate that we anticipated this as have a project underway to migrate patron card information to the bank and use tokenization instead. Effectively, this means:

  • When a patron use a card for the first time, TM will direct your merchant processor to store the card data and provide Theatre Manager a unique token for that card
  • If you are setting up post dated payments, TM will then refer to the patrons token at the bank for future authorizations - which is consistent with the Bambora statement

 

How will switching merchant providers affect Tokenized Post Dated Payments?

If the post dated payment token is stored at the merchant processor and is unique to your merchant account, it adds a step when switching from one merchant provider to another. You will need to keep your old merchant account active until all future post dated payments set up for your original merchant provider are completed and authorized.