You are here

CVV2 requirement and possible effect on post dated payments

Subscribe to Syndicate
We recently received information that credit card companies will mandate use of CVV2 number (on the back of a credit card), making it a requirement for processing cards in almost all situations.
Since the vast majority of credit card transactions are real time with a CVV2, most venues will see limited effect for 99% of credit card authorizations:

It will affect:

  • situations where the credit card provider is down or unreachable - a rare occurrence which does happen
  • authorizing existing post dated payments and recurring donations
It may affect:
  • Mail order - and we cannot fully comment on that yet as the documents say that mail order can be taken in batch without CVV2.


Setting your ONLINE MERCHANT SETUP to NOT require CVV2

Since Theatre Manager does not store CVV2 data (per PCI compliance), it cannot send CVV2 for post dated payments. You have two ways to address this:

  • Turn OFF CVV2 requirements for your merchant account AT THE BANK
      Log in to your ONLINE merchant profile and
    • Turn off CVV2 requirements at your merchant
    • Leave CVV2 as a requirement in TM's merchant setup
    • Authorize the post dated payment in end of day.
    • This means TM will send one if it has one (for first time authorizations), and the bank will accept a charge if it does not (post dated payments)
  • Use Theatre Manager's feature that supports Merchant Profiles
    • This is a feature where you initially send all the credit card data to the bank
    • The bank returns a token to Theatre Manager, which is stored in the database
    • From that point on, Theatre Manager will use the token for pst dated payments, eliminating the need to store the credit card
    • This works because the token uniquely identifies the merchnat (you), the patron, and a specific card


Setting Theatre Manager to Require CVV2

Theatre Manager has sent CVV2 numbers for many years. Please confirm the following three settings for your venue:


Effect of CVV2 on Emergency Mode

Theatre Manager's Emergency Mode was designed for situations where the credit card company's processing was down or not available. This requirement for CVV2 (plus the inability to store it) means that the Credit Card companies are now requiring Real Time Authorizations. It means they prevent you from running your venue in the event that the merchant provider is down.


Effect of CVV2 on Post Dated Payments

According to an email from Bambora, this appears to directly affect recurring payments. Theatre Manager does not store CVV2 data (per PCI requirement 3.3).

This likely means that trying to authorize a Post Dated Payment or creating a recurring donation will see those payments rejected at some time in the future.


How will Theatre Manager respond to Post Dated Payments?

We have felt for a long time that the unstated direction of the bank industry was elimination of card data storage at a merchant. It is fortunate that we anticipated this as have a project underway to migrate patron card information to the bank and use tokenization instead. Effectively, this means:

  • When a patron use a card for the first time, TM will direct your merchant processor to store the card data and provide Theatre Manager a unique token for that card
  • If you are setting up post dated payments, TM will then refer to the patrons token at the bank for future authorizations - which is consistent with the Bambora statement


How will switching merchant providers affect Tokenized Post Dated Payments?

If the post dated payment token is stored at the merchant processor and is unique to your merchant account, it adds a step when switching from one merchant provider to another. You will need to keep your old merchant account active until all future post dated payments set up for your original merchant provider are completed and authorized.