CVV2 requirement and possible effect on post dated payments

We recently received information that credit card companies will mandate use of CVV2 number (on the back of a credit card), making it a requirement for processing cards in almost all situations.

Since the vast majority of credit card transactions are real time with a CVV2, most venues will see limited effect for 99% of credit card authorizations: It will affect: situations where the credit card provider is down or unreachable - a rare occurrence which does happen authorizing existing post dated payments and recurring donations It may affect: Mail order - and we cannot fully comment on that yet as the documents say that mail order can be taken in batch without CVV2.

Setting Theatre Manager to Require CVV2

Theatre Manager has sent CVV2 numbers for many years. Please confirm the following three settings for your venue:

• 'Send CVV2'/CID number is checked in the merchant profile >Authorization Tab.
• Require Credit Card CID/CCV2 is checked for all credit cards payment methods
• Each employee's security setting in the Employee Access->Function tab is unchecked so that CVV2 is no longer optional for that employee. Since this can't be set for master users, a future update to TM will be forthcoming.

  

 

Effect of CVV2 on Emergency Mode

Theatre Manager's Emergency Mode was designed for situations where the credit card company's processing was down or not available. This requirement for CVV2 (plus the inability to store it) means that the Credit Card companies are now requiring Real Time Authorizations. It means they prevent you from running your venue in the event that the merchant provider is down.

 

Effect of CVV2 on Post Dated Payments

According to an email from Bambora, this appears to directly affect recurring payments. Theatre Manager does not store CVV2 data (per PCI requirement 3.3).

This likely means that trying to authorize a Post Dated Payment or creating a recurring donation will see those payments rejected at some time in the future.

 

How will Theatre Manager respond to Post Dated Payments?

We have felt for a long time that the unstated direction of the bank industry was elimination of card data storage at a merchant. It is fortunate that we anticipated this as have a project underway to migrate patron card information to the bank and use tokenization instead. Effectively, this means:

• When a patron use a card for the first time, TM will direct your merchant processor to store the card data and provide Theatre Manager a unique token for that card
• If you are setting up post dated payments, TM will then refer to the patrons token at the bank for future authorizations - which is consistent with the Bambora statement

 

How will switching merchant providers affect Tokenized Post Dated Payments?

If the post dated payment token is stored at the merchant processor and is unique to your merchant account, it adds a step when switching from one merchant provider to another. You will need to keep your old merchant account active until all future post dated payments set up for your original merchant provider are completed and authorized.