Credit Card Security Code

This issue is not going away and with the relaunch of the PCI-DSS Version 2.0 this month,
(see https://www.pcisecuritystandards.org/)
will come under the spotlight again. I think the issue is now resolved for one off donations, but I think charities would be well advised to think about ending the promotion of regular giving by credit card.

As stated earlier, some banks no longer accept card transactions without the extra 3-digit security code, but as a principle of the DSS standard is that you cannot store the security code, it is logically no longer possible for customers of those institutions to run continuous credit card authorities.

Other institutions are soon to follow suit I hear.
I wondered if anyone on this list had consulted their Acquirer on this and as a result is considering withdrawing this as an option (which means of course moving everyone to the much better medium of DD's), or is the alleged news of the demise of this method of giving somewhat premature?

I've had to take a similar decision myself. Because of the new legislation that has been put in place (or potentially in place), we now need to take the CVV code. However, there is a reluctance to place these details on paper and put in the post. So I took the decision to have 2 three digit boxes printed onour latest literature. One for the Masetro numbers and one for the cvv, although I didn't label either, just positioned them in the approrpaite places on the cc form. The resposne so far, is that people are filling in the cvv numbers. When we recieve and process the coupons, we have a black marker pen and obliterate the numbewr once used. It's not high tech, but it is secure.

Interestingly, I've been looking at the ads that have appeared in the papers requesting donations for the earthquake in Java to see if other charities are still asking for credit card donations.

Quite a few of the big ones (such as Red Cross, Oxfam, Unicef) seem to still ask for credit card donations but don't say anything about security codes. Presumably they must be getting round it somehow - anyone know?

I did see one ad though that had boxes in it for the security code to be written in - can't remember who it was but it was a smaller charity.

So still confusion!

Hello all

We have just made the decision to remove the option to donate by credit / debit card and instead direct the donor to phone or visit our website. The main reason being that it would be so easy to intercept a postal donation and therefore all the information needed to wipe out a donor's account, our view was if we felt un-easy providing our security code via post then our donors would also. Particularly with direct mail where the response mechanism is often so clearly for a charity - we would be asking for fraud making ourselves a very easy target!

This really is irritating. We received a letter from CAF, our credit card processor saying that their processor (Streamline - part of Royal Bank of Scotland) will require the security code at some unspecified date.

It appears that this is a move by MasterCard and Visa. What are the chances of them taking a look at the real requirements of charities? As said, this reduces security, rather than increases it. Maybe MasterCard and Visa could be convinced of this. In theory, you can turn an oil tanker with a paddle, in practice, it takes a lot of paddling.

IOF did condemn this in March but made no noticable impact. Text follows.

Larry Boyd
Tools for Self Reliance

10 Mar 2006

Changes To Credit Card Donation Requirements Could Cost Charities Millions

The Institute of Fundraising (‘Institute’) is today calling on Visa and Mastercard to clarify how changes to credit and debit card donations will impact on charities, following concerns from charities that this will cost them huge sums of money.

The changes, some of which come into effect on 1st April 2006, require the charity to capture the three-digit security code on the back of a credit card or debit card when accepting donations from cardholders that are not present.

Lindsay Boswell, Chief Executive at the Institute of Fundraising, says:
“Our members deal with a range of different banks and they are getting contradictory information. Some acquiring banks are adamant that they will not honour charity donations without the three-digit security code from as early as the 1st April. Others are uncertain as to what the new requirements are.

“The requirement for card security codes to be destroyed after transactions are processed presents a significant challenge for charities whose donation forms also include Gift Aid declarations. In order to benefit, charities must retain donors’ Gift Aid declarations, so the requirement to destruct all or even part of this form could present significant problems for charities when they undergo Gift Aid Audits. This could result in the loss of millions of pounds of vital income to charities.

“It is vital that Visa and Mastercard acknowledge and work with us to address these issues. At a time when the banking industry is reporting record profits and charities are working hard to keep their administration costs as low as possible, the sectors must work together to implement such significant process changes. We are calling on the credit card industry to ensure its messages are clear and to engage with us.'

As well as the Gift Aid issue, the other key challenges presented by these changes, particularly in respect of postal donations, are outlined below:

q The timescale within which charities are expected to restructure, reformat and reprint donations forms in order to comply with the mandate is “unrealistic”.
q Many fundraising organisations will face costs to redesign and reprint donations forms in order to comply with the mandate

The Institute of Fundraising has sought advice from APACS who recommend that each individual charity contact and seek guidance from their acquiring bank.

For further information:
The Institute of Fundraising has published the briefing sheet ‘Fundraising with Debit and Credit Cards’ online at [url]www.institute-of-fundraising.org.uk[/url]

I just spoke to someone at Lloyds TSB Cardnet to find out whether we should be putting boxes for the security code onto our donation forms (we had done this when we first found out about this new process but I'm now reconsidering based on comments above). She checked with her manager who told her it was fine to put boxes for both the credit card numbers and security code on the form but we must destroy or blackout the security code bit once the donation had been processed. When I pointed out that if the donation form was stolen in the post the thief would have access to everything they need to make fraudulent charges, I was told that the donor would be 'covered'.

Basically I see three possible options:
1) Include boxes for credit card and security code on the form, process the donation and then destroy the security code bit as recommended above. As someone mentioned above this is seems rather risky for the donor.
2) No longer ask for credit card donations at all - tell them if they wish to donate by card to call us or do so over the internet - this could affect donations.
3) Ask for their credit card number but not their security code and write back to them when we get the donation asking them to send their security code separately - more admin and may lose donations.

What are other people doing?

We use NatWest Streamline for card proccessing and despite numerous contacts with them, this is their latest reply:
"Thank you for your communication to Streamline regarding the removal of the over-ride for Card Security Codes on Cardholder Not Present Transactions.
Unfortunately, despite many conversations with our Head Office, the over-ride is still going to be put into place. It is seen as a minor risk for credit card fraud."
Initially we were told it was being mandated by the Credit Card companies.
We emailed our NatWest relationship manager with this information on the 4th of April and as yet have had no reply.
Despite them saying the CSC over-ride would be removed from the 1st of April it has not been taken away. We're told it will be phased out, but can be given no date as to when it will happen.
Anyone else using Streamline and been given the same answers?
Kevin
MAF UK

After discussions with someone in the Industry yesterday, they said that the 3 digit code should not be put on any DM materials. In doing so you might as well give a stranger your Cash card with the PIN!

It is true that some banks are saying that you must get this code by re-contacting the donors however the 3 digit code is not mandatory when submitting the details for collection to your Merchant.

The only advice I can give on this confusing situation is to contact your Merchant & get written guidelines on what Visa & MasterCard have requested.

Scott Gray
---
Rapidata Services plc

The same thing happened to us, we bank with Lloyds. The problem I found is that they didn't really understand that we were non-profit and were treating us like a high street retailer that wasn't towing the line. They did give us short term exemption in-lieu of circumstance....but we did have to battle.

After testing capturing vs not capturing the security code, we found that it did make a difference to response rates, i.e. response rates dropped when we asked donors for the code. We wrote a polite letter to the bank saying we've proven that collecting the CSC effects funds and will therefore be moving banks unless they allow us to process donations without the code, they eventually said yes. Speaking/writing to someone high up who’s responsible for winning/losing business helps.

Good luck!

Reuben