How to charge someone a variable amount every 2 months without storing the CVV code?
We have a physical product that is shipped every 2, 3, or 4 months depending upon customer preference. In between shipments the user may elect to modify their choices.
Before anyone suggests it - I'm pretty sure a recurring billing system (such as Paypal) is not suited to our needs. For two reasons a system like Paypal's does not seem to be ideal.
- They only let you do monthly, quarterly, annually. Not every 2 or 3 months. [Paypal API document here]
- We want the customer to be able to 'ship now' if they want their products early or later than the normal schedule.
- Since it's a physical product we can't split it into a prorated monthly amount.
I think therefore we will have to rebill using the same mechanism as we do when the initial order is created - with the CC number and CVV2 code. But obviously we can't store the CVV2 code for PCI compliance!
I recently came across Braintree's payment services - which allow you to create an initial transaction and retrieve a 'token' that represents that credit card number. That token is safe to store because it is useless to a thief. It helps minimize the work needed for PCI compliance.
I'm completely fine using Braintree's solution. It seems to be perfect for what we need - yet it leaves me confused about Paypal's offering. How would I achieve what I am trying to do with any system other than Braintree without having to store the CVV2 code?
Comments (4)
You may already know that the cvv2 is used in an avs/csc check that is done by taking the numerics from the customer's address, the numerics from the post/zip code and the numbers from the cvv2 and comparing them with known values held by the card issuer.
The result of the avs/csc check returns a three digit value which lets you know whether the address/cvv2 values match those held on file by the card issuer. The result of this check can then be used to help prevent fraudulent transactions.
Therefore a common way to tackle the issue of not being able to store the actual cvv2 code is instead to store the cvv2 result. This way you can be fairly confident that so long as the address hasn't been altered, the card is still valid. The only downside to this approach is that some acquiring banks deem that authorizations performed without a cvv2 check are insecure, and charge a higher interchange rate. You may need to discuss this with your acquirer to explain that only the first authorization is performed with a cvv2 check, and subsequent ones are not.
All said though, you will find PCI compliance a lot easier if you instead use a service provider that allows you to hold token values rather than actual card numbers.
Another issue with recurring payments that I'm not sure if you've considered is the fact that over time cards will expire, be cancelled or re-issued. Visa and MasterCard both have a relatively new service called the Visa Account Updater or MasterCard Automatic Billing Updater to handle this. It's something you'd need to organise with your acquiring bank, or if you go the PSP route it will probably be handled automatically - but worth checking.
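The pattern this answer (and the question) describe, as an added example that is not part of the original thread: the merchant keeps a gateway token, the card's last four digits and expiry, and the result codes of the first AVS/CVV2 check, but never the PAN or the CVV2 itself, and later charges of any amount on any date are made against the token. The gateway class below is a stand-in with invented method names (`vault_and_authorize`, `charge_token`), not Braintree's or PayPal's real API; the card number, CVV2, postcode and amounts are constructed test data, and the "P" / "M" / "Y" response codes are assumptions.

```python
"""Token-based rebilling without storing CVV2 (added example, not from the thread)."""
from dataclasses import dataclass, asdict, is_dataclass
from datetime import date
from typing import Optional
import calendar
import secrets


@dataclass(frozen=True)
class AuthResult:
    approved: bool
    reference: str   # gateway transaction reference, linkable from later charges
    avs_code: str    # assumed issuer AVS response: "Y" = address and postcode matched
    csc_code: str    # assumed issuer CVV2 response: "M" = matched, "P" = not provided


class FakeGateway:
    """Hypothetical PSP stand-in. The PAN lives only here, inside the PCI scope."""
    # Constructed sample issuer data: card ending 1111, CVV2 123, postcode 90210.
    _ISSUER = {"4111111111111111": {"cvv2": "123", "postcode": "90210"}}

    def __init__(self):
        self._vault = {}  # token -> PAN; never returned to the merchant

    def vault_and_authorize(self, pan, expiry, cvv2, postcode, amount_cents):
        """First transaction: card-present-style auth that also vaults the card."""
        issuer = self._ISSUER.get(pan)
        if issuer is None:
            return None, AuthResult(False, "", "N", "N")
        avs = "Y" if postcode == issuer["postcode"] else "N"
        csc = "M" if cvv2 == issuer["cvv2"] else "N"
        if csc != "M":  # stub policy: decline a wrong CVV2 on first use
            return None, AuthResult(False, "", avs, csc)
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return token, AuthResult(True, "ref_" + secrets.token_hex(4), avs, csc)

    def charge_token(self, token, amount_cents, original_reference):
        """Card-on-file charge. No CVV2 is sent, so the CSC result is 'P' (not provided)."""
        if token not in self._vault or amount_cents <= 0:
            return AuthResult(False, "", "N", "P")
        return AuthResult(True, "ref_" + secrets.token_hex(4), "Y", "P")


@dataclass
class CardOnFile:
    """Everything the merchant keeps. Note there is no PAN and no CVV2 field at all."""
    token: str
    last4: str
    expiry: str               # "MM/YY"; cards expire, hence the account-updater services
    avs_code: str             # result of the first AVS check, kept instead of the address digits
    csc_code: str             # result of the first CVV2 check, kept instead of the CVV2
    original_reference: str   # lets later charges be linked to the initial transaction


FORBIDDEN_FIELDS = {"pan", "card_number", "cvv", "cvv2", "csc"}


def persist(record) -> dict:
    """Simulated database write that refuses any row carrying card data."""
    row = asdict(record) if is_dataclass(record) else dict(record)
    leaked = FORBIDDEN_FIELDS & {k.lower() for k in row}
    if leaked:
        raise ValueError(f"refusing to store PCI-scoped fields: {sorted(leaked)}")
    return row


def enroll(gateway, pan, expiry, cvv2, postcode, first_amount_cents) -> CardOnFile:
    """Run the initial order, then keep only the token and the check results."""
    token, result = gateway.vault_and_authorize(pan, expiry, cvv2, postcode, first_amount_cents)
    if not result.approved:
        raise RuntimeError(f"initial auth declined (AVS={result.avs_code}, CSC={result.csc_code})")
    card = CardOnFile(token, pan[-4:], expiry, result.avs_code,
                      result.csc_code, result.reference)
    persist(card)  # pan and cvv2 are not part of what gets written
    return card


def rebill(gateway, card: CardOnFile, amount_cents) -> AuthResult:
    """Scheduled or 'ship now' charge of any amount, using the token, never the CVV2."""
    if card.csc_code != "M":
        raise RuntimeError("first authorization did not pass the CVV2 check; do not rebill")
    return gateway.charge_token(card.token, amount_cents, card.original_reference)


def next_ship_date(last_ship: date, interval_months: int,
                   ship_now: Optional[date] = None) -> date:
    """Customer picks 2, 3 or 4 months; an explicit 'ship now' date overrides the schedule."""
    if interval_months not in (2, 3, 4):
        raise ValueError("interval must be 2, 3 or 4 months")
    if ship_now is not None:
        return ship_now
    month_index = last_ship.month - 1 + interval_months
    year, month = last_ship.year + month_index // 12, month_index % 12 + 1
    day = min(last_ship.day, calendar.monthrange(year, month)[1])  # clamp e.g. Dec 31 -> Feb 28
    return date(year, month, day)
```

The two things worth noticing: `CardOnFile` has no place to put a CVV2 even by accident, and `persist` is the second line of defence for ad-hoc dicts that might; and the rebill path carries the first transaction's reference and check results so the acquirer can see that the CVV2 was verified once, which is the conversation about interchange rates the answer above mentions.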
It's been a while since I had to do something like this... and I have only used the Verisign Payflow API. You might want to check it out.
To the best of my memory, payment gateways strongly recommend against storage of card details.
The recommended mechanism is to use the reference number from the original transaction, and then to link the new transaction to it; it must be very similar to the way Braintree handles it.
Most gateways don't require the cvv to work. That code essentially means 'credit card present' and should not be used for recurring transactions.
Braintree seems like a pretty good option if you don't want the hassle of conforming to PCI (which I've had to do, not hard, but requires a fair bit of process to be created)
This article explains the issues around recurring billing and CVV2 numbers really well and is worth a read:
http://kb.modularmerchant.com/a378-credit-card-security-codes.php