Add failing scenarios for CVV verification of an existing card#644
Add failing scenarios for CVV verification of an existing card#644jbrowning wants to merge 2 commits intobalanced:masterfrom
Conversation
There was a problem hiding this comment.
I believe that the cvv is inside pci scope, which means that you can not redirect this number through your server (unless you are pci compliant). There needs to be some way of sending this through balanced.js but then reliable reporting the result to the server.
There was a problem hiding this comment.
Yes I was wondering about that. I know the storage of the CVV is prohibited by PCI but I could not find any authoritative answer as to a CVV-only transmission.
There was a problem hiding this comment.
That makes this operation tricky. The CVV would have to be submitted to Balanced by balanced.js, which performs unauthenticated operations, so it would be tricky to operate on a specific card resource. We'd need a way to perform the CVV submission from balanced.js, then attach that information (CVV token?) to an existing card and re-verify server-side.
There was a problem hiding this comment.
the transmission is also going to fall into pci scope
There was a problem hiding this comment.
Perhaps the solution would be to have a CvvVerification resource that can be created via balanced.js and then retrieved server-side to get the verification result.
There was a problem hiding this comment.
that could be a possible way to do this.
There was a problem hiding this comment.
@matthewfl A transmission of the CVV when the card is already tokenized is not in violation of PCI, however, I could see an auditor actually argue both ways here. So, my suggestion is that a generalized tokenization resource would work here.
There was a problem hiding this comment.
right, but as this is written, it appears that the cvv is being passed through our customer servers, which would then fall under pci
There was a problem hiding this comment.
This definitely feels like a gray area. For example, CVV + card token does not by itself give a bad guy enough information to actually charge a card. I could see this being a security concern if they were targeting a specific person/card though.
@mahmoudimus so are you suggesting that we go with submitting the cvv for verification via balanced.js with authenticated retrieval in the backend to get the result? In other words, an almost-identical approach as the existing payment instrument tokenization? If that's the case, then I'm happy to go back to the drawing board and continue the discussion in #11.
|
@matthewfl @msherry any update on this? Thanks! |
|
@jbrowning you haven't really address the issues that we raised earlier |
|
Well I believe we concluded that this approach may not be possible because we can't perform authenticated operations via balanced.js. If that is indeed the case, then we'll need to agree on a different approach, such as the CvvVerification resource that I suggested. How should we proceed? |
|
then you should write up a spec for a cvvverification resource, and then we can have a conversation about that, and possibly rewrite it again |
|
I don't know how other people handle CVV validation. For example, hotels.com does a CVV verification when an existing card is used for booking. It will be really helpful for my marketplace, if you can come up with a solution. Until then, I will have to re-tokenize by getting all the CC information again. |
5 participants
Adds scenarios for the cvv portion of #11.
Address re-verification scenarios will be submitted via a separate PR.