If you are using Recurring Billing (automatic charge to a credit card instead of an automatic invoice without auto-payment), it is critical that you know that ASAP does not maintain CVV numbers. Per PCI-DSS guidelines, ASAP is prohibited from retaining CVV numbers. ASAP requires a customer to enter this data for regular invoice payments on the Public Portal Payment Page to help prevent fraud, but ASAP does not store it for future use in Recurring Billing, Payment Plans or Saved Cards.
IMPORTANT: If you are using your own merchant account/gateway (e.g. Authorize.net, Cybersource, PayPal PayFlow Pro, BluePay, Moneris, Elavon, Stripe), make sure you change the configuration of your gateway to request but not require CVV numbers (I.E. if CVV is provided and does not match, reject).
If you are using ASAP's Merchant Account and you are using recurring billing, this account has been configured to not require CVV numbers.
This way, when the next recurring bills are generated for your students, and payment is attempted, the payment will be processed even though the credit card doesn't have a saved CVV number associated with it.
*** PLEASE NOTE: regardless how you set your merchant account, when a student processes a payment on ASAP, we always require CVV. This protects you for 90+% of your transactions. But when we save the card for "Saved Cards", Recurring Billing or Payment Plans, we do not store the CVV.
We do not have examples of how to set this up for all merchant providers we integrate with, but here are the merchants we do have steps on setting CVV correctly:
AUTHORIZE.NET
- Log in to the administrative console
- Click on Settings and under Security Settings, click Card Code Verification
- Be sure there is only one check mark. Only "Does NOT match (N)" should be checked. Do not mark "Is NOT Processed (P)". This latter one is the key that forces a CVV for every transaction.
- Click Submit
