Tuesday, October 18, 2011

CVV2 Codes, PCI Compliance

There are two merchant account credit issues floating around today.

One, do we have to do any  PCI compliance testing?  I researched this in early 2009 and wrote that as a level 3, 20K-1M online transactions vendor, none stored, there was a level of testing required. I don't list my source for this info but I wrote it up here. I wonder if its still true: PCI Compliance for Level 3 Vendor.

I researched in the beginning of 2009 that I needed to get PCI compliance testing done.  But, I never have. 

As a side story, after I decided that we did need some PCI compliance testing, I tasked my  team to take care of it and that spoke to one vendor who talked us into a whole comarketing thing in which they guaranteed our site and put their bug all over it guaranteeing that it would improve our conversion rate. It didn't improve the rate at all. They made some changes. No improvement. We insisted on getting our money back. Eventually we did but only after a huge investment of time and energy. We were so turned off by the experience that we haven't looked at PCI compliance since then.  

The second question this week relates to CVV2 Codes.   We've found over the last few years that our decline rate on credit cards (and some fees) are creeping upwards.  Since our product is education, there is very little fraud so we have never required a CVV2 code.

Our processor says that if we get the CVV2 code, we'll get less declines and the fees will be a little lower. But we know that many of our customers use cash cards (ie gift cards) which don't seem to have CVV2 codes.  I'm now trying to redesign our sales page to handle this and I'm looking for an example or advice on how other people handle this.  Any input?

No comments: