John,
To have Authorize.Net check the CVV number for you, you need to set
validationMode to "liveMode" or "oldLiveMode" when you send the XML/
SOAP request to Authorize.Net.
This is necessary, because normally Authorize.Net just assumes the
data you provide is valid. Since Authorize.Net (nor any other
gateway) will store the CVV2 number (and neither should you), what
they do is check the CVV2 for you when you create a payment profile
with the card processor. They do this by authorizing $0.01, and then
immediately voiding the transaction. If the authorization is
successful, the CVV2 is know to be valid and the profile is stored.
Otherwise you get an error. The CVV2 is then immediately thrown
away.
The default behavior is not to do this, because depending on your card
processor, you might be charged for these verifications.
Check one of the guides here for more info:
http://developer.authorize.net/api/cim/
Good luck,
Mike