CVV


fishe...@gmail.com

May 20, 2013, 10:25:04 AM
to requestau...@chromium.org
Is Google storing the CVV? If not, how are you checking the validity of the CVV?

- James

Alex MacCaw

May 20, 2013, 12:22:33 PM
to fishe...@gmail.com, requestau...@chromium.org
That's the one thing they're not storing - users will have to enter that every payment. Unfortunately there's no way to store the CVC and still be PCI compliant. 

Interestingly it may be worth taking the hit for more declines by removing the CVC in lieu of high conversion rates (like Amazon). We're aiming to a/b test this.


--
Alex MacCaw

+12147175129
@maccman

http://alexmaccaw.com

Albert Bodenhamer

May 20, 2013, 12:35:17 PM
to Alex MacCaw, fishe...@gmail.com, requestautocomplete, Cyndy Lobb
Thanks for chiming in Alex.

It's actually a bit more complicated than that. There are 2 cases:
  1. If the user chooses "pay without wallet" we store data with Chrome's autofill. Address, name, phone number get stored and transferred to other devices via sync (if the user has it enabled), credit card is stored locally but NOT synced, CVV isn't stored at all. The user should enter it each time and the site should ask for it and use it as part of the auth.
  2. If the user pays with Wallet we use the initially entered CVV to set up an instrument (+clobb is the expert on how that works). When the user checks out we issue a new card # and new CVV to go with it.

As Alex points out, if you choose not to ask for CVV you'll get more declines and there is more fraud risk. If the user is in "pay without wallet" mode we'll still ask for the CVV but there isn't any verification.
Albert Bodenhamer | Software Engineer | abodenha@chromium.org 
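
An added illustration of the site-side handling discussed in this thread (not code from any of the posters or from Chrome): ask for the code on every payment, pass it to the processor once for authorization, and keep it out of stored records and logs. The field names and the `gateway`, `store` and `log` interfaces are assumptions made for the example.

```javascript
// Added example, not code from the thread. Field names and the
// gateway/store/log interfaces are assumptions for illustration.
const CODE_KEY = /^(cc|card)?(cvv2?|cvc2?|csc|securitycode)$/;

// Deep-copy a value, dropping every key that names a card security code
// (matches cvc, CVV2, "cc-csc", security_code, ...).
function stripSecurityCode(value) {
  if (Array.isArray(value)) return value.map(stripSecurityCode);
  if (value === null || typeof value !== "object") return value;
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    const norm = key.toLowerCase().replace(/[^a-z0-9]/g, "");
    if (!CODE_KEY.test(norm)) out[key] = stripSecurityCode(v);
  }
  return out;
}

// Ask for the code on every payment, hand it to the gateway once for
// authorization, then persist and log only the scrubbed copy.
function checkout(form, gateway, store, log) {
  const card = (form && form.card) || {};
  if (!/^\d{3,4}$/.test(String(card.cvc || ""))) {
    return { ok: false, reason: "cvc_required" }; // nothing sent or stored
  }
  const auth = gateway.authorize(form); // the only consumer of the code
  const record = stripSecurityCode(form);
  record.card.number = "*".repeat(12) + String(card.number).slice(-4);
  log.push(JSON.stringify({ event: "auth", approved: auth.approved, record }));
  if (auth.approved) store.push(record);
  return { ok: auth.approved, reason: auth.approved ? null : "declined" };
}

// Constructed sample data: a test card number and a stub gateway.
function demo() {
  const seen = [], store = [], log = [];
  const gateway = {
    authorize(f) { seen.push(f.card.cvc); return { approved: true }; },
  };
  const form = {
    name: "A. Buyer",
    card: { number: "4111111111111111", exp: "12/30", cvc: "737" },
  };
  const result = checkout(form, gateway, store, log);
  return { result, seen, store, log };
}

console.log(JSON.stringify(demo().store));
```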