Cardholder data is the information contained on a consumer's payment card or other payment instrument. Payment cards include credit cards, debit cards or gift cards, and are typically in the form of a plastic card with cardholder data printed on both sides and also contained in digital format on a magnetic stripe or electronic chip embedded in the payment card.
In card-not-present payment transactions, such as payments made remotely by a consumer to a merchant by means of an e-commerce website or system, a consumer typically provides at least three items of cardholder data to an e-commerce merchant: the consumer's card number, expiry date and Card Verification Value (CVV), which may also be called a Card Security Code (CSC), Card Validation Code (CVC) or Card Identification Number (CID). The card number is a 16-digit numeric code called the Primary Account Number (PAN), which is embossed on the front side of the payment card. The expiry date is a 4-digit month and year numeric code, also embossed on the front side of the payment card, and the CVV is a 3- or 4-digit security code which is printed on the payment card in a non-embossed manner. The CVV number is used to validate card-not-present transactions.
During card-not-present payment transactions, such as e-commerce transactions, the e-commerce merchant receives these three items of cardholder data—the PAN, expiry date and CVV—and provides them to an acquiring bank, either directly or via an intermediary gateway or switch called a payment service provider. The acquiring bank uses the cardholder data to initiate a payment request to an issuing bank of the consumer through a payment processing network such as those provided by Visa® or MasterCard®. Payment authorization and settlement are facilitated by means of well-known processes by the payment processing network between the issuing bank and acquiring bank.
To minimize loss or theft of consumer cardholder data and prevent unauthorized use thereof, entities handling cardholder data are subject to a set of rules called the Payment Card Industry Data Security Standard (PCI DSS). Under current PCI DSS rules governing the storage of cardholder data by merchants and/or payment service providers, the PAN and expiry date may be stored subject to certain requirements, but the CVV may not be stored after authorization, even if it has been encrypted. The CVV may only be held in memory for the time it takes for a particular transaction to be completed. Therefore, when an e-commerce system registers a consumer and stores that consumer's cardholder data for future use, only the PAN and expiry date are stored. In territories in which card-not-present transactions require all three items of cardholder data to process a transaction, a consumer must therefore enter the CVV number of the payment card each time the consumer's stored cardholder data is selected and payment is made.
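As an added example that is not part of the patent text, the following Python checks the format of the three items of cardholder data described above (16-digit PAN, MMYY expiry, 3- or 4-digit CVV) and builds the record an e-commerce system may retain for a registered consumer after authorization under the PCI DSS rule just stated: PAN and expiry only, with the CVV discarded. The Luhn check, the first-six/last-four masking, the forbidden field names and the sample values are assumptions of this example.

```python
import re
from dataclasses import dataclass

PAN_RE = re.compile(r"^\d{16}$")  # 16-digit Primary Account Number
EXPIRY_RE = re.compile(r"^(0[1-9]|1[0-2])\d{2}$")  # MMYY as embossed on the card
CVV_RE = re.compile(r"^\d{3,4}$")  # 3- or 4-digit security code, never embossed

@dataclass(frozen=True)
class CardholderData:
    """The three items a consumer supplies in a card-not-present transaction."""
    pan: str
    expiry: str
    cvv: str

def luhn_valid(pan: str) -> bool:
    """Mod-10 check-digit test on the PAN (an assumption; the text does not mention it)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def validate(card: CardholderData) -> list:
    """Return the names of malformed items; an empty list means all three look well-formed."""
    problems = []
    if not (PAN_RE.match(card.pan) and luhn_valid(card.pan)):
        problems.append("pan")
    if not EXPIRY_RE.match(card.expiry):
        problems.append("expiry")
    if not CVV_RE.match(card.cvv):
        problems.append("cvv")
    return problems

def stored_record(card: CardholderData) -> dict:
    """What may be kept for a registered consumer after authorization: PAN and expiry
    only. The CVV is never copied, so it must be re-entered at the next checkout.
    Masking to first six and last four digits is an assumed display convention."""
    pan_masked = card.pan[:6] + "*" * 6 + card.pan[-4:]
    return {"pan_masked": pan_masked, "expiry": card.expiry}

FORBIDDEN_KEYS = {"cvv", "csc", "cvc", "cid", "security_code"}

def retains_cvv(record: dict) -> bool:
    """Persistence-layer check: flag any stored record carrying a security-code field."""
    return any(key.lower() in FORBIDDEN_KEYS for key in record)

# Constructed sample values, not real cardholder data.
SAMPLE = CardholderData(pan="4111111111111111", expiry="1229", cvv="123")
```

Running `retains_cvv` over every record before it is written is a cheap guard against the CVV leaking into long-term storage through a copied request object.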
In some territories, issuing and acquiring banks have agreed to process transactions from specific e-commerce merchants without the need for a consumer to enter the CVV number, for example in the case of Amazon.com in the United States. In these cases, a simplified checkout experience is possible in which the consumer simply selects payment without entering further information, and the transaction can be processed with a single action by the consumer. However, these transactions are more susceptible to fraud as there is no CVV present and, furthermore, are not available to most merchants or in most parts of the world. For many merchants, there is currently no practical way to avoid requesting the CVV number from the consumer each time a payment is made. This adds an additional step to an e-commerce transaction, which may be inconvenient to the consumer and result in fewer sales for the merchant.
Embodiments of the technology aim to address these and other problems.