Until this point, we have not been very strict on the way we verify/validate credit cards. So today I was implementing additional levels of verification and felt like things were getting a little complicated/strict.
Here are the various levels I am working with:
* Typical checks for presence and length of fields, as well as an algorithmic credit card check
* Address Verification Service (AVS), which matches the first 5 contiguous street digits along with the 5-digit zip code
* Require the CVV code (3- or 4-digit code present only on the card itself)
* Attempt a $0.01 or $0.00 authorization (and then immediately void the transaction)
Note: when a transaction fails to match with AVS, there is an option to "accept and hold for review". However, this seems somewhat meaningless, as I would not know whether an address was "valid" or not unless it was clearly fraudulent (e.g. "123 main street" type of stuff).
Main question: When the user initially enters their payment information, should we be performing $0.01 authorizations every time? Also, for stored credit cards, should we ask again for the user to provide the CVV (since it is never part of the stored payment information)?
Just want to make sure that this level of strictness is really necessary. It doesn't feel like most sites that store my payment information require me to constantly re-enter my CVV.
Any advice or "here is what we do" type of responses are appreciated.
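As an added example (not code from the original post or from any processor's SDK), the following Python shows the local, pre-gateway part of the checks listed in the question: the field/length checks, the "algorithmic" card check, the CVV format check, and the normalization of the address into the two values the post says AVS compares (first run of street digits, capped at 5, plus the 5-digit zip). It assumes the algorithmic check is the Luhn mod-10 test and that American Express cards (34/37 prefix) carry a 4-digit code; the card numbers used are public test numbers, and the on-file address is constructed sample data. The real AVS, CVV and $0 authorization verdicts come back from the processor; `avs_match` only models the shape of that answer so the rest of the flow can be exercised offline.

```python
"""Pre-gateway payment validation (added example).

Luhn check, CVV format check and AVS field normalization. The actual
AVS / CVV / zero-dollar authorization results come from the processor;
nothing here talks to a gateway.
"""
import re
from dataclasses import dataclass


@dataclass
class PaymentInput:
    pan: str           # card number as typed by the user (spaces/dashes allowed)
    cvv: str
    street: str
    postal_code: str


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes; anything else left over is not a card number."""
    return re.sub(r"[ -]", "", pan)


def luhn_valid(pan: str) -> bool:
    """Length + Luhn (mod-10) check digit test.

    This catches typos and transposed digits only. A number that passes can
    still be closed, stolen or made up, which is why AVS/CVV/auth exist.
    """
    pan = normalize_pan(pan)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def expected_cvv_length(pan: str) -> int:
    """Assumption: 4-digit code (CID) for American Express (34xx/37xx), 3 otherwise."""
    pan = normalize_pan(pan)
    return 4 if pan[:2] in ("34", "37") else 3


def cvv_format_ok(cvv: str, pan: str) -> bool:
    """Only the format is checkable locally; never store the CVV after the call."""
    return cvv.isdigit() and len(cvv) == expected_cvv_length(pan)


def avs_fields(street: str, postal_code: str) -> tuple[str, str]:
    """Reduce an address to what AVS compares: the first run of digits in the
    street line (at most 5) and the 5-digit ZIP. Street names, apartment
    numbers and ZIP+4 suffixes are ignored by the match."""
    m = re.search(r"\d+", street)
    street_digits = m.group(0)[:5] if m else ""
    z = re.search(r"\d{5}", postal_code)
    zip5 = z.group(0) if z else ""
    return street_digits, zip5


def avs_match(entered: tuple[str, str], on_file: tuple[str, str]) -> tuple[bool, bool]:
    """Local model of the issuer's (street match, zip match) response.
    Constructed stand-in for the gateway; empty fields never match."""
    street_ok = entered[0] != "" and entered[0] == on_file[0]
    zip_ok = entered[1] != "" and entered[1] == on_file[1]
    return street_ok, zip_ok


def validate_payment(p: PaymentInput) -> list[str]:
    """Return the problems found locally, before spending a gateway call."""
    problems: list[str] = []
    if not luhn_valid(p.pan):
        problems.append("card number fails length/Luhn check")
    if not cvv_format_ok(p.cvv, p.pan):
        problems.append(f"CVV must be {expected_cvv_length(p.pan)} digits")
    street_digits, zip5 = avs_fields(p.street, p.postal_code)
    if not street_digits:
        problems.append("street address has no house number for AVS")
    if not zip5:
        problems.append("postal code has no 5-digit ZIP for AVS")
    return problems


if __name__ == "__main__":
    # Constructed sample: a public Visa test number and a made-up address.
    card = PaymentInput("4111 1111 1111 1111", "123", "1234 Main St Apt 5", "12345-6789")
    print(validate_payment(card))                      # [] when everything is well-formed
    on_file = ("1234", "12345")                        # what the issuer supposedly holds
    print(avs_match(avs_fields(card.street, card.postal_code), on_file))
```

Everything above is cheap and can run on every keystroke; it is the gateway round trips (AVS, CVV, zero-dollar auth) that cost money and rate-limit budget, so the usual split is to reject locally on these checks first and make the authorization call once per new card.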