Implement Dynamic CVV2 control

Overview

This feature strengthens eCommerce authorization security. It generates a one-time-use CVV2 (dynamic CVV2) for each purchase. The End User retrieves it in the issuer application before paying.

Each time the card credentials are displayed to an End User, D1 generates a new dynamic CVV2.

With D1, there are two ways to generate an active dynamic CVV2 for a given card:

Call the issuer backend API getCardCredentials
Use the D1 SDK Secure Card Display feature to display card details to the End User

Secure Card Display documentation is coming soon.

An active dynamic CVV2 must meet all of these conditions:

A dynamic CVV2 has been generated using one of the methods above.
The dynamic CVV2 is not expired.
The dynamic CVV2 has not been used in an authorization.
The number of declined authorizations has not reached the configured maximum (please refer Handle deferred authorizations for more information) .

The expiry delay is configurable at the card product level. After this delay, D1 deletes the active dynamic CVV2 automatically.

Note: There is only one active dynamic CVV2 at a time. If you generate a new one, D1 deletes the previous active value (except for Handle deferred authorizations).

User Experience

Flow

Step 1: Generate and display a dynamic CVV2

Step 2: Purchase using the dynamic CVV2

Setup

Configure these parameters per card product during D1 onboarding:

Dynamic CVV expiry delay: time window before the active dynamic CVV2 expires and is deleted.
Number of tries: maximum number of declined authorizations allowed before the active dynamic CVV2 is deleted. The default is 1.

PreviousDefine card product NextHandle deferred authorizations

Last updated 3 months ago

Was this helpful?