How do you get the 3 digit security code from a saved PaymentInstrument? #455
Replies: 4 comments
-
I think for PCI compliance the CVV number is not stored in the payment
instrument. If you look at the SG or SFRA checkout implementations, even a
saved card requires the user to enter the cvv.
I’m not surprised that OCAPI does the same.
Why ask for the CVV on the first request? To verify the cc against the
payment provider before storing the card.
I might be wrong. Check PCI compliance rules.
Thanks,
Jorge
On Wed, Aug 14, 2019 at 4:21 PM chuan0 ***@***.***> wrote:
I can save a payment instrument(with a credit card) using OCAPI. The
request doc has a security_code field for the 3 digit CVV number.
https://documentation.b2c.commercecloud.salesforce.com/DOC1/topic/com.demandware.dochelp/OCAPI/current/shop/Documents/OrderPaymentCardRequest.html
When placing the order, I need to get the saved PaymentInstrument -
PaymentCard and process it through the payment processor. But it doesn't
seem to have the security_code(CVV) stored:
https://documentation.b2c.commercecloud.salesforce.com/DOC1/topic/com.demandware.dochelp/DWAPI/scriptapi/html/api/class_dw_order_PaymentInstrument.html
Any idea where I can get the security_code? If there's no way to get it,
since OCAPI doesn't keep a session, any idea where I should store the
security code?
--
Jorge Hernandez
Director, Global Cloud Alliances
mobile: 617-957-9110
email: jorge.hernandez@salesforce.com
-
@jorgehernandezSF that makes sense, but the issue is when using OCAPI to submit an order, the only considered value from the request body is basket_id (see https://documentation.b2c.commercecloud.salesforce.com/DOC1/topic/com.demandware.dochelp/OCAPI/current/shop/Resources/Orders.html#id1963699716__id650939338). So the payment info including cvv has to be saved somewhere before the order is submitted.
-
As @jorgehernandezSF stated, storing the CVV is a touchy subject in regards to PCI. There are ways to do it and still be compliant, but I have never seen a use-case that required it. If your payment gateway supports tokenization and "authorization by token" then I would research that route. Most implementations I've worked on are using tokens now. If you do choose to store the CVV, make sure that it is completely destroyed after the authorization call is made. (See PCI DSS requirement 3.2 for more details.)
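A sketch of the "destroy it after the authorization call" advice above, added here as an example and not part of the original comment or of any Salesforce API: a memory-only, single-use holder keyed by basket id. `EphemeralCvvStore`, `authorizeOnce` and the `gatewayAuthorize` callback are hypothetical names, and the gateway call is modelled as a plain synchronous function.

```javascript
// Added example: holds a security code only between "add payment instrument"
// and order submission. All names here are hypothetical.
class EphemeralCvvStore {
  constructor(ttlMs, now = Date.now) {
    this.ttlMs = ttlMs;
    this.now = now;            // injectable clock so expiry can be tested
    this.entries = new Map();  // basketId -> { buf, expiresAt }; memory only
  }

  put(basketId, cvv) {
    if (typeof cvv !== 'string' || !/^\d{3,4}$/.test(cvv)) {
      throw new Error('invalid security code');
    }
    this.discard(basketId);    // never keep two codes for one basket
    this.entries.set(basketId, {
      buf: Buffer.from(cvv, 'ascii'),
      expiresAt: this.now() + this.ttlMs,
    });
  }

  // Overwrite the stored bytes with zeros, then drop the entry.
  discard(basketId) {
    const entry = this.entries.get(basketId);
    if (entry) entry.buf.fill(0);
    return this.entries.delete(basketId);
  }

  // One authorization attempt per stored code. The code is wiped whether the
  // gateway approves, declines or throws. JavaScript strings are immutable,
  // so only the stored buffer can be zeroed, not the copy given to the callback.
  authorizeOnce(basketId, gatewayAuthorize) {
    const entry = this.entries.get(basketId);
    if (!entry || entry.expiresAt <= this.now()) {
      this.discard(basketId);
      return { ok: false, reason: 'cvv_unavailable' };
    }
    try {
      // gatewayAuthorize stands in for the payment processor call.
      return { ok: true, result: gatewayAuthorize(entry.buf.toString('ascii')) };
    } finally {
      this.discard(basketId);
    }
  }
}
```

An expired or already-used entry returns `cvv_unavailable`, at which point the shopper has to be asked for the code again.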
-
Thanks @A-Jarrell. I think tokenization is the way to go. I was actually trying that route already. I guess I was hoping there's a way to pass the cvv to the OCAPI order creation endpoint.
-
I can save a payment instrument(with a credit card) using OCAPI. The request doc has a security_code field for the 3 digit CVV number.
https://documentation.b2c.commercecloud.salesforce.com/DOC1/topic/com.demandware.dochelp/OCAPI/current/shop/Documents/OrderPaymentCardRequest.html
When placing the order, I need to get the saved PaymentInstrument - PaymentCard and process it through the payment processor. But it doesn't seem to have the security_code(CVV) stored:
https://documentation.b2c.commercecloud.salesforce.com/DOC1/topic/com.demandware.dochelp/DWAPI/scriptapi/html/api/class_dw_order_PaymentInstrument.html
Any idea where I can get the security_code? If there's no way to get it, since OCAPI doesn't keep a session, any idea where I should store the security code?