2 mins read

Protecting merchants and cardholders against fraudsters


Protecting merchants against fraud

As an extra layer of security to protect merchants and cardholders against fraudsters, Omise will be concealing the value of the security_code_check field in the Token API response. This measure will be active from 1 April 2020 onwards.

When creating a token, the API returns information about the tokenized card in the response. This information includes the security_code_check field. Currently, this field indicates whether the card has passed pre-authorization or not. Cards that pass pre-authorization are marked true, and otherwise marked false. A card may fail pre-authorization for several reasons including, but not limited to, having an invalid security code (e.g. CVV) supplied at token creation.  We will no longer provide this data prior to creating a charge.

Why are we doing this?

No room for fraudsters; your account's public key is used to make API calls to create new tokens for a charge. If fraudsters are able to obtain the card number, they can use your public key in combination with their hacking tools to figure out a card's CVV by monitoring the response of the Token API.

To combat this scheme, we will always mark the security_code_check field as returned by the Token API as true irrespective of whether the card actually passed pre-authorization. All tokenized cards will be returned as displayed in the following picture.

Security code check value

What you should do

Moving forward, you will not need to rely on the security code check value to determine the validity of the tokenized card. A charge can be created using the token and you’ll find the results in the response. The same procedure applies when saving cards.

This is a breaking change.  If you have a system that depends on the value of the security_code_check field, from 1 April onwards it will no longer work as expected.

More from us

7 mins read

How PayNow improves payment experiences

3 mins read

Why PayNow matters

6 mins read

Anatomy of a 36-minute downtime

Subscribe to receive the latest updates from Omise
Thank you!

You are subscribed.

Omise uses cookies to improve your overall site experience and collect information on your visits and browsing behavior. By continuing to browse our website, you agree to our Privacy Policy. Learn more