CVV and AVS returning as NOT_CHECKED

We are using the PHP SDK. The form displays a field for postcode and CVV; however, the return we receive is CVV_NOT_CHECKED and AVS_NOT_CHECKED. How can we force the API to check for both and not process payment if either fails?

:wave: Currently there isn’t a way to force the API to check both CVV and AVS and not process the payment if one fails. :slightly_smiling_face:

Is there a way to check CVV and/or AVS at all, and return the accepted/rejected status? It doesn’t seem to be checking at all, as they all return NOT_CHECKED.

Is this for a declined payment or a card on file payment? Do you have an example payment_id?

The payment returned successful, with the return CVV_NOT_CHECKED and AVS_NOT_CHECKED. This is not using card on file, just typing credit card / expiry / CVV / postcode into the payment form.

Where do I get the payment_id? I can see a receipt number lq8G and the URL string contains lq8G5tmPHq4f7y9ZGmKXkrJ4Z3bZY, if that helps?

Thanks for providing the information. Like you said, the payment was successful but CVV and AVS weren’t checked. Unfortunately there isn’t a way to force the API to check these values all the time. We’re constantly working to improve our features based on feedback like this, so I’ll be sure to share your request with the API product team. :slightly_smiling_face:

Oh, I see. That’s fairly worrying. So just to confirm: that means someone with a card and expiry can put through the order, without any checking in place against CVV and postcode?

If there’s no automated checking, are either of these scenarios possible:

  1. Have the API/SDK return the value they enter for the postcode on the payment form (so we can at least check that against the shipping address)?

  2. Have the API/SDK return the value of postcode from the bank itself and we check that against shipping address?

Or alternatively, would implementing SCA force checking via 3D Secure, bypassing the need to verify via CVV/AVS?

According to the team those statuses come from the issuers, not from Square. It means the cardholder’s bank was confident enough that it was a valid transaction that it didn’t bother to check the CVV / AVS. :slightly_smiling_face:

So in the case of chargebacks, we have no validation against the card to show we matched the shipping details to the card. Is it possible to implement SCA in the PHP SDK code for better verification? Is there documentation on that?

I’m not sure I understand what you mean by validating the shipping details to the card? The billing address of a card could be very different from the shipping address of where the products are going to. Also, a compromised card could still successfully process if the bad actor has all the correct information. That payment is still subject to chargeback. Lastly, we do have Risk Manager and you can set rules for additional security. At this time it’s currently not available in Australia, but the team is looking to expand its availability. Unfortunately, we don’t have a public roadmap for its availability. :slightly_smiling_face: