Even if the CVV of the credit card is wrong, a token can be generated, is this correct behavior?

Even if the CVV of the credit card is wrong, a token can be generated, is this correct behavior?

The test numbers listed on this page are used.

Yes, that is correct. The tokenization of a card isn’t a full validation. It’s a light format validation of the information. Only when the token is used to make a payment will it be validated with the information the bank has.

Just for clarity and for anyone reading this in the future, our experience with this error has nothing to do with payments. We are simply:

1. Capturing card token via the embedded Square web form (later used as the source ID in step 3);
2. Creating a Square customer; and then
3. Adding the newly tokenised card to the Square customer record for future use.

It’s the last step where we are seeing this ambiguous error message.