Braintree cvv_response_code does not match with the verification cvv_response_code

[dgross881]

I understand the cvv_response_code shows up correctly in Braintree's verifications but I am wondering if there is any workaround to having Braintree's transactions show and support the correct cvv_response_code. Up until now, every transaction I have had through braintree shows up as risky and all my transactions have cvv_response_code "I" .

This was an earlier post I found explaining the same issue.
https://groups.google.com/forum/#!topic/spree-user/VQXNkw10OMU

[Wootenblatz]

The thread you are linking to is technically a different issue. Back then the Braintree implementation for Spree Gateway was not indicating that new cards should be verified. That has since changed.

I had another person contact me about this via e-mail. I'm not using Spree 3.0 but I looked into it for him.

What you're experiencing likely has to do with the simple approach Spree takes with regard to CVV risk. Payments are considered non-risky if the cvv response is M, nil or if there is a cvv_response_message. This does not take into account whether or not a card has already been verified by the payment processor.

See the current implementation for is_cvv_risky? here:
https://github.com/spree/spree/blob/5c9267dcfddd40d0ff06de5a15c1b6d455fb1ff2/core/app/models/spree/payment.rb#L158

I believe the issue is that CVV information is discarded after a new card is authorized and the payment method token (gateway_payment_profile_id in spree_credit_cards) is used from then on. As such all future interactions with that credit card will return "risky" codes, despite being verified. Perhaps this is a quirk with Braintree but solving it should be possible within Spree. I think that with Braintree a verified credit card that has a valid gateway_payment_profile_id should be excluded from the risky flag.

You could probably accomplish this for yourself by adding the following line (untested) to a decorator for Spree::Payment's implementation of is_cvv_risky?

def is_cvv_risky?
  return false if source.present? and source.class.name == "Spree::CreditCard" and source.gateway_payment_profile_id.present?
  return false if cvv_response_code == "M"
  return false if cvv_response_code.nil?
  return false if cvv_response_message.present?
  return true
end  

Again this is untested code so you might need to tweak it, but hopefully it gets the point across. I'm not using a version of Spree that uses the risky flag so I cannot test how well this works.

[khdegraaf]

I have this issue with Braintree in Spree 2.4. I also verified it is a problem in an uncustomized store in Spree 3.0 with Braintree. The above fix doesn't quite work, as the risky scope needs to be fixed too, so I ended up with the following that I tested to work with my gateway:

scope :risky, -> { where("avs_response IN (?) OR (cvv_response_code IS NOT NULL and cvv_response_code != 'M' and cvv_response_code != 'I') OR state = 'failed'", RISKY_AVS_CODES) }

def is_cvv_risky?
  return false if cvv_response_code == "M" || cvv_response_code == "I"
  return false if cvv_response_code.nil?
  return false if cvv_response_message.present?
  return true
end

It probably needs some refactoring though as it won't work for gateways not using payment tokens. I don't know if other payment token gateways besides Braintree have problems either.

[damianlegawiec]

Hi guys, If you're using Braintree I would recommend you look at the official Braintree v.zero extension https://github.com/spree-contrib/spree_braintree_vzero