
Cardholder Verification Methods

When used on a payment terminal, credit and debit cards can require a cardholder verification method (CVM) to make sure that the person using the card is the legitimate cardholder. Verification is done with a personal identification number or shopper signature.

Personal Identification Number (PIN)

The shopper is prompted to enter their PIN on the terminal. The terminal then verifies the PIN either offline with the EMV chip on the card, or online with the card issuer. Online PIN is always enciphered (encrypted) while offline PIN can be enciphered or plaintext.

Contactless transactions above the CVM limit always require online verification of the PIN. You can find the latest limits in your Customer Area under In-person payments > Terminal settings > Payment features > Limits > Contactless CVM limit.

Some payment methods, specifically eftpos, require authentication with the PIN when the magnetic strip reader is used. Ask our Support Team to configure this for you if you accept such a payment method.

PIN bypass

It is possible to configure the terminal to offer the shopper the option to bypass the PIN. This can speed up your checkout.

Contact our Support Team to enable this feature for you and discuss which cards allow PIN bypass in your region.

When this feature is enabled, and the shopper presents a card that allows PIN bypass, the terminal offers the shopper the option to:

  • Select the Confirm button on the touch screen of the terminal to skip the PIN.
  • Select the Confirm key on terminals with a physical keypad to skip the PIN.

If you want to bypass the PIN per transaction, send a PaymentRequest and pass the tender option BypassPin in the SaleData.SaleToAcquirerData field. This is useful when you want to control when the shopper is offered the option to bypass the PIN.

Signature

Whether the terminal prompts for a signature depends on how you configure this. The major card schemes (American Express, Diners, Discover, JCB, Mastercard, Visa, UnionPay) no longer require a signature. They regard a signature as optional for card-present transactions. This means you can speed up your checkout by skipping the signature prompt.

If your business requires it, you can still let the terminal prompt for a signature. The shopper then provides their signature on the touch screen of the terminal or on the printed transaction receipt, depending on how you configure this setting. It is your responsibility to verify the shopper's signature against the signature on the card or another form of identification.

To configure signature settings:

  1. Log in to your Customer Area.
  2. Go to In-person payments > Terminal settings > Customization.
  3. Under Signature and device name, configure these settings:
    • Skip signature: select Enable to skip asking for a signature, or Disable if you want the terminal to prompt for a signature.
    • Ask for signature: select On screen to let the shopper draw their signature on the display of the terminal, or On Paper to let the shopper draw their signature on the merchant receipt.

      Be aware that some payment cards do not support using signature as a cardholder verification method. For these cards, shoppers will not be prompted for a signature even if you enabled it in the Customer Area.

Implementing a manual signature check

In a Terminal API integration, the transaction is already authorized when the signature prompt appears. Therefore, the terminal always approves the signature, even when the shopper selects Cancel on the signature screen.

To implement a manual signature check in your POS app:

  1. Retrieve CapturedSignature data from the PaymentResponse.
  2. Make sure that the POS app shows a prompt to check the signature.
  3. Your staff then checks the signature:
    • If a signature is approved, no action is necessary.
    • If a signature is declined, the payment needs to be refunded.

      In this scenario, we recommend setting up a capture delay. This enables you to cancel the authorization instead of having to issue a refund.

CVM lists

The CVM list is encoded in the card. It contains amount thresholds and information about how to apply CVM. For each CVM, the list includes three elements:

  • CVM code: what to do when the CVM fails, either proceed with the next method or fail the CVM process.
  • CVM type: the actual CVM to be performed, such as PIN verification.
  • CVM condition: the conditions that determine when the CVM type is applicable. For example, Always enforce Online PIN for ATM withdrawals.

CVM list live example

The following CVM list is taken from a Mastercard of type "mcredit".

The amount thresholds are not used.
The first CVM is only used for ATMs and cashback transactions.
All other CVMs are used if the terminal supports them. An Adyen-supplied payment terminal supports all CVMs and would select the first available one in the list: CVM 2 Enciphered PIN verification performed by ICC.

Amount Thresholds

  • Amount X: 0
  • Amount Y: 0

Cardholder Verification Method 1

  • CVM code: if this CVM is unsuccessful, fail cardholder verification.
  • CVM type: enciphered PIN verified online.
  • CVM condition: if cash or cashback (includes quasi-cash).

Cardholder Verification Method 2

  • CVM code: if this CVM is unsuccessful, proceed with the next CVM.
  • CVM type: enciphered PIN verification performed by ICC.
  • CVM condition: if terminal supports the CVM.

Cardholder Verification Method 3

  • CVM code: if this CVM is unsuccessful, fail cardholder verification.
  • CVM type: plaintext PIN verification performed by ICC.
  • CVM condition: if terminal supports the CVM.

Cardholder Verification Method 4

  • CVM code: if this CVM is unsuccessful, fail cardholder verification.
  • CVM type: enciphered PIN verified online.
  • CVM condition: if terminal supports the CVM.

Cardholder Verification Method 5

  • CVM code: if this CVM is unsuccessful, fail cardholder verification.
  • CVM type: signature (paper).
  • CVM condition: if terminal supports the CVM.

Cardholder Verification Method 6

  • CVM code: if this CVM is unsuccessful, fail cardholder verification.
  • CVM type: no CVM required.
  • CVM condition: if terminal supports the CVM.

CVM list test example

Adyen has various test cards with "applications" programmed onto them that each simulate a card with a unique brand, language, country/region, and currency. In combination with a specific CVM list, this allows you to test a wide variety of scenarios with a single physical card (see Testing credit and debit cards).

In your test Customer Area, when you view the transaction details for test payments made with your Adyen test card, you can also see the applicable Cardholder Verification Method List. This uses Amount Thresholds, which is not common for live cards but very useful for testing purposes. You can trigger different CVMs by varying the amount in combination with currency conditions from the CVM list.

As an example, the CVM list for one of Adyen's test card applications has the following elements:

Amount Thresholds (in minor units)

  • Amount X: 10000
  • Amount Y: 20000

Cardholder Verification Method 1

  • CVM code: if this CVM is unsuccessful, proceed with the next CVM.
  • CVM type: enciphered PIN verified online.
  • CVM condition: if transaction is in the currency of the test card application and is over Y value.

Cardholder Verification Method 2

  • CVM code: if this CVM is unsuccessful, proceed with the next CVM.
  • CVM type: enciphered PIN verification performed by ICC.
  • CVM condition: if transaction is in the currency of the test card application and is over X value.

Cardholder Verification Method 3

  • CVM code: if this CVM is unsuccessful, fail cardholder verification.
  • CVM type: signature (paper).
  • CVM condition: always.

If the test card application you are using has the currency code EUR and the transaction is for GBP 95, there are two options:

  • The shopper accepts the dynamic currency conversion (DCC) and is charged about EUR 135. This means CVM 2 is selected, because EUR 135 is over Amount X and the transaction, after accepting DCC, is in the currency of the test card application.
  • The shopper rejects DCC (or is not offered DCC). This means CVM 3 is selected, because the transaction is not in the currency of the test card application and the CVM 3 condition Always applies.
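The selection logic for the test-card CVM list above can be modelled as follows. This is an added example, not Adyen's code: all names are hypothetical, amounts are in minor units, and it assumes the terminal supports every CVM in the list.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed model of the test-card CVM list above; all names are hypothetical.
AMOUNT_X = 10000      # minor units
AMOUNT_Y = 20000      # minor units
APP_CURRENCY = "EUR"  # currency of the test card application in the example


@dataclass(frozen=True)
class Txn:
    amount: int       # minor units, in the currency actually charged
    currency: str


@dataclass(frozen=True)
class CvmRule:
    cvm_type: str
    next_on_failure: bool             # CVM code: proceed with the next CVM, or fail
    condition: Callable[[Txn], bool]  # CVM condition


CVM_LIST = [
    CvmRule("enciphered PIN verified online", True,
            lambda t: t.currency == APP_CURRENCY and t.amount > AMOUNT_Y),
    CvmRule("enciphered PIN verification performed by ICC", True,
            lambda t: t.currency == APP_CURRENCY and t.amount > AMOUNT_X),
    CvmRule("signature (paper)", False, lambda t: True),
]


def perform_cvm(txn, succeeds):
    """Walk the list in order. `succeeds(cvm_type)` stands in for the real
    PIN or signature check. Returns (cvm_type, verified)."""
    for rule in CVM_LIST:
        if not rule.condition(txn):
            continue                     # condition not met: skip this rule
        if succeeds(rule.cvm_type):
            return rule.cvm_type, True
        if not rule.next_on_failure:
            return rule.cvm_type, False  # CVM code says: fail verification
    return None, False                   # list exhausted without success
```

With DCC accepted (EUR 13500) the second rule is selected; with DCC rejected (GBP 9500) only the signature rule applies.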

CVM results

The resulting CVM is reported to the POS app in the key cardHolderVerificationMethodResults. The value is a hexadecimal representation of the CVM used to verify the cardholder. For example, 440702. The second character in this string represents the CVM. The following table shows what each possible value of the second character means.

Second character    Definition
1                   Offline plaintext PIN
2                   Online PIN
3                   Offline plaintext PIN and signature
4                   Offline enciphered PIN
5                   Offline enciphered PIN and signature
E                   Signature
F                   No CVM performed
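A POS app can decode this value to decide, for instance, whether a manual signature check applies. The following is an added example, not Adyen's code: the function name is hypothetical, the six-character length is assumed from the 440702 example, and the meaning of the last byte comes from the EMV CVM Results layout rather than from this page.

```python
import re

# Second-character meanings exactly as listed in the table above.
CVM_BY_SECOND_CHAR = {
    "1": "Offline plaintext PIN",
    "2": "Online PIN",
    "3": "Offline plaintext PIN and signature",
    "4": "Offline enciphered PIN",
    "5": "Offline enciphered PIN and signature",
    "E": "Signature",
    "F": "No CVM performed",
}
PIN_CHARS = {"1", "2", "3", "4", "5"}
SIGNATURE_CHARS = {"3", "5", "E"}

# Last byte per the EMV CVM Results layout (assumption: not stated on this page).
RESULT_BY_LAST_BYTE = {"00": "unknown", "01": "failed", "02": "successful"}


def decode_cvm_results(value):
    """Decode a cardHolderVerificationMethodResults string such as '440702'."""
    if not isinstance(value, str) or not re.fullmatch(r"[0-9A-Fa-f]{6}", value):
        raise ValueError("expected 6 hexadecimal characters")
    value = value.upper()
    second = value[1]
    return {
        "cvm": CVM_BY_SECOND_CHAR.get(second, "unrecognised (" + second + ")"),
        "involves_pin": second in PIN_CHARS,
        "involves_signature": second in SIGNATURE_CHARS,
        "result": RESULT_BY_LAST_BYTE.get(value[4:], "unrecognised"),
    }
```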

Contactless (NFC) transactions and CVM

To make contactless transactions, the card must be capable of near-field communication (NFC). The following terminal settings affect contactless transactions:

  • Contactless CVM limit: the transaction amount (in minor units) above which the terminal requires a CVM.

    Current CVM limits
    CVM limits change sometimes. For example, because of the COVID-19 pandemic, card schemes temporarily increased the contactless CVM limits. You can find the latest limits in your Customer Area under In-person payments > Terminal settings > Payment features > Limits > Contactless CVM limit.
    When there is a configuration change, the terminal automatically picks up the changed CVM limits in the next maintenance call.

  • Contactless reader limit: the transaction amount above which the contactless reader does not work and the cardholder needs to insert the card. We recommend leaving this setting at the default, to allow for mobile phone and smart watch payments.
  • Contactless currency: the currency for which contactless transactions are accepted. This is the currency of the country/region where the store is located.
  • Contactless floor limit: the minimum transaction amount for an offline contactless transaction. The default is 0.

If the transaction amount is higher than the contactless CVM limit and the shopper uses an NFC-capable card, the terminal indicates to the card that a CVM is required. The card then indicates to the terminal whether a signature or PIN is required. In the case of PIN, this always means an Online PIN is the actual CVM. This means an NFC transaction over the CVM limit, requiring PIN, cannot be processed offline.