As an extra layer of security to protect merchants and cardholders against fraudsters, Omise will be concealing the value of the "security_code_check" field in the Token API response. This measure will be active from 1 April 2020 onwards.
When creating a token, the API returns information about the tokenized card in the response. This information includes the "security_code_check" field. Currently, this field indicates whether or not the card has passed pre-authorization. Cards that pass pre-authorization are marked "true"; all others are marked "false". A card may fail pre-authorization for several reasons including, but not limited to, having an invalid security code (e.g. CVV) supplied at token creation. We will no longer provide this data prior to creating a charge.
No room for fraudsters: your account's public key is used to make the API calls that create new tokens for a charge. If fraudsters are able to obtain the card number, they can use your public key in combination with their hacking tools to figure out a card's CVV by monitoring the response of the Token API.
To combat this scheme, we will always mark the "security_code_check" field returned by the Token API as "true", irrespective of whether the card actually passed pre-authorization. All tokenized cards will be returned as displayed in the following picture.
Moving forward, you will not need to rely on the security code check value to determine the validity of the tokenized card. A charge can be created using the token and you’ll find the results in the response. The same procedure applies when saving cards.
This is a breaking change. If you have a system that depends on the value of the "security_code_check" field, from 1 April onwards it will no longer work as expected.
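The migration described above, as an added example that is not Omise's own code: an old gate that trusts the token's "security_code_check" beside a gate that decides from the charge result. The sample responses are constructed, the charge field names ("status", "failure_code", "failure_message") and their values are assumptions not stated on this page, and `checkout` is a hypothetical handler.

```python
import json

# Constructed sample responses, trimmed to the fields this example reads.
# "security_code_check" is from the page; the charge fields ("status",
# "failure_code", "failure_message") are assumed, not taken from the page.
TOKEN = json.loads('{"object": "token", "id": "tokn_constructed",'
                   ' "card": {"security_code_check": true}}')
CHARGE_OK = json.loads('{"object": "charge", "id": "chrg_constructed_1",'
                       ' "status": "successful", "failure_code": null,'
                       ' "failure_message": null}')
CHARGE_BAD_CVV = json.loads('{"object": "charge", "id": "chrg_constructed_2",'
                            ' "status": "failed",'
                            ' "failure_code": "invalid_security_code",'
                            ' "failure_message": "the security code is invalid"}')


def legacy_card_ok(token):
    """Old gate: trusts the token's security_code_check value.

    From 1 April 2020 the field is always true, so this accepts every card.
    """
    return bool(token["card"].get("security_code_check"))


def card_ok_from_charge(charge):
    """New gate: decide from the charge result, never from the token.

    Returns (ok, reason). Anything that is not an explicit success is
    treated as not ok, so a missing or unknown status fails closed.
    """
    status = charge.get("status")
    if status == "successful":
        return True, None
    if status == "failed":
        return False, charge.get("failure_code") or "unknown_failure"
    return False, f"not_final:{status}"


def checkout(token, charge):
    """Hypothetical order handler: fulfil only when the charge succeeded."""
    ok, reason = card_ok_from_charge(charge)
    return {"token": token["id"], "charge": charge["id"],
            "fulfil": ok, "decline_reason": reason}
```
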