How do I control information sent to payment gateways when verifying payment methods?
When processing electronic payments in Zuora, you have the option to call the payment gateway or processor ("gateway") to verify the payment method. If you choose to verify the payment method with the gateway, Zuora will submit certain information on the payment method such as the card security code and/or the card holder's address over to the gateway. The gateway will use the information received from Zuora to authorize the payment method and if successful, Zuora will create or update the Zuora payment method. This verification process is called the payment method verification in Zuora. You not only have the ability to control whether to verify the payment method when creating and/or updating the payment method, but you also have the ability to control what data you send as part of the Zuora payment method verification request.
Zuora will pass to the gateway only the card holder information populated on the Zuora payment method which include fields such as the credit card number, account name, address, and card security code.
You can control what information is sent to the gateway by controlling what data is populated on the Zuora payment method. If you do not want to pass certain information to the gateway (such address information), simply do not populate the data in Zuora and the gateway will not use the address information when verifying the credit card.
Gateways, such as Authorize.net, will allow merchants to define whether or not they want to use the address or the CVV/CSC (card verification value/card security code) as part of the payment method verification. Other gateways will perform the authorization based on whatever data you send in.
As a best practice, it is better to pass more information (such as card holder name and address, CVV code) to the gateway so that as much information as possible is used to authorize the card with the issuing bank. A fraudulent user may not have the CVV and/or card holder address, so this adds a layer of protection. Of course, you have to balance any potential friction in the customer acquisition cost, but a best practice is to send more data when verifying payment methods.