Skip to main content

General FAQ


CVNCard Verification Number, also known as CVV / CVC / CSC. It is the 3-digit code on the back of most credit / debit cards, or the 4-digit code on the front of AMEX.
MDRMerchant Discount Rate
FDSFraud Detection System
SDKSoftware Development Kit
MIDMerchant ID (Given to merchant a by their acquiring bank)
MiGSMastercard Internet Gateway Service - Mastercard’s payment processor for banks
CtVCyberSource through Visa - CyberSource’s payment processor for banks

CVN (also known as CVV / CVC / CSC)

  1. Is CVN Optional?

    • CVN is optional but recommended, as it increase chances of success. European Cards will generally decline unless CVN is included.
  2. Does Xendit store the CVN?

    • No one is allowed to store CVN after an authorization attempt. This is why Amazon and Uber do not even ask for it, since they are not allowed to store it.
    • For single-use tokens, we store it only until the first authorization attempt. After that it is deleted from Xendit's system immediately, regardless of whether or not the charge was successful.
  3. Why did the bank decline if CVN is incorrect, but accept if blank?

    • Banks do this because if someone entered the wrong CVN, there's a good chance that it's stolen card info and the person doing the transaction did not have the CVN. So the bank rejects it because it's risky.
    • However, the acquiring bank Xendit works with allows us to make CVN optional (like Amazon / Uber) to support the one-click flow. So if no CVN is sent at all, bank sees that as less risky than wrong CVN.

Mobile / SDKs

  1. Can all these features be applied to mobile apps (iOS & Android)?

    • Yes! You can find our IOS SDK here and our Android SDK here
  2. What is the difference between Xendit's mobile SDK & API?

    • SDKs are for front-end operations only, which use your Public API Key for security. The only front-end operations are Tokenization and Authentication. This way, sensitive data never passes through your (or even our) servers as the libraries directly handle tokenization.
    • All operations that actually affect money flow (Auhtorization, Capture, Refund) must be done from your back-end using your Private API Key.
Was this page helpful?