General FAQ


CVN: Card Verification Number, also known as CVV / CVC / CSC. It is the 3-digit code on the back of most credit / debit cards, or the 4-digit code on the front of AMEX.
MDR: Merchant Discount Rate
FDS: Fraud Detection System
SDK: Software Development Kit
MID: Merchant ID (given to a merchant by their acquiring bank)
MiGS: Mastercard Internet Gateway Service - Mastercard’s payment processor for banks
CtV: CyberSource through Visa - CyberSource’s payment processor for banks

CVN (also known as CVV / CVC / CSC)

  • Is CVN Optional?
    • CVN is optional but recommended, as it increases the chances of success. European cards will generally decline unless CVN is included.
  • Does Xendit store the CVN?
    • No one is allowed to store CVN after an authorization attempt. This is why Amazon and Uber do not even ask for it, since they are not allowed to store it.
    • For single-use tokens, we store it only until the first authorization attempt. After that it is deleted from Xendit's system immediately, regardless of whether or not the charge was successful.
  • Why did the bank decline if CVN is incorrect, but accept if blank?
    • Banks do this because if someone entered the wrong CVN, there's a good chance that it's stolen card info and the person doing the transaction did not have the CVN. So the bank rejects it because it's risky.
    • However, the acquiring bank Xendit works with allows us to make CVN optional (like Amazon / Uber) to support the one-click flow. So if no CVN is sent at all, the bank sees that as less risky than a wrong CVN.
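
The single-use token retention rule described above (CVN held only until the first authorization attempt, then deleted whether or not the charge succeeds), sketched as an added example. This is not Xendit's code: the class, method names, the `send_to_bank` callback and the card number are hypothetical or constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class _Entry:
    pan: str
    cvn: Optional[bytearray]  # mutable buffer so it can be overwritten in place
    attempts: int = 0


class SingleUseTokenVault:
    """Hypothetical model: the CVN lives only until the first authorization attempt."""

    def __init__(self) -> None:
        self._entries: Dict[str, _Entry] = {}

    def tokenize(self, pan: str, cvn: Optional[str]) -> str:
        token = secrets.token_urlsafe(16)
        buf = bytearray(cvn.encode()) if cvn else None  # a blank CVN is allowed
        self._entries[token] = _Entry(pan, buf)
        return token

    def holds_cvn(self, token: str) -> bool:
        return self._entries[token].cvn is not None

    def authorize(self, token: str,
                  send_to_bank: Callable[[str, Optional[str]], bool]) -> bool:
        entry = self._entries[token]
        if entry.attempts:
            raise ValueError("single-use token already used")
        entry.attempts += 1
        cvn = entry.cvn.decode() if entry.cvn is not None else None
        try:
            return send_to_bank(entry.pan, cvn)
        finally:
            # Runs on approval, decline and exception alike, so a failed or
            # timed-out attempt never leaves the CVN behind for a retry.
            if entry.cvn is not None:
                # Best-effort overwrite; the decoded str copy above is
                # left to the garbage collector.
                entry.cvn[:] = b"\x00" * len(entry.cvn)
                entry.cvn = None
```

The `finally` block is the point of the example: the deletion is tied to the attempt itself, not to its result.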

Mobile / SDKs

  • Can all these features be applied to mobile apps (iOS & Android)?
    • Yes! You can find our iOS SDK here and our Android SDK here.
  • What is the difference between Xendit's mobile SDK & API?
    • SDKs are for front-end operations only, which use your Public API Key for security. The only front-end operations are Tokenization and Authentication. This way, sensitive data never passes through your (or even our) servers as the libraries directly handle tokenization.
    • All operations that actually affect money flow (Authorization, Capture, Refund) must be done from your back-end using your Private API Key.

Last Updated on 2023-05-20