Both the GET and POST Tokenize Credit Card API pages say: "Note: cvv check will not happen here and card information will not be validated." Is that true for only one value of "auth", or for any value?
When is the CVV validated, or is it? And if it isn't validated, why is it required?
Related: in the response to the token-based payments service, there's a "cvv2" element whose value is "I". What does that mean?