Interesting situation. One real key here is that your card has not been charged (contrary to your original post). That would have been of real concern. The message you are getting can ONLY be generated by one return code from the QBMS server. That particular code means one of the following occured at the server:

Incorrect Card Verification Code
Incorrect Zip Code
Incorrect Street Address
Incorrect Street Address and Zip Code
Card Verification Code not available
Street Address and/or Zip Code not available

I have a recollection of someone else having a similar issue way back... and the solution was for them to carefully review their "security" settings on their account at QBMS. If you have changed the defaults - then the charge may be rejected (although initially approved according to defaults). Can you check those? If you have very strict security requirements, above and beyond the default QBMS settings on the account, you may see this behavior.

I don't remember off the top of my head what the default is - but it does allow one to be wrong (such as zip) but not two (such as zip AND CVV). That is, in my opinion, the source of the issue. If that is the case, then this isn't an issue with the module - as it's correctly reporting the return codes from QBMS - but rather the sort of strange way that QBMS handles rejections based on non-default security settings.

Make sense?