[thelist] Number of digits in Credit Card Number

Keith Davis cache at dowebs.com
Tue Jun 12 20:11:09 CDT 2001


Scott Dexter wrote:
> 
> Anyone else wonder if these powers can also be used for evil?
> 
> Is that something to worry about as a site admin? --What stop gaps are in
> place for that sort of thing?

Actually it IS pretty easy to build a mod 10 generator that will create
correctly formatted credit card numbers. But that doesn't mean they will
pass authorization. The credit card industry does not issue the next
correctly formatted number, they leave holes in the pattern just to
catch someone throwing a string of numbers at them. Try sending 3
correctly formatted but unissued numbers at the call center in a row and
watch your merchant account get frozen (a good reason in itself to use
the test). 

The mod 10 Luhn test is only a guarantee against an input typo. It
should therefore be done client side with an onchange event to the
credit card field. Here's a shortened version of Netscape's original
1995 validator. Pass the number to the cc object isAnyCard(cc). The full
validator which checks for type of card is at
http://developer.netscape.com/library/examples/javascript/formval/overview.html.

function isCreditCard(st) {
  // Card numbers are at most 19 digits long.
  if (st.length > 19)
    return (false);
  var sum = 0, mul = 1, l = st.length;
  var i, digit, tproduct;
  // Walk the digits from right to left, weighting them 1, 2, 1, 2, ...
  for (i = 0; i < l; i++) {
    digit = st.substring(l-i-1,l-i);
    tproduct = parseInt(digit ,10)*mul;
    // A two-digit product contributes the sum of its two digits.
    if (tproduct >= 10)
      sum += (tproduct % 10) + 1;
    else
      sum += tproduct;
    if (mul == 1)
      mul++;
    else
      mul--;
  }
  if ((sum % 10) == 0)
    return (true);
  else
    return (false);
}
function isAnyCard(cc){
  if (!isCreditCard(cc)){
    alert("\nYour Input Was Not A Valid\nNumber For A Credit Card\n\nRE-ENTER YOUR CREDIT CARD NUMBER\n\nEnter no dashes, spaces\nor other punctuation\n");
  }
}

As for Joel's point about billing addresses, that's called AVS (address
verification service). It is usually an option that costs the account
holder extra per transaction but does stop fraudulent use of just a card
number and expiration date which appears on most credit card charge
receipts for OTC sales. It may also be required by the merchant account
underwriter depending on the nature of the sales. 

A better method which is now coming into use is the "physical
possession" number that appears on the back of the card. It's that 3
character number in the signature area. It's becoming more common to see
sites requiring that number as proof that you physically possess the
card. Since global AVS seems to be nearly impossible, use of this number
will become required on web purchases probably after the next rollover
of expiring cards.

keith
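
Added example, not part of the post above or of Netscape's validator: a strict mod 10 check that also rejects empty and non-digit input, run against every single-digit typo and every adjacent-digit swap of a sample value to show which typing errors the test catches and which it cannot. The function names and the 11-digit sample are assumptions made for this illustration.

```javascript
// Luhn (mod 10) check: true only for a non-empty string of up to 19 digits
// whose weighted digit sum is a multiple of 10.
function luhnValid(st) {
  if (!/^[0-9]{1,19}$/.test(st)) return false;
  let sum = 0;
  for (let i = 0; i < st.length; i++) {
    // Walk from the rightmost digit; double every second digit.
    let d = st.charCodeAt(st.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9; // same as adding the two digits of the product
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Replace each digit with every other digit and count the mistyped
// variants that still pass the check.
function singleDigitErrors(valid) {
  let tried = 0, missed = 0;
  for (let i = 0; i < valid.length; i++) {
    for (let d = 0; d <= 9; d++) {
      if (String(d) === valid[i]) continue;
      tried++;
      if (luhnValid(valid.slice(0, i) + d + valid.slice(i + 1))) missed++;
    }
  }
  return { tried, missed };
}

// Swap each pair of differing neighbours and return the variants that
// still pass: the typos this check cannot see.
function adjacentSwapsMissed(valid) {
  const missed = [];
  for (let i = 0; i + 1 < valid.length; i++) {
    if (valid[i] === valid[i + 1]) continue;
    const swapped = valid.slice(0, i) + valid[i + 1] + valid[i] + valid.slice(i + 2);
    if (luhnValid(swapped)) missed.push(swapped);
  }
  return missed;
}

// Constructed 11-digit sample for the demonstration, not a card number.
const SAMPLE = "12345678903";
console.log(luhnValid(SAMPLE));
console.log(singleDigitErrors(SAMPLE));
console.log(adjacentSwapsMissed(SAMPLE));
```

Every single-digit typo is caught, but swapping an adjacent 9 and 0 is not, and a passing result says nothing about whether a number was ever issued, so authorization still has to happen on the server side.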



