[thelist] Credit card validation

Keith Davis cache at dowebs.com
Sat May 26 21:06:40 CDT 2001

"Charles F. Johnson" wrote:

> So would I be correct in stating that our client's request is at least
> unusual, and maybe even impossible/illegal? That's what I thought when they
> presented it to us, to be honest...


It's unusual and possibly illegal is correct. But that really depends on
the why and what of their proposal. Could you give us a hint as to why
they need to validate the card and its open-to-buy? And do they also
need to validate the cardholder's AVS?

There may very well be nothing illegal, but a rash of validate-only
will certainly make VISA Merchant Services suspicious enough to
investigate, unless the terms of their merchant account call for that
kind of traffic. Every account is different and very specific about the
kind of activity that it allows. If they are changing the nature of
activity or flow on an existing account they need to see about having the
account amended at least.

A validation request can be made on a MO/TO account since the processors
have no idea what kind of account it is, it's just unusual to do so and
finding a gateway that is programmed to send those codes is also
unusual. But don't take my word on that, shop around. Likewise, if they
use an over-the-counter account to just validate that the card is good
and has an open-to-buy, and never charge it based upon the web nature of
the validation request, then there's no illegality. 

But let them validate a bunch of cards and then later charge them and it
will look like an inept MO/TO flow and trigger an onsite visit from
their local ISO. If those turn out to be web sales done on an
over-the-counter account they are in deep sh*t. The underwriter can
demand a return of every cent that has ever been run through the
account, can seize and sell any assets to get that amount (without going
through the courts), and in 16 states ask the state to bring criminal
fraud charges. 

I have a similar situation brewing. A main street lingerie boutique has
"Nice", "Naughty" and "Nasty" sections in their store. In the store the
"Nasty" section is reserved for adults only. They want to do the same
thing on a website. They want to validate AVS to get into the adult
section without charging the card. Then they of course expect to sell
stuff too. Knowing that some third party gateways would not be
programmed to handle a validation-only we called B of A which offers a
direct shot into the processors. They said that programmatically they
could do it but they want to use the existing store account for
validation and a new MO/TO account for the sales. The customer will have
to enter their information a second time if they want to buy something.
Not elegant but I think we'll do it if the underwriter approves.

How well do you know your client? Consider this scenario. Sally works at
a mail order house taking orders all day over the phone, putting cc
numbers in her purse as she goes. She sells this growing list to Rocky
in the parking lot on Wednesdays. Months go by. Rocky now has a stash
that he wants to sell to Jocko. Jocko wants to validate that each card
is still good and has at least $500 on it before he gives Rocky a price.
Jocko could do this through Alice's swipe machine at her restaurant but
that black box leaves a hard coded trail to Alice and she nixes using
her swipe, but not her account. So Jocko gets your client to get you to
do the validation over the web and Alice, doing her best to act
indignant, says "What? I got a restaurant here, why would I have a
website, someone's stolen my account number!" Jocko buys the stash,
Rocky buys Sally an expensive gift, only to find out she ran off with
Bob to Florida last Thursday, and the boys downtown are looking for the
guy who used Alice's account number. 

Give or take a few details I just described what the FBI estimates was
25% of all credit card theft last year. 

It's easy to say, "Hey I'm just a web designer, I just build what they
ask for." That defense doesn't cut it for a plumber, an electrician, or
a carpenter, and it won't work when a client says, "You were the expert,
you should have told me, I'm suing". E-commerce is different. It's not
just design. I turned down an offer a year ago because I could see the
client in trouble with the state sales tax commission a year down the
road. My archrival built it. The client paid tens of thousands in fines
and sued the designer for building a site that violated the tax code. He
had no proof it was their design, not his. Case settled out of court.

