[thelist] php javascript CC validation (going off topic)

Liam Delahunty ldelahunty at britstream.com
Fri Apr 12 09:06:00 CDT 2002


sasha said:

> Would this even be a wise thing to do?  Any shmuck who
> reads the source could make up their own "valid" credit
> card number.
>
> Christy "sasha" Siepker

It doesn't matter. The rules governing the validation of credit cards are
well known (often known as the Luhn 10 test), indeed they HAVE to be for
programmers to check basic validity. Similarly the use of number ranges by
the major credit card suppliers is also free for all to know. The security
is not so much in keeping these processes and numbers a secret but in
checking that cards that do pass the initial test have credit. These tests
are really just to stop typos.
< http://www.google.com/search?hl=en&q=credit+card+validation+luhn+10&btnG=Google+Search >

If someone wants to create a card that will pass these tests it's fairly
easy to do and there are several cc number generators out there on the web.

The security process should not be too bothered about whether the cards pass the
tests, but instead on other criteria such as:
* do the billing and delivery addresses match, in which case, perhaps you
need to check them out a little more. I run a little web site where we sell
a toy/game at a fiver. (http://www.corx.co.uk) Even at that price we check
out orders where the billing address differs. In every single case the
customer has been pleased that we took the time to check with them by phone.

If possible with your provider validate the billing address (this is not yet
possible in the UK where I am - at least not with my merchant services
supplier). Some third parties such as WorldPay require the extra numbers
from the back of the card (can't remember the term), which supposedly makes
their cc number gathering more likely to be a valid card. Others do a check
on the billing address.

I'd be concerned if:
* are they ordering a lot?
* are they repeat ordering very quickly after a previous order?
* do they want to collect the goods?
* are they in a hurry?

<rant>
Regrettably the banks completely fsck us over. They charge a percentage of
every transaction, they charge a fee for each end-of-day tally on the PDQ,
they charge for rental of the PDQ, a set-up fee, and so on. They don't
provide the security checks we need, and if the customer has a problem
they'll take the money back and charge us for that too.
</rant>

What's also bad for us, is that it takes 90 days from the transaction before
we can be relatively sure the money is safe in our bank. The customer may
not receive a bill for a month, then has a month to complain to their cc
provider, then the provider can take a further month before we are even
aware of the problem. sigh...

kr,
Liam

Who's hoping that Fulham win the FA cup semi-finals...
< http://www.fulhamfc.co.uk >
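The Luhn 10 test discussed above, as an added example that is not part of the original post. It shows exactly what the check does and does not buy you: every single-digit typo is caught, every adjacent transposition except 09/90 is caught, and nothing about it says whether the card exists or has credit. The sample numbers are constructed test values, not real cards.

```javascript
// Luhn (mod 10) check: walk the digits right to left, double every second
// one, fold two-digit results back to one digit (14 -> 5), and require the
// total to be a multiple of 10. Spaces and dashes are tolerated as typed.
function luhnValid(number) {
  const digits = String(number).replace(/[\s-]/g, "");
  if (!/^\d{12,19}$/.test(digits)) return false; // PAN length range only
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True when every possible single-digit substitution in a valid number is
// rejected. Doubling-and-folding is a permutation of 0..9, so this always holds.
function catchesSingleDigitTypos(number) {
  for (let i = 0; i < number.length; i++) {
    for (let d = 0; d <= 9; d++) {
      const c = String(d);
      if (c === number[i]) continue;
      if (luhnValid(number.slice(0, i) + c + number.slice(i + 1))) return false;
    }
  }
  return true;
}

// Adjacent transpositions that still pass the check. The only pair the
// algorithm cannot tell apart is 09 <-> 90, so this lists those slips.
function missedTranspositions(number) {
  const missed = [];
  for (let i = 0; i + 1 < number.length; i++) {
    if (number[i] === number[i + 1]) continue;
    const swapped =
      number.slice(0, i) + number[i + 1] + number[i] + number.slice(i + 2);
    if (luhnValid(swapped)) missed.push(swapped);
  }
  return missed;
}

// Constructed test values (both Luhn-valid, neither is a real card).
const SAMPLE_PLAIN = "4111111111111111";   // no 09/90 pair: all slips caught
const SAMPLE_WITH_09 = "4111111111110907"; // contains "090": two slips missed
```

A number that passes here has merely been typed consistently; the address, CVV and authorisation checks the post goes on to describe are where the actual risk decision lives.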
