
Why do credit card forms ask for Visa, Mastercard, etc.? - jackhammer2022
http://ux.stackexchange.com/questions/51346/why-do-credit-card-forms-ask-for-visa-mastercard-etc
======
wcfields
Could someone who deals with PCI compliance please explain some other nuances
of credit cards that I've been curious about:

* Fault/Decline Codes returned from processors like CyberSource. How are these factored? How do processors do Regex on names/addresses? [1][2]

* CVV numbers and what they mean/how they are treated in the system? If CVV number is included does this increase chargeback protection?

* How CHIP cards work differently in the processing system, if at all?

* Do "knuckle-busters" (carbon copy physical imprints) follow any sort of compliance anymore?

[1]
[http://apps.cybersource.com/library/documentation/dev_guides...](http://apps.cybersource.com/library/documentation/dev_guides/Reporting_Developers_Guide/reporting_dg.pdf)
[2]
[http://apps.cybersource.com/library/documentation/dev_guides...](http://apps.cybersource.com/library/documentation/dev_guides/AFS_IG/20050726_AFS_IG.pdf)

~~~
pbreit
Checks are typically very simple, no regex-ing involved.

First, names are not really checked.

For addresses, usually only the number (and sometimes just first three digits)
are checked as well as the zip.

Generally the processor tries to decline as few txns as possible and instead
deliver the information to the merchant to make a decision. The merchant can
usually pre-configure error codes that it would like the processor to decline.
This might be preferable to the merchant from a cost-saving standpoint as well
as not needing to "void an auth" in order to free up the cardholders
spendability.

The idea behind CVVs is that merchants are disallowed from storing them so
they are far less likely to be included in stolen credit card databases. Thus,
requiring them significantly decreases fraud risk. And, yes, many
gateways/processors charge more for missing or incorrect CVVs.

It's harder to "steal" a chip card since the information is not sitting on an
easy-to-read mag-stripe. It's not clear that chip cards would have avoided the
Target thing since the fraudsters infiltrated the terminal software. I'm
guessing more current terminals/software is simply harder to compromise. "Chip
& pin", as is widely used in places such as Canada and Europe, might help a
bit since you would need the PIN to shop off-line. But it would have minimal
effect for online shopping since PIN is typically not requested.

The reason we still sign receipts and yes, you still see a carbon copy here
and there, is mainly because it protects the merchant if the cardholder does a
"chargeback". Merchants typically store the receipts and only turn them over
if a chargeback is received. Showing the signed receipt to your processor will
usually absolve you from any loss.

I think the above is accurate or close to.

~~~
henrikschroder
> charge more for missing or incorrect CVVs.

Wait, what? Can transactions still go through without the CVV, except the
merchant's transaction fee is a bit higher? They're just not declined
outright?

~~~
thomaslangston
Yes, the CVV is not required. If you think about it, it is obvious CCV isn't
since many self-serve card swipe machines (gas stations, grocery stores, fast
food restaurants) don't ask you for it.

~~~
kalleboo
There are two CVVs: one printed on the card, one on the magstripe. So for
swipe transactions they're still getting a CVV.

------
jonnathanson
It's certainly not necessary, but my guess is that it follows from the "Don't
Make Me Think" school of UX design. If a majority of consumers have been
conditioned to expect a credit-card-selection menu (or series of clickable
icons), then the absence of such might confuse them and cause measurable drop-
offs in the purchase completion funnel. It seems a little farfetched, but I'm
sure at least someone has done the tests and proven this to be the case. (And
if not, then there is truly no reason for the continued presence of these
menus.)

Anecdotally, I've noticed that more and more sites are using autodetect
features based on the first 4 digits entered. It certainly didn't put me off
as a shopper; in fact, I found it a lot more elegant. But I'm an unusual guy,
as are most people who work in tech. We can't assume that what's appealing or
efficient to us is necessarily the same for the broader masses.

~~~
danudey
I worked for a company which sold goods online and ran their own shopping
cart. We took out the 'card type' drop down and just auto detected it. We had
a bunch of greyed-out logos and once you entered a valid credit card number it
would light up whichever card type it was (Visa, Mastercard, Discover, Amex).

What we found was a huge increase in people typing 'Visa' or 'Mastercard' into
the 'Name on the card' field (whatever the field was called, I don't
remember). People were so used to having to provide that information that they
began to provide it _in lieu of providing the cardholder name at all_.

Think about that for a second; they stopped putting their own name _anywhere_
on the credit card form, and instead started putting the card type in that
field. Conversion went down, customer service issues went up.

We added the field back to the form, even though it was never checked and did
nothing, and it resolved the issue.

~~~
danieltillett
We do a similar thing here in Australia with states and postcodes. Except for
a couple of unusual postcodes the state can be predicted with a 100% accuracy
from the postcode. We found that if we didn't include the ability for the
customer to select a state then they would do silly things like put the state
in the street address or even their own names. We added a functionless state
dropdown and these errors stopped.

------
notdonspaulding
If you only accept the 4 biggest card issuers, you can get away with some
dead-simple code to indicate to the user what card type their number indicates
they are.

Personally, I bind an onkeyup event handler to fade in the appropriate icon
based on the first digit of the number. This is not safe if you accept more
than these 4 card types, (we don't).

    
    
        function detect_cc_type(number){
            return {
                '3': 'american_express',
                '4': 'visa',
                '5': 'mastercard',
                '6': 'discover'
            }[number[0]];
        }

~~~
rmc
_If you only accept the 4 biggest card issuers_

Heads up: If you're in (say) Europe or UK, then American Express and Discover
aren't a "big card issuer"

~~~
aestra
>Heads up: If you're in (say) Europe or UK, then American Express and Discover
aren't a "big card issuer"

Do you only have Visa and Mastercard then?

~~~
sleepyhead
Yes. And local bank debit cards usually combined on the VISA card, in Norway
there is BankAxept, Dankort in Denmark and something else Germany can't
remember. The fees for these transactions are next to nothing compared to
Visa/MC here in Norway. But very rarely accepted online (unfortunately).

~~~
sjwright
This is similar in Australia and New Zealand as well. Visa and MasterCard are
extremely common, AMEX is sometimes offered with fancy accounts (usually as a
second card), and Discover is all but unheard of.

We have a checking account payment system called EFTPOS which has near
universal acceptance, and can be combined on the same card as a Visa/MC/AMEX.

Contactless payment (PayWave and PayPass) is rapidly becoming commonplace
among retailers, and can be used for transactions up to AU$100.

[http://en.wikipedia.org/wiki/Debit_card#Australia](http://en.wikipedia.org/wiki/Debit_card#Australia)

Australia plans to deprecate the use of signature verification for domestic
credit cards later this year, requiring Chip+PIN for all cards issued by
Australian banks. Signatures will still be accepted for foreign cards, because
tourists.

[http://www.lifehacker.com.au/2014/01/credit-card-pin-
number-...](http://www.lifehacker.com.au/2014/01/credit-card-pin-number-
changes-in-australia-everything-you-need-to-know/)

Visa Debit is available and works, but doesn't really have any domestic
advantages over EFTPOS. Maestro and PLUS aren't brands Australians generally
interact with, except when traveling.

Frustratingly, Australian Chip+PIN cards don't seem to travel overseas well --
in ATMs they work fine (with fees galore) but in retail, the terminal often
insists on a signature instead of a PIN.

------
pbreit
I think it was just a convention and made people feel better about having
entered the form correctly. It makes sense to tell a merchant what type of
card you are using even though someone "in the know" might know that it can be
sussed from the digits.

Most payment gateways still require it even though it's probably superfluous.

I've also wondered why forms ask for name on card even though I'm pretty sure
it's not checked by most/all processors and would never lead to a decline.
Worse is that hardly any merchants pre-fill it if they've already collected
your name.

~~~
joevandyk
The name on the billing address is handy if you need to contact the person
making the purchase.

~~~
pbreit
Well, then you'd need to ask for their email or phone which I've never seen.

~~~
joevandyk
most online purchases ask for the person's email address.

Also, you've never shopped at Amazon? They ask for the phone number for the
billing address.
[https://www.monosnap.com/image/4QZmCDNdlsqei8BLIsjw6Z3q00tml...](https://www.monosnap.com/image/4QZmCDNdlsqei8BLIsjw6Z3q00tmlD.png)

~~~
pbreit
I was referring to when merchants ask for the name on your credit card. I
can't recall that ever being accompanied by email or phone. Here's Amazon's
form: [http://imgur.com/Azd1VKZ](http://imgur.com/Azd1VKZ)

------
Domenic_S
I'd like to see an A/B test between the 2 options. It sounds plausible that a
less-sophisticated buyer might see the Visa logo light up after they've typed
the first digit of their card and get confused ("WHAT WITCHCRAFT IS THIS").

~~~
kevinconroy
I don't have published version of data, but I can confirm from running a
checkout flow that's processed $100M that fewer fields = more conversions. If
you light up the logo people understand it when done properly.

It helps that more savvy ecommerce sites are moving to this model so more and
more users are familiar with the experience.

------
marcusr
Why do credit card forms ask you to enter the credit card number without
spaces between the clusters of digits, when it's simple for the machine to
parse with or without them?

~~~
MichaelApproved
I'm going to guess that the most likely reason is that a terrible progranmer
or manager was behind the decision of making the customer do the extra work
instead of the development team spending a little more time to parse it.

I doubt there's a reasonable explanation as to why a CC field can't contain
dashes or spaces. I'd love to hear one but I doubt there is one.

------
danmanstx
Working for nonprofits and church's, I know we do it because AMEX and others
charge higher rates per transaction than say VISA, thus some clients only take
VISA and giving a select list of options, lets the user know to use that type
of card.

~~~
pbreit
Not taking Amex for cost reasons is almost always a bad move. First, it annoys
the person giving you money (always a bad move). Second, Amex cardholder spend
_way_ more than average (frequently a bad move). They may still spend as much
when asked to use Visa instead, but maybe not.

~~~
aestra
I'm an AMEX cardholder. I don't really mind too much when people don't take
AMEX. I understand they are a "premium" brand and I adjust my expectations
accordingly. That being said 99.9% of the time they take AMEX.

>giving a select list of options, lets the user know to use that type of card

No. AMEX cardholders know they aren't welcome 100% of the time, and they know
to look for an AMEX logo before typing in their info. You need to have the
proper logos or lists of payment methods right next to your way to pay.

~~~
ycombobreaker
Seconded. I know to look for an AMEX or Discover logo at a cash register or on
the bill cover at a restaurant/bar. Those cards are accepted at many more
businesses than they were ten years ago, but acceptance will never hit 100%
due to the fee differences for merchants.

------
frankus
For a good example of how to do this right, see skeuocard:

[http://kenkeiter.com/skeuocard/](http://kenkeiter.com/skeuocard/)

~~~
sleepyhead
Good example? It is an interesting concept but while it resembles the physical
object it does not fit in with the normal way of filling out a form on a
webpage. And has anyone used this in production? I really like to see some
stats on how this performs.

------
wil421
Worked in restaurants for years while I was in college. All but 1 restaurant I
worked at had systems that asked for the type of card.

I dont think this is limited to web forms.

~~~
i386
Probably to add the surcharge? Vendors pay AMEX a % of the purchase.

~~~
wil421
Could be a possibility, in the situation where I didnt have to select a card
type the system would automatically register the correct type as soon as I
swiped the card.

------
excitom
This has always been a pet peeve of mine, it's totally unnecessary to ask for
the card type.

Also, it bothers me that I can't type in my card number _exactly_ as it
appears on the card, with embedded spaces for readability. Stupid form! Don't
tell me the number is invalid since it has spaces in it! If you don't like my
spaces, take them out!

------
1337Coder
If anyone is curious about the luhn algorithm, here is one I made in C# from
the example in the question:

static bool IsValidLuhn(string numbers) { if (numbers == null) throw new
ArgumentNullException("number", "number must have a value.");

var allNumbers = numbers .Where((c) => c >= '0' && c <= '9') .Reverse()
.Select((c, i) => (i % 2 == 1) ? ((Convert.ToInt32(c) - 48) * 2).ToString() :
c.ToString());

return allNumbers.Count() > 0 ? allNumbers.Aggregate((x, y) => x + y).Sum((c)
=> Convert.ToInt32(c) - 48) % 10 == 0 : false; }

Edit: Can sum one link me to HackerNews markdown?

~~~
bjconlan
I also did one in javascript (i've requested it be ammended to the accepted
response but we'll see how it reviews) anyway here it is:

    
    
      function validateCC(ccNumber) {
        var ccNumber = ccNumber.replace(/ /g, '');
    
        console.log(
          /^3[4|7]\d{13}/.test(ccNumber) ? 'AMEX' :
          /^6011\d{12}/.test(ccNumber) ? 'Discover' :
          /^5[1-5]\d{14}/.test(ccNumber) ? 'MasterCard' :
          /^4[\d{12}|\d{15}]/.test(ccNumber) ? 'Visa' : 'Unknown',
          ccNumber,
          ccNumber.split('').reverse()
            .map(function (v, i) { return v * (1 + i % 2) })
            .reduce(function (agg, v) { return agg + v; }, '').split('')
            .reduce(function (agg, v) { return agg + +v; }, 0) % 10 === 0 ? '(valid)' : '(invalid)');
      }
    

btw to markup simply append 2 spaces to the front of the newline

------
ahallock
I think it's one of those things where convenience for those looking at the
underlying data has bled over into the UI. While you can deduce the type from
the number, it's not easy for humans to do that at glance while looking over
SQL query results. I could be wrong, but often, we ask users for more input
than we need to because elegant UIs take lots of work.

~~~
ii
Is it really hard for anyone in 2014 to get the type of a card from the first
2 digits of a card number and add a field to an INSERT query?

~~~
ahallock
It's not difficult, but quite a few developers I've worked with were unaware
of that algorithm, which is one reason I think they pushed it into the UI.

~~~
ii
All developers I know of, including myself, do have this unawareness of simple
things, but I prefer to call it for what it is: simple human laziness.

------
robotcookies
Might also be that some people will try to enter an amex or discover card
number if you don't do this. Even if you state that only visa or mc can be
used, people don't always read it. Having to select an option is how you can
be sure that they are aware of it. Kind of like having to check off the "I
agree to the terms" checkbox.

------
mastersk3
I wonder if this was used to discourage AmEX cards(Higher processing fee), as
to my knowledge these forms have originated in pre-checkout JS era and have
just been copied thereafter. Would be helpful if we could get a look at the
processing rates 6-7 years back.

------
ansimionescu
[http://creditcardjs.com/](http://creditcardjs.com/)

------
kogir
The same reason forms make your enter your phone number in a particular
format.

It's easier to make the user do all the work, and lazy developers can't be
bothered to do simple things like strip all non-digits from a phone number.

------
the_mitsuhiko
Mostly it's because of PCI DSS and dinosaurs in the market leaving very little
customizability of the iframes they provide.

------
dschiptsov

       if (strcmp($POST['cardtype'], "mastercard")) {
          $Processor = $PaymentProcessorFactory.InstantiateByType("mastercard");
          $Processor = $PaymentProcessorFactory.InstantiateByType("visa");
       }
       $Processor.process($POST);

Sorry, cannot simulate "real-world" (lame enough) PHP OO code, but you got the
idea.)

