

Ask HN: Advice on strictness of credit card validation - mburnett

Our business is such that we authorize credit cards ahead of time, and then do a bulk capture (actually submitting to "charge" the accounts) at the end of the day. We also allow the user to "store" their credit card on a third-party, PCI compliant provider.

Until this point, we have not been very strict on the way we verify/validate credit cards. So today I was implementing additional levels of verification and felt like things were getting a little complicated/strict.

Here are the various levels I am working with:

* Typical checks for presence and lengths of fields as well as algorithmic credit card check
* Address Verification Service (AVS) which matches first 5 contiguous street digits along with 5 digit zip code
* Require CVV code (3 or 4 digit code present only on the card itself)
* Attempt $0.01 or $0.00 authorization (and then immediate voiding of transactions)

Note: when a transaction fails to match with AVS, there is an option to "accept and hold for review". However, this seems somewhat meaningless as I would not know whether an address was "valid" or not unless it was clearly fraudulent (i.e. "123 main street" type of stuff)

Main question: When the user initially enters their payment information, should we be performing $0.01 authorizations every time? Also, for stored credit cards, should we ask again for the user to provide the CVV (since it is never part of the stored payment information)?

Just want to make sure that this level of strictness is really necessary. It doesn't feel like most sites that store my payment information require me to constantly reenter my CVV.

Any advice or "here is what we do" type of responses are appreciated.
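
The local, pre-gateway part of the checks listed above (field format, Luhn, CVV length, numeric AVS key), as an added Python example that is not part of the original post. Function names are hypothetical, the AVS key is one reading of "first 5 contiguous street digits", and the actual AVS/CVV match and the small authorization are done by the processor, not by this code.

```python
import re

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def avs_key(street: str, zip_code: str) -> str:
    """Numeric key AVS compares, as described in the post: the first run of
    street digits (at most 5) plus the 5-digit ZIP. Assumed interpretation."""
    run = re.search(r"[0-9]+", street)
    zip5 = re.sub(r"[^0-9]", "", zip_code)[:5]
    return f"{run.group()[:5] if run else ''}|{zip5}"

def local_checks(pan: str, cvv: str, street: str, zip_code: str) -> list[str]:
    """Return the names of failed checks; an empty list means the data is
    well-formed enough to send to the gateway for AVS/CVV/authorization."""
    errors = []
    pan = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"[0-9]{13,19}", pan):      # ISO/IEC 7812 length range
        errors.append("pan_format")
    elif not luhn_ok(pan):
        errors.append("pan_luhn")
    # American Express (prefix 34/37) prints a 4-digit code, other brands 3.
    want = 4 if pan[:2] in ("34", "37") else 3
    if not re.fullmatch(r"[0-9]{%d}" % want, cvv):
        errors.append("cvv_format")
    if len(avs_key(street, zip_code).split("|")[1]) != 5:
        errors.append("zip_format")
    return errors

def mask(pan: str) -> str:
    """Log-safe form of the card number: last four digits only.
    The CVV is checked in memory and never logged or stored."""
    digits = re.sub(r"[^0-9]", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

if __name__ == "__main__":
    # Constructed sample input using a publicly documented test card number.
    sample = ("4111 1111 1111 1111", "123", "1600 Pennsylvania Ave", "20500")
    print(mask(sample[0]), local_checks(*sample))
```
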
======
codeslush
This whole entire business is in dire need of a major disruption - it's
ridiculous and takes an Einstein to even figure out the charges. That said...

1. I read a thread on here a while back (< 3 months) talking about address
verification and why NOT to do it. You'll have to do your own search - but I'm
reasonably confident that it was related to 37signals in some way.

2. CVV verification reduces your fraud levels and it is a MUST have for web
transactions, IMO, but you'll need to check with your merchant account to see
if it also reduces your charges per transaction. I'm thinking that the CVV
verification does reduce it. Why wouldn't you need this on a recurring
transaction? Presumably, the recurring transaction already has done the
verification??? The way it's processed isn't really a new transaction, but a
recurring. If you do a new purchase, even with same company, I think you'll be
asked for CVV again. I honestly don't know, but I bet it has something to do
with this. Never have done recurring transactions before, but someone here
will be able to answer.

Why void the authorization? Again, this stuff is all relatively cryptic to me,
but I thought the purpose of the auth was to at some point actually charge?
The gas station I use always charges .01 - I see it on my account before the
actual charge goes through. I'm sure they are just verifying the CC info is
accurate. I don't think they void it though. Anything wrong with authorizing
the entire purchase amount you expect to charge, and then just process it at
the appropriate time? For sure, the auth is good for more than the "one work
day" you outlined above.

Myself, I've always wondered about the authorization transaction. I thought
that I got charged some fee just for doing that, then another fee to run it.
I'm probably wrong on that, but I was so confused by how I got charged and
what percentages that I did the absolute minimum necessary. Customer has a
rewards card? Great, we charge you extra for that! Amex is the worst with
chargebacks. Sorry...you've brought back some bad memories! :-)

EDIT: Here, I did the search I mentioned above.
<http://news.ycombinator.com/item?id=1953137>

------
JonathanWCurd
Yes to CVV.

Only use AVS if you're shipping.

Authorize only for 1.00 to verify card for subscription billing or authorize
the card for full amount if you are batch end of day processing. The
authorization holds the money for a period so you can capture it, and if you
never do, it releases it back. It only affects a card's available credit and
does not affect you or the consumer unless you capture it.

