
Ask HN: How can companies charge a CC with only card number and expiry? - citricsquid
I talked to a friend about the recent PSN credit card information leak and he said he was not concerned, as PSN would not store the CVV code required to make charges; however, in my experience it is possible to charge a credit card (and debit card) with only the expiry date and number.

GitHub is an example of this happening; they only require the number and expiry.

How are they able to do this, and can anyone do it?
======
cperciva
It all depends what deal you have with your credit card processor. Large
companies with a long history of low fraud rates can do things which
small/new/riskier companies aren't allowed to do. (Including charging a credit
card after its recorded expiry date, as I recently discovered when I forgot to
update the credit card attached to one of my development accounts at AWS).

For companies in the middle of the risk spectrum, it can sometimes depend on
how much you're willing to pay in fees -- I've seen e.g., "2.15% without CVV
codes, or 2.05% with CVV codes" advertised.

~~~
tzs
Anyone can charge cards past the recorded expiry date. The only date check
generally is that it be in the future, so if the on-file card date is in the
past, just make up a future date. The recommendation I've seen from some
gateways is to add multiples of 3 years until the date is in the future.

What larger companies can do is access the Visa Account Updater or the
Mastercard Automatic Billing Updater. These are services that allow the
merchant to submit card numbers and get updated information. Basically, the
merchant sends a list of cards, and gets a report back. For each card
submitted, the response is one of:

1. No response. The card never shows up in a returned report.

2. Notification that no updated information is available.

3. Notification that the account is closed.

4. Notification that the account has a new number and/or expiration date, and
those are provided.

The fees for this are surprisingly cheap. One of them has a one-time sign up
fee of a couple hundred bucks, and the other has no sign up fee. After that,
it is something like $0.10 per card that results in updated information. No
charges that come back with no updates or do not get a response.

I suspect this has surprised a lot of people whose bank changes their card
number every three years, and so thought that they could just not bother
canceling some subscription service because the old number would stop working.
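
Added example (not code from any poster in this thread): a card-on-file maintenance routine for a recurring-billing merchant that models the two practices described above, bumping a stale on-file expiry forward in multiples of three years before a retry, and applying an Account Updater style report whose rows fall into the four categories listed. The report format, the status names, the `token` field and the per-update fee are constructed assumptions; real VAU/ABU reports are keyed and formatted differently.

```python
"""Card-on-file maintenance (constructed example, not a real updater client)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class CardOnFile:
    token: str        # opaque vault token (assumed); the PAN itself is never held here
    last4: str
    exp_month: int
    exp_year: int
    active: bool = True


def bump_expiry(exp_month: int, exp_year: int, today: date,
                step_years: int = 3) -> tuple[int, int]:
    """Return an expiry in the future, advancing in multiples of step_years.

    A card expiring in month M of year Y is valid through the end of that
    month, so an expiry equal to the current month is left unchanged.
    """
    month, year = exp_month, exp_year
    while (year, month) < (today.year, today.month):
        year += step_years
    return month, year


# Constructed report statuses; "no response" is the absence of a row.
REPORT_NO_UPDATE = "NO_UPDATE"
REPORT_CLOSED = "CLOSED"
REPORT_UPDATED = "UPDATED"


def apply_updater_report(cards: dict[str, CardOnFile],
                         report: list[dict]) -> dict[str, list[str]]:
    """Apply a report to the vault in place; return tokens grouped by outcome."""
    outcome: dict[str, list[str]] = {
        "no_response": [], "no_update": [], "closed": [], "updated": []}
    seen: set[str] = set()
    for row in report:
        token = row["token"]
        seen.add(token)
        card = cards.get(token)
        if card is None:
            continue  # row for a card we no longer hold; nothing to do
        status = row["status"]
        if status == REPORT_NO_UPDATE:
            outcome["no_update"].append(token)
        elif status == REPORT_CLOSED:
            # Stop billing rather than retrying; the customer must supply a new card.
            cards[token] = replace(card, active=False)
            outcome["closed"].append(token)
        elif status == REPORT_UPDATED:
            cards[token] = replace(
                card,
                last4=row.get("new_last4", card.last4),
                exp_month=row.get("new_month", card.exp_month),
                exp_year=row.get("new_year", card.exp_year))
            outcome["updated"].append(token)
        else:
            raise ValueError(f"unknown report status {status!r}")
    # Category 1 in the post: cards that never appeared in the returned report.
    outcome["no_response"] = [t for t in cards if t not in seen]
    return outcome


def estimate_updater_fee(outcome: dict[str, list[str]],
                         per_update_fee: float = 0.10) -> float:
    """Only rows that return updated information are billed (per the post)."""
    return round(per_update_fee * len(outcome["updated"]), 2)


def demo() -> tuple[dict[str, CardOnFile], dict[str, list[str]]]:
    """Run the routine over a constructed vault and report."""
    cards = {
        "tok_a": CardOnFile("tok_a", "1111", 5, 2011),
        "tok_b": CardOnFile("tok_b", "2222", 8, 2012),
        "tok_c": CardOnFile("tok_c", "3333", 1, 2013),
        "tok_d": CardOnFile("tok_d", "4444", 3, 2010),
    }
    report = [  # constructed rows
        {"token": "tok_a", "status": REPORT_UPDATED, "new_last4": "9999",
         "new_month": 5, "new_year": 2014},
        {"token": "tok_b", "status": REPORT_CLOSED},
        {"token": "tok_c", "status": REPORT_NO_UPDATE},
    ]
    outcome = apply_updater_report(cards, report)
    return cards, outcome


if __name__ == "__main__":
    vault, result = demo()
    print(result, estimate_updater_fee(result))
    print(bump_expiry(3, 2010, date(2011, 6, 1)))
```

The closed-account branch deactivates the record instead of bumping the expiry: once the issuer reports the account closed, retrying with a synthetic future date only generates declines and fraud-rate noise on the merchant account.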

~~~
cperciva
_The only date check generally is that it be in the future_

That doesn't always work -- I've had my credit card rejected because I typoed
the expiry date.

~~~
shadowpwner
> The recommendation I've seen from some gateways is to add multiples of 3
> years until the date is in the future.

Did you read the rest of the post?

------
matthew-wegner
Credit card companies don't require CVV checks, although your gateway might
(or may only require it for transactions above a certain amount).

Credit card companies _do_ prohibit storing CVV numbers, however. This means
that charges without CVV are actually quite common (i.e. all
recurring/subscription charges, even if they require it on initial payment).

<http://en.wikipedia.org/wiki/Card_security_code>

~~~
originalgeek
That's not exactly true. You'll get torched on a chargeback if you didn't
match the CVV code.

------
tzs
As others have noted, the CVV is generally optional. The only major exception
I'm aware of is that Visa requires it in Europe for the initial charge on the
card. For subsequent charges, you then use your gateway provider's "reference
transaction" option, which lets you submit additional charges against a prior
charged card.

If the merchant does collect and submit CVV it doesn't necessarily have to be
the right CVV. It is up to the bank that issued the card what happens with the
wrong CVV. The bank can decline the transaction, but many do not. They just
inform the merchant that the CVV did not match, and leave it up to the
merchant to decide if they want to treat that as a fatal error or not.
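
Added example (not from any poster in this thread): the merchant-side decision the post describes, applied to an authorization that the issuer approved but flagged as a CVV mismatch. The conservative choice shown here is to void the approved authorization instead of capturing it, and to skip the CVV check entirely on reference transactions where no CVV was submitted. The response field names, the `CvvPolicy` knobs and the one-letter result codes are assumptions modelled on the common match / no-match / not-processed / unverified convention, not any particular gateway's API.

```python
"""CVV/AVS result handling after authorization (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthResponse:
    approved: bool
    auth_code: str
    cvv_result: str      # assumed codes: 'M' match, 'N' no match, 'P' not processed, 'U' unverified
    avs_result: str      # assumed codes: 'Y' match, 'N' no match, 'U' unavailable
    amount_cents: int


@dataclass(frozen=True)
class CvvPolicy:
    require_cvv_match: bool = True
    allow_unverified: bool = True     # accept 'P'/'U' when the issuer could not check
    unverified_max_cents: int = 5000  # ...but only up to this amount
    require_avs_zip: bool = False


def decide(resp: AuthResponse, policy: CvvPolicy, cvv_submitted: bool) -> str:
    """Return 'decline', 'void' or 'capture'.

    'void' releases an approved authorization that fails merchant policy, so
    the customer's available credit is freed and no chargeback-prone capture
    is made. When no CVV was sent (a reference transaction against a prior
    charge), the CVV result carries no information and is ignored.
    """
    if not resp.approved:
        return "decline"
    if cvv_submitted and policy.require_cvv_match:
        if resp.cvv_result == "N":
            return "void"
        if resp.cvv_result in ("P", "U"):
            if (not policy.allow_unverified
                    or resp.amount_cents > policy.unverified_max_cents):
                return "void"
    if policy.require_avs_zip and resp.avs_result == "N":
        return "void"
    return "capture"


def review_batch(responses: list[tuple[AuthResponse, bool]],
                 policy: CvvPolicy) -> dict[str, int]:
    """Tally decisions for a batch of (response, cvv_submitted) pairs."""
    tally = {"decline": 0, "void": 0, "capture": 0}
    for resp, cvv_submitted in responses:
        tally[decide(resp, policy, cvv_submitted)] += 1
    return tally


if __name__ == "__main__":
    # Constructed sample batch: approved-with-mismatch is the case the post describes.
    batch = [
        (AuthResponse(True, "A1", "N", "Y", 2500), True),    # approved, CVV mismatch -> void
        (AuthResponse(True, "A2", "M", "Y", 2500), True),    # clean -> capture
        (AuthResponse(True, "A3", "U", "Y", 9000), True),    # unverified, large -> void
        (AuthResponse(True, "A4", "P", "Y", 1000), False),   # reference txn, no CVV -> capture
        (AuthResponse(False, "", "M", "Y", 2500), True),     # issuer declined
    ]
    print(review_batch(batch, CvvPolicy()))
```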

------
jsatok
It depends on your merchant account. I recently opened an Authorize.net
account, and they gave me a couple different options. Though it was suggested
to me to collect the full name, address, zip and CVV, it's a matter of
balancing risk on your end as well. With my Authorize.net account, the fees
remain the same regardless of which pieces of information I collect, but if
there begins to be a bunch of fraudulent transactions, my processing account
will come under question, and it's possible I won't be able to continue
processing until it's cleared up.

I ended up deciding to collect full name, zip and CVV, but not address. It's a
matter of balancing UX and fraud. Recurly does a pretty good job explaining
Address Verification and Credit Card Verification in their documentation:
<http://docs.recurly.com/payment-gateways/authorize-net#avs>

------
originalgeek
You are making an assumption that PSN is not storing the CVV code, and may be
incorrect. Though PCI guidelines explicitly forbid storing this field, there
are some who flout the guidelines.

To answer your question, it is similar to places like Starbucks, that do not
require a signature when you make a purchase. In such cases, the merchant has
cut a deal where they agree in advance to accept all chargebacks without
dispute.

------
jhaglund
Among the other routes here, people print fake credit cards (and IDs) and use
them at cash registers. The magnetic strip doesn't need to work, they just need
those raised numbers and the logos. The cashier will enter the digits and
expiration. Generally no CVV is necessary. Often, neither is ID, depending on
the cashier.

(for educational information only -- doing this would be illegal)

