

Ask HN: Verifying the accuracy and validity of credit card numbers - abhishektwr

Hi everyone, I am looking for a web service where I can verify the credit card entered by my clients and some associated details such as expiry date, Address Verification Service (AVS) and Card Verification Value (CVV). I have no payment processing requirements; in other words, I am not looking for payment gateways or services such as PayPal, Chargify, CheddarGetter etc. Actually, I have no clue how things work behind the scenes. Is it possible to verify some of these fields algorithmically? Will appreciate your input.
======
patio11
It is impossible to verify the validity of any information on a credit card
without charging it. (You can verify whether a credit card number is _well-
formed_ and matches the card type fairly trivially -- Google [luhn credit card
validation].)

The inability to do verification without charging is by design, since "Yes,
that information is valid" is a security risk. Suspicious behavior with
charges is easier to track, and processors will use any whiff of "Hmm, those
transactions don't smell right" as a reason to shut down your account.

Your mental model of what you're needing might need some work. All of the
following things could potentially make the card "invalid":

1) The credit card does not exist, and your client is lying to you.

2) The card's details were mistyped.

3) The credit card does exist, but your client has stolen it, and the
transaction is unauthorized.

4) The credit card does exist, and the transaction is authorized, but some
factor about the transaction will trip a fraud alert at the issuing bank, and
it will be denied anyhow.

5) The credit card does exist, and the transaction is authorized, and the bank
doesn't have any particular issue with it, _but_ the client does not have
sufficient credit to cover it.

6) The credit card does exist, and the transaction is authorized, and the bank
doesn't have any particular issue with it, and the client has sufficient
credit, _but_ a person with authority over the card has restricted it from
being used at services like yours. (Not uncommon on corporate/government
cards, depending on your merchant classification.)

7) The credit card does exist, and the transaction is authorized, and the bank
doesn't have any particular issue with it, and the client has sufficient
credit, and the card is not restricted from being used to buy your services,
_but_ at the instant you try to actually charge the card, one or more services
between you and the bank is not functional.

8) A card was fine when you got the information (with regards to your
transaction) but hits any of the above when you actually try to charge it.
This is _absurdly_ common for SaaS businesses, due primarily to card
expiration and secondarily to patterns of customer behavior with regards to
changing CCs.

~~~
abhishektwr
Thanks Patio, very clear explanation. Is it possible to make a very small
transaction as a process to verify the card? (Similar to PayPal, which deposits
$0.01 or a similar small amount in your account or card and later asks you to
verify that amount.) I think my problem lies in category 8; I am more worried
about card expiration and credit limits.

~~~
jonah
Not sure what you're trying to achieve specifically but I can assume you want
to collect a customer's billing information to keep on file until they do
something in your app which you'd charge them for.

You will need to set up a merchant account/gateway to do this but it's quite
easy to pre-authorize[1] a card for a small amount - $1.01 or some such and
then never capture the payment. That way, you verify the account is valid and
active and passes CVV and AVS yet you don't actually collect any money.

I assume you'll be charging people eventually otherwise I'm guessing your
processor won't be too happy about you only pre-authing transactions.

[1] A note about debit cards used pin-less: When you pre-auth a credit card, a
hold is placed on the money until you either capture it or the hold falls away
(usually after a few days). BUT when you pre-auth a debit card the money is
actually taken out of the checking (or whatever) account tied to the card. It
will only be returned if the hold expires.

------
ig1
You can verify some of them algorithmically, but there are plenty of
generators available online which will generate fake credit card details that
will pass these checks.

Also it's worth noting that you're not allowed to display the Mastercard/Visa
logo without specific permission from them (normally you get this
automatically when you get a payment gateway, etc.)

If you do have a processor then you can do a pre-authorization credit check
(does this person have the money to pay for it?) without actually charging
them.
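
The well-formedness check that patio11 and ig1 refer to, as an added example that is not part of the thread: a Luhn checksum plus a prefix/length match against the card type. The three-brand rule table and the function names are assumptions of this example; a passing result only means the number was plausibly typed correctly, not that the card exists or can be charged.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def detect_brand(digits: str):
    """Map issuer prefix and length to a brand; None if no rule matches.
    Simplified table (assumption): only Visa, Mastercard and Amex."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "amex"
    return None

def check_card_number(raw: str, claimed_brand=None):
    """Return (well_formed, detail). True means 'plausibly typed correctly',
    never 'exists' or 'can be charged'; only an authorization answers that."""
    digits = re.sub(r"[ -]", "", raw)  # tolerate spaces and dashes as typed
    if not re.fullmatch(r"[0-9]{12,19}", digits):
        return (False, "not a 12-19 digit number")
    if not luhn_ok(digits):
        return (False, "luhn check failed")
    brand = detect_brand(digits)
    if brand is None:
        return (False, "unrecognized prefix or length")
    if claimed_brand and claimed_brand.lower() != brand:
        return (False, "brand mismatch")
    return (True, brand)

if __name__ == "__main__":
    # Constructed samples: published test numbers, a typo, and a nonsense
    # number that still passes Luhn on its own.
    for sample in ("4111 1111 1111 1111", "4111111111111112",
                   "3782-822463-10005", "0000000000000000"):
        print(sample, check_card_number(sample))
```

The all-zero sample passes the checksum and is rejected only by the prefix rule, which is why a checksum pass is useful for catching typos at form entry and nothing more.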

