Christopher Ostmo wrote:
> Dr. Evil pressed the little lettered thingies in this order...
>
> >
> > I know that credit cards have standard formats: There's a standard
> > number of digits, and whether the card is Visa, MC, Amex, etc is
> > encoded in the number, and there is some kind of checksum, and I think
the
> > expiration is also encoded in the number. All of this is obvious stuff
> > that anyone designing such a system would do.
> >
> > I'm wondering if anyone can refer me to a site that describes what
> > this format is, so I can write some PHP code that will check to see if a
> > credit card number format is correct. I don't even want to try to run
the
> > card through my merchant account if the format is obviously wrong. I
> > assume that banks check the rejection rate on their merchant accounts,
and
> > too many bogus cards would not look good.
> >
> > I did a quick search on the web, and there are a vast number of
> > "hacker" credit card number generators, but that isn't exactly what
> > I'm looking for.
> >
> > Thanks
> >
There are many misconceptions about credit cards. I am certainly no
expert, but I have done some research in the area.
> The only 100% certain thing about credit card numbers is the fact that
> they are 16 numbers.
Credit card numbers vary in length based on the type of card. Some
cards do not use the same number length all the time.
For example: Visa numbers can be 13 characters or 16 characters
in length
> By law, the numbers are supposed to be
> generated at random and not generated by any kind of algorithm or
> formula. Doing otherwise would make credit card numbers "guessable"
> and therefore inherantly insecure.
Credit card numbers are inherently insecure and follow patterns.
Most cards have a standard prefix. i.e. The first letter for a
Visa number must be 4, Mastercard uses 5, etc..
With most card types, the number must validate via the Luhn formula
(See http://webopedia.internet.com/TERM/L/Luhn_formula.html)
> Most (all?) credit cards now also
> have a three digit "CCV2" number which is only printed on the back of
> the card and is supposed to be a form of digital signature. Several
> processing companies are requiring that this number be sent with online
> transactions. If you're taking credit card payments from untrusted
> sources, you would be wise to also get the CCV2.
Yep. Heck if know how/if they work with the primary card number. :)
> The only way to pre-check a credit card number is to check for a valid
> number of characters and the lack of alpha characters. i.e:
> if (strlen($CCNum) < 16 OR !ereg("[0-9]{16}",$CCNum)) {
> ... invalid CC code here ...
> }
> (or something similar, depending on your initial script)
Actually, using the Luhn formula, you can validate most credit
card numbers (and Canadian Social Insurance Numbers FTM).
I have a script that:
- validates credit card numbers
- determines the credit card type based on the number
- cleans CC numbers before processing (which allows the user to
enter spaces for readability, without buggering the validation.)
- see http://www.zend.com/codex.php?id=31&single=1
> Unless it becomes absolutely ridiculous, I don't think that your bank is
> going to complain for too many bad cards. After all, they're still making
> money off of you. If they do get upset, you ought to find a new bank.
> Seriously. Many banks would be very happy to have your business, bad
> credit card requests and all.
Validating cards does reduce the hassle for the customer though. :)
--zak
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
