Please talk to me about credit cards.

Davidc316

Hello,
here's the deal... so far I have struggled my way through some PHP books and I've finally put together a very basic (but functional) online catalogue with a checkout script too (for adding items and so on).

But I'm finding it very difficult to find some information about dealing with credit cards. Can I hit you with the following questions?;-

Do banks give penalty charges to any merchant who submits duff bank card details to them? (i.e., if some shopper comes to the merchant's site then types in the wrong card numbers and places an order).
I know all about the need for collecting card details on a secure server but once the user has entered card info is there any method(s) I can use to check that they've entered some valid card details??? If so, then what are the best methods?
Do I absolutely NEED to verify that the card details are correct in the first place or should I just to take my chances and let the bank worry about that after I've submitted the details to them?
Is there any way that I could integrate my shopping cart (and the trolley details) with another company which takes care of taking customer details, bank charges etc? Any recommendations?
Would you recommend that I go down the road of integrating my cart with a 3rd party program (for processing bank cards, customer details and so on) OR is it a case of, "you've gone this far, you might as well go the whole hog????"

Getting answers to any of the above questions would make the decade worth while. Thanks in advance!

Davidc316

I should have said... please assume that the shopping cart is for a real (bricks and mortar) shop which happens to have a credit card swiping/punch in machine in the building.

So, in other words, once the card details come in, the shop keeper can just punch them into his machine.

All I'm trying to do is figure out the concepts of how such a system would work.

BuzzLY

There are so many ways for you to take credit card orders... it's really not that easy to answer your questions. If you are submitting credit card info via a shopping cart, then I would look at using shopping cart applications, like Interchange or Agora. If you are looking for a credit card validator, there are many available. For a PHP solution, try here. To build one yourself, or learn how a validator works, go here.

I do recommend that you at least use the validator. That way, if someone keys in the wrong information, you can catch the error and require it again.

However, if you are looking to validate a credit card against the user's home address, that's a little more involved. I suggest you start by going here first.

Hope that gets you started!

Davidc316

Thanks. I shall check those links out as soon as I've finished typing this.

You see, something just occurred to me.

I am totally confident that I can build a secure form that collects the customer's details. So, if I already have a credit card number punching machine in the office, does that not mean that I can just punch in the details and forget about validating scripts and all that nightmare?

BuzzLY

You are thinking in terms of how easy it is to code. Try to think in terms of ease of use of the application for your customers. Imagine this:

Your customer visits your site to place an order. After keying in all the relevant information (including accidentally transposing two digits of his Visa number), a merchant (sometime later?) attempts to key it in to the punching machine. It doesn't validate. Now... do you have the means to call the customer? If so, now you have to call them back, get the right number, and key it in. A little more work, to be sure, but even more important, your customer is thinking "geez, if it was wrong, why didn't the computer tell me? I mean, it's the 21st century, and most sites do tell me if the credit card number is wrong."

Not good. In the long run, you make more work for yourself and your customers. Put in the validator, and at least you eliminate that potential problem. Now if it doesn't go through, it's for a different reason, like the card has been cancelled, or the person is using a faked card.

Davidc316

You're right!

You're absolutely right and thank you for pointing that out to me.

I've already skimmed through one of those articles you linked to and it's very good indeed. Can I just ask... does that formala for checking bank numbers work for any bank card anywhere in the world?

Davidc316

Infact, can I ask another question...

This is a really stupid question, but I'm just trying to get my head round the basic concepts-

Ok, now that you and I know what this (magical!) formula is for checking credit cards- what's to stop guys like us from going to websites and maliciously placing loads of duff orders?

Would I be right in saying that the answer to the above question is that the owner of the ecommerce website would be unable to tell if we were "genuine" or not BUT the final safeguard would be the fact that the bank could check their records and verify that the credit card details were fake?

So with that in mind, is it safe to say that even with our fancy number checking programs and so on, the best bet is for the shopkeeper to always wait for a thumbs up from the bank before posting out any goods?

BuzzLY

Depending on which code you are referring to... each card has its own method of number validation. If you are coding a process to check card numbers, you have to code each one seperately. That is why when you enter a credit card number on a website, you usually have to indicate what card you are using. MasterCard and Visa use the same scheme, so usually, one of your choices is "MC/Visa." Not because they are affiliated in any way, but because the validation checking scheme is identical for both cards.

The validator is really only there to make sure the proper number has been entered -- that the customer didn't type the wrong digits. It's complicated enough to prevent average users from faking cards, but you could certainly reverse-engineer the validator to create "valid" credit card numbers. In fact, when e-commerce first started, there were many problems with fraud.

It is NOT intended as a security measure. You should rely on the bank to tell you it's valid before sending merchandise. And do a check on the address on record with the credit card. If the user posts the correct address, then you can be relatively sure you have a valid customer card. Beyond that, it's really up to the customer to protect his/her card, and contact the bank if they lose it.

Davidc316

Well listen, I just want to thank you for your help.

Can I just ask one question before I call this thread resolved...

Based on the articles you've recommened, it seems to me that the only real loophole is if someone "steals" an identity then has the goods posted out to a different address from the billing address that is associated with the card.

So, I ask... does the (merchant's) bank check to see if the shipping address matches the billing address for the card?

BuzzLY

There are some merchants that do this, but I don't know if it's part of validation, or not. I think 1-800-flowers does it -- but I couldn't find information on their website on what they use for CC validation.

You might want to check this page for more information -- but at this point I think I have exhausted all my avenues. If you have more specific questions, I suggest contacting a credit card validation company like TSI for more info.

Good Luck!

andymoo

http://www.netpg.co.uk/