credit card fraud! shipping address is similar to billing!?!?!?


rayslab

3:35 am on Aug 11, 2003 (gmt 0)

10+ Year Member



credit card fraud! shipping address is similar to billing!?!?!? is that true?
i have a software shop, and processed the order where AVS code was 000 - exact match. but a chargeback came, tried to figure it out and found that some banks allow card holders to change their billing address online! hackers change the billing address and start shopping! does anybody know how to prevent it?

thanks

waitman

8:39 am on Aug 11, 2003 (gmt 0)

10+ Year Member



Holy Cow!

This is truly a serious issue to contend with.

I believe that the Verified by Visa and MasterCard SecureCode aim to combat that, however it is still a bit green to run live I think.

A good thing to do, if you don't do it already, is to make certain not to process cards with invalid or unavailable CVV2/Cid numbers. One thing you can do to attempt to avoid the approx. half-dollar per transaction authorization fees on failed cards (pure skimming imho), is to check the card type and make sure that American Express cardholders present a four digit security code that is not the first four or last four digits of the card. Make sure Visa, MasterCard and Discover cardholders provide three digit CVV2/CID numbers that are not the first three or last three digits of the card.

Be certain to tell your customers that the American Express Card has a four digit security code on the front of the card, to the upper right of the credit card number. Visa, Discover, and MasterCard have a three digit security code on the back side of the card, in the signature area. The security code follows the credit card number. Some cards display the entire credit card number, however sometimes they only print the last four digits of the card number before the security code.

You should be able to do it in the same script that verifies the mod10 checksum of the card number. Make certain not to store the CVV2 or Credit Card Number data in any database.

Best Regards,

Waitman Gobble

[edited by: TallTroll at 9:36 am (utc) on Aug. 11, 2003]
[edit reason] no sigs please [/edit]
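The pre-authorization screening described in the post above, as an added example that is not part of the original thread. It only rejects entries that are obviously wrong before an authorization is paid for; whether the security code is actually correct can only be answered by the gateway or issuer. The brand prefix patterns and reason strings are simplified assumptions.

```python
import re

# Security code length per brand, as the post describes: four digits for
# American Express, three for Visa, MasterCard and Discover.
# The prefix patterns are simplified assumptions for this example.
BRANDS = [
    ("amex", re.compile(r"3[47][0-9]{13}"), 4),
    ("visa", re.compile(r"4[0-9]{15}"), 3),
    ("mastercard", re.compile(r"5[1-5][0-9]{14}"), 3),
    ("discover", re.compile(r"6011[0-9]{12}"), 3),
]

def luhn_ok(pan):
    """Mod 10 checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def precheck(pan_input, code_input):
    """Return reasons to refuse an entry before paying for an authorization.

    Nothing is logged or stored here; the card number and security code
    are only held in local variables for the duration of the call.
    """
    pan = re.sub(r"[ -]", "", pan_input)
    code = code_input.strip()
    brand = next((b for b in BRANDS if b[1].fullmatch(pan)), None)
    if brand is None:
        return ["unrecognized card number format"]
    reasons = []
    if not luhn_ok(pan):
        reasons.append("card number fails mod 10 checksum")
    name, _, length = brand
    if not re.fullmatch(r"[0-9]{%d}" % length, code):
        reasons.append("%s security code must be %d digits" % (name, length))
    elif code in (pan[:length], pan[-length:]):
        reasons.append("security code repeats card number digits")
    return reasons
```
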

Visit Thailand

8:51 am on Aug 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Waitman I am not sure if anyone has told you yet but advertising as you are with your signature is I believe against WW's TOS.

Just a heads up.

waitman

9:17 am on Aug 11, 2003 (gmt 0)

10+ Year Member



Hello,

Thank you. I have reviewed the TOS and do not feel that I am in violation.

I have always included accurate contact information in my posts in case someone has a question about something I said, or in case they find a need to correct me or notify me of a misleading error.

I had no intention of advertising, and hopefully you do not find it blatant.

Nonetheless, I will respectfully remove such from these posts if instructed to do so by the site moderators.

Thank you,

Waitman

chuladi

8:11 pm on Aug 11, 2003 (gmt 0)

10+ Year Member




You should be able to do it in the same script that verifies the mod10 checksum of the card number.

You can't verify the CVV/CID using an algorithm. The only way to verify that number is to use a real time gateway that processes CVV/CID, or call the issuing bank's security department and verify it. American Express doesn't seem to verify CID electronically, so you would have to call to do so.

martinibuster

9:07 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I have always included accurate contact information in my posts in case someone has a question about something I said, or in case they find a need to correct me or notify me of a misleading error.

Very nice, but not necessary at WW. We have a "Sticky" system here. If someone doesn't correct you in the thread about something you said (which is the usual way we conduct discussions here), someone can also contact you via sticky.

Pretty cool.
;)

roitracker

9:31 pm on Aug 11, 2003 (gmt 0)

10+ Year Member



AVS code was 000 - exact match

Zeros usually mean "not supported".
Exact match would be 222.

some banks allow card holders change their billing address online

Sounds worrying, but I would imagine that if the banks don't confirm the change (via snail mail, etc), they will eventually end up being blacklisted by the major payment processors.

waitman

9:39 pm on Aug 11, 2003 (gmt 0)

10+ Year Member



i know you can't verify a cid/cvv2 with a script.

but you can check to see if it is the last or first four digits of the card number.

i have seen quite a bit of people enter this for cvv2.

if you send the cvv2 in the auth request, and it is incorrect, you gotta pay for the auth request even though it failed.

chuladi

10:12 pm on Aug 11, 2003 (gmt 0)

10+ Year Member



i know you can't verify a cid/cvv2 with a script.

but you can check to see if it is the last or first four digits of the card number.

i have seen quite a bit of people enter this for cvv2.

if you send the cvv2 in the auth request, and it is incorrect, you gotta pay for the auth request even though it failed.

Ah, I see what you are saying.

I don't get the part about paying for auth request even though CVV failed. You do know that you will get a valid authorization code (approval) even when the CVV is bad. It's up to the merchant to decline those orders or configure their gateway (if they are using real time processing) to reject charges where CVV does not match.

Zeros usually mean "not supported".
Exact match would be 222.

Every payment processor/gateway does not use the same response codes for the same responses.

But also, AVS only verifies the numeric portion of addresses. I don't think most merchants realize this. It does not verify street name, city or state. Just numeric portion of the address and the zip code. So you could have 11 Main street Anycity, OH 55000 and 11 Broad Street AnotherCity OH 55000 and you'd get AVS match. Some thieves count on the zip code being corrected during shipping (which it usually is).

waitman

10:27 pm on Aug 11, 2003 (gmt 0)

10+ Year Member



perhaps my payment processor is set up a little differently.

when a card is presented with an incorrect cvv2 number, the thing gets rejected. if i take the cvv2 off completely, the charge may get approved but it ends up in a "manual approve" process.

i know for a fact that i am charged quite a bit each auth request, failed or successful. you will see something on your statement like 356 authorization fees, and only 250 transactions, etc.

i just noticed on my last statement that i was being charged 50 cents for every transaction that did not include the cvv2 number. this was new for me, so i called about it.

all i can say is get ready for some big changes in the credit card processing game, if you haven't noticed any yet.

rayslab

11:15 pm on Aug 11, 2003 (gmt 0)

10+ Year Member



chuladi, can you name processors which support FULL address check? neither first digits+zip, i'm wondering if big players like ecost.com have such a check, and how much it could cost me?

Thanks

chuladi

12:15 am on Aug 12, 2003 (gmt 0)

10+ Year Member



i just noticed on my last statement that i was being charged 50 cents for every transaction that did not include the cvv2 number. this was new for me, so i called about it.

Are you in the US? Discover has instituted a 0.50 cent fee for authorization requests that do not include CVV, but to my knowledge, it's not mandatory for internet merchants until later this year. Are these fees you are being charged from the issuers themselves (MC, Visa, Am Ex or Discover) or is your processor charging these fees, because I can tell you that as a 100% internet merchant, I'm not being charged the fifty cents.

i know for a fact that i am charged quite a bit each auth request, failed or successful. you will see something on your statement like 356 authorization fees, and only 250 transactions, etc.

My processor does not charge a fee for authorization requests. My gateway (Authorize.net) does charge per transaction.

chuladi, can you name processors which supports FULL address check?

I don't know of any that do. It's not the processor, per se, it's the issuing bank that maintains the database. The processor just basically says, is this information correct? There is not any forced standardization of addresses. So how would you handle it? The system would have to use some type of fuzzy logic. For example, what if I live on Redwood Street? Is it Red Wood St., Red Wood Street, Red Wood Drive, Redwood Dr? There are so many different ways you can actually present an address and the mail actually gets there. This is one of the reasons I suspect that there are no word matches with electronic verification. They won't give you the cardholder's address, only a yes or no to the information you provide. So how would you indicate all the different variants of an address? Part of the reason (at least I think) that they don't verify cardholder name with an authorization request. You could have all the wrong information and still get an AVS match. Not that it's common, but a crook knows how to work the system.
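A merchant-side check built on the two points made in this thread, as an added example that is not part of the original posts: AVS as described here compares only the street number and ZIP code, and street names come in many spellings. It flags orders whose shipping address would look the same to AVS as the billing address while naming a different street or city. The dict field names, the suffix table and the result labels are assumptions of this example.

```python
import re

# Suffix abbreviations folded to one spelling (small assumed table).
SUFFIXES = {"st": "street", "dr": "drive", "ave": "avenue", "rd": "road"}

def avs_key(addr):
    """What AVS compares according to the thread: the numeric part of the
    street address and the ZIP code. Street name and city are ignored."""
    number = re.match(r"\s*([0-9]+)", addr["street"])
    return (number.group(1) if number else "", addr["zip"].strip()[:5])

def street_name(street):
    """Normalize a street name so spelling variants compare equal:
    lowercase, drop digits and punctuation, expand suffixes, join words."""
    words = re.sub(r"[^a-z ]", "", street.lower()).split()
    return "".join(SUFFIXES.get(w, w) for w in words)

def review_order(billing, shipping):
    """Classify a billing/shipping pair (dicts with street, city, zip)."""
    if avs_key(billing) != avs_key(shipping):
        return "different-address"
    same_street = street_name(billing["street"]) == street_name(shipping["street"])
    same_city = billing["city"].strip().lower() == shipping["city"].strip().lower()
    if same_street and same_city:
        return "same-address"
    # Same house number and ZIP, different street or city: an AVS match
    # says nothing about this difference, so hold the order for review.
    return "avs-lookalike"

# Constructed sample data, using the addresses quoted in the thread.
MAIN = {"street": "11 Main street", "city": "Anycity", "zip": "55000"}
BROAD = {"street": "11 Broad Street", "city": "AnotherCity", "zip": "55000"}
REDWOOD_A = {"street": "12 Red Wood St.", "city": "Anycity", "zip": "55000"}
REDWOOD_B = {"street": "12 Redwood Street", "city": "anycity", "zip": "55000"}

if __name__ == "__main__":
    print(review_order(MAIN, BROAD))           # avs-lookalike
    print(review_order(REDWOOD_A, REDWOOD_B))  # same-address
```
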

waitman

1:11 am on Aug 12, 2003 (gmt 0)

10+ Year Member



i think you might be correct, that discover charged the 50 cents. i just noticed it for the first time on my statement, so i would imagine that the "later this year" is here now.

i don't know about paying / not paying auth fees with other accounts. when i checked out my merchant bank they had competitive rates across the board. plus i knew the guy that sold it to me.

regarding the avs question the other guy had, i am hunting down a site that provides such a thing. it is primarily for mass mail marketing, you buy the addresses in bulks of 5,000 but it is very inexpensive ($50 for 5,000 addresses).

you can easily write a script to poll their server. you send it an address and it either gives you back the proper and preferred US POSTAL address format, or tells you that the address is invalid.

i think there are some international ones but they are quite pricey.

when i find the info i will post it.

take care,

waitman

1:46 am on Aug 12, 2003 (gmt 0)

10+ Year Member



ok, the one i was thinking about is $50 for 1,000 and $130 for 5,000 but returns latitude/longitude info as well as corrected address. (not too useful for shipping but what the hey)

[geocode.com...]

the one that is $50 for 5,000 is

[name-searching.com...]

but i haven't used it before, can't vouch for it. (it does seem too cheap to offer the service for international addresses from what i have seen other companies charging).

the geocode will do the job for us based addresses.

take care,

Night_Hawk

6:56 am on Aug 28, 2003 (gmt 0)

10+ Year Member



I just stumbled on this page, try it
[gamutphonecards.com...]