by fweespeech 3257 days ago
> What is the proper way to validate credit cards? A) If you are asking that question, you really should use something like https://stripe.com/radar

But assuming you don't want to:

1) Validate against the standard checksum formulas (this catches legit typos)

1b) https://en.wikipedia.org/wiki/Luhn_algorithm

1c) Regardless of what happens next, send an order confirmation and play dead.

1d) If it fails any of the following steps, send a politely worded "issue with the order" e-mail asking them to contact you (after 24 hours). Use a reason that sounds generic rather than credit card specific.

2) Check GeoIP and compare it against the potential geographic space. (This catches VPNs, etc. For instance, shipping to a US freight forwarder from a Russian IP is highly likely to be fraud. The customer can call/e-mail you if they get caught by this.)

2b) Services like https://www.maxmind.com/en/minfraud-services qualify for this.

3) Check address locations against known US freight forwarders / PO boxes / UPS Stores / etc. Force additional customer verification, like for IP addresses.

4) To validate repeat card usage, fingerprint cards that were successfully charged and you didn't receive a chargeback after the window closes:

https://security.stackexchange.com/questions/63248/hashing-a...

You can use Stripe/Braintree tokens or your own implementation.

5) If it fails step 4:

5a) Run whatever business heuristics/signals that might be true for your customer base. Too specific to get into really.

5b) Actually charge the card and see what happens. If it's declined by the credit card company, send the generic contact e-mail.