Ask HN: Advice on strictness of credit card validation

6 points by mburnett 15 years ago | 2 comments

Our business is such that we authorize credit cards ahead of time, and then do a bulk capture (actually submitting to "charge" the accounts) at the end of the day. We also allow the user to "store" there credit card on a third-party, PCI compliant provider.

Until this point, we have not been very strict on the way we verify/validate credit cards. So today I was implementing additional levels of verification and felt like things were getting a little complicated/strict.

Here are the various levels I am working with:

* Typical checks for presences and lengths of fields as well as algorithmic credit card check

* Address Verification Service (AVS) which matches first 5 contiguous street digits along with 5 digit zip code

* Require CVV code (3 or 4 digit code present only on the card itself)

* Attempt $0.01 or $0.00 authorization (and then immediate voiding of transactions)

Note: when a transaction fails to match with AVS, there is an option to "accept and hold for review". However, this seems somewhat meaningless as I would not know whether an address was "valid" or not unless it was clearly fraudulent (i.e. "123 main street" type of stuff)

Main question: When the user initially enters their payment information, should we be performing $0.01 authorizations every time? Also, for stored credit cards, should we ask again for the user to provide the CVV (since it is never part of the stored payment information)?

Just want to make sure that this level of strictness is really necessary. It doesn't feel like most sites that store my payment information require me to constantly reenter my CVV.

Any advice or "here is what we do" type of responses are appreciated.

codeslush 15 years ago |

This whole entire business is in dire need of a major disruption - it's ridiculous and takes an Einstein to even figure out the charges. That said...

1. I read a thread on here a while back (<3months) talking about address verification and why NOT to do it. You'll have to do your own search - but I'm reasonably confident that it was related to 37signals in some way.

2. CVV verification reduces your fraud levels and it is a MUST have for web transactions, IMO, but you'll need to check with your merchant account to see if it also reduces your charges per transaction. I'm thinking that the CVV verification does reduce it. Why wouldn't you need this on a recurring transaction? Presumably, the recurring transaction already has done the verification??? The way it's processed isn't really a new transaction, but a recurring. If you do a new purchase, even with same company, I think you'll be asked for CVV again. I honestly don't know, but I bet it has something to do with this. Never have done recurring transactions before, but someone here will be able to answer.

Why void the authorization? Again, this stuff is all relatively cryptic to me, but I thought the purpose of the auth was to at some point actually charge? The gas station I use always charges .01 - I see it on my account before the actual charge goes through. I'm sure they are just verifying the CC info is accurate. I don't think they void it though. Anything wrong with authorizing the entire purchase amount you expect to charge, and then just process it at the appropriate time? For sure, the auth is good for more than the "one work day" you outlined above.

Myself, I've always wondered about the authorization transaction. I thought that I got charged some fee just for doing that, then another fee to run it. I'm probably wrong on that, but I was so confused by how I got charged and what percentages that I did the absolute minimum necessary. Customer has a rewards card? Great, we charge you extra for that! Amex is the worst with charge backs. Sorry...you've brought back some bad memories! :-)

EDIT: Here, I did the search I mentioned above. http://news.ycombinator.com/item?id=1953137

JonathanWCurd 15 years ago |

Yes to CVv.

Only use AVS if your shipping.

Authorize only for 1.00 to verify card for subscription billing or authorize the card for full amount if you are batch end of day processing. The authorization holds the money for a period so you can capture it and if you never do it releases it back. It only affects a cards available credit and does not affect you or the consumer unless you capture it.