How is the validity of credit card tested in online payment systems?

I tried entering fake credit card information in the registration system of an online newspaper to be able to read an article. The first few tries were not accepted. Then I found another website which generates fake credit card information. Using the information from this particular website worked.

I am pretty sure the credit card number is not charged because the first one month of the subscription was free.

Now, my question is, how did my last try succeed although the first two tries got rejected by the system? I thought the system checks whether all the entered information is valid, i.e. first name, last name, security number on the back of the credit card, expiration date and the credit card number all have to be valid and match together.
How is the validation/verification test done by the system? Do all systems do it in the same way or do they differ?

The system checks to see whether the card number has the right “check figures”.

An American Express number is always 15 digits, the first two digits are always “37”, the third-to-last digit is always a zero, and the second-to-last digit is zero or an odd number.

A Discover number is always 16 digits, and the first four digits are always “6011”.

A Visa is always 16 digits, and the first digit is always “4”. There are one or two other check digits in there somewhere, but I don’t remember what they are.

A MasterCard is always 16 digits, and the first digit is always “5”. I don’t remember what the other check digits are.

That’s mostly it, there’s at least one other (new) first digit. MC started using “2” for the first digit on some class of cards. I’ve never seen one, but the penalty for not updating your equipment to accept it was absurdly high, like “would put you out of business” high (though I think some gov agency would step in if they charged anyone).

I don’t recall if there’s any checksums in the number.

As for the fake number, the site either a) gave you a real (stolen) number, b) gave you one that fit all the criteria, so a website that didn’t actually process it wouldn’t kick it out, or c) knows some of the numbers that web devs use in their sandbox. I know on my site I have a handful of fake numbers that will let me continue on to the next page. My terminals have a few as well. They’re all pretty clearly fake though. Many of them are 8-12 repeating digits.

I just looked it up, the fines for not accepting the new numbers, that begin with a 2 are: $2500 each time someone swipes one and it declines in the first 30 days. The next 60 days, they fine you $10,000 each time, after that it’s $20,000 each time one doesn’t go through.

When I got the letter I called them up, had them verify that my machines were good (and they were) and mentioned how surprised I was that they didn’t give the merchants some easy way to figure this out on their own. Either tell us what software version the machine should have and/or give us a test number to try it out with.

Google LUHN checksum. It’s in all credit card numbers.

Many years ago, we used to be able to simulate a Visa with 4444-3333-2222-1111. My company’s software doesn’t accept that one anymore, though.

I’m sure it’s different for everyone. I know when I have to call about my machine, they have a few numbers to use for testing, and the shopping cart on my site has a few numbers to use, really for no other reason than so that you can progress through the purchasing process.

These check digits and checksums that people are talking about are built into the structure of the card number itself. They only tell you that this card number is the valid format and could be a valid card number. They do NOT tell you that it actually is a valid, working credit account.

Most online systems do much more than that now.
The major credit card processors have online systems that merchants or websites can connect to, and which verify that it is a valid credit account, that it is in a working (paid up) status, and that the amount being charged is within the credit limit for that account. Quite a thorough check.

They also do checks based on your location and your spending habits. Go on an overseas trip and use your card in a foreign country without having notified the card company beforehand, and you might well receive a call from the card company asking for verification.

And merchants use this, because if they verify accounts this way, they get some protections from the credit company from chargebacks.

This is usually the correct answer these days. Companies might use the checksum for client-side verification (i.e. “Did you enter your card number right?”) but if that passes, they’ll usually do a second “authorization” step where they pre-authorize a hold by electronically contacting your credit card issuer and making sure you have the funds available.

If the bank authorizes it, you can finish checkout. Then the hold will change into your final purchase amount in a moment or two. Otherwise it’ll fall off your account in a couple days, if you don’t finish checkout. If the bank denies it (because your credit is maxed or they suspect fraud or you got the ZIP or CVC wrong or something), you normally won’t be able to finish checkout. But of course some payment processors might not be that careful, especially for low-value swipes. Or maybe you got lucky with the random credit card number generator and actually charged someone else’s card… don’t do that! It could be fraud.

I have several merchant accounts and have never heard of this, they aren’t doing a good job of informing people.

I can’t imagine Mastercard will collect many $20,000 fees, I’d just quit accepting Mastercard before I’d pay that.

If they actually validate your credit card - many sites require the postal code or zip code. When using my credit card in the States, some gas pumps (and Redbox) ask for the zip code. For a Canadian card, entering 00000 works. (Although I did run across a gas station, of all places near the Orlando airport, that claimed it could not accept out-of-country credit cards.)

Also a side note - for cards that verify and require the security code - I read once that it is strictly forbidden for merchants to store that security code anywhere on the system - thus making a stolen number scraped from a database less useful. They can only take the security code and pass it on immediately for the transaction at hand.

In theory yeah, but I’ve seen small businesses just write it down in a separate field or on paper.

The proper way to do it for PCI compliance is to send it to a third-party payment processor that stores all credit card information for you. Online, this means that the credit card fields on many websites is actually an iframe that sends your CC info to the payment processor directly. The company you’re doing business with never even sees your card number, much less security code.

Required not to retain the verification code after the transaction has been completed. Not required to be “immediate”.

There is probably some requirement for timely submission of authorization and completion, but I’ve never had to consider that, because in practice merchants don’t want to hand over the service without authorization, and always want the money as soon as possible.

The type of validation described in the OP is to catch data entry errors, not fraud. The Luhn algorithm is good to detect a wrong digit, or twiddled digits, probably the two most common data entry errors.
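Added example, not from any post in this thread: a Python implementation of the Luhn checksum that the replies above refer to, plus the check-digit computation that a “fake card number generator” of the kind mentioned earlier needs in order to produce numbers that pass this format check. The 4444-3333-2222-1111 test number quoted above is used as the sample input; the other numbers are constructed variants of it and of a made-up payload, not real accounts.

```python
# Luhn (mod 10) checksum: the format-level check that catches data-entry
# errors. Passing it only means a string COULD be a card number; whether
# it is a live, funded account is decided by the issuer's authorization,
# which this code does not (and cannot) do.


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum, scanning right to left.

    Every second digit from the right is doubled; a doubled value above 9
    has 9 subtracted (same as adding its two digits together).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def normalize(number: str) -> str:
    """Drop the spaces and dashes people type; reject anything non-numeric."""
    cleaned = number.replace(" ", "").replace("-", "")
    if not cleaned.isdigit():
        raise ValueError(f"not a digit string: {number!r}")
    return cleaned


def luhn_valid(number: str) -> bool:
    """True if the number, including its trailing check digit, passes Luhn."""
    digits = normalize(number)
    return len(digits) >= 2 and luhn_sum(digits) % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Digit that, appended to payload, makes luhn_valid() return True.

    Appending a digit shifts every payload digit one place to the left,
    so weight the payload as if a '0' check digit were already there.
    """
    digits = normalize(payload)
    return str((10 - luhn_sum(digits + "0") % 10) % 10)


def swap_adjacent(digits: str, i: int) -> str:
    """Return digits with positions i and i+1 exchanged (a transposition typo)."""
    d = list(digits)
    d[i], d[i + 1] = d[i + 1], d[i]
    return "".join(d)


if __name__ == "__main__":
    # Test number quoted in the thread; constructed typos of it below.
    good = "4444-3333-2222-1111"
    digits = normalize(good)
    print(good, "->", luhn_valid(good))                      # True
    print("one digit wrong:", luhn_valid(digits[:-1] + "2")) # False
    print("two digits swapped:", luhn_valid(swap_adjacent(digits, 3)))  # False

    # How a generator site makes numbers that pass the format check:
    # choose any payload, then append the computed check digit.
    payload = "400000000000090"  # constructed, not a real account
    made = payload + luhn_check_digit(payload)
    print("generated:", made, luhn_valid(made))              # True

    # The one adjacent transposition Luhn cannot see: 09 <-> 90.
    print("09/90 swap still passes:", luhn_valid(swap_adjacent(made, 12)))  # True
```

Luhn detects every single-digit substitution and every swap of two adjacent digits except 09 ↔ 90 (because 0 and 9 contribute the same amount whether or not they sit in a doubled position), which is why it is a good fit for typos and useless against fraud: anyone can append the right check digit to any payload, as the generator above shows.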

This was true when I was managing the online payment systems for a large web-based merchant. We stored credit card numbers and expiration dates for recurring charges but were prohibited from storing the security codes (which were a very new thing at the time). However, there were no enforcement mechanisms in place, and I suspect there are companies that violate this, or do not properly encrypt the data they do store.