Merchant Account Services

Integrate the Authorize.Net Payment Gateway with PHP

Integrate the Authorize.Net payment gateway seamlessly into your ecommerce website

 

Author: Jim Conners


Before We Process the Transaction

At the beginning of this article we stated that we assume you know how to validate data submitted by the customer. That is still true. However, you may not know how to validate credit card specific information if you have never encountered it before. Below we provide techniques for validating the essential elements of a credit card.

Credit Card Number

Credit card numbers are never longer than 16 digits. The INPUT form field used to collect this data should have a MAXLENGTH of 16 (maxlength='16') set to prevent users from entering more digits than are allowed for any credit card issuer.

  • Visa

    Visa credit cards are always 16 digits long and start with a four (4). Users may enter this in any of the following formats:

    • XXXX-XXXX-XXXX-XXXX
    • XXXX XXXX XXXX XXXX
    • XXXXXXXXXXXXXXXX

    Here is our code to validate a Visa credit card:

    if (preg_match('/^4\d{3}[ \-]?\d{4}[ \-]?\d{4}[ \-]?\d{4}$/i', $visa_number))
    {
        // Visa number is correct
    }
    else
    {
        // Visa number is incorrect
    }

  • MasterCard

    MasterCard credit cards are always 16 digits long and start with a five (5). Users may enter this in any of the following formats:

    • XXXX-XXXX-XXXX-XXXX
    • XXXX XXXX XXXX XXXX
    • XXXXXXXXXXXXXXXX

    Here is our code to validate a MasterCard credit card:

    if (preg_match('/^5\d{3}[ \-]?\d{4}[ \-]?\d{4}[ \-]?\d{4}$/i', $mastercard_number))
    {
        // MasterCard number is correct
    }
    else
    {
        // MasterCard number is incorrect
    }

  • American Express

    American Express credit cards are always 15 digits long and start with three (3). Users may enter this in any of the following formats:

    • XXXX-XXXXXX-XXXXX
    • XXXX XXXXXX XXXXX
    • XXXXXXXXXXXXXXX

    Here is our code to validate an American Express credit card:

    if (preg_match('/^3\d{3}[ \-]?\d{6}[ \-]?\d{5}$/i', $amex_number))
    {
        // American Express number is correct
    }
    else
    {
        // American Express number is incorrect
    }

  • Discover Card

    Discover Card credit cards are always 16 digits long and start with 6011. Users may enter this in any of the following formats:

    • XXXX-XXXX-XXXX-XXXX
    • XXXX XXXX XXXX XXXX
    • XXXXXXXXXXXXXXXX

    Here is our code to validate a Discover Card credit card:

    if (preg_match('/^6011[ \-]?\d{4}[ \-]?\d{4}[ \-]?\d{4}$/i', $discover_cc_number))
    {
        // Discover Card number is correct
    }
    else
    {
        // Discover Card number is incorrect
    }

So how do we wrap this all together into something coherent that can be practically applied to a website? We will take the credit card number and look at its first digit. We will then validate it based on whether that digit is a 3, 4, 5, or 6. If it isn’t any of the four we’ll just tell the user to try again.

// Read the submitted number; fall back to an empty string if the field is missing
$cc_number = trim($_POST['cc_number'] ?? '');

// The first digit decides which format check to apply
$first_number = substr($cc_number, 0, 1);

switch ($first_number)
{
    case 3:
        if (preg_match('/^3\d{3}[ \-]?\d{6}[ \-]?\d{5}$/', $cc_number))
        {
            // American Express number is correct. Process the credit card.
        }
        else
        {
            // error
        }
        break;
    case 4:
        if (preg_match('/^4\d{3}[ \-]?\d{4}[ \-]?\d{4}[ \-]?\d{4}$/', $cc_number))
        {
            // Visa number is correct. Process the credit card.
        }
        else
        {
            // error
        }
        break;
    case 5:
        if (preg_match('/^5\d{3}[ \-]?\d{4}[ \-]?\d{4}[ \-]?\d{4}$/', $cc_number))
        {
            // MasterCard number is correct. Process the credit card.
        }
        else
        {
            // error
        }
        break;
    case 6:
        if (preg_match('/^6011[ \-]?\d{4}[ \-]?\d{4}[ \-]?\d{4}$/', $cc_number))
        {
            // Discover Card number is correct. Process the credit card.
        }
        else
        {
            // error
        }
        break;
    default:
        // error
}

Verifying that a credit card number has the correct number of digits and starts with the correct digit is a good start, but it is still fairly easy to work around. Any 16-digit number starting with a 4, 5, or 6 will pass this check. To help keep erroneous credit card numbers from being submitted, there is one more check that can be performed. All of the major credit card institutions use a checksum to validate their credit card numbers. Starting from the rightmost digit, each digit is multiplied alternately by 1 or 2. The digits of each product are added to a running total (a product of 12, for example, adds 1 and 2). If the resulting total is divisible by 10, it is a valid credit card number.

Here is the PHP code:

// The credit card number
$cc_number = "4000123498762345";

// Our starting checksum
$checksum = 0;

// Alternating value of 1 or 2
$j = 1;

// Process each digit one by one starting at the right
for ($i = strlen($cc_number) - 1; $i >= 0; $i--)
{
    // Extract the next digit and multiply by 1 or 2 on alternate digits
    $calc = substr($cc_number, $i, 1) * $j;

    // If the result is in two digits add 1 to the checksum total
    if ($calc > 9)
    {
        $checksum = $checksum + 1;
        $calc = $calc - 10;
    }

    // Add the units element to the checksum total
    $checksum += $calc;

    // Switch the value of j
    if ($j == 1)
    {
        $j = 2;
    }
    else
    {
        $j = 1;
    }
}

// If checksum is divisible by 10 the credit card number is valid
if ($checksum % 10 == 0)
{
    // It's a valid credit card number
}
else
{
    // It's not valid
}
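
The format checks and the checksum can be combined into one routine. The following is an added example, not part of the original article: it strips the spaces and dashes that the format checks allow before running the checksum, because the checksum loop expects digits only. The function names luhn_valid and validate_card are hypothetical, the sample inputs are constructed from a widely published test number, and separators are normalised rather than checked for grouping.

```php
<?php
// Added example, not the article's code; function names are hypothetical.

// Checksum over a digits-only string, as described in the article.
function luhn_valid(string $digits): bool
{
    $sum = 0;
    $double = false; // the rightmost digit is multiplied by 1
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $n = (int) $digits[$i];
        if ($double) {
            $n *= 2;
            if ($n > 9) {
                $n -= 9; // same as adding the two digits of the product
            }
        }
        $sum += $n;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// Returns the card brand, or null when the input fails any check.
function validate_card(string $input): ?string
{
    $input = trim($input);
    if (!preg_match('/^[\d \-]+$/D', $input)) {
        return null; // something other than digits, spaces and dashes
    }
    $digits = preg_replace('/[ \-]/', '', $input);
    // Prefix and length rules as the article gives them.
    $brands = [
        'American Express' => '/^3\d{14}$/D',
        'Visa'             => '/^4\d{15}$/D',
        'MasterCard'       => '/^5\d{15}$/D',
        'Discover Card'    => '/^6011\d{12}$/D',
    ];
    foreach ($brands as $brand => $pattern) {
        if (preg_match($pattern, $digits)) {
            return luhn_valid($digits) ? $brand : null;
        }
    }
    return null;
}

// Constructed sample input: a test number with dashes, then one digit changed.
foreach (['4111-1111-1111-1111', '4111-1111-1111-1112'] as $sample) {
    echo $sample, ' => ', validate_card($sample) ?? 'rejected', PHP_EOL;
}
```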

How can you tell if a credit card is legitimate?

After reading how to validate a credit card number, you may think that a credit card that passes validation is a legitimate credit card. This is not the case. Obviously a credit card number in an improper format is not legitimate. But a credit card number may be in the proper format and still be illegitimate.

So, how do you verify a credit card number is legitimate? The only way to verify the legitimacy of a credit card is to authorize a sale. This requires using the payment gateway to send a transaction to the processing bank. The best way to do this is to do an AUTH ONLY transaction. This is similar to a sale transaction but does not charge the customer. It only freezes the funds on the customer’s credit card for a short period of time (no more than 30 days), and the customer is completely unaware of it as it does not appear on their statement. This makes it ideal for verifying that their credit card is legitimate.

So, to verify a credit card is legitimate without actually charging, do an AUTH ONLY transaction for $1.00 and see if it is approved. If it is, the credit card is legitimate.
