Merchant Account Services

Archive for the 'Programmers Toolbox' Category

Verifying CVV2 Numbers

Monday, July 31st, 2006

When accepting credit cards through a website, collecting the CVV2 number is essential. (If you don’t know what CVV2 is, read the blog entry “What is CVV2?”.) In the ecommerce world it is an important indicator of a transaction’s potential for fraud.

As covered in our previous blog entry, this value may be three or four digits depending on which credit card the customer is using. So how do we validate it? By checking which credit card the customer is using and then looking for the correct number of digits. We’ll find out which credit card the customer is using by looking at the first digit of the credit card number. We’ll specifically look for American Express cards, as they are the oddballs and have a four-digit CVV2 number. Visa, MasterCard, and Discover Card each have a three-digit CVV2 number.

We’ll take the first digit of the credit card number and then check to see if it is a three. (We didn’t do it here but you should first validate that you do indeed have a valid credit card number. See “Verifying Credit Cards Numbers Are Valid” and “Verifying Credit Cards Numbers Are Valid (Part 2)” for how you can do this). If it is a three, check to see if the CVV2 code is four digits long. Otherwise, check to see if the CVV2 code is three digits long.

Below is some sample code in PHP:


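// Read the submitted values (empty string if a field is missing)
$cc_number = $_POST['cc_number'] ?? '';
$cvv2 = $_POST['cc_cvv'] ?? '';

// American Express numbers start with a three
$first_number = substr($cc_number, 0, 1);
if ($first_number === '3')
{
    // The D modifier makes $ match only at the very end of the string,
    // so a value such as "1234\n" is rejected
    if (!preg_match('/^\d{4}$/D', $cvv2))
    {
        // It's an American Express card but its
        // CVV2 code is not four digits long.
    }
}
else
{
    if (!preg_match('/^\d{3}$/D', $cvv2))
    {
        // It's not three digits long.
    }
}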

Integrating the Authorize.net Payment Gateway

Friday, July 7th, 2006

The Authorize.net gateway is so popular that every major shopping cart, and minor ones, too, offers built-in support for its services. But not every ecommerce site uses an out-of-the-box solution. In these cases the developer coding the project will need to write their own code to interact with Authorize.net’s API. Typically interacting with any API is moderately difficult to do and can be above the technical capabilities of some coders.

Fortunately, the process of interacting with the API offered by Authorize.net can be greatly simplified and the learning curve shortened thanks to the great support offered by Authorize.net. Outlined below are the tools offered by Authorize.net to developers to make integrating their gateway as simple as possible.

Step 1 – Request a Test Account

Naturally it is very difficult to develop any application without having all of the necessary components available for testing. A web developer who is integrating the Authorize.net gateway into an existing merchant account can use their instance of the merchant’s gateway and turn on test mode to test their application. But if you are a web developer who is developing your own software that will need to integrate with Authorize.net gateway, like a shopping cart, or wish to get into the ecommerce development arena, you will not have an Authorize.net account to test your code on.

Fortunately the developers at Authorize.net had the foresight to understand that not every developer will have an Authorize.net account to test on and will not want to wait until they have a customer to start writing their code. (Plus having a testing environment available for developers allows more applications to be certified thus potentially growing their marketshare). For these developers Authorize.net has a system in place for allowing developers to have fully functional test accounts to test their integration code.

You can request a test account by going to http://developer.authorize.net/testaccount/ and completing their short application. It takes about one business day to receive your account credentials which is why I recommend doing this step first. While you wait you can start writing your code using what can be found on step 2…

Step 2 – Download the Implementation Guide

While you wait for your test account credentials to be provided to you by Authorize.net, you should download the documentation which explains how to communicate with their API. Their documentation is in PDF format and can be downloaded here: Advanced Integration Method Integration Guide. It offers a clear explanation of all of their API calls and should explain what you need to do to communicate successfully.

Step 3 – Sample Code

If reading boring documentation is not the best way for you to learn, Authorize.net offers yet another way to learn more about their API. You may request sample code to demonstrate how to connect successfully to their API. They offer sample code for ASP (VBScript), ASP.Net (using C# or VB.NET), Cold Fusion, Java, Perl, and PHP. The code samples work, so writing code to work with their API can be as simple as modifying their code.

Verifying Credit Cards Numbers Are Valid (Part 2)

Thursday, July 6th, 2006

As we discovered in Part 1, there is a set pattern to credit card numbers as well as special identifiers for each card type (e.g. Visa cards start with a four). Knowing this allows us to validate a credit card number before we send it to the payment gateway to be sent to the processing bank, and saves us time dealing with errors.

Unfortunately it is fairly common knowledge which credit cards start with which numbers, so validating credit cards based on their starting number and length alone is not enough to prevent bogus credit card numbers from being submitted with a transaction. So how else can a web developer verify a credit card number is valid before submitting it to the payment gateway? All of the major credit card institutions use a checksum to validate their card numbers. Starting from the right, each digit of the credit card number is multiplied alternately by 1 or 2. If a product has two digits, those digits are added together, and the results for every digit are summed. If the resulting total is divisible by 10 it is a valid credit card number.

Here is the PHP code:


// The credit card number
$cc_number = "4000123498762345";

// Our starting checksum
$checksum = 0;

// Alternating value of 1 or 2
$j = 1;

// Process each digit one by one starting at the right
for ($i = strlen($cc_number) - 1; $i >= 0; $i--)
{
    // Extract the next digit and multiply by 1 or 2 on alternate digits.
    $calc = substr($cc_number, $i, 1) * $j;

    // If the result is in two digits add 1 to the checksum total
    if ($calc > 9)
    {
        $checksum = $checksum + 1;
        $calc = $calc - 10;
    }

    // Add the units element to the checksum total
    $checksum += $calc;

    // Switch the value of j
    if ($j == 1)
    {
        $j = 2;
    }
    else
    {
        $j = 1;
    }
}

// If checksum is divisible by 10 the credit card number is valid
if ($checksum % 10 == 0)
{
    // It's a valid credit card number
}
else
{
    // It's not valid
}
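
The checksum above and the CVV2 length check from “Verifying CVV2 Numbers” combined, as an added example that is not the blog's own code: the card number is normalized and checksummed first, and only then is the CVV2 length checked against it. The function names and the 13 to 19 digit length range are assumptions; the sample inputs are this post's example number, a commonly published American Express test number, and constructed variations of both.

```php
<?php
// Added example, not the blog's code. Function names and the 13-19 digit range are assumptions.
function normalize_card_number(string $input): ?string
{
    $digits = preg_replace('/[ -]/', '', $input);   // drop spaces and dashes only
    // \A and \z anchor the whole string; a bare $ would also accept a trailing newline.
    return preg_match('/\A\d{13,19}\z/', $digits) ? $digits : null;
}

// Checksum from this post: from the right, multiply digits alternately by 1 and 2,
// add the digits of each product, and require a total divisible by 10.
function luhn_valid(string $digits): bool
{
    $sum = 0;
    for ($i = strlen($digits) - 1, $double = false; $i >= 0; $i--, $double = !$double) {
        $d = (int) $digits[$i] * ($double ? 2 : 1);
        $sum += ($d > 9) ? $d - 9 : $d;   // subtracting 9 equals adding the product's two digits
    }
    return $sum % 10 === 0;
}

// CVV2 rule from the earlier post: first digit 3 (American Express) means four digits, else three.
function cvv2_valid(string $digits, string $cvv2): bool
{
    $length = ($digits[0] === '3') ? 4 : 3;
    return preg_match('/\A\d{' . $length . '}\z/', $cvv2) === 1;
}

// Validate the number first; the CVV2 length is only meaningful for a well-formed number.
function check_card_fields(string $cc_number, string $cvv2): array
{
    $digits = normalize_card_number($cc_number);
    if ($digits === null || !luhn_valid($digits)) {
        return ['card number'];
    }
    return cvv2_valid($digits, $cvv2) ? [] : ['cvv2'];
}

// Sample inputs: the post's number, a published Amex test number, and constructed variations.
$samples = [
    ['4000 1234 9876 2345', '123'],    // the post's number, typed with spaces
    ['378282246310005', '1234'],       // American Express, four-digit CVV2
    ['378282246310005', '123'],        // American Express, three-digit CVV2
    ['4000123498762346', '123'],       // last digit altered
    ['4000123498762345', "123\n"],     // CVV2 with a trailing newline
];
foreach ($samples as [$number, $cvv]) {
    $errors = check_card_fields($number, $cvv);
    echo str_pad($number, 20), ' => ', $errors ? 'invalid: ' . implode(',', $errors) : 'ok', PHP_EOL;
}
```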

Verifying a Credit Card is Legitimate

Wednesday, July 5th, 2006

After blogging about verifying credit card numbers it became apparent that some web developers may think that if a credit card passes validation it is a legitimate credit card. This is not the case. The validation presented in that blog entry, as well as in tomorrow’s entry, only verifies that a credit card number is in a proper format. Obviously a credit card in an improper format is not legitimate. But a credit card number may be in proper format and still be illegitimate.

So, how do you verify a credit card number is legitimate? The only way to verify the legitimacy of a credit card is to authorize a sale. This requires using the payment gateway to send a transaction to the processing bank. The best way to do this is to do an AUTH ONLY transaction. This is similar to a sale transaction but does not charge the customer. It only freezes the funds on the customer’s credit card for a short period of time (no more than 30 days) and they are completely unaware of it as it does not appear on their statement. This makes it ideal for verifying their credit card is legitimate.

So, to verify a credit card is legitimate without actually charging, do an AUTH ONLY transaction for $1.00 and see if it is approved. If it is, the credit card is legitimate.

Getting a House Number for AVS

Tuesday, July 4th, 2006

Performing address verification (AVS) is a must for any non-retail business, especially Internet-based merchants. Popular gateways like Authorize.net make performing AVS easy. You only need to send over the customer’s zip code and full street address to perform AVS successfully. However, other less popular and less advanced gateways like the LinkPoint API require you to provide the house number of a customer’s street address (e.g. if the street address is 123 Main Street, the house number is 123).

AVS works by validating the house number provided by the customer against the house number of the billing address the card issuing bank has on file. However, the house number is not necessarily in the typical format demonstrated above. A PO Box or Rural Route will not have the house number first in the street address.

So how do you get this number from the street address if the number may appear anywhere in the street address? With regular expressions of course! The solution is pretty simple, although an explanation of how the regular expression works will not be provided (but I will tell you it does provide you with the first set of digits it finds in the street address). The regular expression used will work in any language that supports Perl Compatible Regular Expressions (PCRE). The code is written in PHP.


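// The street address provided by the customer
$address = "123 Main Street";

// The regular expression that gets the first set of digits in the address.
// preg_match leaves $number empty when the address has no digits at all,
// instead of handing back the whole address unchanged.
$number = preg_match('/\d+/', $address, $matches) ? $matches[0] : '';

// Echo out the house number
echo $number;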