My company currently accepts orders online.  During the order process,
we ask for a credit card number and the cvv2.  The card is not
authorized at this time. The number is only checked for validity
(correct number of digits, no letters and a few other calculations)
but it is a custom script that is not updated. The orders are then
authorized later in a more manual process.

Recently, we have have received customer feedback that working cards
are being rejected.  Unfortunately, our application's error reporting
does not show what the problems are.

If we are to replace this intitial verification script, whoat should
we replace it with?

Is real-time authorization viable or is speed an issue?

Do the CC Processors have solutions specific for online shopping
carts?  If so, what are they?

We have relationships with PaymentTech and Cybersource, but their
services are used offline.

I'm a business owner that needs to communicate a solution to technical
partners, so please include enough technical implimentation detail.

Thanks,

John

---

Clarification of Question by jckos-ga on 08 Mar 2005 09:05 PST

this is the javascript we are using:

function Mod10(ccno) {

	vlengthgood=0;
	ccsum=0;

	//strip everything but digits
	ccno = ccno.replace(/[^0-9]/g, '');
	cclen=ccno.length;

	if (cclen<13)
	{
		alert("Credit cards must have at least 13 digits.");
		return(false);
	}
	else
	{
		for (i=1; i<cclen; i++)
		{
			ccdig=parseInt(ccno.charAt(cclen-(i+1)));
			if (i%2==1)
			{
				ccdig*=2;
				if (ccdig.toString().length==2)
				{
					ccdig=(parseInt(ccdig.toString().charAt(0))+parseInt(ccdig.toString().charAt(1)));
				} 
			}
			ccsum+=ccdig;
		}
		ccsum+=parseInt(ccno.charAt(cclen-1));
		if (ccsum%10==0)
		{
			cc_type_id = 'UNKNOWN';

			if (ccno.match(/^4/) )
				{
				cc_type_id = 'VISA';
				if (cclen==13 || cclen==16) {vlengthgood=1;}
				 else {vlengthgood=0;}
				}

			if (ccno.match(/^50|^56|^57|^58|^6/) )
				{
				cc_type_id = 'MAESTRO';
				if (cclen>=13 || cclen<=19) {vlengthgood=1;}
				 else {vlengthgood=0;}
				}

			if (ccno.match(/^51|^52|^53|^54|^55/) )
				{
				cc_type_id = 'MASTERCARD';
				if (cclen==16) {vlengthgood=1;}
				 else {vlengthgood=0;}
				}

			if (ccno.match(/^413733|^413734|^413735|^413736|^413737|^4462|^453978|^453979|^454313|^454313|^454432|^454433|^454434|^454435|^454742|^456725|^456726|^456727|^456728|^456729|^45673|^456740|^456741|^456742|^456743|^456744|^456745|^46583|^46584|^46585|^46586|^46587|^484409|^484410|^49096|^49097|^492181|^492182|^498824/)
)
				{
				cc_type_id = 'DELTA';
				if (cclen==16) {vlengthgood=1;}
				 else {vlengthgood=0;}
				}

			if (ccno.match(/^450875|^484406|^484407|^484408|^484411|^484412|^484413|^484414|^484415|^484416|^484417|^484418|^484419|^48442|^48443|^48444|^484450|^484451|^484452|^484453|^484454|^484455|^49173|^49174|^49175|^491880/)
)
				{
				cc_type_id = 'ELECTRON';
				if (cclen==16) {vlengthgood=1;}
				 else {vlengthgood=0;}
				}

			if (ccno.match(/^405501|^405502|^405503|^405504|^405550|^405551|^405552|^405553|^405554|^415928|^424604|^424604|^427533|^4288|^443085|^4484|^4485|^4486|^4715|^4716|^4804/)
)
				{
				cc_type_id = 'VISA PURCHASING';
				if (cclen==16) {vlengthgood=1;}
				 else {vlengthgood=0;}
				}

			if (ccno.match(/^490300|^490301|^49031|^49032|^490330|^490331|^490332|^490333|^490334|^49034|^49035|^49036|^49037|^49038|^49039|^49040|^490419|^490451|^490459|^490467|^490475|^490476|^490477|^490478|^4905|^491103|^491104|^491105|^491106|^491107|^491108|^491109|^49111|^49112|^49113|^49114|^49115|^49116|^491170|^491171|^491172|^491173|^491183|^491184|^491185|^491186|^491187|^491188|^491189|^49119
|^4928|^4987/) )
				{
				cc_type_id = 'VISA ATM ONLY';
				if (cclen==16) {vlengthgood=1;}
				 else {vlengthgood=0;}
				}

			if (ccno.match(/^6011/) )
				{
				cc_type_id = 'DISCOVER';
				if (cclen==16) {vlengthgood=1;}
				 else {vlengthgood=0;}
				}

			if (ccno.match(/^63345|^63346|^63347|^63348|^63349|^6767/) )
				{
				cc_type_id = 'SOLO';
				if (cclen==16 || cclen==18 || cclen==19) {vlengthgood=1;}
				 else {vlengthgood=0;}
				}

			if (ccno.match(/^490302|^490303|^490304|^490305|^490306|^490307|^490308|^490309|^490335|^490336|^490337|^490338|^490339|^491101|^491102|^491174|^491175|^491176|^491177|^491178|^491179|^491180|^491181|^491182|^4936|^564182|^63330|^63331|^63332|^63333|^63334|^6759/)
)
				{
				cc_type_id = 'SWITCH';
				if (cclen==16 || cclen==18 || cclen==19) {vlengthgood=1;}
				 else {vlengthgood=0;}
				}

			if (ccno.match(/^34|^37/) )
				{
				cc_type_id = 'AMEX';
				if (cclen==13 || cclen==15) {vlengthgood=1;}
				 else {vlengthgood=0;}
				}

			if (ccno.match(/^3528|^3529|^353|^354|^355|^356|^357|^358/) )
				{
				cc_type_id = 'JCB';
				if (cclen==15 || cclen==16) {vlengthgood=1;}
				 else {vlengthgood=0;}
				}

			if (ccno.match(/^300|^301|^302|^303|^304|^305|^36|^380|^381|^382|^383|^384|^385|^386|^387|^388/)
)
				{
				cc_type_id = 'DINERS CLUB';
				if (cclen==14) {vlengthgood=1;}
				 else {vlengthgood=0;}
				}

			if (ccno.match(/^389/) )
				{
				cc_type_id = 'CARTE BLANCHE';
				if (cclen==14) {vlengthgood=1;}
				 else {vlengthgood=0;}
				}

			if (ccno.match(/^2014|^2149/) )
				{
				cc_type_id = 'ENROUTE';
				if (cclen==15) {vlengthgood=1;}
				 else {vlengthgood=0;}
				}

			if(cc_type_id == 'UNKNOWN')
			{
				alert('Your credit card is of no known type.');
				return(false);	
			}

			if(vlengthgood == 0)
			{
				alert('Your credit card has the wrong number of digits.');
				return(false);	
			}
			
			//alert(cc_type_id);
			return(true);
		} 
		else
		{
			alert('Your credit card appears to be invalid.');
			return(false);
		}
	}	
}

---

Clarification of Question by jckos-ga on 08 Mar 2005 10:23 PST

My initial question assumed that this home grown script was not the
best approach (especially since the developer who wrote it is no
longer with the company).

To clarify -

1. Are these kind of home grown initial checks industry standard?

2. Should this script be modified and used or thrown out?

3. If not, what other solutions exist and what are their pros and cons
(we already use paymenttech and cybersource for CC processing)?

Thanks!

On the issue of your script errors:

When you say "few other calculations", I'm assuming this is what you mean:
http://www.beachnet.com/~hstiles/cardtype.html
http://www.merriampark.com/anatomycc.htm

where a validity algorithm is calculated from the credit card numbers.

I would guess that the credit card type is not one that supports a
validity algorithm or that your script doesn't support the validity
algorithm for that card type.

What are the types of cards that are being rejected?
It would help if you post your script.

On the issue of real-time authorization:
What kind of server are you using?

Real time authorization is very fast, about 3-10 seconds, so speed is not an issue.

Ok. From looking at the script, first a checksum is calculated
starting at the line "for (i=1; i<cclen; i++)" then once the checksum
is valid, it check for the length of the credit card numbers and the
starting digits of each credit card type. If you have access to a
rejected credit card number, could you post the first 6 digits. (You
don't have to worry about any kind of theft since the first 6 digits
for some credit cards are the same).

What I'm suspecting is that the first digits are not the ones
recognized by the script. For example, Visa credit cards start with a
number 4, Visa purchasing start with a number 405501, etc. If you
don't want to post the 6 digit credit card number, you can go through
the script and try to match the first numbers. For example, say you
have a declined credit card starting with numbers 123456. Go through
the script trying to match these number. Like so:

if (ccno.match(/^4/) ), not verified, our first digit is 1, not 4
if (ccno.match(/^50|^56|^57|^58|^6/) ), not verified, our first digits
are 12, not 50 or 56, etc.

1) I believe the industry standard is real-time authorization. I have
bought a vast number of goods over the internet. Every internet site I
have purchased an item from has real-time authorization. After I enter
my credit card number and submit the order, the web site displays an
authorizing page. After the authorization goes through, I am emailed
an order number with an order invoice. I can immediately see that a
temporary withdrawal of the fee on my credit card account. After
shipment, they finalize the temporary withdrawal.

Real-time authorization would save you the time of entering in number
by hand. Also, if there is an error, you would not have to contact the
customer to obtain another number. There are certain fees associated
with real-time authorization. (for example:
http://www.bizwiz.com/merchant/authorizenet_intro.htm) There should be
a number of out-of-box solutions that you should be able to implement
easily, these would probably provided by the authorizing agent.
Perhaps a Google Researcher can do the research you require, since I
do not work for or as a Google Researcher.

Here is some preliminary information:
http://www.advantagecommunication.com/e_commerce_cc.htm 

2) You should throw out the script if it starts to reject a vast
number of credit cards. Or you could do away with the script all
together, and force the user to enter the number twice, such as with
passwords. The script just calculates that the number conforms to a
certain checksum algorithm, and does not verify funds or validity of
the credit card.

3) You do have some other options such as Paypal (www.paypal.com).
Where Paypal does all verification/authorization, and deposits the
funds in your account. Users just click on the Paypal link, they are
taken to a credit card entry form where they enter their information.
Everything is handled by Paypal. It is probably the easiest option to
implement with regards to real-time authorization.

For example:
https://www.paypal.com/en_US/pdf/bluejeanscableCaseStudy.pdf

What do I don once I'm satisfied with an answer?  I don't know how to close it out.

jckos-ga,

If the comments above are fully satisfactory as an answer, you may
want to cancel your question. Official, compensable answers can be
posted only by Google Answers Researchers, and neutron_coding-ga is
not a Google Answers Researcher. Sometimes excellent information is
offered free of charge by helpful site users.

If you cancel, your account will be charged only the fifty-cent
listing fee. To cancel your question, click the grey box in the upper
right of the screen that says "Cancel Question."