How can I verify a phone number against a known address? - authentication

PayPal offers an identity verification feature where a cell phone is checked against a given billing address.
I would like to have a similar verification system in my website. What do I need to do to get this type of validation in place?

Cell phone numbers aren't intrinsically linked to mailing addresses; the association is stored by the company that does the billing.
So if you want to verify the phone against the cell provider's billing address, then you would have to get that information from the cell provider. If you want to verify it against the billing address of the credit card the phone company uses, then you'd have to ask the credit card company (once you have the card number from the phone company).
As a rule, companies don't make address information available for you to query. The exception is credit card companies, which will do address verification as an anti-fraud measure. This verification happens through your merchant account through which you process card transactions, and may be subject to certain conditions worth paying attention to.

Related

Ways of verifying someone's identity on a website?

We're running a directory website where users can claim listings we have pre-populated.
As we want each listing to have its rightful owner, we are trying to figure out how we can verify that the person who claimed a certain business or location is actually a person of authority of that business.
Not all businesses have websites so we could authenticate by sending an email matching the business domain; phone number verification is also not an option, as owning a phone number doesn't prove anything, I think.
We would love to have this process somehow automated, but we have no experience or ideas how to make this work.
Any suggestions are welcome!
The users need to register with you. They send you enough information to verify that they are who they say they are, e.g., passport, driver's licence, credit card statements, electricity bills with address, etc. You can then verify that this information is correct. In particular, their physical address must be verified.
You then mail a letter with a code that you choose to their physical address. When they have received it, send a link to their email address. The link is to a page where they must enter the code you mailed to them. They can then register with a userid and password of their choice. This only needs to be done once. After that, they can identify themselves with the userid and password they chose.
This technique relies on the fact that you can verify someone's physical address. Anyone can call you and claim to be someone else but the credit card company and the electricity company know their customer's correct address. It is possible to use someone else's credit card number and provide a different address but the credit card company will be able to tell you if the physical address they gave you is wrong.
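
A sketch of the mailed-code step from the answer above, added here as an example and not part of the original answer. The function names, the in-memory `store` dict, the 30-day lifetime and the five-attempt limit are all assumptions chosen for illustration.

```python
import hashlib, hmac, secrets, time

# Hypothetical parameters (assumptions, not from the original answer).
CODE_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # omits 0/O and 1/I/L to avoid misreads
CODE_LENGTH = 10
CODE_TTL_SECONDS = 30 * 24 * 3600   # letters can take weeks to arrive
MAX_ATTEMPTS = 5                    # bound online guessing per claim

def normalize(code):
    """Accept the code however the user retypes it from the letter."""
    return "".join(code.split()).replace("-", "").upper()

def _digest(server_key, claim_id, code):
    # Keyed hash bound to the claim: a leaked table reveals no codes,
    # and a code issued for one listing cannot be replayed on another.
    msg = f"{claim_id}:{normalize(code)}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).digest()

def issue_code(store, claim_id, server_key, now=None):
    """Return the code to print in the letter; only its digest is stored."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
    store[claim_id] = {"digest": _digest(server_key, claim_id, code),
                       "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code

def verify_code(store, claim_id, submitted, server_key, now=None):
    """Check the code entered on the page reached from the emailed link."""
    now = time.time() if now is None else now
    rec = store.get(claim_id)
    if rec is None:
        return "unknown"
    if now > rec["expires"]:
        del store[claim_id]
        return "expired"
    if rec["attempts"] >= MAX_ATTEMPTS:
        return "locked"          # requires a new letter, not more guesses
    rec["attempts"] += 1
    expected = _digest(server_key, claim_id, submitted)
    if hmac.compare_digest(rec["digest"], expected):
        del store[claim_id]      # single use: "this only needs to be done once"
        return "verified"
    return "wrong"
```

In a real deployment `store` would be a database table and `server_key` a secret kept outside that database.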

Multiple Credit Cards that are Shared

I'm having a data issue I'm not sure how to handle.
Scenario: A company has a shared credit card. Which means, it is one account, but two people have access to the account, each person with his own credit card with his name on it. Let's call these people Charles and David, and assume they have a Chase account.
When I add this Chase login to Yodlee, it pulls the account THREE times, as:
"Chase - Credit Card - CREDIT CARD"
"Chase - Credit Card - DAVID"
"Chase - Credit Card - CHARLES"
It does this even though they are the same account. (I guess when you log in to Chase it shows up multiple times.)
All three are coming in with different ID numbers. So there is no way for me to know they are all the same account. My code thinks they are three different accounts, because they have different names and ID numbers.
As a result the account gets stored in my app three times, and the transactions three times.
What do you recommend?
Here are some suggestions:
The first thing is to look for a particular site, i.e., whether Yodlee supports the Business Card site for that particular institution. Sometimes these bank websites have a different login URL, which can be accessed either with different credentials or with the same ones, and which will show you only 1 actual credit card account instead of 3.
In case the Business site is either not available or not supported by Yodlee (though you can request Yodlee to support the site and it could be prioritized based on the business use case), you could call the deactivateItemAccount API. This will deactivate a particular itemAccount, and you can call it for those duplicate accounts.

Programmatically sending money (from a business) via Paypal with just a users email address

We're trying to set up an incentive program in our workplace; we want to set up a self-service incentive program where each user gets "points" for completing various tasks and then, after a certain threshold, can convert those points into money. But we just want to use email addresses/phone numbers as the method to pay them, just like the inbuilt PayPal send money feature.
Is this possible to do via one of their APIs? I've looked through their APIs and I can only see receiving money, not sending money...
I would have liked to use Square Cash but that is not available in my country (we're not strictly tied to PayPal if there is an alternative service that will accomplish the goal)
If you have a US Business PayPal account you can use MassPay to send payments from your account by specifying the email address.
https://developer.paypal.com/webapps/developer/docs/classic/products/mass-pay/
The other option is to use Adaptive Payments to send Implicit Payments from your account to another user. You can specify email address, and if you want to pay the fees for the transaction you can specify that in the call.
https://developer.paypal.com/webapps/developer/docs/classic/adaptive-payments/gs_AdaptivePayments/

Why credit card payment pages ask for expiration date?

I can understand why credit cards have an expiration date (reasons such as limiting fraud, the issuer being able to substitute the physical cards, and so on).
However, why do all websites accepting payments ask the user to enter the expiration date?
Can the user enter a future date despite what is written in the card?
Shouldn't the payment gateway already know the expiration date given the card number?
Checking the expiration date of the card is part of the process of verifying that the user is in possession of the card. Essentially, the month/year of the card's expiration become four "verification digits" in the card's number that one shouldn't be able to guess without seeing the card itself. One could think of it as a four-digit "password" assigned to the owner by the credit card company.
The expiration date was part of the verification scheme before e-commerce came along, when credit cards were used for placing phone orders. Once this level of protection was deemed insufficient, credit cards added a CCV number to tighten the verification process even further.

Do I have to create an Account, Merchant Account, or just a customer to Credit a Balanced Bank Account?

Balanced payments documentation is unclear about debits and credits. You have merchants, customers and accounts. It now says accounts are deprecated and to use customer. Can someone shed light on any corrections I have in my workflow:
Form with CC fields tokenizes card.
Create customer for buyer and add card.
Debit buyer's card.
Create another Customer object.
Add a bank account to the second Customer object.
Credit second Customer object.
Do I need the merchant fields on the second customer object (dob, postal code, etc)?
Do I need to do underwriting on the second Customer object?
Your workflow is correct.
The Customer resource abstracts away from you the pain the Account resource had when dealing with underwriting a merchant. Underwriting is required as part of the KYC (Know Your Customer) operation requirements Balanced needs to follow. Each Customer has an attribute named is_identity_verified where you can know if the Customer's identity was verified. Ideally you want to make sure the identity is verified for each Customer to which you will be crediting. While you can still perform credits (I believe up to a certain limit) to Customers whose identity is not verified, you run the risk of increased fraud and there may eventually be consequences to your marketplace.
Also, feel free to stop by #balanced on IRC. You'll probably get much faster answers to your questions there directly from developers.