Why do credit card payment pages ask for the expiration date? - e-commerce

I can understand why credit cards have an expiration date (reasons such as limiting fraud, the issuer being able to substitute the physical cards, and so on).
However, why do all websites accepting payments ask the user to enter the expiration date?
Can the user enter a future date despite what is written in the card?
Shouldn't the payment gateway already know the expiration date given the card number?

Checking the expiration date of the card is part of the process of verifying that the user is in possession of the card. Essentially, the month/year of the card's expiration become four "verification digits" in the card's number that one shouldn't be able to guess without seeing the card itself. One could think of it as a four-digit "password" assigned to the owner by the credit card company.
The expiration date has been part of the verification scheme since before e-commerce came along, when credit cards were used for placing phone orders. Once this level of protection was deemed insufficient, credit cards added a CCV number to tighten the verification process even further.


Credit card tokenization: how to avoid two-factor authentication?

(Not sure if this is the right place to ask. Please point out other forums if that's not the case).
I'm based in Europe, and I've set up an invoicing system for a client of ours which uses a tokenization system provided by his bank, as part of the bank's secure payment services. (In other words, this is not any of the big american services like Paypal, Braintree, Stripe...).
The problem is that, in order to input a credit card into the system, this
bank needs to charge an initial amount of 0.01 € to it... and when it does that, the credit card owner gets a text message code to approve that charge, without which the card number cannot be introduced. This is not practical for my client, for a variety of reasons. We have asked the bank, and they say that this is all dependent on the card issuing bank, and they can't do anything about it.
My question is...: what do we do to avoid this? From what I remember, other tokenization systems I've used also had an initial 0.01 cent charge, and yet I never received any text messages from them (this was a few years ago, admittedly, before 2FA became widespread). How do the big payment processors (Authorize.net, Stripe, etc.) manage to store credit cards without making an initial charge and triggering two-factor authentication in the process?
Thanks.
The reason behind performing an authorisation (not a charge) is to ensure the card is valid before it is stored.
However, the $0.01 authorisation is now considered 'the old way' of doing this. Most card acquirers now allow an authorisation value of $0.00 to be used solely to check the card is valid. This shouldn't trigger any 2FA where it is supported.
Obviously though, this is payment processor dependent, as to whether they support this 'new' functionality. A small number are still stuck in their ways.
The other alternative is just to process the full transaction value. It shouldn't be necessary to submit the card for tokenisation before using it, though admittedly this depends on your business use case.

How can I verify a phone number against a known address?

Paypal offers an identity verification feature where a cell phone is checked against a given billing address.
I would like to have a similar verification system in my website. What do I need to do to get this type of validation in place?
Cell phone numbers aren't intrinsically linked to mailing addresses; the association is stored by the company that does the billing.
So if you want to verify the phone against the cell provider's billing address, then you would have to get that information from the cell provider. If you want to verify it against the billing address of the credit card the phone company uses, then you'd have to ask the credit card company (once you have the card number from the phone company).
As a rule, companies don't make address information available for you to query. The exception is credit card companies, which will do address verification as an anti-fraud measure. This verification happens through your merchant account through which you process card transactions, and may be subject to certain conditions worth paying attention to.

Paypal Express Checkout Authorization Time

I'm doing a paypal Express Checkout operation with SOAP API using the payment action Authorization.
The authorization period is automatically set to 29 days. How can I change it?
The credit card authorization that a bank places on the buyer's credit card is really up to the card issuing bank. It's not anything you can really change. The actual hold period can vary slightly as well from one card issuing bank to the next.

Parallel credit card payments (akin to Paypal Adaptive payments)

I'm not sure this is the right place to ask but anyway:
I have an e-commerce platform that I want to monetize based on a percentage of revenue made (eg. a store that uses my platform has an order for $100, so I get 1% or $1, while they get $99).
Currently I offer paypal and credit card payments (via my merchant bank) to all stores on the platform (ie. all payments made, regardless of the store, are through the same paypal and merchant account). I then pay these stores per month which is ok for the moment because there are only a few stores using the platform.
Moving forward I want to automate this process and ideally have it operate in real time.
Paypal has an "Adaptive Payments" API that allows chained or parallel payments on a single transaction processed in real time. This means I can skim my 1% and pass the rest of the money along to my customer in real time.
I was wondering if there is a similar real-time service for Credit Card processing*? If not, is there a bank/merchant that allows API payment access so I can automate payments per day or week? OR should I just transfer all money from my bank to paypal and use this to pay my customers?
*I realise you can process credit card payments through Paypal without having to sign up, but this is less than ideal. I want the credit card processing to happen on my page as at the moment I'm seeing about 70% of orders using this over paypal.
I was wondering if there is a similar real-time service for Credit Card processing?
No there isn't. True merchant accounts do not allow for split payments. Only one entity can receive a payment and it must be the business the merchant account has been set up for. Receiving the payment for someone else is called factoring and is against all of the major credit card issuers' rules. If a merchant account is found to be factoring it will be closed and the merchant who owns the account will be blacklisted. This will prevent them from ever having a true merchant account again. Additionally, there is no way to send money with a merchant account other than issuing a refund for prior purchases.
If not, is there a bank/merchant that allow API payment access so I can automate payments per day or week? OR should I just transfer all money from my bank to paypal and use this to pay my customers?
Other than using adaptive payments, this is definitely the easiest and most straightforward way to accomplish this.

Advice on stopping donation fraud

I work for a non-profit organisation and have created an online donations page. Recently this donations page has been used to validate stolen credit card details via the process known as Carding.
The way it works is that a slacker gets hold of a whole bunch of credit card details but doesn't know which numbers are good or not. So they go to a donations page and attempt a small donation ($5 or less) with the stolen card number. If the donation goes through then they can use the number for bigger purchases.
Carding can cost a non-profit a lot of money as most of these "donations" will end up being reversed and in some cases a chargeback fee will be charged by the bank.
Has anyone else had experience with this? Also, what are some ways that I could stop it?
Off-topic, but I'll bite:
Don't accept "small" donations.
Don't accept "many" donations from the same IP address in a "short" time span.
Consider buying credit card fraud insurance.
What "small," "many," and "short" means is up to you.
If you're not doing this already, consider using PayPal exclusively for accepting credit cards.
With no programming skills required, our Donate button is an easy and affordable way to start accepting donations online.
Discounted rates for 501(c)(3) status
Your donors don't even need a PayPal account
Accept all major credit cards
What they say about fraud protection:
If there's one thing people know about PayPal, it's how seriously we take security. Behind the scenes, we work to help keep you and your donors safe from fraud.
Automatic Fraud Screening
Guard your business with our relentless fraud screens, address (AVS) and card verification (CVV2) checks, and 128-bit encryption—all included at no extra charge.
PCI & CISP Compliance
PayPal adheres to international PCI (Payment Card Industry) and CISP (Cardholder Information Security Program) standards for data protection. These standards are designed to help protect your business from fraud and loss of data. Because we handle the payment card information, you don't have to worry about meeting compliance standards yourself or storing your customers' sensitive financial information.
Full disclaimer: I have no affiliation with PayPal or any credit card company. I do not run, or have any first-hand experience with, an e-commerce site, nonprofit site, or any other web site which accepts electronic payments. I am not a lawyer. I'm just a programmer.
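The answer's first two rules ("don't accept small donations", "don't accept many donations from the same IP in a short time span") are simple enough to run as a screening pass over a donation log. The block below is an added example, not code from the answer or from any payment provider; it runs over a constructed list of donation attempts and applies those two rules plus a third one that goes slightly beyond the answer: rejecting an IP that presents too many distinct card tokens within the window, which is the shape card testing usually takes. The thresholds (SMALL_AMOUNT, MAX_ATTEMPTS_PER_WINDOW, MAX_CARDS_PER_WINDOW, WINDOW), the IP addresses and the tok_* card tokens are all assumptions for the example, as the answer says choosing "small", "many" and "short" is up to the operator.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample donation attempts (not real traffic):
# (ISO timestamp, source IP, card token as a gateway would return it, amount)
SAMPLE_ATTEMPTS = [
    ("2024-05-01T10:00:00", "203.0.113.7", "tok_a1", 2.00),
    ("2024-05-01T10:00:20", "203.0.113.7", "tok_b2", 12.00),
    ("2024-05-01T10:00:45", "203.0.113.7", "tok_c3", 15.00),
    ("2024-05-01T10:01:10", "203.0.113.7", "tok_d4", 20.00),
    ("2024-05-01T10:05:00", "198.51.100.9", "tok_e5", 50.00),
    ("2024-05-01T10:20:00", "203.0.113.7", "tok_g7", 30.00),
    ("2024-05-01T11:30:00", "198.51.100.9", "tok_e5", 25.00),
    ("2024-05-01T12:00:00", "192.0.2.44", "tok_f6", 4.00),
]

# Thresholds are policy choices (assumed values for this example).
SMALL_AMOUNT = 5.00              # reject donations at or below this amount
MAX_ATTEMPTS_PER_WINDOW = 3      # allow at most this many attempts per IP ...
MAX_CARDS_PER_WINDOW = 3         # ... and at most this many distinct cards per IP ...
WINDOW = timedelta(minutes=10)   # ... within this "short" time span


def screen_attempts(attempts, small=SMALL_AMOUNT, max_attempts=MAX_ATTEMPTS_PER_WINDOW,
                    max_cards=MAX_CARDS_PER_WINDOW, window=WINDOW):
    """Apply the three rules in time order.

    Returns one (timestamp, ip, amount, reasons) tuple per attempt; an empty
    reasons list means the attempt passed screening.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, card token) inside the window
    results = []
    for ts_str, ip, card, amount in sorted(attempts, key=lambda a: a[0]):
        ts = datetime.fromisoformat(ts_str)
        q = recent[ip]
        # Drop entries older than the window so counts reflect the "short" span only.
        while q and ts - q[0][0] > window:
            q.popleft()
        reasons = []
        if amount <= small:
            reasons.append("small_amount")
        if len(q) >= max_attempts:
            reasons.append("too_many_attempts")
        cards_in_window = {c for _, c in q} | {card}
        if len(cards_in_window) > max_cards:
            reasons.append("too_many_cards")
        # Rejected attempts still count toward velocity: a card tester's
        # failures are exactly the signal the next attempt should be judged on.
        q.append((ts, card))
        results.append((ts_str, ip, amount, reasons))
    return results


def decisions(attempts, **thresholds):
    """Compact view: 'accept' or 'reject:<reason,...>' per attempt, in time order."""
    return ["accept" if not r else "reject:" + ",".join(r)
            for *_, r in screen_attempts(attempts, **thresholds)]


if __name__ == "__main__":
    for ts, ip, amount, reasons in screen_attempts(SAMPLE_ATTEMPTS):
        verdict = "accept" if not reasons else "reject: " + ", ".join(reasons)
        print(ts, ip, f"{amount:.2f}", verdict)
```

Rejected attempts are deliberately kept in the per-IP window: the fourth attempt from 203.0.113.7 is refused because three attempts already sit in the window, whereas the same IP's attempt twenty minutes later is accepted because the window has emptied. In a live deployment the rejection would be returned before the card is ever submitted to the gateway, which is what avoids the reversal and chargeback fees the question describes.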