E-commerce businesses are at a distinct disadvantage in their ability to verify the validity of credit and debit cards presented for payment by customers, compared to their brick-and-mortar counterparts. Still, businesses operating in a card-not-present environment have a fair number of tools at their disposal to help mitigate, if not completely eliminate, the fraud risk. Credit and debit cards bear several identification features that make them unique and help both merchants and cardholders prevent their fraudulent use. Some of these features form the basis of the transaction authorization process.
- Card type and account number. Request that customers provide both the account number and the card type and ensure that they match.
- Request that customers select their card’s type (Visa, American Express, MasterCard, Discover, etc.) before they enter the card’s account number.
- Verify the validity of the provided account information by comparing the selected card type and the first digit of the provided card number. The credit card companies use different account numbering systems. The first digit of each card identifies its type. Listed in the table below are the first digits that the major U.S. card brands place in their account numbers.
Card Type First Digit of Account Number American Express
- Display an error message if there is a mismatch between the selected card type and the provided account number and request that the customer re-enter the information.
- Allow customers to enter card account numbers with or without hyphens, with or without spaces between digits, or clearly identify your preferred format.
- Card expiration date. Request that customers provide their card’s expiration date. You can either provide a blank field to be filled in by the customer or a pull-down menu from which the customer can select the month and year. If you choose the latter option, make sure that you do not provide a default month and year for the expiration date, to prevent the customer from erroneously selecting it. The default date will most likely be different from the actual one and the transaction will be declined.
- Card security code. Require that customers provide their card’s security code. Card security codes are the three-digit numbers found in the signature panels on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards and the four-digit numbers found above and slightly to the right of the account numbers of American Express (CID) cards. Unlike an account number, a card security code cannot be distinguished by any of the digits it comprises. This number is generated when the card is issued, by hashing the account number and expiration date under a key known only to the card issuer. The card security codes are used primarily in card-not-present transactions to ensure that the customer is in physical possession of the card at the time of the transaction. Be advised that you are not allowed to store these numbers with the other account information.
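The card type and account number checks from the list above, written as form validation logic; this is an added example, not code from the original page. The first-digit table (American Express 3, Visa 4, MasterCard 5 or 2, Discover 6) and the Luhn checksum step are assumptions supplied here, since the page's own table is incomplete and it does not mention a checksum, and all function names are hypothetical.

```javascript
// Assumption: first digits per brand (the page's own table is incomplete).
const FIRST_DIGITS = new Map([
  ['amex', ['3']],
  ['visa', ['4']],
  ['mastercard', ['5', '2']], // 2-series numbers were added to MasterCard in 2017
  ['discover', ['6']],
]);

// Accept spaces and hyphens as separators; anything else makes the entry invalid.
function normalizeCardNumber(input) {
  const digits = String(input).replace(/[\s-]/g, '');
  return /^\d{12,19}$/.test(digits) ? digits : null;
}

// Luhn checksum: catches most single-digit typos before authorization is attempted.
function passesLuhn(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Returns { ok, error }; the error string is what the form shows the customer.
// The number itself is never echoed back or logged.
function checkCardEntry(selectedType, rawNumber) {
  const allowed = FIRST_DIGITS.get(selectedType);
  if (!allowed) return { ok: false, error: 'Please select a card type.' };
  const digits = normalizeCardNumber(rawNumber);
  if (digits === null) {
    return { ok: false, error: 'Use digits only, with optional spaces or hyphens.' };
  }
  if (!allowed.includes(digits[0])) {
    return { ok: false, error: 'Card number does not match the selected card type.' };
  }
  if (!passesLuhn(digits)) {
    return { ok: false, error: 'Card number appears to be mistyped.' };
  }
  return { ok: true, error: null };
}
```

These checks only catch entry mistakes and mismatched input early; the issuer's authorization response remains the actual decision on the card.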
Image credit: Corratech.com.