Developing PHP Credit Card Validation Applications

Web sites developed to handle eCommerce need to accept and handle payments, usually paid by credit cards. Since everyone knows credit cards can be stolen or forged, it is obvious that credit card validation is mandatory. PHP web developers can program pre-validation applications to validate credit cards using PHP programming before sending validated credit card data to merchant handlers. The quality of the merchant requests with credit card information is increased dramatically.

Credit cards have a few different pieces of information to identify the account and customer’s identity to the merchant handler. The customer’s name is printed clearly on the credit card, else possibly a company name. The credit card number is obviously important. Then there is the CCV (card check value) and the card expiration month and year. All these values must be validated and cleansed prior to connecting and handing the credit card information to the processor.

Names should only contain letters and the space character. PHP can look for non-alpha characters, ignoring the space character, to identify invalid names for credit cards. The length of the name should not be too short nor too long. If the name on the credit card is invalid, PHP should reject the credit card submission and message the credit card holder to correct their name.

We’ll discuss the credit card number below and address the easy credit card elements first. Expiration dates on credit cards are validated simply by comparing them to the current month. If the year is current and the month is current or future, the credit card expiration is fine, else rejected. If the expiration date is current or future, it should pass credit card validation.

Credit card check values are simple enough to validate since they are 3-4 digit numbers, so simply disallowing non-numerical values works well. Numerical values pass credit card validation easily.
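The name, expiration and check-value rules above can be combined into one function. This is an added example, not code from the original article; the function name `prevalidate_card_fields`, the 2 to 26 character name bounds and the four-digit year format are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Pre-validate cardholder name, expiry and check value.
 * Returns a list of failed field names; an empty list means all passed.
 * The 2..26 name-length bounds are assumptions, not values from the article.
 */
function prevalidate_card_fields(string $name, string $month, string $year,
                                 string $cvv, ?DateTimeImmutable $now = null): array
{
    $now    = $now ?? new DateTimeImmutable('now');
    $errors = [];

    // Name: letters separated by single spaces, within the assumed length bounds.
    $name = trim($name);
    if (!preg_match('/\A[A-Za-z]+(?: [A-Za-z]+)*\z/', $name)
        || strlen($name) < 2 || strlen($name) > 26) {
        $errors[] = 'name';
    }

    // Expiry: month 1-12, four-digit year, not earlier than the current month.
    if (!preg_match('/\A(?:0?[1-9]|1[0-2])\z/', $month) || !preg_match('/\A\d{4}\z/', $year)) {
        $errors[] = 'expiry';
    } else {
        $curY = (int) $now->format('Y');
        $curM = (int) $now->format('n');
        if ((int) $year < $curY || ((int) $year === $curY && (int) $month < $curM)) {
            $errors[] = 'expiry';
        }
    }

    // Check value: three or four digits only. \A and \z anchor the whole
    // string; a plain `$` would also accept a trailing newline.
    if (!preg_match('/\A\d{3,4}\z/', $cvv)) {
        $errors[] = 'cvv';
    }

    return $errors;
}

// Constructed sample input, evaluated against a fixed date for repeatability.
$fixedNow = new DateTimeImmutable('2024-06-15');
var_dump(prevalidate_card_fields('Jane Doe', '06', '2024', '123', $fixedNow)); // well-formed
var_dump(prevalidate_card_fields('J4ne', '05', '2024', "123\n", $fixedNow));   // digit in name, past month, newline in CVV
```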

The type of credit card can be automatically detected and/or requested from the customer. There is a limited set of credit card types, such as American Express, MasterCard, VISA, Discover, etc. Disallowing a subset of these credit card types depends on the business model, so some credit card types may cause rejection during validation.

Now on to the exciting part of validating credit cards… The credit card number itself. Obviously, credit card numbers must be numerical only to pass card validation. Customers will submit credit card numbers with delimiters such as space or hyphen characters. Simply filter the card number to numerical only before processing for validation.

The credit card number determines the card type through its character count, the digits it starts with, and what it ends with. The first step to validating credit card numbers is to check the character count. This dictates which card type to validate against. If the card number character count doesn’t match known credit card validation lengths, the number is rejected. If it does match, proceed to the next check.

The starting and sometimes the ending numbers must match a particular credit card type such as VISA. If there is not a match, the credit card can be rejected. Else, the card number can proceed to true credit card number validation processes.

The fundamental root of validating credit card numbers is the Modulus-10 validation method. This is a simple set of number manipulations that reverse the order of the credit card number, break the number up and recombine the digits, perform basic manipulations and result in a test value. The test value passes to Modulus-10, also called Mod-10, for final card number validation.

Mod-10 is extremely simple by definition. If a number is perfectly divisible by 10, it passes the Mod-10 test. If there is a remainder, it fails validation. Numbers like 10, 20, and 30 are valid. Numbers like 11, 23, or 69 will fail. That’s all there is to it.
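The card number steps described above (delimiter filtering, length check, prefix check, then Mod-10) are shown here in order. This is an added example, not code from the original article; the function names are hypothetical, and the `CARD_TYPES` table is a simplified assumption that does not cover every issuer range.

```php
<?php
declare(strict_types=1);

// Simplified brand table (an assumption for this example, not exhaustive):
// allowed lengths and a leading-digit pattern per card type.
const CARD_TYPES = [
    'VISA'             => ['lengths' => [13, 16], 'prefix' => '/\A4/'],
    'MasterCard'       => ['lengths' => [16],     'prefix' => '/\A5[1-5]/'],
    'American Express' => ['lengths' => [15],     'prefix' => '/\A3[47]/'],
    'Discover'         => ['lengths' => [16],     'prefix' => '/\A(?:6011|65)/'],
];

/** Mod-10 (Luhn): double every second digit from the right, sum, test % 10. */
function passes_mod10(string $digits): bool
{
    $sum = 0;
    foreach (str_split(strrev($digits)) as $i => $ch) {
        $d = (int) $ch;
        if ($i % 2 === 1) {          // every second digit of the reversed number
            $d *= 2;
            if ($d > 9) {
                $d -= 9;             // same as adding the two digits of the product
            }
        }
        $sum += $d;
    }
    return $sum % 10 === 0;
}

/** Returns the detected card type, or null if any pre-validation step fails. */
function prevalidate_card_number(string $input): ?string
{
    // Strip only the delimiters customers type; any other character must fail.
    $digits = str_replace([' ', '-'], '', $input);
    if (!preg_match('/\A\d{12,19}\z/', $digits)) {
        return null;
    }
    foreach (CARD_TYPES as $type => $rule) {
        if (in_array(strlen($digits), $rule['lengths'], true)
            && preg_match($rule['prefix'], $digits)) {
            return passes_mod10($digits) ? $type : null;
        }
    }
    return null; // length or prefix matches no accepted type
}

// Widely published processor test number and a variant with a changed last digit.
var_dump(prevalidate_card_number('4111 1111 1111 1111'));
var_dump(prevalidate_card_number('4111-1111-1111-1112'));
```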

Credit card pre-validation essentially checks some expected values and data formats, then validates the credit card number resides within a subset of valid credit card numbers. This does not mean the card will pass bank approval, have sufficient funds, or even be a real credit card. It simply means you have pre-validated what the customer submitted so you send valid credit card profiles to be verified and potentially debited by the appropriate money handlers.

Reversing the Mod-10 calculation will generate valid credit card numbers, which will process orders in poorly created eCommerce websites. The rate of success is expected to be very low and depends on how well the credit card processing programming has been developed on the site. Our intent is to prevent fraud, disable security vulnerabilities, and protect the sellers from hackers. Credit card pre-validation provides a first step in protecting websites from credit card fraud and reducing bogus credit card submissions to merchant handlers.
