Christopher Ostmo wrote:
> Dr. Evil pressed the little lettered thingies in this order...
> >
> > I know that credit cards have standard formats: There's a standard
> > number of digits, and whether the card is Visa, MC, Amex, etc is
> > encoded in the number, and there is some kind of checksum, and I think
> > expiration is also encoded in the number.  All of this is obvious stuff
> > that anyone designing such a system would do.
> >
> > I'm wondering if anyone can refer me to a site that describes what
> > this format is, so I can write some PHP code that will check to see if a
> > credit card number format is correct.  I don't even want to try to run
> > card through my merchant account if the format is obviously wrong.  I
> > assume that banks check the rejection rate on their merchant accounts,
> > too many bogus cards would not look good.
> >
> > I did a quick search on the web, and there are a vast number of
> > "hacker" credit card number generators, but that isn't exactly what
> > I'm looking for.
> >
> > Thanks
> >

    There are many misconceptions about credit cards. I am certainly no
    expert, but I have done some research in the area.

> The only 100% certain thing about credit card numbers is the fact that
> they are 16 numbers.

    Credit card numbers vary in length based on the type of card. Some
    cards do not use the same number length all the time.

    For example: Visa numbers can be 13 characters or 16 characters
    in length

> By law, the numbers are supposed to be
> generated at random and not generated by any kind of algorithm or
> formula.  Doing otherwise would make credit card numbers "guessable"
> and therefore inherantly insecure.

    Credit card numbers are inherently insecure and follow patterns.

    Most cards have a standard prefix. i.e. The first letter for a
    Visa number must be 4, Mastercard uses 5, etc..

    With most card types, the number must validate via the Luhn formula

> Most (all?) credit cards now also
> have a three digit "CCV2" number which is only printed on the back of
> the card and is supposed to be a form of digital signature.  Several
> processing companies are requiring that this number be sent with online
> transactions.  If you're taking credit card payments from untrusted
> sources, you would be wise to also get the CCV2.

    Yep. Heck if know how/if they work with the primary card number. :)

> The only way to pre-check a credit card number is to check for a valid
> number of characters and the lack of alpha characters.  i.e:
> if (strlen($CCNum) < 16 OR !ereg("[0-9]{16}",$CCNum)) {
> ... invalid CC code here ...
> }
> (or something similar, depending on your initial script)

    Actually, using the Luhn formula, you can validate most credit
    card numbers (and Canadian Social Insurance Numbers FTM).

    I have a script that:
     - validates credit card numbers
     - determines the credit card type based on the number
     - cleans CC numbers before processing (which allows the user to
       enter spaces for readability, without buggering the validation.)
     - see

> Unless it becomes absolutely ridiculous, I don't think that your bank is
> going to complain for too many bad cards.  After all, they're still making
> money off of you. If they do get upset, you ought to find a new bank.
> Seriously. Many banks would be very happy to have your business, bad
> credit card requests and all.

    Validating cards does reduce the hassle for the customer though. :)


PHP General Mailing List (
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to