cellio: (Default)
Monica ([personal profile] cellio) wrote2022-12-29 04:57 pm
  • Add Memory
  • Share This Entry
Entry tags:

online payments and credit cards: I have questions

As I make the rounds doing year-end donations, I'm reminded of two things that have long puzzled me:

  1. Some web sites auto-detect the type of credit card based on the number. Apparently all credit-card numbers that begin with "4" are Visa. (I don't know if the reverse is true: do all Visa numbers start with 4?) Being me, I've cycled through the other nine digits and nothing else produces a match based on a single digit. What are the patterns for other providers? And are all these sites using some standard library for this, or are programmers really coding that by hand?

  2. Years ago, a three-digit code ("CCV") was added to cards to mitigate fraud. On a physical credit card, this number is stamped rather than embossed, so those old-style manual credit-card gadgets that took an imprint of your card (on actual paper, with a carbon!) couldn't record it. Um, that's fine I guess, but online, that number isn't any more secure than the card number itself. And someone who steals your physical card has the number; it's not a password. Does that number have another purpose?

Flat | Top-Level Comments Only
sine_nomine: (Default)

[personal profile] sine_nomine 2022-12-29 10:17 pm (UTC)(link)
All Amex start with 3. All Visa start with four. All MasterCard start with five. All discover start with six. I don't know how they program all of this. Each credit card processing program is different. Some require the CVV, and some don't. Depending on the form that I am using at work sometimes it asks for it and sometimes it doesn't. I just always ask the donor for it. So that they don't say but last time I didn't have to give it. The form always has it it's just not always required.
cellio: (Default)

[personal profile] cellio 2022-12-29 11:01 pm (UTC)(link)

Interesting. I wonder why forms that auto-detect Visa when I type "4" don't auto-detect the others when I type "3" or "5" or "6".

Thanks for the information.

metahacker: A picture of white-socked feet, as of a person with their legs crossed. (Default)

[personal profile] metahacker 2022-12-29 10:33 pm (UTC)(link)
The CCV identifies the specific piece of plastic, so it might help in the time between cards or during fraud somehow?

Honestly the security model is a complete joke and I am grateful for the legislation requiring credit companies to have the liability. Sending the magic password in the clear never made any sense! Chip and pin seems slightly more secure...
cellio: (Default)

[personal profile] cellio 2022-12-29 11:05 pm (UTC)(link)

Yeah, if the credit-card provider weren't liable for fraud, my online payment habits would be different. I'm not quite sure what they'd be, but not this.

Way way back when the web was young and security was (even more) sketchy, I got a separate credit card to use exclusively for online transactions and gave it a modest credit limit. I figured concentrating all the risk in one place, and not co-located with a card where I'd ever signed for a purchase in a store, might help. No idea if that made any difference; mostly I rely on it being their responsibility to protect me. And I eventually raised that credit limit so I could buy the occasional large item, though I kept it below the ridiculous limits Visa was happy to offer.

(Anonymous) 2022-12-29 10:46 pm (UTC)(link)

https://www.forbes.com/advisor/credit-cards/what-does-your-credit-card-number-mean/ and https://www.discover.com/credit-cards/card-smarts/what-is-a-credit-card-number/ (especially the latter) address the issue of the initial digits in the card number. If those are to be believed, then yes, Visa card numbers always and exclusively begin with 4, and MasterCard card numbers always and exclusively begin with 5.

/The Internet Dog :)

cellio: (Default)

[personal profile] cellio 2022-12-29 11:07 pm (UTC)(link)

Thanks! Those both look very useful.

Edited 2022-12-29 23:10 (UTC)
watersword: Keira Knightley, in Pride and Prejudice (2007), turning her head away from the viewer, the word "elizabeth" written near (Default)

[personal profile] watersword 2022-12-29 11:42 pm (UTC)(link)
There are a number of libraries devs can use to validate card numbers & associated providers, the one I've used is https://github.com/PawelDecowski/jquery-creditcardvalidator.
gingicat: (Default)

[personal profile] gingicat 2022-12-30 12:00 am (UTC)(link)
1 - Visa is 4, MasterCard is 5.
cellio: (Default)

[personal profile] cellio 2022-12-30 12:06 am (UTC)(link)

Oddly, many sites auto-fill Visa for 4, but I haven't yet bumped into one where testing with 5 (or 3) produced a match. Weird.

goljerp: Photo of the moon Callisto (Default)

[personal profile] goljerp 2022-12-30 12:57 pm (UTC)(link)
I think Discover numbers all start with 60 (or is it 6011)? Back in $OLD JOB, I had to deal with credit cards a bit, and I remember having fun coding the check digit. :-)

Here's my pet peeve: why doesn't everyone ask for the zip code before the city/state? Some forms now do that, and then auto-fill the city/state (although presumably you can still override that). Since zip code maps to state in the US always, and to a city usually, I don't see why everyone doesn't do this (other than the expense of programmers...)
mdlbear: blue fractal bear with text "since 2002" (Default)

[personal profile] mdlbear 2022-12-30 05:00 pm (UTC)(link)

Actually the only thing that's needed is the zipcode, and some forms only ask for that. It's possible that city/state are used to cross-check the zipcode.

sine_nomine: (Default)

[personal profile] sine_nomine 2022-12-30 07:15 pm (UTC)(link)
My zip code, on those lists, often codes to the wrong city. If I can override it that's one thing but, if not, it is a royal pain.
goljerp: Photo of the moon Callisto (Default)

[personal profile] goljerp 2023-01-02 05:15 am (UTC)(link)
Yeah, that's why I said "usually" maps to a city; I was aware of the "one zip code is in 2 different town/cities" problem but you have a good point about lists being wrong. That's why, IMHO, one should be able to override the auto-fill. That way, most people will save time, and the folks in your unortunate position at least won't be worse off than before. (Well, I guess you'd have to delete the wrong city/state, so it would be a bit more time...but hopefully not that bad.)
sine_nomine: (Default)

[personal profile] sine_nomine 2023-01-02 12:42 pm (UTC)(link)
Oh yeah I wasn't arguing your point. Just providing alternate viewpoint. And I left out the one where a person on the phone literally insisted my building (with something like 240 units) didn't exist because they couldn't find my address on the autofill. I am guessing user error on that one...

I totally agree that autofill can be helpful!
goljerp: Photo of the moon Callisto (Default)

[personal profile] goljerp 2023-01-02 02:06 pm (UTC)(link)
It's good for programmers to remember that just because they have a list which claims to map X to Y, doesn't mean that it's always correct.

(Un)Fortunately for me, I bump against this fairly frequently at work: we deal with locations, and use the UN Location codes (UN/LOCODE). But the list isn't complete; it's possible to find towns which have a US zip code, but aren't in the UN/LOCODE list. So my company (since before I started) fakes up a UN/LOCODE for the place and uses it internally. But that means that there's duplication, inconsistancies, and when a place gets a real UN/LOCODE, there's no easy way to update our database...
madfilkentist: (Default)

[personal profile] madfilkentist 2023-01-08 11:38 am (UTC)(link)
The one benefit I can think of for the CCV is that it makes brute-force guessing harder. Prefix digits narrow down the space for a card number from a specific issuer. I think the numbers include a checksum digit, because some sites immediately tell me I've got an invalid number if I mistype a digit, and that further narrows the number of valid numbers. Anything that increases the number of possibilities helps against brute-force attacks.
Flat | Top-Level Comments Only