Local credit card number validation -- why bother?

Posts: 56
Joined: 04/20/2008

Having looked at the current credit card number validation routine, the method of identifying the card type by the first digit is incorrect. To have a full validation routine (such as the one here) would seem both difficult to maintain and also completely unnecessary. In my view, it's for the acquiring bank to determine if they like the card number -- all we have to do is check that it's numeric (re: this issue).

This will effectively put the onus on the individual payment gateways to provide feedback based on the error they receive from the card processing service.

Posts: 931
Joined: 11/05/2007

uc_credit does a few things to check a number, scattered throughout the code. However, the number validation routine was written mainly to compute a checksum on the card number. This is a very important check, and is something that is *not* done by the routine you linked to above.

That other code only checks trivial things like the first digit and the number of digits. Ubercart does most of those simple-minded checks, but makes no pretension about being comprehensive in the list of card types it knows about. As long as it doesn't reject a good card type, these sanity checks can't hurt, but may help. If UC *is* rejecting valid cards based on an ambiguity of the first digit, that's a bug that should be fixed and should be brought up in the Issue Tracker.

As for the reason to do a check at all: Many gateways will charge you if you send them improperly-formed numbers. Don't want that. Also, some stores collect card numbers for off-line processing, so you want to check up-front that the card number looks valid, to catch any mistakes the customer might make entering the number. Otherwise you would find the mistake at some later time when you processed the card, then you'd have to contact the customer to straighten things out. Much easier to help them get it right the first time.

--

<tr>.

Posts: 1
Joined: 06/19/2008

With respect, the braemoor routine *DOES* check the checksum of the card number, and I am a little surprised that you should come out with such an unambiguously incorrect statement. To quote the comment in the code:

This routine checks the credit card number. The following checks are made:

1. A number has been provided
2. The number is a right length for the card
3. The number has an appropriate prefix for the card
4. The number has a valid modulus 10 number check digit if required

A brief inspection of the code shows that it does exactly what it says on the label.

Posts: 1314
Joined: 08/14/2007

+1 for implementing the braemoor routine or something similar to do a full check of card number validation. Here's the current _valid_card_number function:

<?php
function _valid_card_number($number) {
  // Reject disabled card types (keyed on the first digit) and non-numeric input.
  $id = substr($number, 0, 1);
  if (($id == 3 && !variable_get('uc_credit_amex', TRUE)) ||
      ($id == 4 && !variable_get('uc_credit_visa', TRUE)) ||
      ($id == 5 && !variable_get('uc_credit_mastercard', TRUE)) ||
      ($id == 6 && !variable_get('uc_credit_discover', TRUE)) ||
      !is_numeric($number)) {
    return FALSE;
  }

  // Luhn (mod 10) checksum: double every second digit, counting from the right.
  $total = 0;
  for ($i = 0; $i < strlen($number); $i++) {
    $digit = substr($number, $i, 1);
    if ((strlen($number) - $i - 1) % 2) {
      $digit *= 2;
      if ($digit > 9) {
        $digit -= 9;
      }
    }
    $total += $digit;
  }

  // A valid number sums to a multiple of 10.
  if ($total % 10 != 0) {
    return FALSE;
  }

  return TRUE;
}
?>

Along with the integration of the braemoor routine, I would like to see some extra logging for invalid or bad credit cards. We oftentimes get orders placed multiple times because a card is rejected by the cart, but not by authorize.net. One thing that would help us track the issue would be an entry in Watchdog whenever an invalid card is submitted. (May be a good idea to include Captcha on those types of forms, in that event.)

My two cents.

--

"Pain don't hurt." - Dalton

Mike Nelson's RiffTrax! www.rifftrax.com
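
An added example (not part of any post above, and not Ubercart or braemoor code) that puts the points raised so far side by side: digits-only input, the mod 10 checksum, a type lookup on more than the first digit, and a rejection message fit for a Watchdog entry that carries only the last four digits. The example_* names, the prefix table and the 12-19 digit window are assumptions; the second sample is a JCB test number, which a first-digit test would treat as American Express.

```php
<?php
// Added example: not Ubercart or braemoor code. Names, the prefix table and
// the 12-19 digit window are assumptions made for illustration.
// Luhn (mod 10) checksum over a digits-only string.
function example_luhn_ok($number) {
  $total = 0;
  $len = strlen($number);
  for ($i = 0; $i < $len; $i++) {
    $digit = (int) $number[$i];
    if (($len - $i - 1) % 2) {  // every second digit, counted from the right
      $digit = $digit * 2 > 9 ? $digit * 2 - 9 : $digit * 2;
    }
    $total += $digit;
  }
  return $total % 10 === 0;
}

// Card type from the leading digits, not just the first one. Incomplete list.
function example_card_type($number) {
  $prefixes = array('6011' => 'discover', '34' => 'amex', '37' => 'amex',
    '35' => 'jcb', '36' => 'diners', '4' => 'visa');
  foreach ($prefixes as $prefix => $type) {
    if (strpos($number, (string) $prefix) === 0) {
      return $type;
    }
  }
  return 'unknown';
}

// Returns array(ok, log line); the log line never carries the full number.
function example_check_card($input) {
  $number = str_replace(array(' ', '-'), '', $input);
  // ctype_digit() rejects "1e5", "-4" and "4.0", which all pass is_numeric().
  if (!ctype_digit($number)) {
    return array(FALSE, 'card rejected: not digits');
  }
  if (strlen($number) < 12 || strlen($number) > 19) {
    return array(FALSE, 'card rejected: ' . strlen($number) . ' digits');
  }
  $tag = example_card_type($number) . ' ending ' . substr($number, -4);
  $ok = example_luhn_ok($number);
  return array($ok, ($ok ? 'card passed: ' : 'card rejected, bad checksum: ') . $tag);
}
// Constructed input: public test numbers, one mistyped digit, one numeric trap.
foreach (array('4111 1111 1111 1111', '3530111333300000', '378282246310005',
    '4111111111111112', '1e5') as $sample) {
  list($ok, $log) = example_check_card($sample);
  echo $log, "\n";
}
```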

Posts: 931
Joined: 11/05/2007

Langcliffe wrote:
With respect, the braemoor routine *DOES* check the checksum of the card number, and I am a little surprised that you should come out with such an unambiguously incorrect statement

I was wrong. I retract that half-sentence in my above post: "and is something that is *not* done by the routine you linked to above."

Langcliffe wrote:
To quote the comment in the code:

Yes, it's in the code comments, although the page cited above (which I did read before I posted) doesn't come out and say that a checksum is being calculated.

Regardless, it's totally irrelevant to the point. The OP asks "Local credit card number validation -- why bother?", specifically mentioning the first-digit check and pointing to a page (braemoor) that does a more-detailed first-digit check.

And my response was, more important than the first-digit is the checksum, which Ubercart already does, and if there are problems with the first-digit check in Ubercart let's fix it, not throw out all validation whatsoever.

--

<tr>.