[freeside] cust_main.cgi and Credit Card Number Display

David Richardson isp at derdev.com
Thu Jun 27 15:38:37 PDT 2002 

It is common IMHO to obfuscate all but the last 4-5 numbers of the card - usually just 4 are not blurred.  I don't know if Freeside is taking in the verification number on cards, but that number should NOT be shown - although it is usually provided in a verbal transaction and is done after the full CC number.  

The verification number is used to (theoretically) verify physical posession of the card.  It isn't part of the algorithm to do the card numbering, but is some 3-4 digit number printed elsewhere on the face or back of the card that is sometimes requested by an order taker.  I am lead to believe that at _least_ Authorize.net has the capability to accept this number.  

Merchants would provide this number as a means to reduce their "clip" (discount rate) by adding extra proof that the transaction isn't subject to fraud.  (Why physical posession of the card is that much better is beyond my interpretation.)

Dave.
---------- Original Message ----------------------------------
From: Dave Burgess <burgess at mitre.org>
Reply-To: ivan-freeside at sisd.com
Date: Thu, 27 Jun 2002 16:12:17 -0500

>
>
>ivan wrote:
>
>> On Thu, Jun 27, 2002 at 12:05:50PM -0400, Stephen D. Bechard wrote:
>> > This recommendation comes from the Accounting Department. :)
>> >
>> > Credit Cards are normally tracked and verified by the
>> > last 4 digits of not the first 4, so they wanted to see
>> > xxxxxxxxxxx8906 instead of 1234xxxxxxxxxxx
>>
>> How about a reference?  Failing that, how about confirmation from
>> other folks?
>
>Confirmed here.  In fact, I noticed the other day that all of the credit card
>receipts I've received in the past couple of weeks were like this - even the one
>from the gas pump.  My ATM receipts say the same thing.  I also just ordered
>something from an on-line company, and they use the same scheme on their order
>confirmation E-Mails.
>
>Actually, it makes sense.  I know lots of people with three or four Visa cards,
>all of which have the same first four digits.
>
>> > They also informed me that not all Credit Card numbers have the
>> > same amount of digits, so I used the length of $payinfo to get
>> > the start and end points of sbstr. Seems to work okay.
>> >
>> > What do you think?
>>
>> Aren't there a few other places you'd need to make this chane also?
>
>It will be a problem anyplace we print out an obfuscated CC number.  Everywhere
>else, it shouldn't make any difference.
>
>> --
>> _ivan
>
>Dave
>
>
>

More information about the freeside-users mailing list