[freeside] cust_main.cgi and Credit Card Number Display

ivan ivan at 420.am
Thu Jun 27 15:59:51 PDT 2002 

Neither Freeside (nor Business::OnlinePayment) has provisions for CVV/CVM
yet, so this is irrelevant. 

On Thu, Jun 27, 2002 at 06:38:34PM -0400, David Richardson wrote:
> It is common IMHO to obfuscate all but the last 4-5 numbers of the card
> - usually just 4 are not blurred.  I don't know if Freeside is taking in
> the verification number on cards, but that number should NOT be shown -
> although it is usually provided in a
> verbal transaction and is done after the full CC number.  
> 
> The verification number is used to (theoretically) verify physical
> posession of the card.  It isn't part of the algorithm to do the card
> numbering, but is some 3-4 digit number printed elsewhere on the face or
> back of the card that is sometimes requested by an order taker.  I am
> lead to believe that at _least_ Authorize.net has the capability to
> accept this number.  
> 
> Merchants would provide this number as a means to reduce their "clip"
> (discount rate) by adding extra proof that the transaction isn't subject
> to fraud.  (Why physical posession of the card is that much better is
> beyond my interpretation.)
> 
> Dave.
> ---------- Original Message ----------------------------------
> From: Dave Burgess <burgess at mitre.org>
> Reply-To: ivan-freeside at sisd.com
> Date: Thu, 27 Jun 2002 16:12:17 -0500
> 
> >
> >
> >ivan wrote:
> >
> >> On Thu, Jun 27, 2002 at 12:05:50PM -0400, Stephen D. Bechard wrote:
> >> > This recommendation comes from the Accounting Department. :)
> >> >
> >> > Credit Cards are normally tracked and verified by the
> >> > last 4 digits of not the first 4, so they wanted to see
> >> > xxxxxxxxxxx8906 instead of 1234xxxxxxxxxxx
> >>
> >> How about a reference?  Failing that, how about confirmation from
> >> other folks?
> >
> >Confirmed here.  In fact, I noticed the other day that all of the credit card
> >receipts I've received in the past couple of weeks were like this - even the one
> >from the gas pump.  My ATM receipts say the same thing.  I also just ordered
> >something from an on-line company, and they use the same scheme on their order
> >confirmation E-Mails.
> >
> >Actually, it makes sense.  I know lots of people with three or four Visa cards,
> >all of which have the same first four digits.
> >
> >> > They also informed me that not all Credit Card numbers have the
> >> > same amount of digits, so I used the length of $payinfo to get
> >> > the start and end points of sbstr. Seems to work okay.
> >> >
> >> > What do you think?
> >>
> >> Aren't there a few other places you'd need to make this chane also?
> >
> >It will be a problem anyplace we print out an obfuscated CC number.  Everywhere
> >else, it shouldn't make any difference.
> >
> >> --
> >> _ivan
> >
> >Dave
> >
> >
> >

-- 
_ivan

More information about the freeside-users mailing list