If you are involved in e-commerce, you probably know the importance of credit card validation. And if you work with Service Objects, you may have at least a passing familiarity with our DOTS BIN Validation service, which helps you fight fraud by checking the validity of incoming credit card numbers. But do you know how BIN validation works, or where it fits in the overall ecosystem of credit card verification strategies?
This is one area where knowledge is truly power. You see, there is no single “best” approach to credit card validation. If you use a strict approach to flag suspicious cards, you may also lose a lot of sales (and still have fraud issues). If you try to maximize your sales through more relaxed business rules, you may get eaten alive by fraudulent transactions and chargebacks – or even lose your merchant account and ability to do business. So knowing your business needs and your options are the keys to being an educated and protected credit card processing merchant.
It all starts with the number
Ever wonder why you can’t just make up 16 random digits and call it a credit card number? Because the various parts of this number each have specific roles, ranging from the type of issuer in the first digit, to a checksum digit at the end based on a mathematical formula involving the other digits. These 16 digits pack a lot of useful information about the card besides its account number.
Your first line of defense in preventing fraud lies with first six digits of this credit card number, commonly known as Bank Identification Number (BIN), but increasingly being called by the broader term of Issuer Identification Number (IIN). Under either name, here are some fun facts about the BIN, courtesy of Sapling:
- Most true credit cards start with a 4 or 5, signifying financial institutions. But your American Express card starts with a “3,” because of its history as a so-called “travel and entertainment” card.
- Other values of this first digit are reserved for other types of issuers such as airlines, gas stations, and retailers.
- The next five digits are used to specify the issuing institution as well as the type of card, such as credit, debit or gift cards.
How to validate a credit card: the short course
What is the best way to validate a credit card? You would probably expect us to say “ours.” And often, of course, that would be correct. (We’re a little biased.) But we are just part of the best practices you should have in place to protect your business. Let’s look at the pros and cons of different approaches, how they interact with each other and explain why we recommend BIN validation be part of your strategy for most applications.
Luhn Check
Remember that checksum we mentioned earlier? This is the simple algorithmic check that generates it. It is great for catching typos on cards and saving sales in real-time, and is generally built into most e-commerce platforms or easily added. This is your first line of defense and costs nothing. Good, immediate error messaging to your customer is the most effective way to save a sale from a bad typo. The Luhn check does little to protect you from stolen and fraudulent credit cards, as it is easy to create numbers that can fool this simple check.
Address Verification System (AVS)
AVS requires you to connect with the credit card companies, through their merchant processing portals to perform a real-time check. It compares the address on file for the credit card to the address entered at the time of the order. This is stronger than the Luhn check because it will flag cards where the address doesn’t match the one on file. However, it is prone to both false positives (most stolen cards are acquired with valid addresses) and false negatives (legitimate cards with user typos), where the risk of lost sales can outweigh its fraud prevention benefits.
(Pro tip: Our DOTS Address Validation suite, checks the validity of any address in the world and, if needed, corrects it. These validation services are often low-cost ways to guard against false negatives, where we can correct the address before submitting for AVS, helping preserve legitimate sales.)
Real-Time Card Validation
This check can normally be performed through the merchant processor with the card issuer, where the card is validated to ensure that the account is real, has not been flagged for fraud or theft, and that funds are available. This check is often used in parallel with AVS. However, this process can put a hold on a cardholder’s funds – particularly in the case of debit cards – and it does NOT provide guaranteed prevention from fraudulent cards from being used.
BIN/IIN Validation
Based on data returned from the BIN look-up, (brand, card type, sub-type, issuer, country), you can create business logic on how you want to handle each scenario, particularly high-risk ones. For example, you can:
- Decline to accept pre-paid credit cards for a monthly subscription product (because they are finitely funded).
- Flag an order for further review if the issuing country or bank is outside of accepted boundaries.
- Review transactions where the issuer location raises suspicion relative to the customer address.
In cases like these, you have options such as asking for a different card in real-time, or escalating the issue to your customer care team to call the customer directly before shipping product or providing service.
The importance of credit card validation
It is important to note that whenever fraudulent cards are used, the merchant loses. The customer of a stolen credit card is not on the hook, and the credit card companies generally do not take the hit. However, the merchant is usually out the product or service supplied, as well as the resources it takes to discover the fraud and fight the credit card company. And if too many fraudulent transactions happen, you can incur higher processing fees, expensive chargebacks, or even ultimately lose your merchant account and your ability to do business.
But you can mitigate these risks with the help of a little automation – and we can help! Simply contact us, and we’ll be happy to help you create a personalized strategy for fighting fraud while maximizing your credit card sales.