Author: Jim Conners
The expiration date is not very difficult to validate compared to the credit card number and CVV2 number (see below). You really only have two issues to be concerned about:
Authorize.Net expects you to submit a four digit number as the expiration date for the credit card. The format they are expecting is MMYY. If the month is a single digit number (e.g. 1-9 for January through September) you must prefix it with a zero. The year is the last two numbers of the year. So, if the credit card expires in the year 2010 then you would drop the '20' and keep the '10'. So, a credit card that expires in August 2010 would have an expiration date of '0810'.
An easy way to do this is to use two SELECT menus in your HTML. One for the month, one for the year the card is set to expire. That way you can have the form send you the date in the format you prefer and all you need to do is concatenate the two values:
<select name="expire_month">
<option value="01">January</option>
<option value="02">February</option>
<option value="03">March</option>
<option value="04">April</option>
<option value="05">May</option>
<option value="06">June</option>
<option value="07">July</option>
<option value="08">August</option>
<option value="09">September</option>
<option value="10">October</option>
<option value="11">November</option>
<option value="12">December</option>
</select>
<select name="expire_year">
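<?php
// Offer the current year through nine years from now.
// The option value is the two-digit year (YY); the label is the full year.
$this_year = (int) date("Y");
for ($i = $this_year; $i < $this_year + 10; $i++)
{
    echo "<option value=\"" . substr((string) $i, -2) . "\">" . $i . "</option>";
}
?>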
</select>
$expiration_date = $_POST['expire_month'] . $_POST['expire_year'];
Naturally, an expiration date should be a future date. Any date in the past should automatically flag the credit card as invalid. The current month is considered a future date, because a card is not considered expired until the full month is over. That means if a credit card has an expiration date of September 2010, its implied expiration date is September 30, 2010 at 23:59:59. We will compare the current year with the expiration date's year. If it is earlier than this year, the date is invalid. If the year is the same as this year, we will check the month to see if it has passed as well. If it hasn't, we have a valid expiration date.
$current_month = date("m");
$current_year = date("y");
if ($_POST['expire_year'] < $current_year)
{
    // Invalid date
}
else
{
    // Check if the same year,
    // if so, make sure month is current or later
    if ($_POST['expire_year'] == $current_year)
    {
        if ($_POST['expire_month'] < $current_month)
        {
            // Invalid date
        }
        else
        {
            // Valid date
        }
    }
    else
    {
        // Valid date (the year is later than the current year)
    }
}
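The SELECT menus only shape what a well-behaved browser sends; the server still receives whatever the client posts, so the format check and the date check belong together on the server. The following is an added example, not code from the original article: the function name `build_expiration_date`, the injectable `$now` parameter, and the current-century assumption for two-digit years are choices made here.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not from the original article).
 * Returns the MMYY string for Authorize.Net, or null if the posted
 * values are malformed, expired, or outside the years the form offers.
 * $now is injectable so the check can be exercised with a fixed date.
 */
function build_expiration_date(array $post, ?DateTimeImmutable $now = null): ?string
{
    $now   = $now ?? new DateTimeImmutable('now');
    $month = $post['expire_month'] ?? null;
    $year  = $post['expire_year'] ?? null;

    // A client can post anything, including arrays (expire_month[]=...).
    if (!is_string($month) || !is_string($year)) {
        return null;
    }
    // Month must be exactly 01-12; year must be exactly two digits.
    // \z (not $) so a trailing newline is rejected.
    if (!preg_match('/\A(0[1-9]|1[0-2])\z/', $month) || !preg_match('/\A\d{2}\z/', $year)) {
        return null;
    }

    $now_year  = (int) $now->format('Y');
    $now_month = (int) $now->format('n');
    // Assumption: the two-digit year belongs to the current century.
    $full_year = intdiv($now_year, 100) * 100 + (int) $year;

    // Compare as a month count so the current month still counts as valid.
    $months_left = ($full_year * 12 + (int) $month) - ($now_year * 12 + $now_month);
    if ($months_left < 0) {
        return null; // already expired
    }
    // The year menu only offers this year through nine years ahead.
    if ($full_year >= $now_year + 10) {
        return null;
    }
    return $month . $year;
}

// Constructed sample inputs, evaluated against a fixed "now" of August 2010.
$now = new DateTimeImmutable('2010-08-15');
var_dump(build_expiration_date(['expire_month' => '08', 'expire_year' => '10'], $now));
var_dump(build_expiration_date(['expire_month' => '07', 'expire_year' => '10'], $now));
var_dump(build_expiration_date(['expire_month' => '8',  'expire_year' => '2010'], $now));
```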
CVV2 is a credit card security measure aimed at reducing fraud for card-not-present transactions. It is a three or four digit number that is only present on the credit card. Theoretically, this is used to verify that the credit card being used in a purchase is in the possession of the purchaser at the time of the transaction, making the sale more secure.
This code can be found in varying places on a credit card and is called different names by each of the major credit card companies:
Visa places their three digit code, which they call “Card Validation Code” (CVC2) on the back of the credit card in the signature panel. Usually at the very top-right most corner.
MasterCard places their three digit code, which they call “Card Verification Value” (CVV2) on the back of the credit card in the signature panel. Usually at the very top-right most corner.
American Express places their four digit number, which they call “Card Identification Number” (CID) on the front of the credit card, usually toward the end of the credit card number.
Discover Card places their three digit number, called “Cardmember ID”, on the back of the credit card in the signature panel. Usually at the very top-right most corner.
When accepting credit cards through a website, collecting the CVV2 number is essential. In the ecommerce world it is an important indicator as to the potential for fraud for a transaction. But as we've seen above, a CVV2 value may be three or four digits depending on which credit card a customer is using. So how do we validate it? By checking to see which credit card the customer is using and then looking for the correct number of digits. We’ll find out which credit card the customer is using by looking at the first number of the credit card. We’ll specifically look for American Express cards, as they are the oddballs and have a four digit CVV2 number. Visa, MasterCard, and Discover Card each have a three digit CVV2 number.
We’ll take the first digit of the credit card number and then check to see if it is a three. If it is a three, check to see if the CVV2 code is four digits long. Otherwise, check to see if the CVV2 code is three digits long. Here's some simple PHP code that does this:
// The credit card number
$cc_number = $_POST['cc_number'];
// The CVV2 number
$cvv2 = $_POST['cc_cvv'];
// Extract the first number of the credit card
$first_number = substr($cc_number, 0, 1);
// If the first number is a '3', it's an American Express card
// and we need to verify the CVV2 number is four digits long;
// otherwise check to see if it is three digits long.
// The D modifier makes $ match only at the very end of the string,
// so a value with a trailing newline is rejected.
if ($first_number === '3')
{
    if (!preg_match("/^\d{4}$/D", $cvv2))
    {
        // It's an American Express card but its
        // CVV2 code is not four digits long.
    }
}
else
{
    if (!preg_match("/^\d{3}$/D", $cvv2))
    {
        // It's not three digits long.
    }
}