Merchant Account Services

Merchant Account Blog


Verifying Credit Cards Numbers Are Valid

Any good web developer will tell you that you must always validate user input before doing anything with it in your software. The primary reason for this is to prevent malicious users from entering bad data that can harm your website. But another reason for this is honest users may erroneously enter invalid data. This bad data may cause errors in your software preventing it from functioning properly and causing your users to be frustrated. In ecommerce, that frustration means losing a customer every time.

So what data might you need to validate in an ecommerce environment? Typically user demographic information (i.e. telephone numbers, email addresses) and credit card information (i.e. credit card number, expiration date). In this blog entry we will focus on validating credit card numbers. Examples will be in PHP but the regular expressions used will work in any language that support Perl Compatible Regular Expressions (PCRE).

Credit Card Numbers
Credit card numbers are never longer then 16 digits. The INPUT form field used to collect this data should have a MAXLENGTH of 16 (maxlength=”16″) set to prevent users from enterring more digits then is allowed for any credit card issuer.

Visa
Visa credit cards are always 16 digits long and start with a four (4). Users may enter this in any of the following formats:

  • XXXX-XXXX-XXXX-XXXX
  • XXXX XXXX XXXX XXXX
  • XXXXXXXXXXXXXXXX

Here is our code to validate a Visa credit card:

if (preg_match('/^4\d{3}[ \-]?\d{4}[ \-]?\d{4}[ \-]?\d{4}$/i', $visa_cc_number))
{
// Visa number is correct
}
else
{
// Visa number is incorrect
}

MasterCard
MasterCard credit cards are always 16 digits long and start with a five (5). Users may enter this in any of the following formats:

  • XXXX-XXXX-XXXX-XXXX
  • XXXX XXXX XXXX XXXX
  • XXXXXXXXXXXXXXXX

Here is our code to validate a MasterCard credit card:

if (preg_match('/^5\d{3}[ \-]?\d{4}[ \-]?\d{4}[ \-]?\d{4}$/i', $mastercard_cc_number))
{
// MasterCard number is correct
}
else
{
// MasterCard number is incorrect
}

Discover Card
Discover Card credit cards are always 16 digits long and start with 6011. Users may enter this in any of the following formats:

  • XXXX-XXXX-XXXX-XXXX
  • XXXX XXXX XXXX XXXX
  • XXXXXXXXXXXXXXXX

Here is our code to validate a Discover Card credit card:

if (preg_match('/^6011[ \-]?\d{4}[ \-]?\d{4}[ \-]?\d{4}$/i', $discover_cc_number))
{
// Discover Card number is correct
}
else
{
// Discover Card number is incorrect
}

American Express
American Express credit cards are always 15 digits long and start with three (3). Users may enter this in any of the following formats:

  • XXXX-XXXXXX-XXXXX
  • XXXX XXXXXX XXXXX
  • XXXXXXXXXXXXXXX

Here is our code to validate a American Express credit card:

if (preg_match('/^3\d{3}[ \-]?\d{6}[ \-]?\d{5}$/i', $amex_cc_number))
{
// American Express number is correct
}
else
{
// American Express number is incorrect
}

So how do we wrap this all together into something coherent that can be practically applied to a website? We will take the credit card number and look at the first number of the credit card number. We will then validate it based on whether it is a 3, 4, 5, or 6. If it isn’t any of the four we’ll just tell the user to try again. (The following code is PHP).


$cc_number = trim($_POST['cc_number']);
$first_number = substr($cc_number, 0, 1);
switch ($first_number)
{
case 3:
if (preg_match('/^3\d{3}[ \-]?\d{6}[ \-]?\d{5}$/', $cc_number))
{
// American Express number is correct. Process the credit card.
}
else
{
// error
}
break;
case 4:
if (preg_match('/^4\d{3}[ \-]?\d{4}[ \-]?\d{4}[ \-]?\d{4}$/', $cc_number))
{
// Visa number is correct. Process the credit card.
}
else
{
// error
}
break;
case 5:
if (preg_match('/^5\d{3}[ \-]?\d{4}[ \-]?\d{4}[ \-]?\d{4}$/', $cc_number))
{
// MasterCard number is correct. Process the credit card.
}
else
{
// error
}
break;
case 6:
if (preg_match('/^6011[ \-]?\d{4}[ \-]?\d{4}[ \-]?\d{4}$/', $cc_number))
{
// Discover Card number is correct. Process the credit card.
}
else
{
// error
}
break;
default:
// error
}

2 Responses to “Verifying Credit Cards Numbers Are Valid”

  1. Tomer

    Sweet article, will use it on my eCommerce website that I’m developing now, can never have too much checks.

  2. Appreciater

    Great work!
    Thanks for posting this.

Leave a Reply