Verifying CVV2 Numbers
When accepting credit cards through a website, collecting the CVV2 number is essential. (If you don’t know what CVV2 is, read the blog entry “What is CVV2?”.) In the ecommerce world it is an important indicator of a transaction’s potential for fraud.
As covered in our previous blog entry, this value may be three or four digits depending on which credit card the customer is using. So how do we validate it? By checking which credit card the customer is using and then looking for the correct number of digits. We’ll find out which credit card the customer is using by looking at the first digit of the credit card number. We’ll specifically look for American Express cards, as they are the oddballs and have a four-digit CVV2 number. Visa, MasterCard, and Discover Card each have a three-digit CVV2 number.
We’ll take the first digit of the credit card number and check whether it is a three. (We didn’t do it here, but you should first validate that you do indeed have a valid credit card number. See “Verifying Credit Cards Numbers Are Valid” and “Verifying Credit Cards Numbers Are Valid (Part 2)” for how you can do this.) If it is a three, check whether the CVV2 code is four digits long. Otherwise, check whether the CVV2 code is three digits long.
Below is some sample code in PHP:
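// Read the submitted values; a missing or non-string field becomes ''.
$cc_number = is_string($_POST['cc_number'] ?? null) ? $_POST['cc_number'] : '';
$cvv2 = is_string($_POST['cc_cvv'] ?? null) ? $_POST['cc_cvv'] : '';
$first_number = substr($cc_number, 0, 1);
if ($first_number === '3')
{
    // \z anchors at the very end of the string; a bare $ would
    // also accept a trailing newline after the digits.
    if (!preg_match('/^\d{4}\z/', $cvv2))
    {
        // It's an American Express card but its
        // CVV2 code is not four digits long.
    }
}
else
{
    if (!preg_match('/^\d{3}\z/', $cvv2))
    {
        // It's not three digits long.
    }
}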
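The same check as a reusable function, as an added example that is not the blog's original code. It goes beyond the first-digit rule above: it assumes American Express numbers begin with 34 or 37, so other cards that start with 3 are held to three digits, and it rejects array input and a trailing newline. The function names and sample numbers are constructed for illustration, and validation of the card number itself is assumed to happen elsewhere.

```php
<?php
declare(strict_types=1);

// Added example, not the blog's code. Function names are hypothetical.

// American Express numbers start with 34 or 37 and carry a four-digit code;
// every other card, including other brands that start with 3, gets three.
function expected_cvv2_length(string $digits): int
{
    return preg_match('/^3[47]/', $digits) === 1 ? 4 : 3;
}

// $cc_number and $cvv2 are untyped on purpose: a request can send an array
// (cc_cvv[]=123) where the form expects a string.
function cvv2_format_ok($cc_number, $cvv2): bool
{
    if (!is_string($cc_number) || !is_string($cvv2)) {
        return false;
    }
    // Drop the spaces and dashes people type into card numbers.
    $digits = str_replace([' ', '-'], '', $cc_number);
    if (preg_match('/^\d+\z/', $digits) !== 1) {
        return false;
    }
    $length = expected_cvv2_length($digits);
    // \z matches only at the very end of the string; $ would also
    // accept "123\n".
    return preg_match('/^\d{' . $length . '}\z/', $cvv2) === 1;
}

// Constructed sample input (made-up numbers, not real cards).
$samples = [
    ['370000000000000',   '1234'],    // Amex prefix, four digits
    ['3700 000000 00000', '123'],     // Amex prefix, three digits
    ['4000000000000000',  '123'],     // first digit 4, three digits
    ['36000000000000',    '123'],     // starts with 3 but not 34 or 37
    ['4000000000000000',  "123\n"],   // trailing newline after the digits
    ['4000000000000000',  ['123']],   // array instead of string
];
foreach ($samples as [$number, $code]) {
    $verdict = cvv2_format_ok($number, $code) ? 'accept' : 'reject';
    printf("%-18s %-10s %s\n", $number, json_encode($code), $verdict);
}
```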