Carding Authorization [Tutorial]
Hi friends,
How are u today ? Hope ur all fine & happy.
Alright, I would like to share little tips on how to card something so that u can do it successfully. Well, our hope is the item u carded can be delivered to ur drop address "safely" (from ur point of view). Basically, what we are talking about is CNP (Card Not Present)/online-based transaction.
Little introduction on credit card types
There are many credit card types in the world, such as Visa/Visa Electron, Mastercard, American Express (AMEX), JCB (Japan Credit Bureau), BankCard, China Union Pay, Diners Club Carte Blanche, Diners Club enRoute, Diners Club International, Diners Club US & Canada, Discover, Laser (debit card), Maestro (debit card), Solo (debit card), Switch (debit card). Each of the card types has its own unique 6 prefixs (digits). This is known as IIN (Issuer Identification Number). Credit card digit length are various from 12 - 19 digits, depends on the card type.
Can we make a code to identify a card type ?
Yes ofcourse we can !
We can design the algorithm using Luhn algorithm and then code it with almost all programming/webprogramming languages to be a credit card digit validation tool. U can do this with Python, Perl, Delphi, C/C++, VB/VB.NET, PHP, AJAX, etc. I won't explain more about Luhn Algorithm, since it relates with mathematical. And I think u can understand it within several minutes. Here's the link u can review it later :
hxxp://www.beachnet.com/~hstiles/cardtype.html
0x0010 : Understanding merchant account, payment gateway, and third-party payment gateway
Now u should hv understood yet about credit card type and how to validate it (the digits) using ur own great tool.
We'll take a look at the difference between merchant account, payment gateway, and third-party payment gateway.
1. An e-Commerce merchant account allows any (or almost) online business (also known as an e-Business or e-Commerce business) to accept credit cards/debit cards, gift cards and other forms of payment cards online based on the CNP (card not present) transaction principals, including MOTO (mail order/telephone order) transactions. e-Commerce merchant accounts can also be referred to as: online credit card payment accounts, online credit card processing accounts, credit card transaction accounts, and others. An e-Commerce merchant can get an e-Commerce merchant account from a merchant bank or a merchant service provider in his/her local area (city, state, country) or in another country (offshore/international e-Commerce merchant account).
2. A payment gateway is an e-commerce application service provider service that authorizes payments for e-businesses, online retailers, bricks and clicks, or traditional brick and mortar. It is the equivalent of a physical point of sale terminal located in most retail outlets. Payment gateway protects credit cards details encrypting sensitive information, such as credit card numbers, to ensure that information passes securely between the customer and the merchant and also between merchant and payment processor.
3. Third party processors are what e-Commerce merchants get when getting third party merchant accounts. Basically, third party processors are connected via an additional secure payment gateway to a direct credit card payment processor. A third party processor contributes to the work of the direct processor, sharing its expenses, i.e. paying much less. Many third party processors make up a network of e-Commerce merchants sharing one secure direct merchant account.
And how it works actually ? Okay, below performs procedures which used by the payment processor gateway to charge customer's credit card until there's full settlement of funding to the merchant. U should really understand well these procedures !
* A customer places order on website by pressing the 'Submit Order' or equivalent button, or perhaps enters their card details using an automatic phone answering service.
* If the order is via a website, the customer's web browser encrypts the information to be sent between the browser and the merchant's webserver. This is done via SSL (Secure Socket Layer) encryption.
* The merchant then forwards the transaction details to their payment gateway. This is another SSL encrypted connection to the payment server hosted by the payment gateway.
* The payment gateway forwards the transaction information to the processor used by the merchant's acquiring bank.
* The processor forwards the transaction information to the card association (i.e., Visa/MasterCard)
* If an American Express or Discover Card was used, then the processor acts as the issuing bank and directly provides a response of approved or declined to the payment gateway.
* Otherwise, the card association routes the transaction to the correct card issuing bank.
* The credit card issuing bank receives the authorization request and sends a response back to the processor (via the same process as the request for authorization) with a response code. In addition to determining the fate of the payment, (i.e. approved or declined) the response code is used to define the reason why the transaction failed (such as insufficient funds, or bank link not available)
* The processor forwards the response to the payment gateway.
* The payment gateway receives the response, and forwards it on to the website (or whatever interface was used to process the payment) where it is interpreted and a relevant response then relayed back to the cardholder and the merchant.
* The entire process typically takes 2-3 seconds
* The merchant must then ship the product prior to being allowed to request to settle the transaction.
* The merchant submits all their approved authorizations, in a "batch", to their acquiring bank for settlement.
* The acquiring bank deposits the total of the approved funds in to the merchant's nominated account. This could be an account with the acquiring bank if the merchant does their banking with the same bank, or an account with another bank.
* The entire process from authorization to settlement to funding typically takes 3 days.
There are many third-party payment gateways in the world today. I'm sure most of u are familiar with Paypal, WorldPay, Verepay, Authorize.Net, Click2Buy, SagePay, PPI.Inc, 2CheckOut, GoogleCheckout, YahooWallet, CCBill, MoneyBooker, etc...
The conslusion is the merchant can choose between using its own payment gateway to process the transaction directly to the merchant's bank or using payment gateway from third-party payment gateway (with a "little fees" ofcourse).
0x0011 : All things about payment security
Since the customer is usually required to enter their personal details, such as :
- First Name
- Last Name
- Address
- City
- State/province
- Country
- ZIP/postal code
- Telephone number
- Card type
- Card number
- Customer's bank account (usually asked on Paypal, GoogleCheckout, YahooWallet when there's a fraud detection)
- Start Date (not common)
- Expired Date
- CVV/CVV2
- Card holder name
Then, he/she might be thinking that this part is important to be really safe. Yes, to make customer feels safe while doing online transaction using credit card, the merchant has to provide a secure connection between the payment gateway to the merchant's acquiring bank. This is to make sure that the data will not be intercepted by illegal guy on its way. On merchants (webshops) which are using theirs own payment gateway, usually the site use SSL (Secure Socket Layer) 128 ****, in an HTTPS site format. On the other hand, most of merchants are not using HTTPS for theirs website, but third-party payment gateway will do this for processing the transaction later.
Due to high volume of online credit card fraud transaction recently, many merchants start to aware about this. They do such procedures to avoid charge-back from the bank.
These are all things that merchant/webshop administrator will (usually) do to prevent credit card fraud :
- Call the buyer based on cardholder's phone number filled
- Check the buyer's phone number with YellowPages/phone directory book
- Confront cardholder's real location againts buyer's IP address using GeoIP location tool
- If the shipping address differs with the billing address, then it might be suspicious order
- Shipping item to PO BOX usually not accepted by most merchant/webshop
- Order shipped to African, East Europe, Russia, and several Asia countries usually need to be confirmed via phone
- Order items in large volume sometimes be flagged as a high risk fraud
- Order items with urgency shipping time sometimes be flagged as a high risk fraud
etc..
While the payment processor gateway usually do check frequently count of the card being charged at the same payment processor gateway. The result will then be used to make a decision whether the transaction is going to be approved or declined.
Hi friends,
How are u today ? Hope ur all fine & happy.
Alright, I would like to share little tips on how to card something so that u can do it successfully. Well, our hope is the item u carded can be delivered to ur drop address "safely" (from ur point of view). Basically, what we are talking about is CNP (Card Not Present)/online-based transaction.
Little introduction on credit card types
There are many credit card types in the world, such as Visa/Visa Electron, Mastercard, American Express (AMEX), JCB (Japan Credit Bureau), BankCard, China Union Pay, Diners Club Carte Blanche, Diners Club enRoute, Diners Club International, Diners Club US & Canada, Discover, Laser (debit card), Maestro (debit card), Solo (debit card), Switch (debit card). Each of the card types has its own unique 6 prefixs (digits). This is known as IIN (Issuer Identification Number). Credit card digit length are various from 12 - 19 digits, depends on the card type.
Can we make a code to identify a card type ?
Yes ofcourse we can !
We can design the algorithm using Luhn algorithm and then code it with almost all programming/webprogramming languages to be a credit card digit validation tool. U can do this with Python, Perl, Delphi, C/C++, VB/VB.NET, PHP, AJAX, etc. I won't explain more about Luhn Algorithm, since it relates with mathematical. And I think u can understand it within several minutes. Here's the link u can review it later :
hxxp://www.beachnet.com/~hstiles/cardtype.html
0x0010 : Understanding merchant account, payment gateway, and third-party payment gateway
Now u should hv understood yet about credit card type and how to validate it (the digits) using ur own great tool.
We'll take a look at the difference between merchant account, payment gateway, and third-party payment gateway.
1. An e-Commerce merchant account allows any (or almost) online business (also known as an e-Business or e-Commerce business) to accept credit cards/debit cards, gift cards and other forms of payment cards online based on the CNP (card not present) transaction principals, including MOTO (mail order/telephone order) transactions. e-Commerce merchant accounts can also be referred to as: online credit card payment accounts, online credit card processing accounts, credit card transaction accounts, and others. An e-Commerce merchant can get an e-Commerce merchant account from a merchant bank or a merchant service provider in his/her local area (city, state, country) or in another country (offshore/international e-Commerce merchant account).
2. A payment gateway is an e-commerce application service provider service that authorizes payments for e-businesses, online retailers, bricks and clicks, or traditional brick and mortar. It is the equivalent of a physical point of sale terminal located in most retail outlets. Payment gateway protects credit cards details encrypting sensitive information, such as credit card numbers, to ensure that information passes securely between the customer and the merchant and also between merchant and payment processor.
3. Third party processors are what e-Commerce merchants get when getting third party merchant accounts. Basically, third party processors are connected via an additional secure payment gateway to a direct credit card payment processor. A third party processor contributes to the work of the direct processor, sharing its expenses, i.e. paying much less. Many third party processors make up a network of e-Commerce merchants sharing one secure direct merchant account.
And how it works actually ? Okay, below performs procedures which used by the payment processor gateway to charge customer's credit card until there's full settlement of funding to the merchant. U should really understand well these procedures !
* A customer places order on website by pressing the 'Submit Order' or equivalent button, or perhaps enters their card details using an automatic phone answering service.
* If the order is via a website, the customer's web browser encrypts the information to be sent between the browser and the merchant's webserver. This is done via SSL (Secure Socket Layer) encryption.
* The merchant then forwards the transaction details to their payment gateway. This is another SSL encrypted connection to the payment server hosted by the payment gateway.
* The payment gateway forwards the transaction information to the processor used by the merchant's acquiring bank.
* The processor forwards the transaction information to the card association (i.e., Visa/MasterCard)
* If an American Express or Discover Card was used, then the processor acts as the issuing bank and directly provides a response of approved or declined to the payment gateway.
* Otherwise, the card association routes the transaction to the correct card issuing bank.
* The credit card issuing bank receives the authorization request and sends a response back to the processor (via the same process as the request for authorization) with a response code. In addition to determining the fate of the payment, (i.e. approved or declined) the response code is used to define the reason why the transaction failed (such as insufficient funds, or bank link not available)
* The processor forwards the response to the payment gateway.
* The payment gateway receives the response, and forwards it on to the website (or whatever interface was used to process the payment) where it is interpreted and a relevant response then relayed back to the cardholder and the merchant.
* The entire process typically takes 2-3 seconds
* The merchant must then ship the product prior to being allowed to request to settle the transaction.
* The merchant submits all their approved authorizations, in a "batch", to their acquiring bank for settlement.
* The acquiring bank deposits the total of the approved funds in to the merchant's nominated account. This could be an account with the acquiring bank if the merchant does their banking with the same bank, or an account with another bank.
* The entire process from authorization to settlement to funding typically takes 3 days.
There are many third-party payment gateways in the world today. I'm sure most of u are familiar with Paypal, WorldPay, Verepay, Authorize.Net, Click2Buy, SagePay, PPI.Inc, 2CheckOut, GoogleCheckout, YahooWallet, CCBill, MoneyBooker, etc...
The conslusion is the merchant can choose between using its own payment gateway to process the transaction directly to the merchant's bank or using payment gateway from third-party payment gateway (with a "little fees" ofcourse).
0x0011 : All things about payment security
Since the customer is usually required to enter their personal details, such as :
- First Name
- Last Name
- Address
- City
- State/province
- Country
- ZIP/postal code
- Telephone number
- Card type
- Card number
- Customer's bank account (usually asked on Paypal, GoogleCheckout, YahooWallet when there's a fraud detection)
- Start Date (not common)
- Expired Date
- CVV/CVV2
- Card holder name
Then, he/she might be thinking that this part is important to be really safe. Yes, to make customer feels safe while doing online transaction using credit card, the merchant has to provide a secure connection between the payment gateway to the merchant's acquiring bank. This is to make sure that the data will not be intercepted by illegal guy on its way. On merchants (webshops) which are using theirs own payment gateway, usually the site use SSL (Secure Socket Layer) 128 ****, in an HTTPS site format. On the other hand, most of merchants are not using HTTPS for theirs website, but third-party payment gateway will do this for processing the transaction later.
Due to high volume of online credit card fraud transaction recently, many merchants start to aware about this. They do such procedures to avoid charge-back from the bank.
These are all things that merchant/webshop administrator will (usually) do to prevent credit card fraud :
- Call the buyer based on cardholder's phone number filled
- Check the buyer's phone number with YellowPages/phone directory book
- Confront cardholder's real location againts buyer's IP address using GeoIP location tool
- If the shipping address differs with the billing address, then it might be suspicious order
- Shipping item to PO BOX usually not accepted by most merchant/webshop
- Order shipped to African, East Europe, Russia, and several Asia countries usually need to be confirmed via phone
- Order items in large volume sometimes be flagged as a high risk fraud
- Order items with urgency shipping time sometimes be flagged as a high risk fraud
etc..
While the payment processor gateway usually do check frequently count of the card being charged at the same payment processor gateway. The result will then be used to make a decision whether the transaction is going to be approved or declined.