credit card validation
Posted: Tue Apr 05, 2005 12:33 am
by ellakai
Hi everyone,
have written a script where i receive credit card details from the customer.
the input info is in 4 fields cc1 cc2 cc3 cc4. the two middle numbers are emailed to me & rest is stored in a db. all ssl
I now need to find a validation for the cc number .. is there a way i can combine the numbers into a single number so i can use one of the many validation scripts available?
any help would be appreciated . thanks
Posted: Tue Apr 05, 2005 12:36 am
by feyd
string concatenation operator.
...and I hope you got storage authorization from the credit card companies and passed their security audits..
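The concatenate-then-validate step from the reply above, sketched in Python as an added example (not code from this thread): the four fields are joined as strings and checked with the Luhn checksum that card-number validation scripts implement. The function names and the 13 to 19 digit length bound are assumptions, and 4111 1111 1111 1111 is a constructed test number.

```python
import re

# Assumption: each form field holds a short run of ASCII digits.
# [0-9] is used instead of str.isdigit(), which also accepts non-ASCII digits.
FIELD_RE = re.compile(r"[0-9]{1,7}")


def combine_fields(cc1, cc2, cc3, cc4):
    """Join the four form fields as strings (never as integers, which would
    drop leading zeros) and reject anything that is not plain digits."""
    parts = [p.strip() for p in (cc1, cc2, cc3, cc4)]
    for part in parts:
        if not FIELD_RE.fullmatch(part):
            raise ValueError("card number fields must contain digits only")
    number = "".join(parts)
    if not 13 <= len(number) <= 19:  # assumed plausible length range
        raise ValueError("card number has an implausible length")
    return number


def luhn_valid(number):
    """Luhn checksum: from the right, double every second digit, subtract 9
    from results above 9, and require the total to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def validate_card_fields(cc1, cc2, cc3, cc4):
    """True only if the fields are well formed and the checksum passes.
    A pass catches typos; it says nothing about whether the card exists."""
    try:
        number = combine_fields(cc1, cc2, cc3, cc4)
    except ValueError:
        return False
    return luhn_valid(number)


if __name__ == "__main__":
    # Constructed sample input; only the boolean result is printed,
    # the number itself is never logged.
    print(validate_card_fields("4111", "1111", "1111", "1111"))
```
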
Posted: Tue Apr 05, 2005 12:49 am
by ellakai
ok .. so it doesn't seem like a good solution...?
what would you suggest i do?
thanks
Posted: Tue Apr 05, 2005 12:56 am
by feyd
considering the liability of taking credit card numbers and storing them... I'd suggest a third party clearing house/processor..
Posted: Tue Apr 05, 2005 1:00 am
by ellakai
the thing is that this credit card number will not be charged .. it is just to secure a booking (for an accommodation place) .. payment will be made face to face upon arrival .. so i don't actually need a service to "process" the cards ..
does this still fall into the same category?
thanks for your time..
Posted: Tue Apr 05, 2005 2:25 am
by timvw
if it's not needed... why store it then??
Posted: Tue Apr 05, 2005 3:16 am
by ellakai
well because the form is an ssl environment, & recovered in an ssl environment i thought it's more secure than just emailing the results through...???
would it be just as secure to email?
thanks for your time

Posted: Tue Apr 05, 2005 9:06 am
by Trenchant
Maybe a better way would be to request a downpayment for prebookings and then when they pay face to face they get it back
Posted: Tue Apr 05, 2005 10:20 am
by feyd
the credit card number is often used as a "unique identifier" in a lot of smaller booking businesses and things. What I would do is generate a somewhat short, globally unique (to your site at least) ID, and email that ID to the user as their confirmation number. Require them to supply full name information when booking of one person in the party that will be using the reservation. Request that the person bring a photo identification (they have to anyways to use a credit card.) Verify the name against that supplied. It's best to get a phone number (or three) too during reservation so you can call the person who made the reservation if the person who shows up isn't that person, or whatever.
Posted: Tue Apr 05, 2005 6:58 pm
by ellakai
thanks for your input guys ... much appreciated
i'll explain what i've currently done
the customer goes to a booking form and requests accommodation for
arrival
departure
# people
requested room
their contact details name email phone address etc
a reservation (unique id) is assigned
then submit their cc info
cctype
number (in 4 separate fields)
expiry
All this is in an SSL environment & is done just to secure their booking .. Because in the case of a "no-show" they will be charged a nominal fee.
the accommodation place then receives an email with all booking details & 2 fields of the cc card. They log into the secure server to retrieve the other 2 cc fields in the database which when put together (in an order they only know) will give the full ccnumber.
So in effect the full ccnumber is never stored in the db.
Hope this sounds clearer

Posted: Wed Apr 06, 2005 12:12 am
by AGISB
Sounds rather complicated to me.
Does the hotel actually require the cc number when you call them to get a room?
The only reason I see is that the hotel wants to charge a fee if the customer does not arrive.
Problem on hand is the cc card policy and you might get better advice of what is allowed and what not when you call each of the accepted cc card companies and ask them.
If you store the numbers anonymously, meaning just confirmation number, cc card number and expiration date, it might actually be allowed.
The hotel could get it with the confirmation number but for a hacker it would be a problem as the name is missing in the database. However as the email part is the least secure you might still look at a security nightmare.
Posted: Wed Apr 06, 2005 1:52 am
by ellakai
yes .. that's right the hotel does require card details just in case of the customer not fulfilling the booking.
Have had a read up of cc policies and have a much better perspective now ..
I'll give the card companies a call and see what i can come up with.
thanks
Posted: Sat Apr 09, 2005 10:05 am
by phpScott
The other option is to store with each accommodation the 'nominal' fee for the no show and charge the client that basic amount through a c.c. processor, then if the client is a no show then the accommodation has their nominal fee and when the client shows up the hotel has to just charge the difference between the two.
Of course you should generate a receipt and urge the client to print it out and take it with them to the hotel with their unique booking id, the fees paid so far and what the balance is.
I set up a similar system before and everyone seemed to be reasonably happy.
