4

On our website we have:

- user registration (data includes name and last name)
- an embedded payment system (powered by Stripe)

Users can purchase items online and we want to be sure that the card they use to pay is actually owned by them, i.e. the card owner's first name and last name match the user's name and last name (if not, we ask our users to update their personal data or to use another card). We use Stripe as a payment services provider (btw, amazing!) but the question is platform independent. I was told that there is no actual way to achieve this (since payments can be processed without name and last name and banks don't return them), other than passing name and last name to the bank along with the card numbers in the charge request and hoping that the issuer bank will perform a match control over them too and reject the payment if they are wrong (but that's not guaranteed, many banks don't do it).

On the strength of that, what is the best practice to get user identity verified when charging a payment?

Marco Gagliardi

1 Answer

5

You're right in that there is no validation of card name when performing authorization. There are other options however.

CV2/CVC/AVS

One simple option is to perform a CV2 check (also known as CVV - Card Verification Value, CVC - Card Verification Check, or AVS - Address Verification Service). To do this you would take the numerics from the user's address, numerics from the zip code, and the three digits from the back of the bank card (four digits on Amex) and submit them whilst performing authorization.

The payment service provider will respond with a CV2 result that informs you which parts match/don't match, i.e. 'ALL MATCH' or 'ADDRESS MATCH ONLY' and so on. You can then use this to decide whether you want to accept the payment, or send a reversal to cancel the authorization.

https://support.stripe.com/questions/what-is-avs

3DSecure/VBV/SecureCode

There are additional identification services developed jointly by Visa/Mastercard which are common in Europe (and I believe now introduced to the US). This shared technology is known as 3D-Secure, but is branded by Visa as 'Verified by Visa', by MasterCard as 'Mastercard SecureCode', by Amex as 'SafeKey' and so on.

This first requires the cardholder to configure a password with their bank. Then at the time of online authorisation, the cardholder is redirected from the payment page to the cardholder's bank, which displays a custom greeting and (optionally) asks the user to confirm their password.

http://en.wikipedia.org/wiki/3-D_Secure

PaulG
  • Hey PaulG, thank you for the useful overview about 3Dsecure and AVS! (it's always great to receive pragmatic explanations about banking systems). Anyway, it seems that although there are several ways to ensure that a payment is "safe" (i.e. authorized by the owner) by asking for some further information supposed to be known only by the owner himself, there is no chance to use a credit card payment to identify a person (or to confirm someone's identity) since the owner could be anyone. The case is closed? – Marco Gagliardi Apr 28 '15 at 13:22
  • @PaulG is correct but I just wanted to clarify that CV and AVS are 2 separate systems and will return their own respective validation responses. CV is the 3 or 4 digit code on the back (sometimes on the front with AMEX) and AVS will verify anything from just the house number to the entire address with suite or apt, as well as the zip/postal code depending on the system. These systems are in place to allow you to be reasonably certain they are authorized to use the card. You may want to look into any fraud settings your account holder offers to flag/decline CV/AVS validation failures. – Ian Link Apr 28 '15 at 15:22
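
The accept-or-reverse decision described in the answer, applied to the separate CV and AVS results mentioned in the last comment, as an added example that is not part of the original thread. The field names and result values (`cvc_check`, `address_line1_check`, `address_postal_code_check`; `pass`, `fail`, `unavailable`, `unchecked`) are assumptions modelled on the per-check results a provider such as Stripe reports, and the thresholds are an illustrative policy, not a provider default. Note that none of these checks covers the cardholder name.

```python
from enum import Enum

class Decision(Enum):
    ACCEPT = "accept"
    REVIEW = "review"    # hold for manual review
    REVERSE = "reverse"  # send a reversal to cancel the authorization

# Assumed result values per check: "pass", "fail", "unavailable", "unchecked".
NO_SIGNAL = {"unavailable", "unchecked", None}

def decide(checks):
    """Map the separate CVC and AVS results of one authorization to a decision.

    `checks` is a dict with the (assumed) keys cvc_check, address_line1_check
    and address_postal_code_check. A missing key counts as no signal.
    """
    cvc = checks.get("cvc_check")
    avs = [checks.get("address_line1_check"),
           checks.get("address_postal_code_check")]
    reasons = []

    if cvc == "fail":
        return Decision.REVERSE, ["cvc mismatch"]
    if cvc in NO_SIGNAL:
        reasons.append("cvc not verified")

    avs_fails = avs.count("fail")
    if avs_fails == 2:
        return Decision.REVERSE, reasons + ["address and postal code mismatch"]
    if avs_fails == 1:
        reasons.append("partial address match")
    elif all(a in NO_SIGNAL for a in avs):
        # Many issuers do not support AVS; no result is not the same as a match.
        reasons.append("avs not verified")

    # Without a CVC pass there is no positive evidence, so never auto-accept.
    if cvc != "pass" or avs_fails == 1:
        return Decision.REVIEW, reasons
    return Decision.ACCEPT, reasons

# Constructed sample results, not real provider output.
SAMPLES = {
    "all_match": {"cvc_check": "pass", "address_line1_check": "pass",
                  "address_postal_code_check": "pass"},
    "address_match_only": {"cvc_check": "unavailable", "address_line1_check": "pass",
                           "address_postal_code_check": "pass"},
    "postcode_mismatch": {"cvc_check": "pass", "address_line1_check": "pass",
                          "address_postal_code_check": "fail"},
}

if __name__ == "__main__":
    for name, checks in SAMPLES.items():
        decision, reasons = decide(checks)
        print(f"{name}: {decision.value} {reasons}")
```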