Ever designed a website and wondered how you can check if a number is valid?
Or, wanted to validate credit card numbers on the fly, before contacting a gateway with them to confirm their validity?
Well, apparently there’s a way.
Credit card numbers can be validated using an algorithm, known as the Luhn algorithm.
Basically, here’s how you validate a Credit Card number, without the use of a remote gateway.
Get the number off the user, assign it to a variable. So, 1234567890123456 (nope, that’s not mine).
Take that number, and reverse it. So, 65 43 21 09 87 65 43 21.
With that number, you can take every second digit, and multiply it by two.
5 x 2 = 10, 3 x 2 = 6, 1 x 2 = 2, 9 x 2 = 18, 7 x 2 = 14, 5 x 2 = 10, 3 x 2 = 6, 1 x 2 = 2
We take the results, and add them together:
10 + 6 + 2 + 18 + 14 + 10 + 6 + 2 = 68
We take that 68, and divide by 10.
68 / 10 = 6.8
Now, using the modulus of 10, you should end up with no remainder on a valid credit card, and a remainder on an invalid credit card.
As you can see, 6.8 means it’s invalid. If the sum of the final numbers was 70, it would validate. As would any other multiple of 10.
The validation works well against those who punch any old number into a form and expect it to validate, and saves the site any fees on unsuccessful transactions, should you incur fees.
A further advantage is that you can save valuable time with the CC gateway by processing such data yourself and confirming it with the customer, who should have the right data in front of them.
And the good news is, the entire function in either ASP or PHP would use just 50ms – 150ms of processing time. Wait, they are giving you the details to process a payment, not have a frag match, so those times should be plenty acceptable.
I would expect some more programs, OsCommerce for example, to start taking advantage of that algorithm. It works with every card, apparently, and internationally too. It works with all Australian credit cards, as well as American Express cards, and any other card you can throw at it.
It should save businesses costs in following up bad credit card numbers and, as already mentioned, time processing cards that are invalid.
Other top things to check on a CC form include the expiry date: there is no point going to the gateway with an expired date. Save time, check it yourself. The other item, if your gateway supports it, is the CVV2 code. It is a very valuable code that only the card holder has, and no random generator can guess it on the fly within 3 – 10 shots, which should be the limit on the number of attempts per session a user is given to get the CC details right, to prevent guessing attacks.
Very useful algorithm to say the least.
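An added example (not code from the original post) of the pre-gateway checks described above, in JavaScript: the Luhn check in its standard form, which also adds the undoubled digits into the sum and reduces each two-digit product to the sum of its digits, plus the expiry-date check. The function names, error labels and the 12 to 19 digit length bound are assumptions made for this example.

```javascript
// Added example: pre-gateway card checks. All names here are illustrative.

// Standard Luhn check over a string that contains only digits.
function luhnValid(digits) {
  let sum = 0;
  // Walk from the rightmost digit; every second digit gets doubled.
  for (let i = digits.length - 1, pos = 0; i >= 0; i--, pos++) {
    let d = digits.charCodeAt(i) - 48;
    if (pos % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9; // same as adding the two digits of the product
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// A card is usable through the last day of its expiry month.
function isExpired(expMonth, expYear, now) {
  // JS months are 0-based, so a 1-based expMonth indexes the following month.
  return now.getTime() >= Date.UTC(expYear, expMonth, 1);
}

// Returns a list of problems; an empty list means the form may go to the gateway.
function precheckCard(form, now = new Date()) {
  const errors = [];
  // Accept the spaces and dashes people type, reject everything else.
  const digits = String(form.number).replace(/[\s-]/g, "");
  if (!/^\d{12,19}$/.test(digits)) errors.push("number-format"); // assumed length bound
  else if (!luhnValid(digits)) errors.push("number-checksum");

  const monthOk = Number.isInteger(form.expMonth) &&
    form.expMonth >= 1 && form.expMonth <= 12;
  if (!monthOk || !Number.isInteger(form.expYear)) errors.push("expiry-format");
  else if (isExpired(form.expMonth, form.expYear, now)) errors.push("expired");
  return errors;
}
```

A passing checksum only shows the number is well formed, not that the card exists or has funds, so the gateway call and the per-session attempt limit still apply.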