Ask HN: How can companies charge a CC with only card number and expiry?

19 points | citricsquid | 15 years ago

I talked to a friend about the recent PSN credit card information leak and he said he was not concerned, as PSN would not store the CVV code required to make charges; however, in my experience it is possible to charge a credit card (and debit card) with only the expiry date and number.

GitHub is an example of this happening; they only require the number and expiry.

How are they able to do this and can anyone do it?

11 comments

cperciva | 15 years ago
It all depends what deal you have with your credit card processor. Large companies with a long history of low fraud rates can do things which small/new/riskier companies aren't allowed to do. (Including charging a credit card after its recorded expiry date, as I recently discovered when I forgot to update the credit card attached to one of my development accounts at AWS).

For companies in the middle of the risk spectrum, it can sometimes depend on how much you're willing to pay in fees -- I've seen e.g., "2.15% without CVV codes, or 2.05% with CVV codes" advertised.

tzs | 15 years ago
Anyone can charge cards past the recorded expiry date. The only date check generally is that it be in the future, so if the on-file card date is in the past, just make up a future date. The recommendation I've seen from some gateways is to add multiples of 3 years until the date is in the future.

What larger companies can do is access the Visa Account Updater or the Mastercard Automatic Billing Updater. These are services that allow the merchant to submit card numbers and get updated information. Basically, the merchant sends a list of cards, and gets a report back. For each card submitted, the response is one of:

1. No response. The card never shows up in a returned report.

2. Notification that no updated information is available.

3. Notification that the account is closed.

4. Notification that the account has a new number and/or expiration date, and those are provided.

The fees for this are surprisingly cheap. One of them has a one-time sign-up fee of a couple hundred bucks, and the other has no sign-up fee. After that, it is something like $0.10 per card that results in updated information. There is no charge for cards that come back with no updates or that get no response.

I suspect this has surprised a lot of people whose bank changes their card number every three years, and so thought that they could just not bother canceling some subscription service because the old number would stop working.

matthew-wegner | 15 years ago
Credit card companies don't require CVV checks, although your gateway might (or may only require it for transactions above a certain amount).

Credit card companies do prohibit storing CVV numbers, however. This means that charges without CVV are actually quite common (i.e. all recurring/subscription charges, even if they require it on the initial payment).

http://en.wikipedia.org/wiki/Card_security_code

originalgeek | 15 years ago
That's not exactly true. You'll get torched on a chargeback if you didn't match the CVV code.

tzs | 15 years ago
As others have noted, the CVV is generally optional. The only major exception I'm aware of is that Visa requires it in Europe for the initial charge on the card. For subsequent charges, you then use your gateway provider's "reference transaction" option, which lets you submit additional charges against a prior charged card.

If the merchant does collect and submit CVV it doesn't necessarily have to be the right CVV. It is up to the bank that issued the card what happens with the wrong CVV. The bank can decline the transaction, but many do not. They just inform the merchant that the CVV did not match, and leave it up to the merchant to decide if they want to treat that as a fatal error or not.

jsatok | 15 years ago
It depends on your merchant account. I recently opened an Authorize.net account, and they gave me a couple of different options, though it was suggested to me to collect the full name, address, zip and CVV. It's a matter of balancing risk on your end as well. With my Authorize.net account, the fees remain the same regardless of which pieces of information I collect, but if there begins to be a bunch of fraudulent transactions, my processing account will come under question, and it's possible I won't be able to continue processing until it's cleared up.

I ended up deciding to collect full name, zip and CVV, but not address. It's a matter of balancing UX and fraud. Recurly does a pretty good job explaining Address Verification and Credit Card Verification in their documentation: http://docs.recurly.com/payment-gateways/authorize-net#avs
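The two comments above describe the merchant-side decision: the issuer may approve a charge while reporting a CVV or AVS mismatch, and it is the merchant who chooses whether to honour it and carry the chargeback risk. The following is an added illustration (not code from any commenter, gateway or from Recurly) of such a policy; the result codes (CVV: M/N/P/S/U, AVS: Y/A/Z/N/U) are the common Visa and Authorize.net-style codes, and the thresholds are assumed values.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed, constructed shape of a gateway authorization response.
@dataclass(frozen=True)
class AuthResponse:
    approved: bool               # issuer approved the authorization
    amount_cents: int
    cvv_result: Optional[str]    # None = CVV not submitted (stored card, recurring charge)
    avs_result: Optional[str]    # None = AVS not submitted / not returned

# CVV result codes (Visa-style): M match, N no match, P not processed,
# S should be on card but was not sent, U issuer unable to verify.
CVV_NO_MATCH = "N"
CVV_UNVERIFIED = {"P", "S", "U"}

# AVS result codes: Y full match, A street only, Z zip only, N no match, U unavailable.
AVS_PARTIAL = {"A", "Z"}
AVS_NO_MATCH = "N"


def decide(resp: AuthResponse, *, first_charge: bool,
           review_threshold_cents: int = 10_000) -> str:
    """Return 'accept', 'review' or 'decline' for an authorization.

    An approval from the issuer does not mean the CVV/AVS checks passed;
    the merchant must read the result codes and enforce its own policy.
    A charge declined by policy should still be voided at the gateway.
    """
    if not resp.approved:
        return "decline"

    if resp.cvv_result is None:
        # Stored-card (recurring) charges legitimately carry no CVV, because
        # PCI forbids storing it. On a first charge we require it.
        if first_charge:
            return "decline"
    elif resp.cvv_result == CVV_NO_MATCH:
        # Issuer approved but told us the CVV was wrong: treat as fatal.
        return "decline"
    elif resp.cvv_result in CVV_UNVERIFIED and first_charge:
        return "review"

    if resp.avs_result == AVS_NO_MATCH:
        return "decline" if first_charge else "review"
    if resp.avs_result in AVS_PARTIAL and resp.amount_cents >= review_threshold_cents:
        return "review"
    return "accept"
```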

originalgeek | 15 years ago
You are making an assumption that PSN is not storing the CVV code, and may be incorrect. Though PCI guidelines explicitly forbid storing this field, there are some who flout the guidelines.

To answer your question, it is similar to places like Starbucks, that do not require a signature when you make a purchase. In such cases, the merchant has cut a deal where they agree in advance to accept all chargebacks without dispute.

jhaglund | 15 years ago
Among the other routes here, people print fake credit cards (and IDs) and use them at cash registers. The magnetic strip doesn't need to work; they just need those raised numbers and the logos. The cashier will enter the digits and expiration. Generally no CVV is necessary. Often, neither is ID, depending on the cashier.

(for educational information only -- doing this would be illegal)