Credit Card Security
-
Hi, I have an ASP.NET web application in which we have to do some credit card # and expiration date and CVV # validations. Is it safe to use JavaScript or jQuery, or is it better to use server side validations? Because if I retrieve the Credit Card #, expiration date and CVV # in client side script, is it safe or vulnerable from hackers? If it's not safe, can anybody please advise me how I can restrict the user from not entering characters, two digits for month and two digits for year etc. client script validations. Please give me your advice on how I can resolve this. Any link or code snippet or even advice is also greatly helpful, I am googling in the meantime. Thanks in advance.
Thanks & Regards, Abdul Aleem Mohammad St Louis MO - USA
-
You can choose to run this on client side, but you will always want to do it again on client side as well, just in case the user disables JavaScript or messes with the HTML of the page. There is a regular expression that you can use to validate that the credit card number is in a "valid format", and as far as the month and year, your best bet would probably be to use drop-down boxes to restrict their input choices.
-
You can do the initial credit card validation client side with JavaScript if you want, but you also need to do the validation server side.

Credit Card Validation:
1. Credit Card Number - The credit card number can be validated using the Luhn algorithm.
2. Credit Card Number - You can also validate based on length and prefix if you only accept certain cards.
3. CVV - For most cards it is 3 digits, except American Express which is 4 digits.
4. Expiration Date - Date must be greater than or equal to current month and year. Year can be either 2 or 4 digits depending on the Processor API. Month can be either 1 or 2 digits depending on the Processor API.

If you are sending the Credit Card information back to the server to process it with the CC Processor, then you need to make sure you are using SSL. Never send Credit Card information over the internet without using a secure connection.

Never store credit card information; there are a lot of rules that you need to follow to be PCI Compliant. You agree to be PCI Compliant just by signing up with a Credit Card Processor. The potential fees associated with violations are not worth it, and time required to be fully PCI Compliant. The safest thing to do is only store the TransactionId (or whatever your API calls it); usually that is all you need if later you need to do anything else like void, credit, etc. with the Credit Card API.

If you want to be able to store the card information so that the user does not have to re-enter the information again, then some Credit Card Processors offer a Customer Manager where the card information is stored on the credit card processor's server, which would be PCI Compliant. You would then store some sort of Id(s) returned by the Processor and pass those back to the Processor in the future when you want to make another transaction.
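The four checks listed in the answer above, as an added example that is not part of the original post: JavaScript that can run in the browser, with the same logic repeated on the server because client-side checks can be bypassed. The brand table (Visa, Mastercard 51-55, American Express only) and the names `luhnValid`, `BRANDS` and `validateCard` are assumptions made for this illustration.

```javascript
// Added example: Luhn, length/prefix, CVV and expiry checks for a card form.
// The brand table is a simplified assumption; extend it for the cards you accept.

function luhnValid(digits) {
  let sum = 0;
  // Walk right to left, doubling every second digit.
  for (let i = digits.length - 1, dbl = false; i >= 0; i--, dbl = !dbl) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

const BRANDS = [
  { name: 'amex', pattern: /^3[47]\d{13}$/, cvvLen: 4 },
  { name: 'visa', pattern: /^4(\d{12}|\d{15})$/, cvvLen: 3 },
  { name: 'mastercard', pattern: /^5[1-5]\d{14}$/, cvvLen: 3 },
];

// Returns { ok, brand, errors }. Error strings never echo the card data.
function validateCard({ number, cvv, expMonth, expYear }, now = new Date()) {
  const errors = [];
  const pan = String(number).replace(/[ -]/g, ''); // allow "4111 1111 ..." input
  const brand = /^\d+$/.test(pan) ? BRANDS.find(b => b.pattern.test(pan)) : undefined;
  if (!brand) errors.push('number: unsupported brand or bad length');
  else if (!luhnValid(pan)) errors.push('number: failed Luhn check');

  // CVV length depends on the brand: 4 digits for Amex, otherwise 3.
  const cvvLen = brand ? brand.cvvLen : 3;
  if (!new RegExp(`^\\d{${cvvLen}}$`).test(String(cvv))) errors.push('cvv: wrong length');

  const m = Number(expMonth);
  let y = Number(expYear);
  if (!/^\d{1,2}$/.test(String(expMonth)) || m < 1 || m > 12 ||
      !/^(\d{2}|\d{4})$/.test(String(expYear))) {
    errors.push('expiry: bad format');
  } else {
    if (y < 100) y += 2000; // two-digit year
    // Compare as a month count; the card is valid through its expiry month.
    const current = now.getFullYear() * 12 + now.getMonth();
    if (y * 12 + (m - 1) < current) errors.push('expiry: card expired');
  }
  return { ok: errors.length === 0, brand: brand ? brand.name : null, errors };
}
```

Passing `now` explicitly keeps the expiry check testable; in production the server's clock is the one that counts.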
-
Well, let's think about this. Hackers can only monitor activity during the transmission of data, so JavaScript is safe. It's the user's responsibility to keep their computer clean. Security is only as safe as your SSL certificate and the level of encryption you're using. In the long run, validating credit card information is not worth it. Just make sure they enter their name, card number and whatever else you need to process an AUTH_ONLY or AUTH_CAPTURE. Validating card information will be the least of your problems during checkout. For you hard card card processors out there, years of experience at this have led me to think that too much validation confuses people when entering card data, and you will get a phone call for help, or the validation may result in a false flag. Worst case, your error message will be misunderstood.
-
Excellent answer. If you don't mind, which country are you from? - Is it the Democratic, socialistic, secularistic, independent state of India :) - this is the description of India from the Indian constitution.
Thanks & Regards, Abdul Aleem Mohammad St Louis MO - USA
-
I'm going to private message that answer to you. I wasted too much time on card validation in the past, and should have focused on the User Interface in whole. Card Validation is no good if you can't get them to fill in the data in the first place. If you blast too many messages, then they get frustrated, and give up, resulting in lost sales. You have to make the customer feel like a rock star, so when they check out, they think they are computer king. Of course, we simply made it super easy for them, but they don't need to know that. All the information has to be there, 100% accurate. If they see a mistake, they will leave real quick. You have to gain the trust of the customer with your user interface, and it should be very clear and organized. Now you can write some jQuery to help the process out, a little reminder here, an arrow there, but real gentle like. So work on your user interface first, test it on people, then add validation one at a time. Of course get your main code working as well, then keep polishing the product until it's silky smooth and easy to use. For validating, just paint the border of the textbox a light red, so it can be noticed, but is not shouting at them. Look at Twitter, or the Guardian Newspaper, where you can leave a comment. They are great examples of validation.
-
An SSL Certificate, also called a Digital Certificate, creates a secure link between a website and a visitor's browser. By ensuring that all data passed between the two remains private and secure, SSL encryption prevents hackers from stealing private information such as credit card numbers, names and addresses. If you sell products or services on your website and accept credit cards online, you need an SSL Certificate for website security. If you don't sell online but want to add credibility to your website, a Site Confirm Seal may be sufficient.