Security checks on cards
Before we contact the payment gateway with the instant payment request, Evergiving performs some validations on the form as the card details are entered.
We check:
- Card is not expired (based on the expiry date entered)
- Card remains valid for at least X months from today (X is configurable; the default is 1 month)
- CVV length is correct (3 digits, or 4 for Amex)
- Card number length is within bounds (usually 15 digits for Amex/Diners, 16 for MC/Visa/others)
- Card number's check digit validates against the Luhn algorithm (this catches mistyped card numbers)
- BIN lookup presents information on screen (brand, level, issuing bank)
- If the BIN is prepaid the card is blocked by default (accepting prepaid cards can optionally be enabled per campaign/agency)
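The pre-checks above, as an added worked example in Python; this is not Evergiving's own code. The brand prefix rules, the per-brand length bounds, the BIN table and the sample card numbers are all assumptions or constructed test data (the BIN lookup in particular stands in for the external service a real form would call). The function returns a list of problems, so an empty list means the card passed every check.

```python
# Added example (not Evergiving's code): form-side card pre-checks that run
# before any request is sent to the payment gateway.
import calendar
from datetime import date, timedelta

# ASSUMED brand detection by leading digits and "usual" lengths; real BIN
# ranges are far more detailed than this.
BRAND_RULES = [
    # (brand, leading digits, min length, max length, CVV length)
    ("amex", ("34", "37"), 15, 15, 4),
    ("visa", ("4",), 16, 16, 3),
    ("mastercard", tuple(str(p) for p in range(51, 56)), 16, 16, 3),
]
DEFAULT_RULE = ("other", (), 16, 16, 3)

# CONSTRUCTED stand-in for a BIN lookup service (6-digit prefix -> card info).
BIN_TABLE = {
    "411111": {"brand": "visa", "level": "classic", "bank": "Example Bank", "prepaid": False},
    "378282": {"brand": "amex", "level": "personal", "bank": "Example Bank", "prepaid": False},
    "555555": {"brand": "mastercard", "level": "prepaid", "bank": "Example Bank", "prepaid": True},
}


def detect_brand(number: str):
    """Return the rule tuple for the first matching brand prefix."""
    for rule in BRAND_RULES:
        if number.startswith(rule[1]):
            return rule
    return DEFAULT_RULE


def luhn_ok(number: str) -> bool:
    """Check digit validation: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def expiry_end(month: int, year: int) -> date:
    """A card is valid through the last day of its expiry month."""
    if month == 12:
        return date(year, 12, 31)
    return date(year, month + 1, 1) - timedelta(days=1)


def add_months(d: date, n: int) -> date:
    """Shift a date forward by n calendar months, clamping the day."""
    m = d.month - 1 + n
    y = d.year + m // 12
    m = m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def bin_lookup(number: str):
    return BIN_TABLE.get(number[:6])


def validate_card(number: str, exp_month: int, exp_year: int, cvv: str,
                  today: date, min_months: int = 1, allow_prepaid: bool = False):
    """Run all pre-checks; returns a list of problems (empty = card passes)."""
    number = number.replace(" ", "")
    if not number.isdigit():
        return ["card number must contain only digits"]
    brand, _, lo, hi, cvv_len = detect_brand(number)
    problems = []
    if not (lo <= len(number) <= hi):
        problems.append(f"{brand} card number length must be {lo}-{hi} digits")
    if not luhn_ok(number):
        problems.append("card number fails Luhn check (possible typo)")
    if not (cvv.isdigit() and len(cvv) == cvv_len):
        problems.append(f"CVV must be {cvv_len} digits for {brand}")
    end = expiry_end(exp_month, exp_year)
    if end < today:
        problems.append("card is expired")
    elif end < add_months(today, min_months):
        problems.append(f"card must remain valid for at least {min_months} month(s)")
    info = bin_lookup(number)  # would be shown on screen: brand, level, bank
    if info and info["prepaid"] and not allow_prepaid:
        problems.append("prepaid cards are blocked for this campaign")
    return problems


if __name__ == "__main__":
    today = date(2024, 6, 15)  # constructed "today" for a reproducible run
    print(validate_card("4111 1111 1111 1111", 12, 2030, "123", today))
    print(validate_card("5555555555554444", 12, 2030, "123", today))
```

The expiry rule treats the card as valid through the last day of its expiry month and then requires that date to lie at or beyond today plus the configured number of months; with the default of 1 month, a card expiring this month is rejected while one expiring next month is accepted.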
After the card passes these pre-checks we send the first payment to the payment gateway, which forwards the transaction to the card issuer for approval. The card issuer then performs its own checks (this list is not definitive but covers the standard authorisation checks).
They check:
- Card is not restricted (lost, stolen, etc.)
- Transaction does not appear fraudulent
- CVV matches
- Address matches (Address Verification Service, AVS)
- Account has funds for this transaction
Usually a card issuer will not decline a transaction when the address does not match, but it will flag the mismatch in its response. This shifts liability to the merchant/NPO: if the transaction later turns out to be fraudulent, you would be liable to reimburse the funds and pay a penalty. The risk of fraud is very low in a face-to-face (F2F) situation, as a fraudster would typically try their card on less secure websites or in physical stores where they are harder to trace (gas stations, convenience stores, etc.).
Most payment gateways offer an option to not complete transactions when the issuer indicates that the address does not match, which reduces your exposure.