We're currently using CIM and AIM. I would like to know, what is the best way to validate that the first and last name provided by the customer exactly matches the first and last name associated with the credit card? We actually did a test in production and, to our surprise, we could enter a fake name and Auth.net still authorized the transaction. For our particular application, since we do not want to allow multiple customer accounts using the same name and billing address information associated with a particular credit card (for fraud reasons), we need to verify that the name they provided exactly matches the name on the card. Is there a way to do this using AIM/CIM? I looked into AVS but that seems to only validate the billing address, but we need name matching as well.
01-25-2012 12:13 PM
You can't. It isn't sent over to the credit card processor for verification nor is there any way to verify it.
01-25-2012 01:02 PM
The name on the card is really unimportant. It's very easy to get someone's name, therefore the only items that really matter from a security standpoint are the card number, expiration date, and perhaps billing address (if you're using AVS). What's wrong with ignoring name and just checking for duplicate address / credit card? It ought to be ok to store a one-way hash (perhaps MD5) of the credit card number and billing address / zip code - it can't be reversed, and you can use it to check if anything new matches what's already in your database. The PCI DSS level of a fully-hashed credit card number is equal to or lower than that of AIM or CIM, so it won't increase your security requirements.
01-25-2012 06:54 PM
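The duplicate check suggested in the last reply, as an added example that is not part of the original thread or any Authorize.Net code. It uses HMAC-SHA-256 with a server-side key in place of the bare MD5 the reply mentions, because an unkeyed hash of a card number can be brute-forced over the small space of valid numbers. The key value, function and class names, and sample inputs are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption: a server-side secret held outside the database (placeholder value).
FINGERPRINT_KEY = b"constructed-demo-key-load-from-secret-store"


def normalize_pan(card_number: str) -> str:
    """Strip spaces and dashes so formatting variants compare equal."""
    digits = re.sub(r"[\s-]", "", card_number)
    if not (digits.isascii() and digits.isdigit() and 12 <= len(digits) <= 19):
        raise ValueError("card number must be 12-19 digits")
    return digits


def normalize_address(street: str, zip_code: str) -> str:
    """Lower-case the street, collapse punctuation/whitespace, keep 5-digit ZIP."""
    street = re.sub(r"[^a-z0-9]+", " ", street.lower()).strip()
    zip5 = re.sub(r"\D", "", zip_code)[:5]
    return f"{street}|{zip5}"


def fingerprint(card_number: str, street: str, zip_code: str) -> str:
    """Keyed one-way fingerprint of card number + billing address."""
    msg = f"{normalize_pan(card_number)}|{normalize_address(street, zip_code)}"
    return hmac.new(FINGERPRINT_KEY, msg.encode(), hashlib.sha256).hexdigest()


class AccountRegistry:
    """In-memory stand-in for a table with a UNIQUE fingerprint column."""

    def __init__(self):
        self._by_fingerprint = {}

    def register(self, account_id, card_number, street, zip_code):
        """Return None on success, or the id of the account already using
        this card + address combination."""
        fp = fingerprint(card_number, street, zip_code)
        existing = self._by_fingerprint.get(fp)
        if existing is not None and existing != account_id:
            return existing
        self._by_fingerprint[fp] = account_id
        return None
```

Only the fingerprint is stored; the card number itself never needs to be kept for the duplicate check.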