TalkTalk downplays extent of breach damage, gives extra details


Re: Luhn Check to Retrieve card details

"Or explain how Amazon manages to get payments authorised without storing the full card details?"

Yes you can store full credit card details with encryption and expiry dates. You are not allowed to store the CV2, even if encrypted, with the credit card number.

However, you can make further transactions, as a retailer, using existing card details. You store the basic card details - masked and associated with an ID. When a customer confirms that they want to pay using Visa 44433xxxxxxx1111 you send the request to your merchant services using the ID instead of the actual card number (which you don't hold). Your merchant services company uses this ID to actually send the card details on to the acquirer to make payment. This ID is linked to you as a merchant and could be used by other companies, as a separate merchant/ID combination will point to a different card number. It can also be set to expire after a certain length of time to make it temporary. A different merchant would not, generally, be able to process that ID though, so stealing it has little benefit.

The IDs are also generally the same style as a credit card number and pass the Luhn check so back end systems can accept them with little or no development work.

It's called tokenisation.
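The scheme described in the comment above, as an added example that is not part of the original post: a minimal in-memory token vault that issues card-shaped, Luhn-valid IDs bound to one merchant with an optional expiry. The `TokenVault` class, its method names and the merchant IDs are hypothetical, and the card number used with it is a constructed test value.

```python
import secrets
import time

def luhn_ok(number: str) -> bool:
    """Luhn check: double every second digit from the right, sum mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def luhn_check_digit(body: str) -> str:
    """Return the final digit that makes body + digit pass the Luhn check."""
    return next(d for d in "0123456789" if luhn_ok(body + d))

class TokenVault:
    """Hypothetical stand-in for the merchant services provider's token store."""

    def __init__(self):
        # (merchant_id, token) -> (pan, expires_at); a real vault would encrypt the PAN
        self._cards = {}

    def tokenise(self, merchant_id, pan, ttl_seconds=None, now=None):
        """Issue a card-shaped token; returns (token, masked_pan) for the merchant."""
        if not (pan.isdigit() and len(pan) >= 13 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        now = time.time() if now is None else now
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 1))
            token = body + luhn_check_digit(body)
            if token != pan and (merchant_id, token) not in self._cards:
                break
        expires_at = None if ttl_seconds is None else now + ttl_seconds
        self._cards[(merchant_id, token)] = (pan, expires_at)
        masked = pan[:6] + "x" * (len(pan) - 10) + pan[-4:]
        return token, masked

    def detokenise(self, merchant_id, token, now=None):
        """Resolve a token to the card number, only for the issuing merchant."""
        now = time.time() if now is None else now
        entry = self._cards.get((merchant_id, token))
        if entry is None:
            raise PermissionError("token not valid for this merchant")
        pan, expires_at = entry
        if expires_at is not None and now >= expires_at:
            del self._cards[(merchant_id, token)]
            raise PermissionError("token expired")
        return pan
```

The retailer keeps only the returned token and masked number; a token presented under any other merchant ID, or after its expiry, is rejected by `detokenise`.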
