I noticed something odd recently. It appears Authorize.net does not take the "Name on Card" info that is obligatory to pretty much every payment form ever made. No input field for it that I can find. I'm assuming they use the first/last name fields instead, but I always thought the name on card was done separately to ensure perfect matches. For instance, I sign most everything Dan Kaplan, but my cards usually are under DANIEL D KAPLAN or DANIEL DAVID KAPLAN. Without inputting my name the way it's written on the card, I could see a transaction potentially failing due to the mis-match.

Am I missing something simple, or is that really the way Authorize.net does it? Is that typical for all gateways?

Dan

Without inputting my name the way it's written on the card, I could see a transaction potentially failing due to the mis-match.
I'd be very interested to know if you have any data that show this has actually happened.

The cardholder name requirement is one issue I have never quite got a complete answer to, but the following is what I believe to be true:

(1) The cardholder name has never been a part of the authorization process. The basic authorization contains only the card number and the amount. (Remember, that the bankcard system assumes that it is the merchant's obligation to confirm the customer's identity.)

(2) When AVS is used the transaction data includes the additional address and zip code information. However, even this information is not complete. On many issuer's systems, only the numeric part of the address line, if any, is compared to the numeric portion of the address-on-file.

<edit>
Let me rephrase my second paragraph slightly. I KNOW that the above items #1 and #2 are true. The cardholder name is not needed to autorize transactions. However, what I don't know is that if the name is included in the transaction data whether the issuer can actually see the data or if they do anything with the data if they can see it.
</edit>

Wow, this merchant stuff is a real eye opener. With all the attention being given to internet fraud, it sure would be nice if some of these long established policies would be scrutinized a bit more publicly. Of course, there's probably a huge lobbyist push to keep that from happening, both for fear of having to change and to keep too many people from knowing the cracks in the system. The problem is that most of the crooks probably know the flaws but few of the honest customers and merchants do. That's a dangerous combination.

When AVS is used the transaction data includes the additional address and zip code information. However, even this information is not complete. On many issuer's systems, only the numeric part of the address line, if any, is compared to the numeric portion of the address-on-file.
That actually makes a good deal of sense, although I didn't know that's how it is done. I raised an earlier AVS question about rejecting based on address mismatches (such as "Ln." vs. "Lane" in my case). The above would seem to address it. The odds of a numerical match of a wrong address are probably far less than an alpha mis-match of correct one.

I'd be very interested to know if you have any data that show this has actually happened.
No, it was just a hypothetical question. I'm putting together a payment page separate from my cart in case clients want to pay that way instead of check, and it occurred to me while doing so that there's nowhere to send the 'name on card' to Authorize.net.

In this case, I don't really think I need to verify things because I pretty much know who someone is before they use the payment form, and people I have a working relationship with aren't likely to pay on a stolen card...

Dan

The odds of a numerical match of a wrong address are probably far less than an alpha mis-match of correct one. That and the fact that entering it manually on a credit card terminal would be excruciating. All the machine expects is the street number (or PO box) and zip, though it gets a bit hairy sometimes if there's an apartment number involved.

I've often wondered if asking for the name was more of a cover-your-butt tactic on the merchant's part rather than a bank requirement, since so many sites don't ask for it.

Randall

since so many sites don't ask for it.
Really? I don't think I've ever seen a payment form that doesn't ask for it, although now that I think about it, it often isn't asked for when paying over the phone.

Dan

I think they may be asking for it more often than not these days, but it's not universal. Buy.com is one example of a site that doesn't.

Randall