Payment Page Code

Payment Page Code Best Practice

If you are using one of MyGate's Enterprise solutions and hosting your own payment page, you may find the below code and script examples helpful.

These examples can help to you to develop a more secure payment page and can also enhance the customer payment checkout experience aiding in a higher conversion rate.

Validating Credit Card Information

Credit Card Type Identification

The below provides information about identifying a credit card type from a card number's numeric range and number of digits.

American Express

First digit must be a 3 and second digit must be a 4 or 7. Valid length: 15 digits.

Diners Club and Carte Blanche

First digit must be 3 and second digit must be 0, 6, or 8. Valid length: 14 digits.

Discover

Valid length: 16 digits. First 8 digits must be in one of the following ranges:

60110000 through 60119999

65000000 through 65999999

62212600 through 62292599

enRoute

First four digits must be 2014 or 2149. Valid length: 15 digits.

JCB

First two digits must be 35. Valid length: 16 digits

MasterCard

First digit must be a 5 and second digit must be in the range 1 through 5 inclusive. Valid length: 16 digits.

Visa

First digit must be a 4. Valid length: 13 or 16 digits.

PHP Code Sample


				
<?php
	//Sets a card number. This would typically be entered by the card holder on your website.
	$cardNumber = "4111111111111111";
	//This will print out the returned card type from the identifyCreditCard function.
	echo(identifyCreditCard($cardNumber));
	function identifyCreditCard ($number)
		{
		//Removes any spaces or hyphens on the card number before validation continues.
		$number = preg_replace("/\D/", "", $number);
		//Checks to see whether the submitted value is numeric (After spaces and hyphens have been removed).
		if(is_numeric($number)) {
			//Splits up the card number into various identifying lengths.
			$firstOne = substr($number, 0, 1);
			$firstTwo = substr($number, 0, 2);
			$firstThree = substr($number, 0, 3);
			$firstFour = substr($number, 0, 4);
			$firstFive = substr($number, 0, 5);
			$firstSix = substr($number, 0, 6);
			
			if($firstOne == "4") {
			return "Visa";
			}
			if($firstTwo >= "51" && $firstTwo <= "55") {
			return "MasterCard";
			}
			if($firstTwo == "34" || $firstTwo == "37") {
			return "American Express";
			}
			if($firstTwo == "36") {
			return "Diners Club International";
			}
			if($firstFour == "2014" || $firstFour == "2149") {
			return "Diners Club enRoute";
			}
			if($firstThree >= "300" && $firstThree <= "305") {
			return "Diners Club Carte Blanche";
			}
			if(($firstFouß≈r == "6011") || ($firstSix >= "622126" && $firstSix <= "622925") || ($firstThree >= "644" && $firstThree <= "649") || ($firstTwo == "65")) {
			return "Discover Card";
			}
			if($firstTwo >= "35") {
			return "JCB";
			}
			
			//If the above logic does not identify the card number, return this message.
			return "Other / Unknown Card Type";
			}
			else {
			//If the incoming card number is not numeric, return this message.
			return "Unknown Card Type / Number";
			}
		}
?>                
Download

Credit Card Number Validation

Credit card number validation can be performed using a check sum that verifies the credit card number is valid and not a random number before sending it for authorization. This self-checking method is referred to as a Luhn Check or Mod-10 Method and is an international standard for validating credit card numbers. All credit cards issued today are based on a modulus 10 algorithm and will pass the Luhn Algorithm. This means a made up credit card number will fail the Luhn Algorithm while a valid one will pass.

Please note: If a credit card number passes the Luhn check this only means the number is in a valid format and does not in any way indicate if the credit card is valid or that the transaction will be approved. transaction must be processed for authorization for approval. Using the Luhn check will enable the error to be displayed to the user faster and reduce the number of unnecessary transactions the merchant has to pay for.


                
<?php
	//Sets a card number. This would typically be entered by the card holder on your website.
	$cardNumber = "4111111111111111";
	//If statement that calls the luhn_check function and will print whether or not the card is valid on the screen.
	if(performLuhnCheck($cardNumber) == TRUE) {
		echo("Valid Card");
	}
	else {
		echo("Invalid Card");
	}
	//luhn_check function. Named as such because the algorithm used to check the validity of the credit card is known as the Luhn or MOD10 check.
	function performLuhnCheck($number) {
		//Removes any spaces or hyphens on the card number before validation continues.
		$number = preg_replace("/\D/", "", $number);
		//Checks to see whether the submitted value is numeric (After spaces and hyphens have been removed).
		if(is_numeric($number)) {
			//Set the string length and parity
			$number_length = strlen($number);
			$parity = $number_length % 2;
		
			//Loop through each digit and perform checks
			$total = 0;
			for ($i = 0; $i < $number_length; $i++) {
				$digit = $number[$i];
				//Multiply alternate digits by two
				if ($i % 2 == $parity) {
					$digit*=2;
				if ($digit > 9) { 
					$digit-=9;
				}
			}
		// Total up the digits
		$total+=$digit;
		}
		
		//If the total mod 10 equals 0, the number is valid. There can be instatnces where false credit cards will pass this function (test cards, etc). These will however be declined by the merchant bank during the authorization process.
		return ($total % 10 == 0) ? TRUE : FALSE;
		}
		else {
		return FALSE;
		}
	}
?>
                
Download

Expiry Dates Validation

Make it clear to the card holder which box is month and which is year. The recommended option is to have the user select their expiration date from two separate drop down menus. One for month and one for year. If the card holder does not select a month or year, the payment page validation will request them to do so. This will ensure that the card holder makes a selection prior to clicking on "pay now".

Expiration Year

Ensure that you do not offer previous years in your selection menu. This can be automated within your code so that each year you don't have to come back to remove the previous year and add new years.

CVV Validation

The card security code (CSC) sometimes called Card Verification Data (CVD), Card Verification Value (CVV or CVV2), Card Verification Value Code(CVVC), Card Verification Code (CVC or CVC2), or Card Code Verification (CCV)[ are different terms for security features for credit or debit card transactions, providing increased protection against credit card fraud.

As additional account security, every credit card comes with a special three- or four-digit code generally known as a CVV2 or CVV number. Cardholders will be requested to enter this when processing an online payment. An identity thief who has come across credit card information illegally will not have access to the CVV number if they do not have physical access of the card.

Visa, MasterCard, and Discover Card use a three digit CVV number and place it on the back of their credit cards. American Express uses a four digit number and places it on the front of their credit cards. The purposes of the below code is to see if CVV number contains the correct amount of digits for its credit card type.


                
<?php
	//Sets a card number and CVV. This would typically be entered by the card holder on your website.
	$cardNumber = "4111111111111111";
	$CVV = "123";
	//If statement that calls the validateCVV function and will print whether or not the CVV is valid on the screen.
	if(validateCVV($cardNumber, $CVV) == true) {
		echo("Valid CVV");
	}
	else {
		echo("Invalid CVV");
	}
	function validateCVV($cardNumber, $cvv) {
		//Removes any spaces or hyphens on the card number and CVV before validation continues.
		$cardNumber = preg_replace("/\D/", "", $cardNumber);
		$cvv = preg_replace("/\D/", "", $cvv);
	
		//Checks to see whether the submitted value is numeric (After spaces and hyphens have been removed).
		if(is_numeric($cardNumber)) {
			//Checks to see whether the submitted value is numeric (After spaces and hyphens have been removed).
			if(is_numeric($cvv)) {
			//Splits up the card number into various identifying lengths.
			$firstOne = substr($cardNumber, 0, 1);
			$firstTwo = substr($cardNumber, 0, 2);
	
			//If the card is an American Express
			if($firstTwo == "34" || $firstTwo == "37") {
			if (!preg_match("/^\d{4}$/", $cvv)) {
			// The credit card is an American Express card but does not have a four digit CVV code
			return false;
		}
	}
	else if (!preg_match("/^\d{3}$/", $cvv)) {
		// The credit card is a Visa, MasterCard, or Discover Card card but does not have a three digit CVV code
		return false;
	}
		return true;
	}
	else {
		return false;
	}
	}
	else {
		return false;
	}
	}
?>
                
Download

Helpful Payment Page Scripts

Disable Right Click

When added between the and tags on your website, this script disables the right mouse button, which adds another element of security to your web pages by restricting access to the source code, properties, and other aspects.

Example Java Script:


                
<script type="text/javascript"> 
	var message="Sorry, right-click has been disabled";
	function clickIE() {
		if (document.all) {
			(message);
			return false;
		}
	}
	function clickNS(e) {
		if (document.layers||(document.getElementById&&!document.all)) { 
			if (e.which==2||e.which==3) {
				(message);
				return false;
			}
		}
	}
	if (document.layers) {
		document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;
	} 
	else {
		document.onmouseup=clickNS;document.oncontextmenu=clickIE;
	}
	document.oncontextmenu=new Function("return false") 
</script>
                
Download

Disable Shift Click

This piece of JavaScript stops people from opening links on your web pages in new browser windows. This is especially useful if you use frames to add another layer of security to your websites.

Example Java Script:


                
<script language="JavaScript">
	<!-- Script below checks to see if both the Shift key and a mouse click is pressed. If it is, It alerts a message and returns false.--->
	function mouseDown(e) {
		var shiftPressed=0;
		var evt = e?e:window.event;
		if (parseInt(navigator.appVersion)>3) {
		if (document.layers && navigator.appName=="Netscape") {
		shiftPressed=(evt.modifiers-0>3);
	}
	else { 
		shiftPressed=evt.shiftKey;
	}
	if (shiftPressed) {
		alert ("Shift-click is disabled.");
		return false;
	}
	}
	return true;
	}
	if (parseInt(navigator.appVersion)>3) {
		document.onmousedown = mouseDown;
		if (document.layers && navigator.appName=="Netscape") {
		document.captureEvents(Event.MOUSEDOWN);
		}
	}
</script>
                
Download

Disable Double Clicks

To prevent users from double clicking the "Pay Now" button on your website and then being billed twice on their credit card, the following JavaScript can be implemented. To prevent users from double clicking the "Pay Now" button on your website and then being billed twice on their credit card, the following JavaScript can be implemented.

This code only allows a button to be clicked once, if clicked again a dialog is displayed and no additional payment is processed.

Example Java Script:


                
<script type="text/javascript">
	//Javascript function that gets called onSubmit. It disables the button and replaces the text with "Please wait...".
	function checkForm(form) {
		form.myButton.disabled = true;
		form.myButton.value = "Please wait...";
		return true;
	}
</script>
<!--- The below form is a basic illustration of a form POST to a website that will not allow the user to click the submit button more than once --->
<form method="POST" action="https://www.mygateglobal.com" onsubmit="return checkForm(this); false;">
<input type="submit" name="myButton" value="Submit">
</form>
                
Download

This script prevents URLs from appearing in the status bar at the bottom of the browser when the mouse is hovering over links. This is especially useful if you use frames to add another layer of security to your websites.

Example Java Script:


                
<script type="text/javascript">
	var statusmsg=""
	function hideStatus(){
		window.status=statusmsg;
		return true;
	}
</script>
<!--- This will not work in all browsers due to browser limitations. --->
<a href="https://www.mygateglobal.com" onMouseover="hideStatus();" onMouseout="hideStatus();">Click here to go to MyGate Global.</a>
                
Download