Using the Luhn algorithm to validate credit cards
Today’s post is inspired by this blog post. The author posted a number of regular expressions for the different types of credit cards. I’m sure there are cases when they are useful, but there is typically a better way!
The Luhn algorithm was designed exactly for the purpose of validating credit cards. It’s basically a checksum check for the exact purpose of verifying that a credit card number was entered correctly. It does not pick up all errors, but it’s perfectly fine for real world use.
The best part is that we can easily use the Luhn algorithm in an ASP.NET validator. To do so, you’ll first need to add the Luhn JavaScript to your page. You can use a scriptblock on your page, or put it in a separate js file and include it. The script that I have tested and use is available on this site.
Here is an outline of the JavaScript you could use:
function ccValidator(sender, args)
{
var ccString = args.Value.replace("-", "");
args.IsValid = luhn_check(ccString);
}
function luhn_check(s)
{
//Insert Luhn algorithm here.
//Example at: http://www.brainjar.com/js/validation/default2.asp
}
The next step is to add an ASP.NET validator:
<asp:CustomValidator
runat="server"
ControlToValidate="txtCCNumber"
ClientValidationFunction="ccValidator"
ErrorMessage="Invalid credit card number"
Display="Dynamic"
EnableClientScript="true" />
You’ll need to change the "ControlToValidate" property to match the TextBox control that you’re validating.
Now you’ll have a validator that can check the credit card number in real time, before a postback! You’ll still need to determine how you’re going to do validation on the server if the client doesn’t support client-side validation.
There is only one other thing worth mentioning. If you’re running an e-commerce site, you typically want to avoid any issues that could cause you to lose an order. Over-validating is one of them. In many cases, even if the credit card does not get charged successfully, you should let the order go through. You can then contact the user and try to correct the situation. It might just be worth the sale!
Greg Jorgensen said,
Wrote on April 16, 2008 @ 4:18 pm
There are a couple of reasons I can think of to use a regex before or along with the Luhn validation: The regex checks can figure out what kind of card the number is from (Visa, Mastercard, AMEX, etc.), and it can make sure the card number is the correct length for the card type.
If my ecommerce site doesn’t accept Discover, for example, it’s better to figure that out and tell the user. The number they entered may be a valid card number (it passes the Luhn check) but my payment processor doesn’t let me accept it.
Not all credit card numbers are the same length. It’s possible for someone to enter a number that passes the Luhn test but is not a valid card number.
Use regext + Luhn if you site isn’t doing real-time credit card authorizations, or if your payment processor is slow, or penalizes you for attempting to auth a bad card number, or if you want to give my customers better messages about what went wrong.
I have a long article about the Luhn algorithm and checking credit card numbers in Javascript here.