
I am a customer of a large European bank, but I have found the following happening consistently with multiple past banks.

Basically, I have always been able to pay using my legitimate card(s), credit or debit, under a fake name.

When you are prompted online for your card information, you will normally select

  • Circuit (Visa, Mastercard, etc, sometimes optional as the merchant will deduce from the first digits)
  • PAN
  • Expiration date
  • CVV2/security code
  • Card holder

Well, I found I can consistently use a fake name when other fields are consistent. I can easily get my payment approved. Often I am redirected to secondary verification (OTP) and pass that brilliantly.

I am writing here because this makes me a bit confused. Often merchants say "Please type your name as displayed on the card" so that you think they (someone) will do a strong check on the record and refuse the transaction if you omit/enter a second name inconsistently or use apostrophes/accents inconsistently, exactly like what often happens in airline travel when the boarding card doesn't match the passenger name as displayed on the passport/ID. To make a counterexample...

But here I am speaking about completely different names. The only time I was called by my bank "Sir, we are detecting a number of attempted charges" I was using my real name with a brand new card (you know... you have to move all your online subscriptions). I was never called, no card ever blocked for "Sir, someone could have stolen your card details".

Question time: in the technical world of credit card payment, 1) what is the importance of the card holder name if it's not consistently checked? 2) who should be responsible for checking? bank, merchant or transaction processor?


Note: I know very well that just using a pseudonym does not make me anonymous. Of course the transaction can be tracked back to an individual, but that requires a lot of juridical power (and legitimate interest, speaking about Europe).

usr-local-ΕΨΗΕΛΩΝ
  • I'm using a service providing virtual prepaid (MasterCard) cards for online use. This service does not show a card holder name on the virtual cards, proving that it is useless. I've used another service to generate one-time use prepaid cards (Visa), and despite displaying my family name on it, I used it consistently with other names. The name seems to be just security theater, even though I do not have strong evidence to support this claim. – A. Hersean Nov 05 '19 at 12:59

2 Answers


Ultimately, it is the responsibility of the merchant to do whatever they can to verify that the card is not being used fraudulently - because if the transaction is later found to have been made fraudulently, the transaction is reversed by the processor.

There are many things the merchant can do to attempt to verify that the card being used is not stolen, such as address verification, CVV code verification, etc. However, name verification is not one of these, as this does not even get sent over the wire when the transaction is submitted to the processor. See https://community.developer.authorize.net/t5/Integration-and-Testing/how-to-validate-name-on-credit-card/m-p/22163 for more info.

mti2935
  • Online, even if the name on the card was forwarded to the merchant, the merchant could do nothing to prove the identity of the card holder. Indeed, the one buying the service (the card holder) need not be the same person as the end user: it can be an acquaintance. The website has nothing to compare the card holder name to. – A. Hersean Nov 05 '19 at 12:55
  • Interesting feedback. Indeed, it's not completely uncommon to buy something on behalf of somebody else, especially if that "somebody" is partner, very close friend or family member. "as this [cardholder name] does not even get sent over the wire" is a good point – usr-local-ΕΨΗΕΛΩΝ Nov 05 '19 at 13:10
  • I agree. Having performed credit card integrations through a number of different processors, there is rarely an option to verify the name of the card holder even if you wanted to. It might be worth adding *why* they ask for the name when it doesn't even matter and they clearly don't check it. – Conor Mancone Nov 05 '19 at 13:17
  • Thanks for the feedback, Conor. I think it's more to do with 'security theater' than anything else. – mti2935 Nov 05 '19 at 14:14

mti2935's answer is entirely correct - under most circumstances, the name is simply for the merchant's records, and not sent anywhere or validated in any way. But there are two edge cases I know of where the name may matter.

American Express supports name validation in addition to address and CVV validation. There's examples here and here of what they can return, and AmEx even offers an online web-based tool for merchants to type it in to verify.

The other case is if the merchant is using a third-party fraud check service, such as Accertify (which is run by AmEx). Services like that work by taking as much data as the merchant can give them, and then returning a risk level, which the merchant can use to choose whether to reject the transaction. I'm pretty sure that name is something they can validate, at least under some circumstances.

Bobson
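
A sketch of how a merchant-side fraud screen could treat the cardholder name as a soft signal next to address and CVV verification, as an added example that is not part of the original answers and is not Accertify's or American Express's logic. The function names, match levels, weights and thresholds are assumptions constructed for illustration; `avs_ok` and `cvv_ok` stand in for the processor's address and CVV verification results, and `account_name` is a name the merchant already holds.

```python
import unicodedata

def normalize(name):
    """Fold case, strip accents and apostrophes, and split into name tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    stripped = stripped.replace("'", "").replace("\u2019", "")
    cleaned = "".join(c if c.isalnum() else " " for c in stripped)
    return cleaned.casefold().split()

def name_match(entered, reference):
    """Compare the typed cardholder name with the name on the merchant's record."""
    a, b = normalize(entered), normalize(reference)
    if not a or not b:
        return "not_checked"      # nothing to compare against
    if a == b:
        return "exact"            # identical after accent/apostrophe folding
    if set(a) <= set(b) or set(b) <= set(a):
        return "partial"          # e.g. a second name omitted or added
    if a[-1] == b[-1]:
        return "surname_only"     # plausibly a family member paying
    return "no_match"

# Constructed weights: a name mismatch alone never reaches the reject threshold,
# because paying on behalf of someone else is legitimate.
NAME_WEIGHT = {"exact": 0, "partial": 0, "surname_only": 10,
               "no_match": 25, "not_checked": 5}

def risk_score(entered_name, account_name, avs_ok, cvv_ok):
    """Combine the soft name signal with the AVS and CVV results."""
    score = NAME_WEIGHT[name_match(entered_name, account_name)]
    score += 0 if avs_ok else 30
    score += 0 if cvv_ok else 45
    return score

def decision(score):
    """Map the risk level to what the merchant does with the order."""
    if score >= 45:
        return "reject"
    if score >= 25:
        return "review"
    return "accept"

if __name__ == "__main__":
    # Constructed sample orders: (typed name, name on record, avs_ok, cvv_ok)
    for order in [("Se\u00e1n O\u2019Brien", "SEAN OBRIEN", True, True),
                  ("Alex Example", "Jordan Sample", True, True),
                  ("Jordan Sample", "Jordan Sample", True, False)]:
        print(order[0], "->", decision(risk_score(*order)))
```
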