Carding Authorization Tutorial – Step-by-Step Guide

Carding Authorization Tutorial – Step-by-Step Guide

Alright, I would like to share little tips on how to card something so that u can do it successfully. Well, our hope is the item u carded can be delivered to ur drop address “safely” (from our point of view). Basically, what we are talking about is CNP (Card Not Present)/online-based transactions.

A little introduction to credit card types

There are many credit card types in the world, such as Visa/Visa Electron, Mastercard, American Express (AMEX), JCB (Japan Credit Bureau), BankCard, China Union Pay, Diners Club Carte Blanche, Diners Club enRoute, Diners Club International, Diners Club US & Canada, Discover, Laser (debit card), Maestro (debit card), Solo (debit card), Switch (debit card). Each of the card types has its own unique 6 prefixes (digits). This is known as IIN (Issuer Identification Number). Credit card digit lengths are various from 12 – 19 digits, depending on the card type.

Can we make a code to identify a card type Yes of course we can!

We can design the algorithm using the Luhn algorithm and then code it with almost all programming/web programming languages to be a credit card digit validation tool. You can do this with Python, Perl, Delphi, C/C++, VB/VB.NET, PHP, AJAX, etc. I won’t explain more about Luhn Algorithm, since it relates to mathematics. And I think u can understand it within several minutes. Here’s the link u can review it later :

Carding Authorization Tutorial

Understanding Merchant Accounts, Payment Gateway, and Third-Party Payment Gateway

Now u should have understood yet about credit card type and how to validate it (the digits) using ur own great tool.

We’ll take a look at the difference between merchant accounts, payment gateway, and third-party payment gateway.

1. An e-Commerce merchant account allows any (or almost) online business (also known as an e-Business or e-Commerce business) to accept credit cards/debit cards, gift cards, and other forms of payment cards online based on the CNP (card not present) transaction principals, including MOTO (mail order/telephone order) transactions. e-Commerce merchant accounts can also be referred to as online credit card payment accounts, online credit card processing accounts, credit card transaction accounts, and others. An e-Commerce merchant can get an e-Commerce merchant account from a merchant bank or a merchant service provider in his/her local area (city, state, country) or in another country (offshore/international e-Commerce merchant account).

2. A payment gateway is an e-commerce application service provider service that authorizes payments for e-businesses, online retailers, bricks and clicks, or traditional brick and mortar. It is the equivalent of a physical point-of-sale terminal located in most retail outlets. Payment gateway protects credit card details by encrypting sensitive information, such as credit card numbers, to ensure that information passes securely between the customer and the merchant and also between the merchant and payment processor.

3. Third-party processors are what e-Commerce merchants get when getting third-party merchant accounts. Basically, third-party processors are connected via an additional secure payment gateway to a direct credit card payment processor. A third-party processor contributes to the work of the direct processor, sharing its expenses, i.e. paying much less. Many third-party processors make up a network of e-Commerce merchants sharing one secure direct merchant account

How Does it Work Actually?

Okay, below performs procedures used by the payment processor gateway to charge the customer’s credit card until there’s the full settlement of funding to the merchant. You should really understand well these procedures!

* A customer places an order on the website by pressing the ‘Submit Order’ or equivalent button or perhaps enters their card details using an automatic phone answering service.
* If the order is via a website, the customer’s web browser encrypts the information to be sent between the browser and the merchant’s webserver. This is done via SSL (Secure Socket Layer) encryption.
* The merchant then forwards the transaction details to their payment gateway. This is another SSL-encrypted connection to the payment server hosted by the payment gateway.


SSL Encrypted Connection

  1. The payment gateway forwards the transaction information to the processor used by the merchant’s acquiring bank.
  2. The processor forwards the transaction information to the card association (i.e., Visa/MasterCard)
  3. If an American Express or Discover Card was used, then the processor acts as the issuing bank and directly provides a response of approved or declined to the payment gateway.
  4. Otherwise, the card association routes the transaction to the correct card issuing bank.
  5. The credit card issuing bank receives the authorization request and sends a response back to the processor (via the same process as the request for authorization) with a response code. In addition to determining the fate of the payment, (i.e. approved or declined) the response code is used to define the reason why the transaction failed (such as insufficient funds, or a bank link not available)

How Does It?

  1. The processor forwards the response to the payment gateway.
  2. The payment gateway receives the response and forwards it to the website (or whatever interface was used to process the payment) where it is interpreted and a relevant response is then relayed back to the cardholder and the merchant.
  3. The entire process typically takes 2-3 seconds. The merchant must then ship the product prior to being allowed to request to settle the transaction.
  4. The merchant submits all their approved authorizations, in a “batch”, to their acquiring bank for settlement.
  5. The acquiring bank deposits the total of the approved funds into the merchant’s nominated account. This could be an account with the acquiring bank if the merchant does their banking with the same bank or an account with another bank.
  6. The entire process from authorization to settlement to funding typically takes 3 days.

There are many third-party payment gateways in the world today. I’m sure most of u are familiar with Paypal, WorldPay, Verepay, Authorize.Net, Click2Buy, SagePay, PPI.Inc, 2CheckOut, GoogleCheckout, YahooWallet, CCBill, MoneyBookers, etc…

The conclusion is the merchant can choose between using its own payment gateway to process the transaction directly to the merchant’s bank or using a payment gateway from a third-party payment gateway (with a “little fee” of course).

0x0011: All things about payment security

Since the customer is usually required to enter their personal details, such as :
– First Name
– Last Name
– Address
– City
– State/province
– Country
– ZIP/postal code
– Telephone number
– Card type
– Card number
Customer’s bank account (usually asked on Paypal, GoogleCheckout, YahooWallet when there’s a fraud detection)
– Start Date (not common)
– Expired Date
– Cardholder name

Then, he/she might be thinking that this part is important to be really safe. Yes, to make customer feels safe while doing online transaction using a credit card, the merchant has to provide a secure connection between the payment gateway to the merchant’s acquiring bank. This is to make sure that the data will not be intercepted

by an illegal guy on its way. On merchants (webshops) which are using their own payment gateway, usually the site use SSL (Secure Socket Layer) 128 ****, in an HTTPS site format. On the other hand, most merchants are not using HTTPS for their websites, but a third-party payment gateway will do this for processing the transaction later.

Due to the high volume of online credit card fraud transactions recently, many merchants start to be aware of this. They do such procedures to avoid chargeback from the bank.

These are all things that merchant/webshop administrators will (usually) do to prevent credit card fraud :
– Call the buyer based on the cardholder’s phone number filled
– Check the buyer’s phone number with YellowPages/phone directory book
– Confront the cardholder’s real location against the buyer’s IP address using the GeoIP location tool
– If the shipping address differs from the billing address, then it might be suspicious order
– Shipping items to PO BOX is usually not accepted by most merchants/webshops
1 Order shipped to Africa, East Europe, Russia, and several Asia countries usually needs to be confirmed via phone
2 Order items in large volume sometimes are flagged as a high-risk fraud
3 Order items with urgent shipping time sometimes are flagged as a high-risk fraud

While the payment processor gateway usually does check frequently count of the card being charged at the same payment processor gateway. The result will then be used to make a decision on whether the transaction is going to be approved or declined.

You can also buy instant:


Cashapp Money Transfer Click here

Paypal Money Transfer Click here

Western Union  Money Transfer Click here

Venmo Money Transfer Click here

Bank Money Transfer Click here to Contact Us


Leave a Reply