views: 172

answers: 3
My colleagues are having a debate as to how specific to be for credit card transactions that were declined. We get a lot of details about the transactions from our card processor, and we're trying to decide how much info to pass on to the user.

For example, do you tell the user that their card was declined because it's expired or the CCV number is wrong, or is there too much fraud potential in that? And when we return the user to the page where they provide payment details, do we pre-fill in the fields with the data they entered previously or not?

+1  A: 

In the past I have tried to be as general as possible. For example, suppose you tell them that the CVV2 number is incorrect. Sure, that helps the valid cardholder out by letting them know it's the CVV2 that's incorrect. It also lets an undesirable know that the credit card number IS correct. If they do keep failing, perhaps you prompt them to contact someone.

When you are talking about pre-filling fields, are you talking about after they fail and retry, or on a completely separate occasion?

If it's after they have failed it seems to me that the secure way to do it would be to not display it again, but you would need to make sure that they couldn't click back and get the same info, otherwise there's no point. It might not matter that much, though.

If you are talking about a completely separate occasion you need somewhere to store that info. If it's on your servers I suggest you have a look at PCI-DSS. Even if you just transmit the data to a gateway you are required to be in compliance.

Chris Kloberdanz
+2  A: 

I participated in a PCI Compliance review about 4 years ago, and the policy then was to simply return an Accepted or Rejected, and the transaction ID to the user. If the transaction was rejected we added a note "For more information contact your credit card provider and quote this number ...".

The reasoning is that if someone is trying to generate card numbers you don't want to provide them any information as to what to change to get a valid card. If it is a real person, there are too many things that can go wrong with a transaction that you are in no position to fix; just tell them to contact their card provider. Even if the transaction response is "Card Expired" it could be something else; you don't know, so don't guess.

Also, if you return to a page with payment fields, don't prefill them, leave them blank. Customers might go paranoid thinking "Hey, is this thing remembering my credit card info!?" The most likely reason the card was rejected is that they typed something in wrong, and by prefilling it with the wrong info again you are just tempting them to click Submit over and over again until their credit limit is exceeded. Been there, done that.

Dour High Arch
+1  A: 

In the past I have given as much information as possible and made it as easy for someone to correct as possible. I don't want to stop a potential sale (or in my case donation). As for dealing with fraud, don't try to deal with it by hoping that cluing them into a bad CCV number is going to slow them down; deal with it in other ways, like tracking how often a session is attempting to process a card (and failing). If it is too many times in X amount of time, blacklist them. That is a separate question though.

catfarm
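A server-side sketch combining the two approaches above (Dour High Arch's uniform "Accepted/Rejected plus transaction ID" response and catfarm's per-session tracking of failed attempts), added here as an example and not code posted by anyone in the thread. The processor result codes, the failure threshold and the time window are constructed/assumed values, and the detailed decline reason goes only to a server-side audit log.

```python
import time
from collections import defaultdict, deque

# Assumed policy values: block a session after this many failed charges
# inside the window. Tune to your own traffic.
MAX_FAILURES = 3
WINDOW_SECONDS = 600

# Constructed result codes standing in for the processor's real ones.
# The detail is for the server-side audit log only; it never reaches the user.
PROCESSOR_DETAIL = {
    "00": "approved",
    "05": "do not honor",
    "54": "expired card",
    "N7": "CVV2 mismatch",
}


class DeclineHandler:
    def __init__(self, now=time.time):
        self._now = now                       # injectable clock for testing
        self._failures = defaultdict(deque)   # session_id -> failure timestamps
        self.audit_log = []                   # detailed reasons, server-side only

    def _recent_failures(self, session_id):
        cutoff = self._now() - WINDOW_SECONDS
        stamps = self._failures[session_id]
        while stamps and stamps[0] < cutoff:  # drop failures outside the window
            stamps.popleft()
        return len(stamps)

    def is_blocked(self, session_id):
        return self._recent_failures(session_id) >= MAX_FAILURES

    def attempt(self, session_id, charge):
        """charge() submits the card to the processor and returns (txn_id, code).
        Returns (status, user_message); the payment form is always re-rendered blank."""
        if self.is_blocked(session_id):
            # Blocked sessions never reach the processor at all.
            self.audit_log.append((session_id, "blocked", "too many failed attempts"))
            return ("blocked", "Too many attempts. Please contact your card provider.")
        txn_id, code = charge()
        self.audit_log.append((session_id, txn_id, code, PROCESSOR_DETAIL.get(code, "unknown")))
        if code == "00":
            return ("accepted", "Accepted. Transaction ID: %s" % txn_id)
        self._failures[session_id].append(self._now())
        # One generic message whether the card expired or the CVV2 mismatched:
        # the cardholder gets a reference number, a card tester learns nothing.
        return ("rejected", "Rejected. For more information contact your credit "
                            "card provider and quote this number: %s" % txn_id)
```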