Skip to main content

Verify a Card

Streamline card verification with a secure, proxy-powered solution.

Verifying a card is the process of confirming that the card details provided are valid and can be used for transactions. This operation, also known as card authentication, pre-authorization, or $0 authorization, typically involves sending a request to the card networks and issuers to validate the card's number, expiration date, and status. It ensures the card has not been reported lost or stolen and, in some cases, checks the availability of funds or credit.

Verify a Card Diagram

This guide will show you how to use the Proxy to verify a card with your chosen Payment Service Provider (PSP) while offloading PCI compliance scope with ease. We’ll explore a variety of processor-specific standards and their unique verification quirks, offering practical examples you can adapt to your selected PSP.

If you are not yet collecting your customers' cards with Basis Theory, here are a few guides you can explore:

Getting Started

To get started, you will need to create a Basis Theory Account and a TEST Tenant.

Make sure to use your work email (e.g., john.doe@yourcompany.com)

Private Application

You will need a Private Application to allow your backend to call Basis Theory APIs. Click here to create one using the Basis Theory Customer Portal.

This will create an application with the following Access Controls:

  • Permissions: token:use, token:create
Save the API Key from the created Private Application as it will be used later in this guide.

Verify a Card

Different payment service providers (PSPs) may use varying workflows or terminology for this operation ($0 auth or ZDA, account verification, card validation, card ping, etc.). Regardless of the approach, card verification can enhance security, reduces fraud risks, and improves the reliability of payment processing.

Given you have previously created a Token Intent:

Token Intent sample
{
  "id": "d2cbc1b4-5c3a-45a3-9ee2-392a1c475ab4",
  "type": "card",
  "tenant_id": "4aee08b9-5557-474b-a120-252e01fc7b0f",
  "fingerprint": "BKJYqf2tcvhTHSXN7EvBJLviN3PBYRgwoJgce8VAfnSr",
  "card": {
    "bin": "424242",
    "last4": "4242",
    "expiration_month": 10,
    "expiration_year": 2028,
    "brand": "visa",
    "funding": "credit",
    "authentication": "sca_required",
    "issuer_country": {
      "alpha2": "GB",
      "name": "UNITED KINGDOM OF GREAT BRITAIN AND NORTHERN IRELAND",
      "numeric": "826"
    }
  },
  "created_by": "0bc89db5-fadd-4d57-af93-10472e35ebd3",
  "created_at": "2025-03-10T14:23:56.5580574+00:00",
  "expires_at": "2025-03-11T14:23:56.5580575+00:00"
}

Here is how you can leverage the Ephemeral Proxy, a tool that transparently performs detokenization, to share the sensitive cardholder data to the Payments Processor or Acquirer API.

In Checkout.com, you can verify a card without charging it by calling the /payments API.

Verify a Card
curl 'https://api.basistheory.com/proxy' \
-X 'POST' \
-H 'BT-API-KEY: <PRIVATE_API_KEY>' \
-H 'BT-PROXY-URL: https://api.sandbox.checkout.com/payments' \
-H 'Authorization: Bearer <CHECKOUT_SECRET_KEY>' \
-H 'Content-Type: application/json' \
--data '{
  "source": {
    "type": "card",
    "number": "{{ token_intent: d2cbc1b4-5c3a-45a3-9ee2-392a1c475ab4 | json: \"$.data.number\" }}",
    "expiry_month": "{{ token_intent: d2cbc1b4-5c3a-45a3-9ee2-392a1c475ab4 | json: \"$.data\" | card_exp: \"MM\" }}",
    "expiry_year": "{{ token_intent: d2cbc1b4-5c3a-45a3-9ee2-392a1c475ab4 | json: \"$.data\" | card_exp: \"YYYY\" }}",
    "cvv": "{{ token_intent: d96b9925-85d7-495e-88fe-a9c3ecb23b61 | json: \"$.data.cvc\" }}",
    "store_for_future_use": true
  },
  "currency": "USD",
  "processing_channel_id": "pc_svyx12xvaaduraq3ckb2gwnvzq"
}'
Verification Response
{
  "id": "pay_myvj6zxrt45edgrswrliyxbtnq",
  "approved": true,
  "status": "Card Verified",
  "source": {
    "type": "card",
    "id": "src_gguer4xlawke3ctljczft7573a",
    "avs_check": "G",
    "cvv_check": "Y",
    ...
  },
  "scheme_id": "647537243670773",
  ...
}
You are not restricted to the Payment Processors listed above. As long as your partner can accept cards through an API endpoint, you can invoke it using the Ephemeral Proxy.

We are working to add more full-featured processor-specific examples. Please refer to Proxy examples for more request samples.

Don't hesitate to contact us if you need assistance with performing card transactions against a specific processor.

Save a Card

Once a card has been processed for the first time, merchants can store details in the long-term for future use and enable express checkouts, repeat transactions for subscription services, recurring payments and consumption-based charges. Merchants are responsible for obtaining explicit customer consent before saving card details, ensuring compliance with data protection regulations and fostering trust.

To do that, we can convert the Token Intent into a Token, by calling the Create Token API and passing the token_intent_id.

Create Token
curl "https://api.basistheory.com/tokens" \
  -H "BT-API-KEY: <PRIVATE_API_KEY>" \
  -H "Content-Type: application/json" \
  -X "POST" \
  -d '{
    "token_intent_id": "d2cbc1b4-5c3a-45a3-9ee2-392a1c475ab4"
  }'

This operation returns a new or existing persistent Token depending on your fingerprinting and deduplication options:

Token sample
{
  "id": "1cd9c8bf-99fd-4784-ba69-68b15b301019",
  "tenant_id": "74eca6ab-f94d-49bc-9f3c-6144eb3415ac",
  "type": "card",
  "card": {
    "bin": "42424242",
    "brand": "visa",
    "last4": "4242",
    "expiration_month": 12,
    "expiration_year": 2025,
    "funding": "credit",
    "authentication": "sca_required"
  },
  "fingerprint": "BKJYqf2tcvhTHSXN7EvBJLviN3PBYRgwoJgce8VAfnSr",
  "_extras": {
    "deduplicated": false
  },
  ...
}
Click here to learn more about the token conversion behavior.

What you should store in your database:

  1. (Required) The token id, associating it with the rightful customer account.
  2. The card details (brand, last4, expiration_month, and expiration_year) if your plan to use it for things like rendering a stored card to your customer.
  3. The Processor Token if you plan to directly charge that card with the Processor (without going through Basis Theory Proxy).
  4. The Network Transaction identifier returned by the processor during the initial transaction;
    • This allows you to seamlessly charge the card with new processors or acquirers in the future and achieve the best approval rates.
    • Refer to your current processor’s documentation or support for guidance on accessing this value.