Should I use Microsoft's CreditCardAttribute to validate credit card numbers like so?
[Required, CreditCard]
public string CreditCardNumber { get; set; }
Or should I let the payment gateway handle it, or do something else? I ask this after discovering some customers have been unable to submit payment with their credit card information. Fortunately, I was able to work with one of these customers, and found that their Visa card was processed without a problem after removing the CreditCardAttribute.
In part, this question is rhetorical, but I would like to benefit from other developers' thoughts and experiences, and make other developers aware of the risks of using the CreditCardAttribute by asking the question.
In the code behind the credit card attribute, it is simply performing a Luhn check.
All payment cards(*) currently follow the ISO/IEC 7812 standard, which has a Luhn check digit as the final digit.
This Luhn check is simply used to prevent transpositional errors though. It is useful as a sanity check prior to submitting card numbers to a payment gateway, but not suitable to absolutely validate whether a number is a valid card number.
Valid card number ranges change monthly, and the only way to absolutely verify a number is to validate it via a payment gateway. If only attempting to validate a card (rather than charge it) this should be done with a zero value 'authorisation only' style check.
(*) The only exception to this is a card type in China known as China UnionPay
(Historically there was also a Diners Club 'enRoute' brand which was withdrawn in 1992)
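The Luhn sanity check the answer above describes, written out as an added example (it is not part of the original answer and not Microsoft's CreditCardAttribute source). The class name, the result enum and the 12-digit lower bound are assumptions, and the sample numbers are constructed test inputs.

```csharp
using System;
using System.Linq;

// Added example: a pre-submission Luhn sanity check (hypothetical helper).
public static class CardSanityCheck
{
    public enum Result { Malformed, FailsLuhn, PassesLuhn }

    public static Result Check(string input)
    {
        if (string.IsNullOrWhiteSpace(input)) return Result.Malformed;

        // Assumption: spaces and dashes are the only separators users type.
        string digits = input.Replace(" ", "").Replace("-", "");

        // ISO/IEC 7812 allows up to 19 digits; the lower bound of 12 is an assumption.
        // ASCII range test on purpose: char.IsDigit also accepts non-ASCII digits.
        if (digits.Length < 12 || digits.Length > 19 ||
            !digits.All(c => c >= '0' && c <= '9'))
            return Result.Malformed;

        int sum = 0;
        bool doubleIt = false; // the rightmost (check) digit is not doubled
        for (int i = digits.Length - 1; i >= 0; i--)
        {
            int d = digits[i] - '0';
            if (doubleIt)
            {
                d *= 2;
                if (d > 9) d -= 9; // same as adding the two digits of the product
            }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0 ? Result.PassesLuhn : Result.FailsLuhn;
    }

    public static void Main()
    {
        // Constructed inputs, none of them real card numbers.
        string[] samples =
        {
            "4242 4242 4242 4242", // widely published gateway test number
            "4242-4242-4242-4224", // same number with the last two digits transposed
            "0000 0000 0000 0000", // no issuer uses this range
            "4242x4242x4242x4242"  // unexpected separator character
        };
        foreach (string s in samples)
            Console.WriteLine($"{s,-22} {Check(s)}");
    }
}
```

`PassesLuhn` only means no typing error was detected; treat it as permission to send the number to the gateway, and treat `FailsLuhn` as a prompt to re-enter rather than a hard rejection if customers report valid cards being refused.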