Where the card was issued vs where the request came from
The first 6–8 digits of a card number — the BIN, or IIN — identify the issuing bank and therefore its country. Compare that to the country the request’s IP resolves to. A Nigerian card presented from a Pakistani IP is not proof of fraud, but it is a strong, cheap signal worth a second look.
Why geo APIs miss it
A plain geolocation API turns an IP into a place and stops there. It has no concept of a card, so it cannot compare the two. Surfacing the mismatch requires understanding payments, not just networks — which is exactly the seam a commerce-intelligence API sits on.
Use it as a signal, not a verdict
Mismatch is three-valued: true, false, or unknown when either side can’t be resolved. Feed it into a score alongside VPN and datacenter detection; keep your own threshold and your own party-level screening. Never send a full card number anywhere to compute it — the BIN is enough.
Keep reading_
More from the blog
Why JPY has no decimal places — and what it costs you to get wrong
Treating a zero-decimal currency like a two-decimal one is a 100× error. Here is why minor units differ, and how to stop assuming.
Read postCentral-bank FX vs reseller rates: provenance you can name
When you quote a customer an exchange rate, can you say where it came from? Central-bank rates are public, free and defensible.
Read post