
Add Feature To Validate Card Expiration and CVV/CVC Code

Open volomike opened this issue 7 years ago • 2 comments

According to your documentation:

"Accept.js contains built-in data type validation for these fields. While Accept.js validates the data, it doesn’t do any authorization of the card number or any check to see if the expiration date, postal code, or card code are correct for that card. Those steps will happen later in the process when you submit the payment nonce as part of a transaction request." SOURCE: https://developer.authorize.net/api/reference/features/acceptjs.html#Integrating_Accept.js_into_Your_Payment_Form

This becomes a problem on subscriptions. On payments, you see an immediate failure right away when that Accept.js nonce tries to execute a charge. Not so on subscriptions, at least immediately like payments. So, I can set up a subscription with a bad expiration date and bad CVV/CVC code, and if my receipt does something like issue a software license key, then my customer can use the product. But then, when that first charge happens on the 20th of the month, and fails, a webhook fires and tells my license server that the payment failed and thus the software license should be cancelled. Okay, fine, but there's a whole lot of confusion there because a customer will tell us that they paid, that their card was accepted, but their software product became unlicensed for some unknown reason. Sure, our call center reps can chase the transaction down and see that their card failed. However, the customer will ask why the card was accepted in the first place if it had a bad expiration date or CVV/CVC code on it.

I propose that you change Accept.js so that you check card expirations and CVV/CVC codes as well.

volomike, Mar 20 '19 05:03

Hi, thank you for your interest in our product.

Firstly, I would like to clear one thing up so that we are on the same page. The payment nonce generated by Accept.js is valid for 15 minutes.

If you want to have a subscription system on your servers, then you cannot store the same Accept.js payment nonce as it will expire in 15 minutes. You can probably store the card information on your systems (while maintaining PCI compliance) but then you would need to regenerate the Accept.js payment nonce every time you want to do a charge for the subscription. This again defaults to a normal payment transaction.

If you want to use our Automated Recurring Billing feature for managing your subscriptions, then you will need to store the card information on our servers (to avoid PCI non-compliance). This process does perform a check on the expiration date and card code when you create the subscription. In this case, you do not need to use Accept.js to generate a payment nonce.

Hope this helps!

gnongsie, Mar 20 '19 09:03

"I propose that you change Accept.js so that you check card expirations and CVV/CVC codes as well."

Is this planned?

boylec, Oct 12 '22 21:10
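
An added example (not part of the thread and not Authorize.Net's code) of the part of this request a payment page can do for itself before calling Accept.js: reject an expiration month that has already passed and a card code of the wrong length. `precheckCard` and its helpers are hypothetical names, and the field names follow the Accept.js `cardData` object; whether the values are correct for the card is still only decided when the transaction or subscription is processed.

```javascript
// Added example, not Authorize.Net code. precheckCard is a hypothetical helper.
// It catches only what a browser can know: an expiry that has already passed
// and a card code of the wrong shape. It cannot tell whether either value
// matches the card; only the processor can.

function expiryError(month, year, now) {
  if (!/^\d{1,2}$/.test(month) || !/^(\d{2}|\d{4})$/.test(year)) {
    return "expiration must be numeric MM and YY or YYYY";
  }
  const m = Number(month);
  if (m < 1 || m > 12) return "expiration month must be 01-12";
  // Assumption: two-digit years are read as 20YY.
  const y = year.length === 2 ? 2000 + Number(year) : Number(year);
  // A card is usable through the last day of its expiry month. Month index m
  // (0-based) is the following month; day 2 leaves one day of slack so a
  // customer west of UTC is not rejected early. Date.UTC rolls 12 into January.
  const firstInvalid = Date.UTC(y, m, 2);
  return now.getTime() >= firstInvalid ? "card has expired" : null;
}

function cardCodeError(cardNumber, cardCode) {
  const digits = cardNumber.replace(/[\s-]/g, "");
  // American Express (prefix 34 or 37) uses a 4-digit code; other brands use 3.
  const expected = /^3[47]/.test(digits) ? 4 : 3;
  return new RegExp(`^\\d{${expected}}$`).test(cardCode)
    ? null
    : `card code must be ${expected} digits for this card`;
}

// cardData uses the Accept.js field names: cardNumber, month, year, cardCode.
function precheckCard(cardData, now = new Date()) {
  const errors = [];
  const e1 = expiryError(String(cardData.month), String(cardData.year), now);
  const e2 = cardCodeError(String(cardData.cardNumber), String(cardData.cardCode));
  if (e1) errors.push(e1);
  if (e2) errors.push(e2);
  return errors; // empty array: nothing locally wrong, hand cardData to Accept.js
}
```

An empty result means only that nothing is locally wrong; a license or other entitlement should still wait for the processor's response.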