https://community.developer.cybersource.com/t5/Integration-and-Testing/Update-Payment-Profile-with-CVV-using-Accept-js-method/m-p/62088#M36463 <P>I know this&nbsp;post is quite dated but just to confirm, if you want to update the expiration date only then there is no need to update the CVV and if you make a call to&nbsp;<EM>updateCustomerPaymentProfileRequest&nbsp;</EM>and only pass the expiration date (not the CVV) then this is still PCI-compliant?</P> Tue, 13 Mar 2018 00:48:03 GMT blackwood821 2018-03-13T00:48:03Z https://community.developer.cybersource.com/t5/Integration-and-Testing/Update-Payment-Profile-with-CVV-using-Accept-js-method/m-p/55585#M30452 <P>We are currently updating our front-end to be fully PCI compliant (i.e. no sensitive data will flow through our network) using the Accept.js method.</P><P>&nbsp;</P><P>The only remaining issue seems to be with sending CVV information when updating an existing payment profile. Per</P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://developer.authorize.net/api/reference/features/acceptjs.html" target="_blank">https://developer.authorize.net/api/reference/features/acceptjs.html</A></P><P>&nbsp;</P><P>In order to create a payment nonce the Accept.dispatchData() method will only accept a full CC number. However if the user is only updating the expiration date we would still like the user to enter the CVV number as it has probably changed if the expriation date has changed.&nbsp;</P><P>&nbsp;</P><P>On the server side I've been able to successfully use the masked card number and CVV only to update the CC profile.</P><P>&nbsp;</P><PRE> final PaymentType payment = objectFactory.createPaymentType(); anetapi.xml.v1.schema.anetapischema.CreditCardType creditCard = objectFactory.createCreditCardType(); creditCard.setCardNumber("XXXX0012"); creditCard.setExpirationDate("2030-10"); creditCard.setCardCode("900"); payment.setCreditCard(creditCard); paymentProfile.setPayment(payment);</PRE><P>However for this to work the CVV number would have to be sent over our network which we want to avoid. Shouldn't Accept.dispatchData() also accept masked CC numbers for this use case?</P><P>&nbsp;</P><P>Otherwise what should we do?</P><P>&nbsp;</P><P>Thanks</P> Mon, 29 Aug 2016 17:07:50 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Update-Payment-Profile-with-CVV-using-Accept-js-method/m-p/55585#M30452 blackbeltdev 2016-08-29T17:07:50Z https://community.developer.cybersource.com/t5/Integration-and-Testing/Update-Payment-Profile-with-CVV-using-Accept-js-method/m-p/55588#M30455 <P>I should add that we don't want to force the end user to enter the CC number just to change the expiration date and enter the CCV. That would also give the user an opportunity to completely change which card is associated with the payment profile which we feel could be more confusing.</P><P>&nbsp;</P><P>Thanks</P> Mon, 29 Aug 2016 18:47:56 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Update-Payment-Profile-with-CVV-using-Accept-js-method/m-p/55588#M30455 blackbeltdev 2016-08-29T18:47:56Z https://community.developer.cybersource.com/t5/Integration-and-Testing/Update-Payment-Profile-with-CVV-using-Accept-js-method/m-p/55598#M30465 <P>Hello&nbsp;<a href="https://community.developer.cybersource.com/t5/user/viewprofilepage/user-id/14211">@blackbeltdev</a></P> <P>&nbsp;</P> <P>Accept.js cannot be used to collect just the expiration date. &nbsp;You can collect and update the expiration date&nbsp;only without any significant PCI ramifications&nbsp;using UpdateCustomerProfile request.</P> <P>&nbsp;</P> <P>Richard&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 29 Aug 2016 22:27:57 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Update-Payment-Profile-with-CVV-using-Accept-js-method/m-p/55598#M30465 RichardH 2016-08-29T22:27:57Z https://community.developer.cybersource.com/t5/Integration-and-Testing/Update-Payment-Profile-with-CVV-using-Accept-js-method/m-p/55600#M30467 <P>Hi Ricard,</P><P>&nbsp;</P><P>Let me make sure I understand you fully. So here's the scenario:</P><P>&nbsp;</P><P>1) You add a new card to the system: Card #1234... which&nbsp;expires 1/1/2016 with CVV 123.</P><P>2) You are able to make purchases using normal ANET calls (create auth transaction, etc. via <SPAN>the SOAP CIM API)</SPAN></P><P>3) Your card expires and bank sends you new card (same Card #1234... but with new expiration date of 1/1/201 7and new CVV of456)</P><P>&nbsp;</P><P>If the user updates their profile (via&nbsp;<SPAN>UpdateCustomerProfile XML API) and only updates the expiration&nbsp;date, i.e.</SPAN></P><P>&nbsp;</P><PRE> final PaymentType payment = objectFactory.createPaymentType(); anetapi.xml.v1.schema.anetapischema.CreditCardType creditCard = objectFactory.createCreditCardType(); creditCard.setCardNumber("XXXX0012"); creditCard.setExpirationDate("2030-10"); payment.setCreditCard(creditCard);</PRE><P>Will they be able to create new auth transactions (e.g. SOAP CIM API) without any further action even though the CVV has changed?</P><P>&nbsp;</P><P>Thanks!</P> Mon, 29 Aug 2016 22:58:20 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Update-Payment-Profile-with-CVV-using-Accept-js-method/m-p/55600#M30467 blackbeltdev 2016-08-29T22:58:20Z https://community.developer.cybersource.com/t5/Integration-and-Testing/Update-Payment-Profile-with-CVV-using-Accept-js-method/m-p/55683#M30528 <P>I never got an answer to my last question.</P><P>&nbsp;</P><P>Thanks</P> Wed, 07 Sep 2016 22:04:12 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Update-Payment-Profile-with-CVV-using-Accept-js-method/m-p/55683#M30528 blackbeltdev 2016-09-07T22:04:12Z https://community.developer.cybersource.com/t5/Integration-and-Testing/Update-Payment-Profile-with-CVV-using-Accept-js-method/m-p/55685#M30529 <P>Hello&nbsp;<a href="https://community.developer.cybersource.com/t5/user/viewprofilepage/user-id/14211">@blackbeltdev</a></P> <P>&nbsp;</P> <P>In #3, if you simply create a new transaction using the updated profile, the CVV is not sent since it is never stored by Authorize.Net.</P> <P>&nbsp;</P> <P>Richard</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 08 Sep 2016 00:21:21 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Update-Payment-Profile-with-CVV-using-Accept-js-method/m-p/55685#M30529 RichardH 2016-09-08T00:21:21Z https://community.developer.cybersource.com/t5/Integration-and-Testing/Update-Payment-Profile-with-CVV-using-Accept-js-method/m-p/55719#M30562 <P>Thanks. I kind of figured that was what would be ok&nbsp;but since we sent the CVV when the CC was added initially I wasn't sure if that would put in a different "validation" state of some kind. I understand it is a violation to store this number.</P><P>&nbsp;</P> Mon, 12 Sep 2016 20:30:48 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Update-Payment-Profile-with-CVV-using-Accept-js-method/m-p/55719#M30562 blackbeltdev 2016-09-12T20:30:48Z https://community.developer.cybersource.com/t5/Integration-and-Testing/Update-Payment-Profile-with-CVV-using-Accept-js-method/m-p/62088#M36463 <P>I know this&nbsp;post is quite dated but just to confirm, if you want to update the expiration date only then there is no need to update the CVV and if you make a call to&nbsp;<EM>updateCustomerPaymentProfileRequest&nbsp;</EM>and only pass the expiration date (not the CVV) then this is still PCI-compliant?</P> Tue, 13 Mar 2018 00:48:03 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Update-Payment-Profile-with-CVV-using-Accept-js-method/m-p/62088#M36463 blackwood821 2018-03-13T00:48:03Z