Accept.js - duplicate detection and CVV code

We have encountered a problem in the sandbox and live gateway that the CVV code does not work as expected regarding duplicate transaction checking. If a customer enters an invalid CVV code and submits the payment, the attempt is declined as expected (according to the merchant's CVV settings). If the customer then immediately corrects the CVV code and submits the payment again, the customer sees the duplicate transaction error message. The customer then has to wait for the duplicate transaction window to expire (120 seconds by default, we believe) and then attempt the payment again. We have not found any other fields that cause the same issue. If we enter an invalid credit card number and then we correct the card number, the second attempt is not considered a duplicate. If we enter an invalid zip code and then correct the zip code, the second attempt is not considered a duplicate.


Due to the CVV/duplicate detection issue, we are lowering our duplicate detection window to 10 seconds (and we'd like to leave this at the default value).

willimus
Member
Accepted Solutions

Hi @willimus,

What you've reported isn't something you'd see only with Accept.js, but with all uses of the API. As part of PCI-DSS requirements, the card code can't be stored by anyone in the process of using that card, so we don't store it either. Since we don't store it, we have nothing to compare the card code in the subsequent transaction to. The workaround is as you've described: Either lowering the duplicate window for the account, or sending duplicateWindow set to a low value for transactions using the card code.

I'd love to find a way around this for the future, though. I don't know for sure that the PCI-DSS requirements would permit this, but I'd love to instead compare a hash of the first transaction including card code to a hash of the subsequent transaction.

I'd encourage you to post this onto our Ideas Forum where others can take a look, contribute feedback, and vote for new features. That can help make a stronger case for such an improvement in the future.

Aaron
All Star
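
One way to apply the per-transaction workaround from the answer above, shown as an added example that is not part of the original thread or Authorize.Net's own code: the server lowers `duplicateWindow` only when the previous attempt for the order was a card code decline, so every other payment keeps the account default. The helper names, the `cvvResultCode === "N"` check used to recognize that decline, and all sample values are assumptions constructed for illustration; nothing is sent over the network.

```javascript
// Added example: builds the createTransactionRequest JSON body only.
const RETRY_WINDOW_SECONDS = 10; // the lowered value mentioned in the original post

// Constructed sample of a prior declined response (not real gateway output).
const SAMPLE_DECLINE = {
  transactionResponse: { responseCode: "2", cvvResultCode: "N" },
};

// Hypothetical helper: true when the previous attempt was declined (responseCode "2")
// and the card code result was "no match" (cvvResultCode "N"; assumed mapping).
function wasCardCodeDecline(prev) {
  const tr = prev && prev.transactionResponse;
  return Boolean(tr && tr.responseCode === "2" && tr.cvvResultCode === "N");
}

// Hypothetical helper: opaqueData is the { dataDescriptor, dataValue } pair returned
// by Accept.js; the caller supplies a fresh one for each attempt.
function buildChargeRequest({ auth, amount, invoiceNumber, opaqueData, previousResponse }) {
  const transactionRequest = {
    transactionType: "authCaptureTransaction",
    amount: amount,
    payment: { opaqueData: opaqueData },
    order: { invoiceNumber: invoiceNumber },
  };
  // Only the retry after a card code decline gets a shorter window; the first
  // attempt omits transactionSettings so the account-level default still applies.
  if (wasCardCodeDecline(previousResponse)) {
    transactionRequest.transactionSettings = {
      setting: [
        { settingName: "duplicateWindow", settingValue: String(RETRY_WINDOW_SECONDS) },
      ],
    };
  }
  return {
    createTransactionRequest: {
      merchantAuthentication: auth,
      transactionRequest: transactionRequest,
    },
  };
}
```
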
2 REPLIES

Hello, how were you able to lower the detection window? I can't seem to find this in the docs. Thank you