Showing results for 
Search instead for 
Did you mean: 

Hosted CIM, validationMode set to none, and automatic ValidateCustomerPaymentProfile transactions

After a frustrating chat with Authorize live support, they directed me here. Hoping someone at Authorize can answer this.


Our application uses the CIM XML to manage customer and payment profiles, as well as issue charges, voids, and refunds against those profiles. When we want to add a card on file for one of our members, we call the createCustomerProfileRequest function, passing along <validationMode>none</validationMode> as required on page 21 of the CIM_XML_guide.pdf: "When you call createCustomerProfileRequest, then you must use a value of none (or leave the value blank) if the request does not include any payment profile information."


Once the customer profile has been added to CIM, we use the Authorize hosted CIM form to collect the cardholder data. We call getHostedProfilePageRequest to get the token, and use the token to forward to Authorize as specified in the docs. Note that there is no validationMode allowed in this request.


When the cardholder data is entered, there is an immediate ValidateCustomerPaymentProfile transaction issued against that CIM payment profile. We didnt ask it to do that, nor do we want it to do that (the point of my question here).


The question:

How do we turn off this validation? If we were not using the CIM hosted form, I assume we would call the createCustomerPaymentProfileRequest function, which does take the validationMode element. We are using the hosted CIM so we are not collecting any cardholder data on our servers at all.


I think the problem is the hosted form (which we have no control over) is submitting the validation request on its own.


Authorize folks -- how can we use the Hosted CIM solution and not run the validation transactions?


Your help is appreciated.




I just looked through the documentation and did a bunch of searches and didn't turn up anything, this is the first time anyone has asked this particular question as far as I know. Guess we have to wait for a mod to weigh in.


Currently, the validation mode cannot be modified when using the hosted CIM forms.  We do appreciate the feedback and will keep it in mind for future updates, but I'm afraid that I can't offer an immediate resolution.


Please provide some workaround for this issue, it is causing several customers (at to not be able to enter their card info because their banks deny transactions under $1 for security reasons (like Paypal does, if I remember correctly).  I was happy to use the hosted CIM solution to keep out of the PCI envelope but if the customers cannot use it then we'll need to do something else (and maybe somewhere else).



Why is this thread marked as solved?  It is clearly not solved.

It solved because the the person who started the thread got his or her answer that at this time, you can not override the validationMode.

I agree that "Solved" is not the best choice of words. The issue is a major problem for us, but we have to file it under the "what can we do about it" category of Authorize issues.


I guess I should post a followup conversation I had with Authorize support about this -- if we would be charged fees for this forced validation call.


Hello, my name is Kristine H. How may I assist you today?

Tim Lux:  I have a very specific question about CIM and our charged fees.

Kristine H:  Sure, no problem.

Tim Lux:  We use *hosted* CIM to collect cardholder data. When a card is saved to a customer profile in CIM using the *hosted* CIM, there is an automatic validateCustomerPaymentProfile call run which charges the card and immediately voids it.

Tim Lux:  I asked on the developer forums if this could be turned off, and the answer was no, it cannot. The hosted CIM cannot turn off the validation. So my question is...

Tim Lux:  When using AIM previously, when we received a new card from a member, we would charge an amount and immediatley void it, causing hundreds of dollars in extra processing fees. Are there ANY processing fees with the required validateCustomerPaymentProfile that the hosted CIM solution runs automatically?

Kristine H:  Your not required to validate the card before its saved in CIM. Your developers would need to read through our CIM integration guide for the information on not sending that request. You will be charged processing fees for any transactions submitted, even the validation of the card before saved in CIM.

Kristine H:  Here is the link to the CIM integration guides. You can provide this link to your developers.

The agent is sending you to

Tim Lux:  you are not listening to me

Tim Lux:  Read this link

Tim Lux:

Tim Lux:  when using the hosted CIM option provides, we have NO CONTROL OVER THE VALIDATION CALL. It just does it. So again, the question is... are we charged any fees for this forced validation?

Kristine H:  You are not charged fees when it validates the profile.

Tim Lux:  We are not charged fees when it validates the payment profile?

Kristine H:  No you are not.

Tim Lux:  OK I will pass that along to our accounting dept to verify in the next statement. Thanks for your time.


If it turns out we are charged fees, my management has already discussed possibilities of a lawsuit. Will let you know.




The most you'll get out of that is your transaction fees back and perhaps (if you're very lucky) the cost of developing your web site to work with Lawyer fees will eat that in the first week. Seems to me that bad press would have more of a point than a lawsuit.

I think she got it wrong. That why most of the time they will said to go the forum for developer issue.

Not sure about the lawsuit, did you save the eula when you signup the CIM? It will be interested to see what in it. And I don't think it is a fee from but a fee from the merchant bank.


If you are doing AIM before, why use the hosted CIM?

We were using AIM before, however, so we can be fully PCI compliant on our end, we moved to hosted CIM. That gets us out of transmitting or collecting the cardholder data altogether. Our applications actually integrate with several other companies (Sage, Beanstream are a couple) that offer similiar solutions to Authorize's CIM.


I don't have any faith the rep I chatted with was correct about there not being any fees. That's one issue. The second is if there are fees, we are forced to encounter them based on how Authorize has (or has not) setup their CIM product.