Hi All,
We are using {createCustomerProfileRequest} to add Customer profiles and {createCustomerPaymentProfileRequest} method to add customer payment profiles.
Now my question is if we want to use {createTransactionRequest} to charge that customer's profile how should we pass CVV for each transaction?
Thanks
09-10-2018 03:18 PM
Hi @shah9il
You can pass it along with the paymentProfileID as below
<profile>
  <customerProfileId>27388924</customerProfileId>
  <paymentProfile>
    <paymentProfileId>25000332</paymentProfileId>
    <cardCode>123</cardCode>
  </paymentProfile>
</profile>
Check the Request fields under https://developer.authorize.net/api/reference/index.html#payment-transactions-charge-a-customer-prof...
Thanks
09-10-2018 04:05 PM
Are you saying that we have to store the CCV/CVC value ourselves and send that through every time we want to charge a payment profile?
This surely violates PCI compliance rules and goes against the point of the customer pay profile mechanism?
I ask because I have a similar-sounding setup detailed in my question here: https://community.developer.authorize.net/t5/Integration-and-Testing/AcceptJS-not-passing-through-CV...
10-04-2018 04:22 PM
If you have found the solution, can you help with what will be the PHP code for this?
08-09-2019 06:21 AM - edited 08-09-2019 06:21 AM
The logic and process we have decided to implement is to validate the CVV and AVS at the time we create the Customer Payment Profile. The CVV will not change if the credit card is still valid (i.e. if the credit card is not expired). I suppose there is the possibility that if the user has lost their credit card and a new credit card is issued, then the CVV will change and the stored profile will not contain a valid CVV.
I don't think this happens very often and of how often that may occur, how likely is it that the credit card is compromised and used on your website or in your app? If the user attempts to update their credit card we also validate the CVV and AVS responses, so I think the only loophole would be if the credit card has been lost and the CVV is changed. A new CVV is issued when the credit card has expired, but we will not let the user charge a credit card with an expiration in the past.
This seems to be the trade off. You, as the merchant, offload all PCI responsibility to Authorize.net, so that the merchant is not taking on the extra PCI scrutiny and staying in a lower PCI level.
This approach requires the fraud filter restrictions to be altered, which require a CVV to be present only when it is provided. We only check CVV when we create or update a Customer Payment Profile, which is when we ask the user to provide all relevant data to store a Customer Payment Profile in CIM.
CCV Handling Filter:
Tools → Fraud Detection Suite → Enhanced CCV Handling Filter
Change this setting:
P is NOT Processed from Decline → Allow
Our Enhanced Card Code Verification settings:
N Does NOT Match → Decline
P is NOT Processed → Allow
S Should be on card, but is not indicated → Decline
U Issuer is not certified or has not provided encryption key → Decline
This means that when you charge a Customer Payment Profile and the CVV is not provided, the transaction will not trigger the filter (Authorize.net's response is P). This way you won't have to store the CVV or ask the client for a CVV every time there is a purchase. If you want to be safe and validate the CVV every time, you would have to ask the client to provide it as it violates PCI compliance to store a CVV. I suppose you could ask in a pop-up for the CVV. I have seen this implemented in websites, but it doesn't provide a very friendly user experience.
I hope this helps! If you have another solution, I would love to hear about it.
08-07-2020 10:35 AM
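An added example, not code from any poster in this thread or from Authorize.net: it builds the charge request around the `<profile>` block from the accepted answer, treats `cardCode` as an optional value taken from the shopper's current form post and never stored, masks it before logging, and applies the card-code filter settings listed in the post above. Assumptions: the credentials and amount are placeholders, the elements outside `<profile>` follow the public API reference, and the handling of `M` and of unknown result codes is this example's choice.

```python
import copy
import xml.etree.ElementTree as ET

NS = "AnetApi/xml/v1/schema/AnetApiSchema.xsd"
SENSITIVE = {"cardCode", "transactionKey"}  # never written to logs or storage
# Card-code result -> action, from the filter settings quoted in the post.
# "M" (match) is not in that list; allowing it is an assumption of this example.
CVV_POLICY = {"M": "allow", "N": "decline", "P": "allow", "S": "decline", "U": "decline"}


def build_charge_request(login_id, transaction_key, amount,
                         customer_profile_id, payment_profile_id, card_code=None):
    """Build createTransactionRequest for a stored profile; card_code is optional
    and must come straight from the shopper's current form post."""
    root = ET.Element("createTransactionRequest", xmlns=NS)
    auth = ET.SubElement(root, "merchantAuthentication")
    ET.SubElement(auth, "name").text = login_id
    ET.SubElement(auth, "transactionKey").text = transaction_key
    txn = ET.SubElement(root, "transactionRequest")
    ET.SubElement(txn, "transactionType").text = "authCaptureTransaction"
    ET.SubElement(txn, "amount").text = amount
    profile = ET.SubElement(txn, "profile")
    ET.SubElement(profile, "customerProfileId").text = customer_profile_id
    pay = ET.SubElement(profile, "paymentProfile")
    ET.SubElement(pay, "paymentProfileId").text = payment_profile_id
    if card_code is not None:
        if not (card_code.isascii() and card_code.isdigit() and len(card_code) in (3, 4)):
            raise ValueError("card code must be 3 or 4 ASCII digits")
        ET.SubElement(pay, "cardCode").text = card_code
    return root


def redacted_for_log(root):
    """Serialize a copy of the request with secrets masked; the original is untouched."""
    clone = copy.deepcopy(root)
    for el in clone.iter():
        if el.tag in SENSITIVE:
            el.text = "***"
    return ET.tostring(clone, encoding="unicode")


def cvv_action(result_code):
    """Map a card-code result to allow/decline; unknown codes fail closed (assumption)."""
    return CVV_POLICY.get(result_code, "decline")


if __name__ == "__main__":
    # Constructed sample: IDs from the thread, placeholder credentials and amount.
    req = build_charge_request("LOGIN_ID", "TXN_KEY", "10.00", "27388924", "25000332", "123")
    print(redacted_for_log(req))
    print(cvv_action("P"), cvv_action("N"))
```

Calling `build_charge_request` without `card_code` omits the element entirely, which is the case the post's `P` setting is meant to allow.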
Hi,
Were you actually able to get this to work? I tried your suggested settings with no luck. We are using the API to try to create/charge CIM and if the filter is turned on and CVV check box required on form we cannot submit CIM payments without recollecting CVV and if I uncheck the required box the CVV doesn't get validated.
05-29-2021 11:58 AM