We are currently updating our front-end to be fully PCI compliant (i.e. no sensitive data will flow through our network) using the Accept.js method.
The only remaining issue seems to be with sending CVV information when updating an existing payment profile. Per
https://developer.authorize.net/api/reference/features/acceptjs.html
In order to create a payment nonce, the Accept.dispatchData() method will only accept a full CC number. However, if the user is only updating the expiration date we would still like the user to enter the CVV number, as it has probably changed if the expiration date has changed.
On the server side I've been able to successfully use the masked card number and CVV only to update the CC profile.
    final PaymentType payment = objectFactory.createPaymentType();
    anetapi.xml.v1.schema.anetapischema.CreditCardType creditCard = objectFactory.createCreditCardType();
    creditCard.setCardNumber("XXXX0012");    // masked number as returned by Authorize.Net: last four digits only
    creditCard.setExpirationDate("2030-10"); // YYYY-MM
    creditCard.setCardCode("900");           // CVV: the value we do not want to have crossing our network
    payment.setCreditCard(creditCard);
    paymentProfile.setPayment(payment);
However for this to work the CVV number would have to be sent over our network which we want to avoid. Shouldn't Accept.dispatchData() also accept masked CC numbers for this use case?
Otherwise what should we do?
Thanks
08-29-2016 10:07 AM
I should add that we don't want to force the end user to enter the CC number just to change the expiration date and enter the CVV. That would also give the user an opportunity to completely change which card is associated with the payment profile, which we feel could be more confusing.
Thanks
08-29-2016 11:47 AM
Hello @blackbeltdev
Accept.js cannot be used to collect just the expiration date. You can collect and update the expiration date only without any significant PCI ramifications using UpdateCustomerProfile request.
Richard
08-29-2016 03:27 PM
Hi Richard,
Let me make sure I understand you fully. So here's the scenario:
1) You add a new card to the system: Card #1234... which expires 1/1/2016 with CVV 123.
2) You are able to make purchases using normal ANET calls (create auth transaction, etc. via the SOAP CIM API)
3) Your card expires and the bank sends you a new card (same Card #1234... but with a new expiration date of 1/1/2017 and new CVV of 456)
If the user updates their profile (via UpdateCustomerProfile XML API) and only updates the expiration date, i.e.
    final PaymentType payment = objectFactory.createPaymentType();
    anetapi.xml.v1.schema.anetapischema.CreditCardType creditCard = objectFactory.createCreditCardType();
    creditCard.setCardNumber("XXXX0012");    // masked number only, no full PAN
    creditCard.setExpirationDate("2030-10"); // YYYY-MM; no setCardCode() call, so no CVV is sent
    payment.setCreditCard(creditCard);
Will they be able to create new auth transactions (e.g. SOAP CIM API) without any further action even though the CVV has changed?
Thanks!
08-29-2016 03:58 PM
I never got an answer to my last question.
Thanks
09-07-2016 03:04 PM
Hello @blackbeltdev
In #3, if you simply create a new transaction using the updated profile, the CVV is not sent since it is never stored by Authorize.Net.
Richard
09-07-2016 05:21 PM
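An added example (not code from this thread or from the Authorize.Net SDK) of the expiration-only update Richard describes, written against the XML API rather than the Java classes above: it builds an updateCustomerPaymentProfileRequest that carries only the masked card number and the new date, and adds an outbound gate that rejects any CIM request still carrying a cardCode or an unmasked PAN. The element layout follows the API reference; the credentials and profile ids are placeholders.

```python
import re
import xml.etree.ElementTree as ET

ANET_NS = "AnetApi/xml/v1/schema/AnetApiSchema.xsd"  # XML API namespace from the API reference
MASKED_PAN = re.compile(r"^XXXX\d{4}$")  # masked PAN as stored in a profile: "XXXX" + last four

def q(tag):  # qualify a tag name with the API namespace
    return "{%s}%s" % (ANET_NS, tag)

def build_expiry_update(customer_profile_id, payment_profile_id, masked_card_number,
                        expiration_date, api_login_id="API_LOGIN_ID_PLACEHOLDER",
                        transaction_key="TRANSACTION_KEY_PLACEHOLDER"):
    """Build an updateCustomerPaymentProfileRequest that changes only the expiration
    date. A full card number or a card code (CVV) can never get into this request."""
    if not MASKED_PAN.match(masked_card_number):
        raise ValueError("only the masked card number (XXXX + last four) may be sent")
    if not re.fullmatch(r"\d{4}-\d{2}", expiration_date):
        raise ValueError("expirationDate must be YYYY-MM")
    root = ET.Element(q("updateCustomerPaymentProfileRequest"))
    auth = ET.SubElement(root, q("merchantAuthentication"))
    ET.SubElement(auth, q("name")).text = api_login_id
    ET.SubElement(auth, q("transactionKey")).text = transaction_key
    ET.SubElement(root, q("customerProfileId")).text = customer_profile_id
    profile = ET.SubElement(root, q("paymentProfile"))
    card = ET.SubElement(ET.SubElement(profile, q("payment")), q("creditCard"))
    ET.SubElement(card, q("cardNumber")).text = masked_card_number
    ET.SubElement(card, q("expirationDate")).text = expiration_date
    # No <cardCode> element is ever emitted: the CVV must not cross this server.
    ET.SubElement(profile, q("customerPaymentProfileId")).text = payment_profile_id
    return ET.tostring(root, encoding="unicode", default_namespace=ANET_NS)

def carries_cardholder_secrets(xml_text):
    """Outbound gate for any CIM request: True if it carries a CVV or an unmasked PAN."""
    root = ET.fromstring(xml_text)
    if root.find(".//" + q("cardCode")) is not None:
        return True
    return any(not MASKED_PAN.match(n.text or "") for n in root.iter(q("cardNumber")))

def is_rejected(masked_card_number, expiration_date):
    """True if build_expiry_update refuses these inputs (shows the guard firing)."""
    try:
        build_expiry_update("10000", "20000", masked_card_number, expiration_date)
        return False
    except ValueError:
        return True

# Constructed sample (not real data): the same request with a CVV smuggled in.
CONSTRUCTED_CVV_REQUEST = build_expiry_update("10000", "20000", "XXXX0012", "2030-10").replace(
    "<expirationDate>", "<cardCode>900</cardCode><expirationDate>")
```

Running the gate on every outbound CIM request is what keeps the server out of CVV scope even if a front-end change later starts posting the card code again.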
Thanks. I kind of figured that would be OK, but since we sent the CVV when the CC was added initially I wasn't sure if that would put it in a different "validation" state of some kind. I understand it is a violation to store this number.
09-12-2016 01:30 PM
I know this post is quite dated but just to confirm, if you want to update the expiration date only then there is no need to update the CVV and if you make a call to updateCustomerPaymentProfileRequest and only pass the expiration date (not the CVV) then this is still PCI-compliant?
03-12-2018 05:48 PM