A place for community members to contribute product ideas and suggestions.
Have your own great idea for a new API feature, or maybe a suggested improvement to an existing one? Share it and become a god of the developer world.
Just posting here in case someone finds my post before wasting further time on this issue.
I have an app that uses authnet's API to take payments. I also use their fraud detection suite, specifically for many of the IP address-related filters (velocity, shipping mismatch, regional blocking, etc). I'd been conducting business like normal for some time, no issues. I recently had my web host enable IPv6 for my site to get the benefits it provides for mobile shoppers who often see faster performance over v6 due to not having to go through carrier NAT for IPv4 in high density areas. Everything seemed like it was working fine initially, but then I heard from a customer who could not pay.
After some debugging, we found that my payment code was populating the authorize.net API field customerIP / x_customer_ip with the customer's IP, which is obviously what it is intended for. I was populating it with both IPv4 and IPv6 addresses. The field is only usable for IPv4; if you pass IPv6, it will decline the transaction.
What's worse is that since I have fraud suite features enabled, I have to pass an IP. So what to do for an IPv6 shopper? I can't pass a placeholder IPv4 address, such as always passing my site's own IP when the shopper is IPv6, because I'd end up triggering the velocity filter. So I ended up having to go back to not having my site IPv6 enabled.
I found someone asking about IPv6 and that field as far back as 2011, and authnet still hasn't caught on. Comcast is IPv6-enabled nationwide, as is nearly every 4g cell network, so this isn't just a fringe customer base I'm wanting to support.
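A pre-flight check for the situation in the post above, added here as an illustration (not part of the original post and not Authorize.net code). It takes the post's report that customerIP accepts only IPv4 as given, and goes one step further than the post by unwrapping IPv4-mapped IPv6 addresses, which dual-stack listeners report for IPv4 clients; the function names and sample addresses are hypothetical.

```python
import ipaddress
from typing import Dict, List, Optional


def customer_ip_for_gateway(remote_addr: str) -> Optional[str]:
    """Return an IPv4 string that can be sent as customerIP, or None.

    None means the shopper is on native IPv6 (or the value is not an IP
    address at all) and the caller must handle that before submitting,
    instead of discovering it as a declined transaction.
    """
    text = remote_addr.strip().strip("[]")  # tolerate the "[2001:db8::1]" form
    text = text.split("%", 1)[0]            # drop an IPv6 zone id if present
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    if addr.version == 4:
        return str(addr)
    # A dual-stack socket reports an IPv4 client as ::ffff:a.b.c.d. Unwrapping
    # keeps the shopper's real address in front of the IP-based fraud filters,
    # which a placeholder address would not.
    mapped = addr.ipv4_mapped
    return str(mapped) if mapped is not None else None


def classify(addresses: List[str]) -> Dict[str, Optional[str]]:
    """Map each raw address to the value that would be sent (None = cannot send)."""
    return {a: customer_ip_for_gateway(a) for a in addresses}


# Constructed sample addresses from the documentation ranges.
SAMPLES = ["198.51.100.23", "::ffff:203.0.113.7", "2001:db8::42", "not-an-ip"]

if __name__ == "__main__":
    for raw, value in classify(SAMPLES).items():
        print(f"{raw!r:24} -> {value}")
```
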
Currently, to avoid most PCI compliance, the hosted CIM is the suggested solution. The problem with this solution is that it is very clunky and does not integrate well with any custom interface. It uses an Iframe solution in which you have no control over the appearance of the form fields.
Idea: A read-only key that can be generated specifically for the Transaction Details API.
We are developing an app that only uses the Transaction Details API.
Which means we are only reading information.
From a liability standpoint, we want to avoid saving a write-capable transaction key.
Ideally a separate "read-only" transaction key could be created when a user turns on the Transaction Details API.
As we build out our integration we noticed it would be nice to have some additional search types added to the getCustomerPaymentProfileListRequest endpoint. The most useful for us would be to search by customerProfileID. Also an expiration date range would be nice along with a paymentType (credit card or bank account).
A future request I could see is having the ability to have multiple searchTypes like customerProfileID and an expiration month/year or range, or customerProfileID and paymentType.
A customer on my site just attempted to place an order with a valid Discover card number that is 19 digits long. Apparently, Discover and Visa have begun rolling out valid cards with 19 digits. The card passed my Luhn algorithm validation and was passed to Authorize.NET for authorization. The XML request was sent successfully; however, I received the following error response from Authorize.NET:
The 'AnetApi/xml/v1/schema/AnetApiSchema.xsd:cardNumber' element is invalid - The value XXXXXXXXXXXXXXXXXXXXX is invalid according to its datatype 'String' - The actual length is greater than the MaxLength value.
I checked on the Authorize.NET documentation, and it appears that only card numbers between 13 and 16 characters long are supported. When will this be changed to accommodate 19 digit card numbers?
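The gap described in the post above, as an added example that is not part of the original post: a local check that separates "passes Luhn" from "fits the length the gateway accepts", so a 19-digit card is caught before the request is sent. The 13 to 16 limit is the one the post reports from the documentation; the function names and result codes are hypothetical, and the 19-digit sample is constructed at run time, not a real card number.

```python
GATEWAY_MIN_PAN_LEN = 13  # limits as reported in the post (assumption)
GATEWAY_MAX_PAN_LEN = 16
ISO_MAX_PAN_LEN = 19      # ISO/IEC 7812 allows PANs of up to 19 digits


def luhn_valid(pan: str) -> bool:
    """Luhn checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:       # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(body: str) -> str:
    """Digit that makes body + digit pass Luhn (used only to build samples)."""
    return next(c for c in "0123456789" if luhn_valid(body + c))


def preflight(pan_input: str) -> str:
    """Return 'ok', 'invalid' or 'too_long_for_gateway'.

    Only a result code is returned so the PAN never ends up in an error
    message or a log line.
    """
    pan = pan_input.replace(" ", "").replace("-", "")
    if not (pan.isascii() and pan.isdigit()):
        return "invalid"
    if not GATEWAY_MIN_PAN_LEN <= len(pan) <= ISO_MAX_PAN_LEN:
        return "invalid"
    if not luhn_valid(pan):
        return "invalid"
    if len(pan) > GATEWAY_MAX_PAN_LEN:
        return "too_long_for_gateway"
    return "ok"


# Constructed 19-digit sample: 18 fixed digits plus a computed check digit.
SAMPLE_19 = "601100000000000000" + luhn_check_digit("601100000000000000")

if __name__ == "__main__":
    print(len(SAMPLE_19), preflight(SAMPLE_19))
    print(preflight("4111 1111 1111 1111"))
```
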
Following our recent Gap Analysis for PCI DSS Compliance, it was suggested that at the point of entering the Credit/Debit card details for payments, the PAN should be masked. This would then take away the opportunity for screen scraping where the user could screen shot the full details, or copy and paste them somewhere else.
After getting in touch with the dev team at Authorize, they have advised that this would be a good idea to get rolling and the best way to do this is to add it here. So here we are!
Hello Authorize.net Community. We have recently implemented the new Accept hosted mobile optimized forms and we wanted to know if anyone has any success in hiding some of the following fields:
Unfortunately that function the option to show or not show the billing address options and that is by setting the property for hostedPaymentBillingAddressOptions https://developer.authorize.net/api/reference/features/accept_hosted.html#Requesting_a_Token allows us to disable all of the billing fields and our challenge is that we only want to enable the address fields that are required (i.e. Street Address, Zip & Phone). Based on our research and your responses from your forum, it looks like this is not possible. Hopefully your teams can consider these non-required fields as definable options separately in the future.
Thank you in advance for your consideration.
There needs to be a feature that allows you to get subscription information like when was the last valid payment, all attempts at card processing and whether they failed or went through, etc etc etc. ARB really is tiny with no useful functions other than create and cancel subscriptions. Even the update is useless with the amount of things you can update about a transaction. So please add some features that give users some idea of what is going on with their subscription. Is there a better payment processor than authorize.net that does this?
Would like to be able to customize the pop up for managing payment profiles. It would be great if the Payment Form Fields configuration checkboxes applied to this, so that for example we could turn off the shipping address. A separate place to configure this would also be fine.
Created from previous thread: https://community.developer.authorize.net/t5/Integration-and-Testing/refundTransaction-requires-expi...
Currently, to refund a transaction, you must provide both the masked credit card number and expiration date. Yet this information adds nothing to the request -- in fact, if you no longer have this information, you must issue a separate getTransactionDetail transaction to fetch this information. Rather than requiring two separate transactions to perform a single task, only require the original transaction id.
With Accept Hosted, when a successful transaction is done, a message displays that says, "Thank-you for your business!"
This message should be editable, as it assumes a particular type of transaction just took place, when it could be many things.
Please allow us to fully customize the email receipts. You finally allowed us to change the description of the normal receipt. Now expand that to allow customization for receipts from transactions flagged by the fraud filter.
In 2015 I can't even comprehend this restriction of not letting the customer dictate what the receipt should say.
I have a scenario where I'm performing an authorization with a payment nonce, then creating a profile from that successful authorization, and later capturing the authorized amount. This is a nice workflow because I only create a payment profile if the authorization succeeds.
But unfortunately, this workflow is not possible because the authorization is not associated with the payment profile, and doesn't show up under its history. In a scenario where we're using a profile for recurring transactions, it's a big deal to us to have the initial payment in the history.
See this thread for more details as to alternatives that are less ideal.
It'd be very helpful if, when I create a profile from a transaction, that transaction became the initial transaction in the payment profile's history, and I was able to capture it as though it had been issued from that profile.
The CIM iframe works great but lacks some display options. For example, I use it at a newspaper where the billing and shipping info are both useful to have. Unfortunately we cannot change the name of "Shipping" to delivery. In the case of a newspaper, this might imply we will mail the subscription which is not the case. It would also be nice to be able to show or hide the shipping field if it wasn't needed.
The iframe should also support a responsively designed site. It will position further down on the page by default when viewed on a mobile device.
As noted in the FAQ, Authorize.net waits 10 seconds to receive a response from DPM POST requests:
It also notes that "On occasion, timeouts will occur that are outside of the control of your script or our servers. Typical reasons for these timeouts are Internet traffic, merchant server overload or malfunctions, or Internet routing issues. Depending upon your server location and what route is used to send data, it is possible that you may occasionally receive a time out message."
It appears that Authorize.net does not retry a failed POST, even if the 10 second timeout has not been reached. This was confirmed by an admin in the forums ("We currently do not retry failed posts").
I propose that this behavior be changed. If an Authorize.net POST request fails, prior to the 10 second cut-off, the POST should be retried, possibly with a short backoff (e.g., wait a second or two to reinitiate, to prevent a flood of requests).
As background, we have been using DPM successfully for a couple of years now, but we do occasionally see "timeout" errors. Crucially, it does not appear that these are actually caused by timeouts. The first thing we do in handling the response is log receipt of the request. But we see no evidence of having received the requests in our logs. Which suggests that the problem is happening outside of our network.
As it currently stands, Authorize.net's POST request could fail immediately due to some extremely transitory issue (perhaps even within their network). They would immediately receive a "connection reset by peer" error or whatever. And even though virtually none of the 10 second timeout period has been consumed, the customer receives a timeout error.
The DPM process should make more of an effort to communicate the transaction status and prevent this failure scenario.
Possibly related to this request would be additional logging facilities, so that both Authorize.net and its customers could have more insight into what exactly is occurring. IOW, it would be very helpful to have some visibility into *why* Authorize.net's POST request failed, and how long it took. It could provide much needed stats to discover how often the "timeout" problem is happening and whether these suggested changes are actually making a difference.
We operate as a service provider, rather than a single merchant. A lot of our merchants are not too tech savvy so asking them to generate a public key (we're switching almost all merchants to Accept.JS from AIM) is like pulling teeth most of the time. Maybe when a merchant signs up a public client key is automatically generated for them or there could be an API request that generates a key for them so we can obtain the key from a 'getMerchantDetailsRequest'.
Also once again: love your service, your API is much better documented than a lot of your competitors, it's much more robust and the Accept.js library is easy to handle.
The identifying information that's included in Silent Posts (x_cust_id, x_subscription_id, etc) should always be in webhook transactions, if not just everything in Silent Posts. I know about refId but that's of no use to companies using ARB for recurring billing, which is 99% of our transactions.
This is making my migration to Webhooks difficult. Your support staff has obviously been instructed to push everyone to webhooks if they're using Silent Post right now but the glaring omissions of functionality in webhooks are just absurd.
The only solution is to query the Authnet API for information on the transaction ("getTransactionDetailsRequest"). The response that comes back from that query is very detailed. That detailed response should just be webhook. Why the heck not? Come on now.
It would be convenient if Authorize.net would create and support an npm package that contained the production and sandbox versions of Accept.js.
I am implementing a solution in Angular and currently have copied and pasted the file contents and put them in my application.
The ID of a duplicate customer profile is returned, but not when it is a payment profile: "A duplicate customer payment profile already exists." These requests date back to 2009, it forces us to loop through the payments and try to guess at which one is the duplicate and doesn't always work since customers can still generate duplicates anyway by updating existing profiles. It would be nice if there was a way to get the ID of the duplicate payment profile, or if there was a way to disable the duplicate verification check completely, since what some merchants really need is just a "I give you a PAN, you give me a token" level of tokenization instead of futzing with profiles. Thanks.