08-03-2011 01:53 PM
I know that CIM only sends back masked data for credit card expiration due to PCI requirements. However, I wonder if Authorize.net would add an object to the returned XML that would allow us to see the credit card is expiring soon.
For example, perhaps they add an option called "cardExpiringSoon". It would be false if the card expiration date does not need to be updated. If the expiration date is indeed closing in (within some secretly pre-defined number of days or weeks before the card is about to expire) then the "cardExpiringSoon" would have a string of "true", otherwise it would be a string of "false".
This would allow programmers to build a flag into their applications to inform the end users that they need to soon take action.
Also, if the credit card is expired already, that would be nice information to be able to access. For example, "cardExpired" could be used to tell us if the card is already expired or not.
So, in summary, I would love to see Authorize.net add two new fields for payment profiles: "cardExpiringSoon" and "cardExpired", which could be set to true/false strings based on the date that is stored for the payment profile.
How would I go about putting that feature request in? (Sorry, I am a newb). Also, does that sound like something others would like to see? Is there a PCI compliance problem with that?
08-08-2011 01:53 PM
Thanks for the suggestion!
I'll pass that on to our development teams for consideration in a future update. I'm not sure if that would be a PCI issue or not--I kinda don't think so, but don't quote me--but I do know something like this would be helpful to others for sure.
Developer Community Manager
08-08-2011 04:51 PM
Maybe you could have a callback URL that gets notified when a card is x days from due. The only other option is a true/false on whether the card is 7 days from expired, and that wouldn't be customizable enough.
Short of that, just try to charge and send an email on failure. Sure, there won't be any warning, but it's not the end of the world as long as you're not selling something vital like water or electricity.
08-19-2011 04:04 PM
TJPride, is your comment directed at me or Authorize.net? Are you saying I should charge and then upon failure send an email to the client? I could do that, that's probably the best solution that exists now. However, from a customer (end-user) perspective, if I am on your website, buying your product, and I click "charge" and then it doesn't go through and then I get an email notifying me the card is expired, which requires me to log back in and change my card info, I would be frustrated. I mean, if I was just in there, why didn't they tell me my card was expired?
I don't think my original solution would have PCI compliance issues (although I am certainly no PCI expert). At the very minimum, the "cardExpired" flag of true/false would be a HUGE help. The "cardExpiringSoon" that would let us know the card is expiring soon would be icing on the cake. Authorize.net doesn't have to tell us the exact number of days before an expiration that the flag would show "true", they keep that to themselves. They just flag us, so we can flag the consumer.
Thanks for the responses!
08-19-2011 08:27 PM
The customer will never run into this problem when they're actually ON your site. You can validate the credit card by using validation mode, so you know it's good at the time at which it's originally entered and then for any immediate successive charges. The only time you'll run into an expired card is if their profile is charged when they're not there, like with a subscription, and for that it's probably ok to email them.
Incidentally, having a flag for "card expiring" could be a PCI issue during the narrow window when the card is expiring but not yet expired. Since expiration dates are always the first of the month, if you have a flag that gets set a week before or 15 days before or whatever, it's fairly obvious that as soon as the flag is set, the expiration date is the first of next month, meaning you now know what the expiration date is before the card is actually expired. It's only about 1/50 the security leak that giving you the expiration date would be, but if you process thousands of credit cards, that's only a matter of degree.