cancel
Showing results for 
Search instead for 
Did you mean: 

CIM updateCustomerPaymentProfile is not validating expiration date - Bug?

Using the Authorize.net SDK (PHP) on api.authorize.net with validationMode set to liveMode, when I call updateCustomerPaymentProfile with a valid card, but enter an incorrect expiration date, the direct response comes back as "This transaction has been approved" when it really should be declined for having the wrong expiration date. Here's the request / response (with sensitive user/address data obfuscated)

 

----Request----
<?xml version="1.0" encoding="utf-8"?>
<updateCustomerPaymentProfileRequest xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd"><merchantAuthentication><name>xxxxxxxxxxx</name><transactionKey>xxxxxxxxxxxxxxxx</transactionKey></merchantAuthentication><customerProfileId>12345678</customerProfileId><paymentProfile><customerType>individual</customerType><billTo><firstName>First</firstName><lastName>Last</lastName><address>Street</address><city>City</city><state>State</state><zip>12345</zip><country>Country</country><phoneNumber>5555555555</phoneNumber></billTo><payment><creditCard><cardNumber>XXXX1111</cardNumber><expirationDate>2013-05</expirationDate></creditCard></payment><customerPaymentProfileId>87654321</customerPaymentProfileId></paymentProfile><validationMode>liveMode</validationMode></updateCustomerPaymentProfileRequest>

----Response----
<?xml version="1.0" encoding="utf-8"?><updateCustomerPaymentProfileResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd"><messages><resultCode>Ok</resultCode><message><code>I00001</code><text>Successful.</text></message></messages><validationDirectResponse>1|1|1|This transaction has been approved.|xxxxx|Y|1234567890|none|Test transaction for ValidateCustomerPaymentProfile.|0.00|CC|auth_only|65|First|Last||Street|City|State|12345|Country|5555555555||xxxxxx@xxxxxxxxxxxx.xxx|none|none|none|none|none|none|none|none|0.00|0.00|0.00|FALSE|none|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx|||||||||||||XXXX1111|XXXXXXXX||||||||||||||||</validationDirectResponse></updateCustomerPaymentProfileResponse>

 

Other incorrect info (such as wrong CVV, wrong card number, wrong billing address) are declined as they should be - just not the expiration date. Interestingly, createCustomerPaymentProfile WILL decline a card with an incorrect expiration date.

 

Has anyone else encountered this problem or knows why updateCustomerPaymentProfile might ignore validation of the expiration date?

 

Thank you!

 

 

 

MartinEvans
Member
8 REPLIES 8

I assume this is in live mode and not test mode? As in the transaction is not in test mode - I'm not referring to the validation mode.

TJPride
Expert

Hi TJ, Thank you for your reply. Yes, this is all in live mode.

I'm not seeing anything obviously wrong with your request. Going to have to see if a mod can provide more insight, they have the ability to check transactions on the Authorize.net end of things.

Hi,

 

As referenced in previous posts, the expiration date validation is actually completely up to the customer's card issuing bank. It is actually quite common for banks to authorize transactions even with an incorrect expiration date. Unfortunately, we have no direct method of validating the expiration date, we can only tell you if the date (in conjunction with the card number) resulted in an authorization or not.
Thanks,
Joy
 
Joy
Administrator Administrator
Administrator

 

Thank you very much for your response, Joy. I understand that it's up to the individual bank as to whether expiration date is validated. However, in my testing on the live server I was seeing createCustomerPaymentProfile *declining* my card when I entered the wrong expiration date. Yet, updateCustomerPaymentProfile was approving the same card (with incorrect date). Why would one function work as expected, and not the other?

Hi MartinEvans,

As long as you are running the same validation mode for both the create and update requests, then they are handled identically by our system.  There is no reason that one should approve and another decline given the same information.

Thanks,
Joy

Hi Joy, 

 

Thank you for your reply. I double checked and I'm definitely running both requests in liveMode. Here's a sample of the code I'm using to make the API requests.

 

$request = new AuthorizeNetCIM;

$paymentProfile = new AuthorizeNetPaymentProfile;
$paymentProfile->customerType = "individual";
$paymentProfile->payment->creditCard->cardNumber = $cardinfo['ccnum'];
$paymentProfile->payment->creditCard->expirationDate = $cardinfo['ccexp'];
$paymentProfile->billTo->firstName = $cardinfo['ccfirstname'];
$paymentProfile->billTo->lastName = $cardinfo['cclastname'];
$paymentProfile->billTo->company = $cardinfo['cccompany'];
$paymentProfile->billTo->address = $cardinfo['ccaddress'];
$paymentProfile->billTo->city = $cardinfo['cccity'];
$paymentProfile->billTo->state = $cardinfo['ccstate'];
$paymentProfile->billTo->zip = $cardinfo['cczip'];
$paymentProfile->billTo->country = $cardinfo['cccountry'];
$paymentProfile->billTo->phoneNumber = $cardinfo['ccphone'];

$cardCode = 0;
if (isset($cardinfo['cccode']))
{
$paymentProfile->payment->creditCard->cardCode = $cardinfo['cccode'];
$cardCode = $cardinfo['cccode'];
}

$mode = "liveMode";
if ($this->GetValue("testmode") == 'YES')
{
$mode = "testMode";
}

$response = $request->updateCustomerPaymentProfile($cimid,$ppid,$paymentProfile, $mode);

 

=============

 

The code for creating a customer profile is identical to the code above except for the last line:

 

$response = $request->createCustomerPaymentProfile($cardinfo['cimid'], $paymentProfile, $mode);

 

In each case the value of $mode is "liveMode". Is there anything else I could possibly be doing wrong to get an "accepted" reponse from updateCustomerPaymentProfile when it should be coming back as "declined" based on expiration date?

 

Thanks! 

 

Martin

 

Hi,

 

I suggest that you email Developer@Authorize.Net with specific examples like transaction ID, Payment Gateway ID, etc. and we will check this for you. Please do not post this type of information on this thread.

 

Thanks,

Joy