08-11-2021 08:14 AM
When using hosted fields through Accept.js, the customer fills in card data (number, expiry date, and CVV) and our system receives a temporary token (to be used to capture or charge the card later).
We are using the button input parameters such as data-billingAddressOptions. But, nowhere do we find a way to specify that this card should be authorized ONLY and to get the token for submitting for payment later.
FYI: We tested with good cards (works fine), but with a good card number + wrong expiry date or bad CVV, the hosted form does not throw any errors.
08-11-2021 10:19 AM - edited 08-11-2021 10:24 AM
I do not work for Authorize.. I am just a user of the API.. so don't take this answer as authoritative.
But basically, no, Accept doesn't check anything. All it does is convert the security-sensitive card number etc. to a security-insensitive token that you can send instead of the card number when you do an auth or authCapture.
In theory you don't need to use Accept or AcceptUI, you could use the plain card number, expiration etc in your authorization request, it's just more secure if you use Accept and then work with the token.
The actual validation occurs when you do the auth or authCapture transaction, and that's when you need to handle errors and if necessary display them to the user and prompt them to try again.
And, to answer your question directly.. it is THEN, on the server side, that you decide whether you want to do an authOnly or AuthCapture transaction (just authorize, or authorize and capture). There is no such thing as "just check the card and don't do anything". If you do an "authorize" transaction, you have to send an amount. And if the card is ok, then that amount will be held for later capture.
Anyway, yes it is a bit annoying because if a user fails to fill out a field in the hosted form you would want them to be prompted right then and there rather than having to start all over again, but I understand why authorize.net does not do any validation in that stage.. it is because any validation there could potentially be used by bad guys for card testing.. there's nothing stopping anyone from using Accept.js and feeding it card numbers.
08-11-2021 06:57 PM
@benmehlman Thanks so much for a detailed reply. We have to use hosted field functionality for security. We have to try out one of the other approaches.
08-11-2021 08:27 PM
If you code it using Authorize.js with your own form, rather than AuthorizeUI with the hosted form, it should be equally secure. Just make sure the form containing the credit card information is never submitted.
In the API examples, what authorize.net tells you to do for the "own form" method is to create one form in your HTML which has both visible fields for the credit card entry, as well as hidden fields for the opaqueData. Then they show how you must replace the sensitive fields with blanks before the form is submitted.. so that the card number itself is not submitted to your server...
But what I did was simpler.. I just used two forms.. one with only the hidden fields, one with visible fields. The one with the visible fields, which contains the clear-text card information, is never submitted.. just used as input for Authorize.js. The one with the hidden fields containing the low-security data is the one I submit to my server.
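The two-form pattern from the reply above, as an added example that is not code from the thread or from Authorize.net: the visible form feeds Accept.dispatchData, and only the opaqueData token plus order data goes into the hidden form that reaches the server. Field names, the order object, the stub token value and the leak guard are assumptions; the dispatchData call and the messages/opaqueData response shape follow the public Accept.js documentation, and the stub replaces the browser-only library so this runs under Node.

```javascript
// Visible form -> secureData for Accept.dispatchData; this form is never submitted.
function buildSecureData(authData, visibleFields) {
  return {
    authData: { clientKey: authData.clientKey, apiLoginID: authData.apiLoginID },
    cardData: {
      cardNumber: visibleFields.cardNumber.replace(/\s+/g, ''),
      month: visibleFields.month,
      year: visibleFields.year,
      cardCode: visibleFields.cardCode,
    },
  };
}

// Hidden form payload: only the token plus non-sensitive order data. authOnly vs
// authCapture is a hint here; the server makes the real decision, never Accept.js.
function buildHiddenFormPayload(opaqueData, order) {
  return {
    dataDescriptor: opaqueData.dataDescriptor,
    dataValue: opaqueData.dataValue,
    amount: order.amount,
    transactionType: order.captureNow ? 'authCaptureTransaction' : 'authOnlyTransaction',
  };
}

// Last-line guard before submit: no raw card number or CVV may be in what we send.
function leaksCardData(payload, visibleFields) {
  const pan = visibleFields.cardNumber.replace(/\s+/g, '');
  return 'cardNumber' in payload || 'cardCode' in payload ||
    JSON.stringify(payload).includes(pan);
}

// Tokenize, then hand the hidden-form payload to `submit`; Accept.js errors go to
// `onError` for display to the user and nothing is submitted.
function payWithToken(accept, authData, visibleFields, order, submit, onError) {
  accept.dispatchData(buildSecureData(authData, visibleFields), (response) => {
    if (response.messages.resultCode === 'Error') {
      onError(response.messages.message.map((m) => `${m.code}: ${m.text}`));
      return;
    }
    const payload = buildHiddenFormPayload(response.opaqueData, order);
    if (leaksCardData(payload, visibleFields)) {
      onError(['client bug: card data would have been submitted']);
      return;
    }
    submit(payload);
  });
}

// Constructed stand-in for the browser-only Accept.js object (success path only).
const stubAccept = { dispatchData: (sd, cb) => cb({
  messages: { resultCode: 'Ok', message: [{ code: 'I_WC_01', text: 'Successful.' }] },
  opaqueData: { dataDescriptor: 'COMMON.ACCEPT.INAPP.PAYMENT', dataValue: 'constructed-token' } }) };
```

In the browser, `submit` would set the hidden form's inputs from the payload and call its submit(); the visible form has no action and no submit handler.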