Integration and Testing

Authorize.Net API questions and help with your payment integration.

Reply
Member
Posts: 2
Registered: ‎08-11-2021

How to Authorize Only with Accept.js Hosted Form

When using hosted fields through Accept.js, customer fills in card data (number, expiry date, and cvv) and our system receives a temporary token (to be used to capture or charge the card later).

We are using the button input parameters such as data-billingAddressOptions. But, nowhere do we find a way to specify that this card should be authorized ONLY and to get the token for submitting for payment later.

 

FYI: We tested with good cards (works fine) but with good card number + wrong expiry date or bad cvv, the hosted form does not throw any errors.

Contributor
Posts: 10
Registered: ‎07-28-2021

Re: How to Authorize Only with Accept.js Hosted Form

[ Edited ]

 

I do not work for Authorize.. I am just a user of the API.. so don't take this answer as authoritative.

 

But basically, no, Accept doesn't check anything.  All it does is convert the security-sensitive card number and etc to a security-insensitive token that you can send instead of the card number when you do an auth or authCapture.

 

In theory you don't need to use Accept or AcceptUI, you could use the plain card number, expiration etc in your authorization request, it's just more secure if you use Accept and then work with the token.

 

The actual validation occurs when you do the auth or authCapture transaction, and that's when you need to handle errors and if necessary display them to the user and prompt them to try again.

 

And, to answer your question directly.. it is THEN, on the server side, that you decide whether you want to do an authOnly or AuthCapture transaction (just authorize, or authorize and capture).  There is no such thing as "just check the card and don't do anything".  If you do an "authorize" transaction, you have to send an amount.  And if the card is ok, then that amount will be held for later capture.

 

Anyway, yes it is a bit annoying because if a user fails to fill out a field in the hosted form you would want them to be prompted right then and there rather than having to start all over again, but I understand why authorize.net does not do any validation in that stage.. it is because any validation there could potentially be used by bad guys for card testing.. there's nothing stopping anyone from using Accept.js and feeding it card numbers.

 

What I did in my application is, I stopped using AcceptUI and went to using Accept with my own form (not hosted form).  It was a bit more work but in the end worth it because it fit the style of my site more nicely and as well I am able to do some basic validation in javascript, so on my site it is not possible to submit the card until all the required fields are filled with valid-seeming data, and I highlight the fields that aren't valid seeming.  This prevents the customer having to start all over filling the card information just because they forgot to enter a zip code, or whatever.

 

Member
Posts: 2
Registered: ‎08-11-2021

Re: How to Authorize Only with Accept.js Hosted Form

@benmehlmanThanks so much for a detailed reply. We have to use hosted field functionality for security. We have to try out one of the other approaches.

Contributor
Posts: 10
Registered: ‎07-28-2021

Re: How to Authorize Only with Accept.js Hosted Form

If you code it using Authorize.js with your own form, rather than AuthorizeUI with the hosted form, it should be equally secure.  Just make sure the form containing the credit card information is never submitted.

 

In the API examples, what authorize.net tells you to do for the "own form" method is to create one form in your html which has both visible fields for the credit card entry, as well as hidden fields for the opaqueData.  Then they show how you must replace the sensitive fields with blanks before the form is submitted.. so that the card number itself is not submitted to your server...

 

But what I did was simpler.. I just used two forms.. one with only the hidden fields, one with visible fields.  The one with the visible fields, which contains the clear-text card information, is never submitted.. just used as input for Authorize.js.  The one with the hidden fields containing the low-security data is the one I submit to my server.