05-30-2011 09:22 AM
I want a way to let my users know if their card is about to expire. The problem is the expiration date is masked, so there is no way to retrieve it.
I've seen a number of posts on this subject with the common solution being to store a notify date based on the entered expiration date on your own servers.
But.... how do you do that if you're using the hosted CIM option???
With the hosted option you never request the the expiration date in a form you control, therefore you cannot store the date or a variation of it as a notification date and you're left with no way to get an unmasked expiration date via xml or soap requests.
So is there any way to deal with expiring card issues if you're using the hosted CIM option? Please help. Thank you.
06-05-2011 10:24 AM - edited 06-05-2011 10:26 AM
Update - I have asked support about this issue and they said the only option is to submit a feature request. I did (request is copied below).
If this feature would be helpful to you, please also send a feature request so they will hopefully add it soon. You can send feature requests by logging in to your merchant account and clicking 'feedback' on the top menu.
09-30-2012 05:40 PM
Hmm... just realized the original post is reallly old. That doesn't bode well.
I am in the exact same boat. We are using the CIM gateway and have implemented a hack by storing the expiration date in the fax field - we absolutely need to track expiration date for our customers. The new hosted profile pages are great, but they're useless to us since we have no control over the form fields and can't hack the fax field as we used to.
As I understand it, expiration date is not considered a sensitive field and is not required to be masked for PCI compliance. So why is Anet masking expiration date to begin with?
10-01-2012 05:09 AM
I don't know where you heard that - as far as I know, expiration date IS a protected value, and storing it means you have to qualify for the most stringent set of security guidelines, something which is virtually impossible. The Authorize.net documentation also makes it fairly clear that passing a protected value in one of the other fields is a serious security violation.
About all I can recommend is that you ask your customers if they want to be reminded when their card is about to expire, and give them a field for putting in a date to be reminded. The date they put in won't technically be a protected value, and you can pass it using a custom field (fax is a messy kludge).