Member
Posts: 5
Registered: ‎02-29-2012

Need Expiry Date

Hello Everybody,

I am using CIM in one of my new sites developed in PHP using an IFRAME popup, where I have a requirement to send emails to customers whose credit cards are about to expire.

But in CIM, when I am retrieving the payment details of a customer based on its "profileId", I get a masked expiry date of the credit card.

Can anyone help me with this? Is it possible to fetch the credit card expiry date in CIM?

Please help me with this. Any help is highly appreciated.

Thanks in Advance.

Administrator
Posts: 591
Registered: ‎08-21-2009

Re: Need Expiry Date

The expiration date for the credit card on file can be viewed by logging into the Authorize.Net merchant interface, but it cannot be retrieved programmatically. Unfortunately, passing the expiration date in conjunction with the last four digits of the card number raises the level of PCI sensitivity. It would somewhat undermine the benefits of the hosted CIM forms if we were to return these two pieces of information back to you together.

Contributor
Posts: 12
Registered: ‎05-09-2012

Re: Need Expiry Date

Authorize.Net continues to use this excuse but it is NOT valid and is NOT correct. The PCI requirements state in requirement 3.1 through 3.4 of Version 2.0 of the PCI DSS Requirements and Security Assessment Procedures (https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf) that the PAN (Personal Account Number) should not be stored with the expiration date unless encrypted. Authorize.Net received its PCI compliance because they do store the PAN and Expiration Date securely. The PCI requirement is for when the full PAN and any other Cardholder data is stored/displayed. However, in the case of your merchants and developers, we are NOT viewing the full PAN (only a masked version) and therefore are allowed to see the full expiration date with no additional PCI requirements. This document also explains that Expiration Date can be shown if NOT shown with the full PAN: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

I would appreciate it if Authorize.Net would read the specifications and get up to speed with PCI factual data. Not having the Expiration Date available is a very large problem and has me looking elsewhere for merchant solutions. What type of Website can't show their users when their card is expiring or even which card (e.g. last four and expiration date) they actually have stored? Authorize.Net is doing a disservice to its merchants and making incorrect and false statements about PCI.

Contributor
Posts: 19
Registered: ‎09-01-2012

Re: Need Expiry Date

Hmm. That is troubling. I was planning to highlight expired card numbers.

Sounds like a bit of work, but it should be possible to use an XMLHttpRequest object to log in to the CIM and retrieve the HTML for a particular customer ID and parse the result...

But, yeah, an API call would be better! Guys?

Member
Posts: 3
Registered: ‎12-09-2012

Re: Need Expiry Date

I would need this requirement too... I'm just starting to develop with Authorize.net... unless it gets sorted I'll be dumping them.

Contributor
Posts: 34
Registered: ‎03-21-2013

Re: Need Expiry Date

Any update on this? There do not seem to be any requirements in the PCI rules that prevent passing an expiry date in the CIM API.

Member
Posts: 3
Registered: ‎12-09-2012

Re: Need Expiry Date

@christophe

I doubt that you will ever get an update to this and you are wasting your time with their support as you'll just get the same scripted response.

Your best bet is to store the date yourself but I suppose this depends on if you are using their "pages" to process the payments.

 

henda79
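
One way to implement the "store the date yourself" suggestion above, as an added example that is not part of the original thread and not Authorize.Net code. It assumes your own (non-hosted) form captured the expiry month and year when the CIM profile was created and that you saved it as `YYYY-MM` beside the payment profile ID, with no card number kept locally; the function names, IDs and dates are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example. Assumption: your own (non-hosted) form captured the expiry
// month/year when the CIM profile was created, and you saved it as "YYYY-MM"
// next to the CIM payment profile ID. No card number is stored locally.

/** A card is valid through the last second of its expiry month. */
function expiryCutoff(string $yyyyMm): DateTimeImmutable
{
    if (!preg_match('/^(\d{4})-(0[1-9]|1[0-2])$/', $yyyyMm, $m)) {
        throw new InvalidArgumentException("Bad expiry value: {$yyyyMm}");
    }
    $first = new DateTimeImmutable("{$m[1]}-{$m[2]}-01", new DateTimeZone('UTC'));
    return $first->modify('last day of this month')->setTime(23, 59, 59);
}

/**
 * Map each payment profile ID to 'expired', 'expiring' (cutoff falls within
 * the next $days days) or 'ok'.
 */
function classifyCards(array $cards, DateTimeImmutable $now, int $days = 30): array
{
    $horizon = $now->modify("+{$days} days");
    $result = [];
    foreach ($cards as $card) {
        $cutoff = expiryCutoff($card['expiry']);
        if ($cutoff < $now) {
            $status = 'expired';
        } elseif ($cutoff <= $horizon) {
            $status = 'expiring';   // send the reminder email for these
        } else {
            $status = 'ok';
        }
        $result[$card['paymentProfileId']] = $status;
    }
    return $result;
}

// Constructed sample rows; IDs and dates are made up for illustration.
$cards = [
    ['paymentProfileId' => 'PP-1001', 'expiry' => '2014-04'],
    ['paymentProfileId' => 'PP-1002', 'expiry' => '2014-05'],
    ['paymentProfileId' => 'PP-1003', 'expiry' => '2015-01'],
];
$now = new DateTimeImmutable('2014-05-10 12:00:00', new DateTimeZone('UTC'));
foreach (classifyCards($cards, $now) as $id => $status) {
    echo "{$id}: {$status}\n";
}
```

Comparing against the end of the expiry month, rather than its first day, avoids flagging a card as expired while it can still be charged.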

Member
Posts: 2
Registered: ‎04-29-2014

Re: Need Expiry Date

Interesting discussion about exposing the expiry date. Just wanted to note that another vendor, ProtectPay (ProPay, a TSYS company), provides the expiry through their API (along with the masked CCard number). So it is interesting, the different interpretations of the PCI DSS requirements.

I'm currently trying to create an Authnet solution that parallels the ProtectPay solution that a client currently is using, and this has become a major difference.