The Authorize.Net Developer Blog

Posts from Authorize.Net employees, community members and experts about integrating with the Authorize.Net Payment Gateway: sample code, tutorials, and problem-solving techniques, just to name a few.

Merchant-Defined Fields – What are they and how should they be used?

by 04-14-2011 11:38 AM - edited 04-14-2011 02:30 PM

So what are they exactly?
Merchant-defined fields (MDFs) are any fields that the payment gateway does not recognize as standard application programming interface (API) payment form fields. You can choose to submit merchant-defined fields to further customize the information that is included with a transaction. For example, you might provide a field in your checkout process where customers could provide specific shipping instructions or product color information. All you need to do is submit a custom field name and any accompanying text with the payment form request, for example shipping_instructions and product_color.

Merchant-defined fields are included with the transaction response and in the merchant confirmation email for the merchant’s records. However, they are not provided on the Transaction Detail page in the Merchant Interface.

How should they be used?
Merchant-defined fields should only be used to submit additional, non-sensitive fields that the merchant needs to collect. They should NEVER be used to capture any kind of sensitive or personally identifying information. If you submit sensitive or personally identifying data in an MDF, it could result in non-compliance with numerous state and federal data privacy regulations and/or the Payment Card Industry Data Security Standard (PCI DSS), which all merchants, no matter what size, must comply with.


So what kinds of data constitute sensitive information?
Examples of sensitive and personally identifying information include, but are not limited to, the following:

  • Credit Card Number
  • Expiration Date
  • Card Verification Codes (CVV, CVC2, CVV2, CID, CVN)
  • Social Security Number
  • Tax ID
  • Driver's License Number
  • Bank Account Number
  • ABA/Bank Routing Number
  • Date of Birth
  • Passport Number
  • Name
  • Contact details (Phone Number, Address, Email, etc.)

The kinds of data listed above should only ever be collected in recognized standard payment gateway API payment form fields, which are designated and secured for that purpose.


Additionally, if your merchant is using a third-party shopping cart or other commercial application, you must still ensure that sensitive data is not being passed in an MDF. You need to account for all third-party capabilities and make sure you disable any settings that violate PCI DSS.
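One way to enforce this before a request leaves your application, shown here as an added example that is not part of the original post or Authorize.Net's code: a pre-submit audit of merchant-defined fields. The function name `audit_mdfs`, the name heuristics, and all sample fields other than shipping_instructions and product_color are assumptions made for illustration.

```python
import re

# Name fragments hinting that a field was created to hold data from the
# list above (heuristic chosen for this example; tune it to your own forms).
SUSPECT_NAME = re.compile(
    r"card|cvv|cvc|cvn|ssn|social|tax_?id|licen[sc]e|routing|account|"
    r"birth|dob|passport|phone|email|address", re.I)
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def audit_mdfs(fields: dict) -> list:
    """Return (field_name, reason) for every MDF that should not be sent."""
    findings = []
    for name, value in fields.items():
        text = str(value)
        if SUSPECT_NAME.search(name):
            findings.append((name, "field name suggests sensitive data"))
        if SSN.search(text):
            findings.append((name, "value matches SSN format"))
        if EMAIL.search(text):
            findings.append((name, "value contains an email address"))
        for m in PAN_CANDIDATE.finditer(text):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                findings.append((name, "value contains a Luhn-valid card number"))
                break
    return findings


# Constructed sample input; 4111 1111 1111 1111 is a well-known test number.
SAMPLE = {
    "shipping_instructions": "Leave with neighbor, card 4111 1111 1111 1111 on file",
    "product_color": "blue",
    "customer_dob": "1980-01-01",
    "gift_note": "Questions? write to jane@example.com",
}
if __name__ == "__main__":
    for name, reason in audit_mdfs(SAMPLE):
        print(f"BLOCK {name}: {reason}")
```

Free-text fields such as shipping instructions are where customers most often paste card or contact details, so run the check on values as well as names and reject or strip the field rather than forwarding it.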


What could happen…
Capturing, obtaining, and/or transmitting any personally identifying information in or by means of an MDF violates PCI DSS and is prohibited.


In the event that Authorize.Net discovers that you or your merchant is capturing and/or transmitting personally identifying information by means of a merchant-defined field, whether or not intentionally, we will immediately suspend the merchant's account, resulting in a rejection of any and all transaction requests submitted by the merchant after the point of suspension.

Your site or your merchant’s site could also be in violation of PCI DSS, which can result in fines and other actions from your merchant account provider.


Where can I get more info?
Check out the Requirements and Security Assessment Procedures Guide for more information on the requirements and your responsibilities.

The PCI Security Standards Council’s website also has a ton of information on PCI DSS, on how to get certified, the requirements themselves and more. We strongly encourage you to familiarize yourself with this valuable site.

You can also check out Authorize.Net’s Developer Security Best Practices White Paper at