Use Accept.js Payment Nonce for All Transaction Types, unmasked expiration for customer profiles

by Administrator Administrator ‎08-10-2016 08:46 AM - edited ‎08-10-2016 09:06 AM

Today we are announcing three new enhancements to the Authorize.Net API.

 

Use Payment Nonce with All Transaction Types

 

Authorize.Net Accept.js now supports using the payment nonce to create transactions, customer profiles or subscriptions. You can now build a custom card-on-file experience without sensitive credit card data passing through your server. Accept.js also gives developers more UI control for managing payment profiles.

 


 

 

Unmasked Expiration Date for Customer Profiles

 

Developers can set <unmaskExpirationDate> with getCustomerProfile and the response will include an unmasked expiration date.

 

 

 

IP Address Whitelisting

 

The latest release of the Authorize.Net API enhances support for client connection whitelisting for customer profiles, recurring billing and reporting API requests. 

 


 

 

Comments
by blackbeltdev
on ‎08-11-2016 11:04 AM

This looks really nice. I have a little Angular POC working using this for managing customer payment profiles. I do have a few questions though.

 

#1) Without disabling CORS in Chrome/IE using a plugin I wasn't able to use the Accept.js API (it is blocked by the browser as a security precaution). Is there any documentation about how to set up infrastructure to allow this to work with a vanilla browser? I have a high level understanding of CORS but I don't know all the nuances for setting it up correctly to work. I already have my server setting the HTTP header

"Access-Control-Allow-Origin: *" but the authnet site doesn't.

 

$ curl -i https://jstest.authorize.net/v1/Accept.js
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Thu, 23 Jun 2016 23:29:09 GMT
Accept-Ranges: bytes
ETag: "1013a8aa7cdd11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 4187
Date: Thu, 11 Aug 2016 17:59:53 GMT
Connection: keep-alive

 

Like I said I'm not a CORS expert but I think that both servers might need to set this header to work. I haven't spent much time on this but it definitely works OK when using the disable plugin (https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkiljbi).

 

Otherwise I get in the console an error:

 

XMLHttpRequest cannot load https://jstest.authorize.net/v1/AcceptCore.js. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://dev027:5000' is therefore not allowed access.

 

#2) What does the JSON cardData payload look like for including the CVV?

 

 

For example in step #3,

 

http://developer.authorize.net/api/reference/features/acceptjs.html

 

cardData.cardNumber = document.getElementById('CARDNUMBER_ID').value;
cardData.month = document.getElementById('EXPIRY_MONTH_ID').value;
cardData.year = document.getElementById('EXPIRY_YEAR_ID').value;

 

I couldn't find any documentation about the Accept functions and data structures, i.e.

Accept.dispatchData(secureData, 'responseHandler');

 

#3)

It would be better if this supported non-global functions for the 'responseHandler' callback. Is that a technical limitation?

 

 

Thanks

 

by Administrator Administrator
on ‎03-07-2017 10:24 AM

Hi @blackbeltdev,

 

We've released code in sandbox that fixes at least #1 and #3 on your list, and this code should make it into the production environment within the next couple of days.

 

Specifically for Accept.js, there's no longer any "Access-Control-Allow-Origin" related error in the console, the accept.js script can now be loaded at any point in the workflow, and the response handler function can be passed directly in the function call instead of having to pass the name.

 

Of course, please let us know if anything's not working as expected!
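
Added example (not part of the original post or comments, and not Authorize.Net's code): the browser-side nonce flow from the announcement, with the response handler passed as a function as described in the reply above, so that only the opaque nonce is handed on to the merchant server. Field names not shown on this page (authData, cardCode, opaqueData, messages) follow the public Accept.js documentation; tokenizeCard, nonceFromResponse, buildSecureData, stubAccept and all sample values are hypothetical or constructed.

```javascript
// Added example, not Authorize.Net code. `accept` stands for the global Accept
// object that Accept.js defines in the browser; it is passed in as a parameter
// so the flow can also be exercised with a stub.

// Build the object handed to Accept.dispatchData. Card fields exist only here,
// in the browser, and go straight to Authorize.Net.
function buildSecureData(fields, auth) {
  return {
    authData: { clientKey: auth.clientKey, apiLoginID: auth.apiLoginID },
    cardData: {
      cardNumber: fields.cardNumber.replace(/[\s-]/g, ''),
      month: fields.month,
      year: fields.year,
      cardCode: fields.cardCode
    }
  };
}

// Reduce the Accept.js response to the two values the merchant server needs.
function nonceFromResponse(response) {
  const messages = (response && response.messages) || {};
  if (messages.resultCode !== 'Ok' || !response.opaqueData) {
    const detail = (messages.message || []).map((m) => `${m.code}: ${m.text}`).join('; ');
    throw new Error(`tokenization failed: ${detail || 'no opaqueData returned'}`);
  }
  const { dataDescriptor, dataValue } = response.opaqueData;
  return { dataDescriptor, dataValue };
}

// Tokenize, then hand only the nonce to onNonce (for example, a POST to your server).
function tokenizeCard(accept, fields, auth, onNonce, onError) {
  // The handler is passed as a function, not as the name of a global.
  accept.dispatchData(buildSecureData(fields, auth), (response) => {
    let nonce;
    try { nonce = nonceFromResponse(response); } catch (err) { return onError(err); }
    onNonce(nonce);
  });
}

// Constructed stub and sample values so the example runs outside a browser.
const stubAccept = {
  dispatchData(secureData, handler) {
    const ok = /^\d{13,19}$/.test(secureData.cardData.cardNumber);
    handler(ok
      ? { messages: { resultCode: 'Ok', message: [{ code: 'I_WC_01', text: 'Successful.' }] },
          opaqueData: { dataDescriptor: 'COMMON.ACCEPT.INAPP.PAYMENT', dataValue: 'CONSTRUCTED-NONCE' } }
      : { messages: { resultCode: 'Error', message: [{ code: 'E_WC_05', text: 'Please provide valid credit card number.' }] } });
  }
};
```

In a page that has loaded Accept.js, pass the real `Accept` object in place of `stubAccept` and send the object received by `onNonce` to your server, which never sees the card number or card code.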