Ussage instructions issue: Declined transaction is considered successful

[shhavel]

Provided method to check transaction status to charge credit card is not accurate:

if response.messages.resultCode == MessageTypeEnum::Ok
  # Payment is considered to be successful.
  # Providing goods or services to the customer ...
end

This is taken from Hello World example and README of the current gem.

Please check XML responses for different cases:

Successful charge:

<?xml version="1.0" encoding="utf-8"?>
<createTransactionResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
  <messages>
    <resultCode>Ok</resultCode>
    <message>
      <code>I00001</code>
      <text>Successful.</text>
    </message>
  </messages>
  <transactionResponse>
    <responseCode>1</responseCode>
    <authCode>UZJ0KN</authCode>
    <avsResultCode>Y</avsResultCode>
    <cvvResultCode>P</cvvResultCode>
    <cavvResultCode>2</cavvResultCode>
    <transId>2249638815</transId>
    <refTransID />
    <transHash>8614D9C8EA2ED3869D3CBE33D118B68C</transHash>
    <testRequest>0</testRequest>
    <accountNumber>XXXX4242</accountNumber>
    <accountType>Visa</accountType>
    <messages>
      <message>
        <code>1</code>
        <description>This transaction has been approved.</description>
      </message>
    </messages>
  </transactionResponse>
</createTransactionResponse>

Failure:

<?xml version="1.0" encoding="utf-8"?>
<createTransactionResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
  <messages>
    <resultCode>Error</resultCode>
    <message>
      <code>E00027</code>
      <text>The transaction was unsuccessful.</text>
    </message>
  </messages>
  <transactionResponse>
    <responseCode>3</responseCode>
    <authCode />
    <avsResultCode>P</avsResultCode>
    <cvvResultCode />
    <cavvResultCode />
    <transId>0</transId>
    <refTransID />
    <transHash>137CBC40236BA3F51C96439EC93BEF10</transHash>
    <testRequest>0</testRequest>
    <accountNumber>XXXX4242</accountNumber>
    <accountType>Visa</accountType>
    <errors>
      <error>
        <errorCode>8</errorCode>
        <errorText>The credit card has expired.</errorText>
      </error>
    </errors>
  </transactionResponse>
</createTransactionResponse>

The transaction is declined:

<?xml version="1.0" encoding="utf-8"?>
<createTransactionResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
  <messages>
    <resultCode>Ok</resultCode>
    <message>
      <code>I00001</code>
      <text>Successful.</text>
    </message>
  </messages>
  <transactionResponse>
    <responseCode>2</responseCode>
    <authCode />
    <avsResultCode>N</avsResultCode>
    <cvvResultCode>M</cvvResultCode>
    <cavvResultCode />
    <transId>8449440786</transId>
    <refTransID />
    <transHash>3BD3DB541ECEEE82758CABE23CF25B0B</transHash>
    <testRequest>0</testRequest>
    <accountNumber>XXXX3173</accountNumber>
    <entryMode>Keyed</entryMode>
    <accountType>MasterCard</accountType>
    <errors>
      <error>
        <errorCode>2</errorCode>
        <errorText>This transaction has been declined.</errorText>
      </error>
    </errors>
  </transactionResponse>
</createTransactionResponse>

So according to documentation both
successful transaction and declined transaction are considered as paid (response.messages.resultCode == "Ok").

More accurate would be to check transactionResponse message code:

if response.messages.resultCode == MessageTypeEnum::Ok &&
  response.transactionResponse.messages &&
  response.transactionResponse.messages.messages[0].code == "1"
  # Payment is considered to be successful.
  # Providing goods or services to the customer ...
end

I think this is serious vulnerability issue.
Thanks

[vttoonses]

I spoke with Authorize.Net about this and the MessageTypeEnum::Ok value just means the request was processed successfully, it does not reflect the results of that request. You must do something along the lines of what you show to verify those results. I believe their "Hello World" sample needs updating as this is very misleading.

[shhavel]

@vttoonses Yes, this issue requires only changes in documentation and "Hello World" sample, no need any changes in the code. I emailed to Authorize.Net with this and they confirmed that they will do some clarifications (changes) in the docs.
Thanks

[akankaria]

Hi @shhavel,
We have updated our sample codes (for all the languages) to demonstrate the various scenarios of response handling. For example, you can take a look at our charge a credit card sample @ https://github.com/AuthorizeNet/sample-code-ruby/blob/master/PaymentTransactions/charge-credit-card.rb

You can also use : http://developer.authorize.net/api/reference/dist/json/responseCodes.json
to check for details about all the possible response/error codes to handle them appropriately in your code.

Let us know if anything is not clear.

[shhavel]

@akankaria Thanks for updating example codes.
Can I ask you one more question please.
How can I send a credit card owner (name), is this correct sample?

transaction = Transaction.new(config['api_login_id'], config['api_transaction_key'], gateway: :sandbox)

request = CreateTransactionRequest.new

request.transactionRequest = TransactionRequestType.new()
request.transactionRequest.amount = 5
request.transactionRequest.payment = PaymentType.new
request.transactionRequest.payment.creditCard = CreditCardType.new('4242424242424242', '0220', '123')
request.transactionRequest.transactionType = TransactionTypeEnum::AuthCaptureTransaction
request.transactionRequest.billTo = CustomerAddressType.new("Firts name", "Last name")

response = transaction.create_transaction(request)

Thanks

[akankaria]

Hi @shhavel,

Customer payment profile comprises of payment details (creditcard, bank account, etc.) and billTo information.
The sample you have provided is correct.

[shhavel]

@akankaria Thank you!

[ericboehs]

This issue shouldn't be closed until the documentation is updated. This is a significant bug and has affected hundreds of our users.

Both the README and the Hello World Example still do not mention to check the response code.