When updating a card on file, the form does not allow for a new CVV to be entered, which is an issue for a payment gateway that needs all the details to be reentered for an update.

The specific use case is for the Commerce SecurePay(.com.au) payment gateway, as Securepay.com.au doesn't really support the ability to update the card, instead it requires the card to be deleted and recreated, which is what I am doing in the update callback.

I can simply inject the CVV field for the moment, but it would be nice if there was an alternative.

Comments

micheas’s picture

Category: feature » bug

Updated to Bug status as this is required in the United States.

jphelan’s picture

I second this. You get lower rates if the user submits their cvv. It also adds an extra step of security to require the user to enter their cvv of the stored card.

dwkitchen’s picture

Category: bug » feature

I want to improve the forms for both payment with a card on file and updating a card on file to work on a similar basis to the main payment forms. This includes support for hosted forms etc. for paying on file and updating card details.

The actual form settings would then be set up in the payment module not in Card on File.

stewart.adam’s picture

Issue summary: View changes

Is there any update on this? In commerce_cardonfile_card_form() I see this snippet:

if ($op == 'update') {
    unset($fields['code']);
    $defaults = array(
      'type' => $card->card_type,
      'owner' => $card->card_name,
      'exp_month' => $card->card_exp_month,
      'exp_year' => $card->card_exp_year,
    );
  }
  $form += commerce_payment_credit_card_form($fields, $defaults);
  if ($op == 'update') {
    $form['credit_card']['type']['#access'] = FALSE;
    $form['credit_card']['number']['#access'] = FALSE;
  }

For what reason was the card type/number disabled on update? When I comment out the #access lines, Authorize.net does update the card type and PAN correctly, it's just our local database doesn't reflect those changes.

jrao’s picture

I'm also wondering why update card number is disabled.

@stewart.adam: In order for local db to change, you need to modify the validation and submit handler too, in those handlers there're checks like if ($op == 'create'), you need to change them to if ($op == 'create' || $op == 'update')

torgospizza’s picture

I agree that the unsetting of the code field shouldn't be here. When a bank customer receives a "new" card after one has expired, it is - at least in my experience - the same card number, but with a different expiry and CVV code. (The only time I've had a card with a new number is after having to cancel it due to being lost or stolen.)

So I think we should allow Cardonfile users to update the code along with the expiration date of the card.