I am trying to save credit card info so I can allow my users to recharge saved cards for subsequent purchases via the PayPal Payflow Pro API.

There seems to be a stored credential transactions feature with examples of how to indicate a CARDONFILE transaction, but I don't see anything about how to then recharge that card later without having the card number.

Here is an example of a Card on File request and response...

TRXTYPE=S&TENDER=C&AMT=9.95&ACCT=4012000033330026&EXPDATE=0125&VERBOSITY=HIGH&STREET=100 SOUTH NORTH DR&CITY=NORTHWOOD&STATE=NH&ZIP=03275&CVV2=987&CARDONFILE=CITR

RESULT=0&PNREF=AS0O0D64E7C2&RESPMSG=Approved&AUTHCODE=010203&AVSADDR=Y&AVSZIP=Y&CVV2MATCH=X&TXID=X1Y2Z3100026810&HOSTCODE=00&RESPTEXT=APPROVAL&PROCAVS=Y&PROCCVV2=X&VISACARDLEVEL=A&IAVS=N

Notice on the end there is &CARDONFILE=CITR, this seems to indicate for PayPal that this is to be a card on file.

But then how would I recharge this card for a later purchase?

Thanks in advance for any help

1 Answer

You are describing reference transactions, so according to the Payflow documentation there is no need to specify CARDONFILE. It is handled for you.

To use reference transactions, save the PNREF of an initial sale transaction, delayed capture, or zero dollar authorization -- and reference it in the future for a new sale (TRXTYPE=S) with ORIGID instead of ACCT.

Note that to use reference transactions they must be enabled in the settings of your Payflow Manager, and you must wait up to 1 hour after making changes to those settings.

Preston PHX
  • Thanks so much for the answer. I was doing it that way, but the CVV2MATCH seems to always be "X" on reference transactions even though I am resubmitting it for verification. We are required to revalidate it with each recharge for security reasons. Any idea how I can run a reference transaction with the CVV being revalidated? –  Jan 20 '22 at 19:58
  • Credit card companies do not permit CVV numbers to be stored, ever. CVVs are not used for reference transactions. X is the correct response. – Preston PHX Jan 20 '22 at 20:11
  • Yea, that's why we don't store the CVV, but couldn't PayPal revalidate the CVV if we provide it the same way that they do when the initial transaction happens? Without CVV validation these reference transactions are very insecure. –  Jan 20 '22 at 20:15
  • The CVV is validated when the original PNREF is created. For future transactions, it is you who is verifying that the same user is authorizing subsequent transactions. – Preston PHX Jan 20 '22 at 20:22
  • But consider this. I have a site where a user creates a login then purchases something, saving his/her credit card for future use. If someone else is able to gain access to that user's login on my site, they can make all the purchases they want by reusing the saved credit card. Since the thief likely does not have the card or CVV, being able to require it for future purchases prevents this crime. Allowing the card to be reused simply by selecting the saved card in the account opens the door for fraud. Why wouldn't PayPal just allow revalidating this to help make the sale more secure? –  Jan 20 '22 at 20:27
  • You are responsible for verifying the user is the same. Forget and have them re-enter payment information when a shipping address is changed if you are concerned someone else might be using the account. – Preston PHX Jan 20 '22 at 20:55
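
The flow from the answer, as an added example (not code from the thread or from PayPal): store only the PNREF of the approved initial sale, then build a later sale with ORIGID in place of ACCT. The `shipping_changed` / `reauthenticated` gate is an assumed merchant-side policy reflecting the last comment, and the function names are hypothetical; account credential parameters and the HTTPS call are left out.

```python
from decimal import Decimal

# Abbreviated from the approved response shown in the question.
INITIAL_RESPONSE = "RESULT=0&PNREF=AS0O0D64E7C2&RESPMSG=Approved&CVV2MATCH=X"


def parse_nvp(body):
    """Split a Payflow name-value response into a dict."""
    return dict(pair.split("=", 1) for pair in body.split("&") if "=" in pair)


def encode_nvp(params):
    """Join name-value pairs. Payflow values are not URL-encoded; a value that
    contains '&' or '=' is sent with a length tag: NAME[len]=value."""
    pairs = []
    for name, value in params.items():
        value = str(value)
        tagged = "&" in value or "=" in value
        pairs.append(f"{name}[{len(value)}]={value}" if tagged else f"{name}={value}")
    return "&".join(pairs)


def token_from_initial_sale(response_body):
    """Return the PNREF of an approved transaction: the only payment value
    the merchant stores (no ACCT, no CVV2)."""
    fields = parse_nvp(response_body)
    if fields.get("RESULT") != "0":
        raise ValueError("initial transaction not approved: " + fields.get("RESPMSG", "?"))
    return fields["PNREF"]


def recharge_request(pnref, amount, *, shipping_changed, reauthenticated):
    """Build a reference sale (ORIGID instead of ACCT), or return None when
    the assumed policy requires the user to re-enter the card."""
    if shipping_changed or not reauthenticated:
        return None
    return encode_nvp({
        "TRXTYPE": "S",
        "TENDER": "C",
        "ORIGID": pnref,
        "AMT": f"{Decimal(str(amount)):.2f}",
    })


if __name__ == "__main__":
    pnref = token_from_initial_sale(INITIAL_RESPONSE)
    print(recharge_request(pnref, "9.95", shipping_changed=False, reauthenticated=True))
```

A `None` result means the checkout should fall back to a full card-entry sale, which is where the CVV is checked again.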