[jira] Created: (OFBIZ-1716) POS: CVV2 code is not always deleted from the DB

POS: CVV2 code is not always deleted from the DB
------------------------------------------------

                 Key: OFBIZ-1716
                 URL: https://issues.apache.org/jira/browse/OFBIZ-1716
             Project: OFBiz
          Issue Type: Bug
          Components: specialpurpose/pos
    Affects Versions: Release Branch 4.0
            Reporter: Chris Lombardi


I ran a transaction that was declined by the processor.  I later noticed that the cvv2 code was still present in the database.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12580999#action_12580999 ]

Chris Lombardi commented on OFBIZ-1716:
---------------------------------------

I have to go read the interchange guidelines to determine what is allowable for retention of cvv2 for retries in an ecommerce context.  If anyone has any comments on this, please chime in.

Here's the section that may need to be changed:

PaymentGatewayServices: 1770

            if (context != null && authResult.booleanValue()) {
                orderPaymentPreference.set("statusId", "PAYMENT_AUTHORIZED");
                orderPaymentPreference.set("securityCode", null);
                orderPaymentPreference.set("track2", null);                
            } else if (context != null && !authResult.booleanValue()) {
                orderPaymentPreference.set("statusId", "PAYMENT_DECLINED");
            } else {
                orderPaymentPreference.set("statusId", "PAYMENT_ERROR");
            }


--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-1716:
-----------------------------------

          Component/s:     (was: specialpurpose/pos)
                       ALL COMPONENTS
             Priority: Critical  (was: Major)
    Affects Version/s: SVN trunk

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux reassigned OFBIZ-1716:
--------------------------------------

    Assignee: Jacques Le Roux

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12581814#action_12581814 ]

Jacques Le Roux commented on OFBIZ-1716:
----------------------------------------

Hi Chris,

AS long as you don't persist the CV2 code in DB there is no problems to keep it in a session.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12588231#action_12588231 ]

Jacques Le Roux commented on OFBIZ-1716:
----------------------------------------

Hi Chris, All,

I just had a look at it and yes indeed there seems to be a problem there...

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12588237#action_12588237 ]

Jacques Le Roux commented on OFBIZ-1716:
----------------------------------------

I did not change it yet in the case of PAYMENT_DECLINED, since I think that, in such case, the transaction may be retried one or more times. If it's well done I suppose that at the end of transactions (with success or not) securityCode and track2 are "nullified" in the DB. So for now I only nullified int the case of PAYMENT_ERROR and I hope it's the exit door (did not look further)

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12588241#action_12588241 ]

Chris Lombardi commented on OFBIZ-1716:
---------------------------------------

I'm not sure of  the scenario where you wouldn't just report back to the customer that their card has been declined and instead retain the cvv code for later retries.

1.  Online e-commerce
2.  POS
3.  Card  taken over phone by sales
4.  Recurring subscriptions

For cases 1, 2 and 3, just report back declined.  The customer may enter in a different credit card.  For case 4, you shouldn't retain the cvv code past the initial transaction.

In reading the code, there was some retry logic for a not sufficient funds (nsf) case.  Could anyone  explain when this is actually used?  I'm having a hard time figuring out when you wouldn't just report back to the customer with a decline.


--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12588403#action_12588403 ]

David E. Jones commented on OFBIZ-1716:
---------------------------------------

The NSF retry stuff can be used for any order, but is mostly intended for automatic orders done through ShoppingLists.

Either way, it totally depends on business policy and desired process.

For CVV codes it doesn't matter anyway. You cannot store or in any way remember them beyond the time scope of the transaction they were entered for (and if it is split into auth and capture then that would be ONLY the auth part you can keep the code for).

That means for ALL automatic retries you will not have the CVV code, and will not get the benefit of the discounted transaction fee for having the CVV code. That's the only real difference.

Again, it's all a business decision to be made with an understanding of these sorts of constraints. Whatever is done OOTB in OFBiz needs to be changeable to different situations. Well, it is always changeable, but the goal is to make more common variations easier to configure.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12588410#action_12588410 ]

Chris Lombardi commented on OFBIZ-1716:
---------------------------------------

I'll fix it to delete the cvv and track2 information per DJ's comment.  JLR, do you have any objections?

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12588417#action_12588417 ]

Jacques Le Roux commented on OFBIZ-1716:
----------------------------------------

Any objections this is fine with me

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Lombardi updated OFBIZ-1716:
----------------------------------

    Attachment: ofbiz-1716.patch

I have to test this patch.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12608293#action_12608293 ]

Jacques Le Roux commented on OFBIZ-1716:
----------------------------------------

Hi Chris,

What is the status of this patch, now ?

Thanks

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12608446#action_12608446 ]

Chris Lombardi commented on OFBIZ-1716:
---------------------------------------

I don't remember.  The patch looks pretty straight forward though, I'll test it today.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Lombardi updated OFBIZ-1716:
----------------------------------

    Attachment: ofbiz-1716.patch

Updated patch to work with current trunk.  Tested, works ok.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-1716.
----------------------------------

       Resolution: Fixed
    Fix Version/s: Release Branch 4.0
                   SVN trunk

Thanks Chris,

Your patch is in trunk revision: 672130 , release4.0 672133  



--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.