Authorize.net (AIM) Putting AUTH: Code & TransID in order comments

[nextlevelmotoring]

I just upgraded from a very old 1.2 to 1.3.8a and everything seems to be working great, except a wierd occurance with Aurhorize.net (AIM)....

When a customer pays with a credit card the following information is entered into the publicly viewable order comments:

Credit Card payment. AUTH: 625145. TransID: 2542587412. (I've changed the numbers but everything else is the same)

As a result, the customer can see these numbers when viewing the order history through the website.


Can anyone tell me how to turn this off?

Thanks!

Ryan

[DrByte]

Is there something wrong with the customer seeing the authorization code applied to their transaction?
Keep in mind that you normally see that information on a credit card receipt you get when you swipe your card in a store for a retail purchase. Aren't customers entitled to see that information?

[nextlevelmotoring]

Is there something wrong with the customer seeing the authorization code applied to their transaction?
Keep in mind that you normally see that information on a credit card receipt you get when you swipe your card in a store for a retail purchase. Aren't customers entitled to see that information?

Yes, there is! When there's an AVS error and a customer has held funds and they request to remove the authorization, the only thing we need to provide to have that authorization removed is the authorization number.

Someone who knows that they're doing can have any charge removed (even active charges prior to settlement) with that number after placing an order by calling the toll-free number on the back of their card.

[DrByte]

So you're saying you don't want that disclosed *ever*? Or only if there were no warnings with the authorization?

[nextlevelmotoring]

So you're saying you don't want that disclosed *ever*? Or only if there were no warnings with the authorization?

Yeah, I just think it would be better to not put that as an order comment - I can't think of a single benefit, it's just unnecessary info that can confuse the customer and offer a way for unscrupulous peoples to try to do things they shouldn't be doing.

[DrByte]

If you wish to exclude that, simply remove or comment-out the following from near the bottom of /includes/classes/order.php:

Code:

      if ($GLOBALS[$_SESSION['payment']]->auth_code || $GLOBALS[$_SESSION['payment']]->transaction_id) {
        $pmt_details = 'AuthCode: ' . $GLOBALS[$_SESSION['payment']]->auth_code . '  TransID: ' . $GLOBALS[$_SESSION['payment']]->transaction_id . "\n\n";
        $email_order = $pmt_details . $email_order;
        $html_msg['EMAIL_TEXT_HEADER'] = nl2br($pmt_details) . $html_msg['EMAIL_TEXT_HEADER'];
      }

and the same with the after_process() function in /includes/modules/payment/authorizenet_aim.php:

Code:

    $sql = "insert into " . TABLE_ORDERS_STATUS_HISTORY . " (comments, orders_id, orders_status_id, date_added) values (:orderComments, :orderID, :orderStatus, now() )";
    $sql = $db->bindVars($sql, ':orderComments', 'Credit Card payment.  AUTH: ' . $this->auth_code . '. TransID: ' . $this->transaction_id . '.', 'string');
    $sql = $db->bindVars($sql, ':orderID', $insert_id, 'integer');
    $sql = $db->bindVars($sql, ':orderStatus', $this->order_status, 'integer');
    $db->Execute($sql);

[nextlevelmotoring]

Thanks so much - that's exactly what I needed!