CRM-21311 Credit card type is unset on submission causing credit card payment to fail with CVV validation error message

[jusfreeman]

Overview

Credit card type is unset on submission causing credit card payment to fail with CVV validation error message. Regression bug introduced in PR #10774

Before

In CiviCRM, change default credit card name for "Amex" to "American Express".
Submit a test credit card transaction using an American Express test credit card number, 378282246310005
Contribution will fail with CVV validation error message.
Existing code does not set the credit card type on submission, causing the CVV not to be validated correctly. American Express uses 4 digit CVV.

After

Credit card type is set correctly, CVV is validated and submission succeeds.

Technical Details

Regression bug introduced in PR #10774 - See https://github.com/civicrm/civicrm-core/pull/10774/files#diff-31a6607a9f03e2336c412d8fad30d711R72

This function has a comment that it was created to be used only for CSS names. Since PR #10774 it is being used to return a json string. Recommend refactor function name and remove comment - since it is not just being used for CSS anymore.

See CRM/Core/Payment/Form.php - public static function getCreditCardCSSNames

https://github.com/civicrm/civicrm-core/pull/10774/files#diff-31f2b294fac11671bf5ae72d8e6d7172R115

Comments

Who uses AMEX anyway?

---

• CRM-21311: CIVICRM-668 Credit card type is unset on submission causing credit card payment to fail with CVV validation error message

[civicrm-builder]

Can one of the admins verify this patch?

[jusfreeman]

@monishdeb another one to review buddy!

[monishdeb]

@jusfreeman I have reviewed your changes and it fixes the issues you mentioned above but causes another regression. Let me explain with screencast, where after submission, card type ID is not saved.

After applying the patch do a live contribution with Visa (4111111111111111 / 123)

Without patch do a live contribution with Visa (4111111111111111 / 123)

As you can see in comparison to the earlier transaction, the card type and card number (last 4 digit) is recorded now.

[monishdeb]

This patch is also affecting backoffice contribution as CC(Credit Card) type id is not recorded. Do a backoffice contribution using CC as payment instrument and use Visa/1111 as CC type and last 4 digit card number. You will find that CC type ID is not saved (you need to look at civicrm_financial_trxn)

[eileenmcnaughton]

I think this HAS TO BE fixed in 4.7.27 - even if at expense of recording credit card type - we can't be not accepting cards.

I'm confused as to why there is a problem with this fix. It seems the array on the form looks like

<select name="credit_card_type" id="credit_card_type" class="crm-form-select" style="display: none;">
	<option value="">- select -</option>
	<option value="Visa">Visa</option>
	<option value="MasterCard">MasterCard</option>
	<option value="Amex">American Express</option>
	<option value="Discover">Discover</option>
</select>

Later on we see

  public static function formatCreditCardDetails(&$params) {
    if (in_array('credit_card_type', array_keys($params))) {
      $params['card_type_id'] = CRM_Core_PseudoConstant::getKey('CRM_Core_BAO_FinancialTrxn', 'card_type_id', $params['credit_card_type']);
    }
    if (!empty($params['credit_card_number']) && empty($params['pan_truncation'])) {
      $params['pan_truncation'] = substr($params['credit_card_number'], -4);
    }
  }

So we are taking the name field from the option value & using it with 'getKey' - so as long as we are always working with the KEY/ machine_name and never with the label we should be OK. So the js fix changes us from using label to name - which seems a correct part of the fix.

I can't see why the php function change is needed at this stage. We should totally NOT allow anything in the machine_name field that machines don't like

@seamuslee001 ^^

[seamuslee001]

I think that sounds right but not 100% sure, I will try and test this when i am a bit less jetlagged

[jusfreeman]

Jenkins please test

[eileenmcnaughton]

So my concern here is whether this now means the format that will be passed to the processors will change slightly (e.g from visa to Visa). Paypal code DOES pass this through to Paypal. Others might too.

I think it makes sense to update the name field in the DB to lower case so that will stay consistent?

UPDATE civicrm_option_value v
INNER JOIN civicrm_option_group g
ON v.option_group_id = g.id AND g.name= 'accept_creditcard'
SET v.name = lower(v.name) ;

[eileenmcnaughton]

(the code changes do seem like a sensible magicobotomy)

[jusfreeman]

I think it makes sense to update the name field in the DB to lower case so that will stay consistent?

@eileenmcnaughton Simple solutions are best and yes, I think that's fine to do that too. Still the credit card type key should be lowercased in code before passing to the payment processor - if that's what they accept (or have been given in the past).

It's worth keeping in mind that the problem being solved here really was that the key and the label for the credit card type were assumed to be the same value. And so were used interchangeably throughout the code. Now that users can easily change the label for any credit card type, this breaks credit card type being set and on-line payments is then non-functional.

I noticed that CiviCRM actually ships with pear libraries which have built-in credit card number validation and setting of the credit card type. So all this jiggery pokery could be made simpler by just doing server side validation and setting of the credit card type. And to be honest, I think that would be a more robust solution going forward - the current state is very fragile. Why even ask the user what type of credit card it is, when this can be computed?

I can see there is still a problem on the Contribution confirmation page where the credit card type key is displayed, instead of the label. That should also be changed and all other payment confirmation pages (Event, Contribution, Membership etc.) changed to display the credit card type label.

For changing the confirmation pages, I am not really sure what to do here and would appreciate advise or someone else helping out.

Files:
templates/CRM/Contribute/Form/Contribution/Confirm.tpl
CRM/Contribute/Form/Contribution/Confirm.php

[eileenmcnaughton]

"Why even ask the user what type of credit card it is, when this can be computed?" - good question @KarinG @colemanw @JoeMurray - do any of you know?

[KarinG]

No - I don’t - I’m pretty sure I asked the same question;

[KarinG]

So what 4.7.x version has this bug? I have a 4.7 site that’s on 4.7.22 - that is happily accepting AMEX (I just checked);

[KarinG]

It’s more a lookup rather than a compute: https://en.m.wikipedia.org/wiki/Payment_card_number#Issuer_identification_number_.28IIN.29

[eileenmcnaughton]

@KarinG the bug only manefests if you change the label on the option value from Amex to American Express

[KarinG]

Ah I see - thank you; yeah we don’t do that; so that explains why we’ve not seen it;

[eileenmcnaughton]

right - it's kinda edge.

[monishdeb]

Jenkin test this please

[jusfreeman]

right - it's kinda edge.

@eileenmcnaughton as you know, we live on the edge!

[eileenmcnaughton]

You rebel you!

I think the best path to getting this resolved is to update the name field in the DB to be lower case (via upgrade script) and keep the main js change in this PR but cull out a couple of the changes that are about handling the casing change. We might make the option values 'is_reserved' = TRUE too, since the name values are not actually permitted to be amended.

I think there is a case for not having card type but I think it should be resolved as a follow up since it probably involves email discussion and requires at least 6 people to attempt to hijack the change with their pet project before we can be sure everyone is happy with the basic principle of removing the field :-)

[jusfreeman]

Jenkin test this please

[jusfreeman]

I think the best path to getting this resolved is to update the name field in the DB to be lower case (via upgrade script)

@eileenmcnaughton can you provide some guidance on doing this change?

[eileenmcnaughton]

it can be done in CRM_Upgrade_Incremental_php_FourSeven

[agilewarealok]

@eileenmcnaughton We've updated the PR by adding Update query in CRM_Upgrade_Incremental_php_FourSeven under upgrade_4_7_27

[colemanw]

That upgrade function looks correct, except it will need to be moved to function upgrade_4_7_30 because of our release schedule (4.7.28 is going out today. 4.7.27 is already out and 4.7.29-rc is about to be cut). If we consider this critical enough and the PR is complete we could potentially merge it into the 4.7.29-rc, but currently it looks like there are still some outstanding review comments from @eileenmcnaughton about culling case handling changes.

[jusfreeman]

For the "culling case handling changes" - all the conversion to lowercase in JS are required for CSS declarations. I recommend leaving as is.

@eileenmcnaughton would mind reviewing this again, thanks.

[eileenmcnaughton]

this line should not be required now - we have a list of names that are already lower case

[agilewarealok]

@eileenmcnaughton We've just tested against master and logging CRM.config.creditCardTypes return following JSON string.

{Visa: "Visa", MasterCard: "MasterCard", Amex: "Amex", Discover: "Discover"}

So the first character of each keys are still in uppercase.

[eileenmcnaughton]

So we want to be assigning an array of name=>label yeah - ie

[
'visa' =.> 'Visa',
'mastercard' => 'MasterCard'
/....
]

[eileenmcnaughton]

ditto here - we should be already in lowercase

[eileenmcnaughton]

not sure we should be changing this - we should be running off the lower case 'name' field?

[eileenmcnaughton]

aren't we doing 'mastercard' => 'Mastercard' now?

[jusfreeman]

@eileenmcnaughton happy for you to edit this PR so we can get it merged.

[eileenmcnaughton]

Closing in favour of #12615 (which requires review)