So, I ran across something interesting today involving Verisign's Payflow Link system. For those of you who don't know, this is a cheap system that allows you to add e-commerce to your site. It works by allowing you to post data to their servers (and you have a choice of how much you ask on your server compared to theirs), have Verisign handle the CC checking, and then it will return a result. One of the features is the ability to post back to your server so that you can have a response from the transaction attempt. This allows you to build a "responder" that sits and waits for Verisign pings. On a good response, you could update a flag in your database marking a particular order as being processed.

Anyway, one of my employers clients is using this service. They recently decided to add AVS checking to their cart. This system basically checks to see if the address and zip code match that of the credit card number. This in itself was easy to configure at Verisign's Manager portal. I rechecked the docs to make sure I wasn't missing something when I ran across a doozy hidden way in the back...

Apparently, if the CC# is valid, and the AVS check fails, Verisign will still return a "Status Ok" type response! Even though they properly return an error to the user, their ping back to your site makes it seem as if the transaction was alright.

To make your responder code work properly, you have to check an AVS response field. Now, this seems incredibly crazy to me. I did some more reading, and apparently, you have to contact customer service to make their response code show an error in case of AVS failures.

So, as we all know, RTFM, but it certainly bears repeating.