I’m not sure if this is intended behaviour or not, but I have identified an interesting behaviour in the development environment when associating cards with customers.
If a customer uses the test nonce value ‘cnon:card-nonce-ok’ when creating a card on file, any transaction made with the same test value will be associated with that customer, even if the customer id and card id fields are left blank. This also occurs after the card has been removed from the customer’s account. The only way to stop any transaction with that nonce being associated with that customer is to delete the customer from both the merchant account and the application account, as per the new Cards API.
I assume this has something to do with the same nonce being used, being a non-expiring test value, which could never happen in production. Is this expected behaviour?
Steps to replicate:
1. Create a customer using the new Cards API.
2. Use the test value ‘cnon:card-nonce-ok’ to create a card on file for the customer.
3. Make a payment with no customer id or card id using the nonce ‘cnon:card-nonce-ok’.
4. Note that the transaction was associated with the customer created in step 1.
5. Delete the card from the customer account.
6. Make a payment using the nonce ‘cnon:card-nonce-ok’.
7. Note that the transaction was associated with the customer created in step 1.
This behaviour is present as of API version: 2021-07-21
With more testing, it looks like even if just using the test Visa card, going through the normal flow of adding a card on file, which I assume generates a new nonce every time, the issue remains. Is the expected behavior that a credit card associated with a customer will always be tied to that customer even if they are not logged in or using the Card On File payment flow?
Looking at a production environment, any transaction made with a card that is a card on file for an existing customer is attributed to them, which matches the results seen in the test environment. To my knowledge, this is not a documented function.