Accept Fraud Review Result Codes as Success [#567284]

This module is great, but I'm trying to understand one of its behaviors. I'm running Ubercart 6.x-2.0-rc6.

Orders with credit card details that trigger Payflow Pro's optional "fraud filters" are coming back DECLINED. The user gets no confirmation--the standard card processing failure message appears, and the order information doesn't land in the database. The log message is "Payment failed for order XXX: Credit card payment declined: Under review by Fraud Service"

I went into PayPal Manager and set all the filters to "Review", not "Reject". Reference transactions were turned off, and I thought this might be affecting the behavior, but had no luck after turning it on either.

I stumbled into this because of the filter that prevents orders submitted with different shipping and billing addresses. I've since disabled this specific filter, but there are many others that would filter orders that we would like the chance to review and approve, then simply return to Ubercart order administration and update the order's status (at least I'm assuming this is how it works).

I'm guessing that either I'm missing something really obvious, or this module (or Ubercart at large) just isn't ready to work in sync with these Payflow fraud filters. Ideally, the orders would just wI've tried to research this issue, and have come up with nothing. Help? Or perhaps someone would confirm incompatibility with the fraud filters. Thanks.

Comments

Comment #1

kwinters commented 3 September 2009 at 13:58

Category:

support

» feature

From line 216 of uc_payflowpro.module:

if ((int)$txn_result_code != 0) {

Zero is Approved, but some other result codes are acceptable in some configurations. PayPal doesn't really do a good job of telling you whether a given result was a success, you have to figure that out based on the code. In this particular case, I think 126 is the code you're getting and that line can be set up to ignore both 0 and 126. Be careful though, as there are a number of other places that make the same check in the code.

I'm changing this to a feature request since this would be common enough to justify a gateway setting, possibly a comma-separated list of acceptable codes, but that won't be available for a little while.

The only codes that seem to be success are 0, 126 (under review), and 127 (filter service outage).

It may make more sense to change the order status to Pending (or whatever it is) instead of Completed in the case of fraud review, but that might depend on the site and might need to be another setting.

Comment #2

lgb commented 3 September 2009 at 19:07

This is extremely helpful--thanks. Result 126 was in fact what I was seeing returned. I will probably attempt to patch locally. (Although I'm definitely eager for this to possibly show up as a feature!) I could easily create a new logic block to return a different message on 126 (fraud review) transactions--however, I'm still a bit unsure about the easiest way to change the order status to Pending from this point in the code. Thought maybe a Conditional Action could do it, but I don't see a relevant condition (maybe I need to create one). Or perhaps some other code adjustment in the module is the easiest way. If anyone is more familiar with this code, I'd sure appreciate any pointers. Thanks so much.

Comment #3

kwinters commented 3 September 2009 at 19:17

I don't think Conditional Actions are response-code aware, but it's possible. I don't really see an easy way to handle it, going to take some experimentation. uc_payflowpro_charge returns the response code as part of the result array though, so it's just a matter of figuring out what hook you need to use to intercept it.

Comment #4

lgb commented 3 September 2009 at 21:28

I think I've got a temporary fix, and it seems much simpler than I thought.

For the code starting at line 216 of uc_payflowpro.module, I switched the existing if blocks and added one more. So now the first block deals specifically with actions if $txn_result_code == 0, the second (see below) triggers if $txn_result_code == 126, and the third is for everything else.

Here is the one I added:

  } elseif ((int)$txn_result_code == 126) {
    $x_approval_code = $response->AuthCode;
    $pnref = $response->PNRef;
    $message = t('Credit card payment flagged for fraud review; approval code !code and pnref !pnref.', array(
      '!code' => $x_approval_code,
      '!pnref' => $pnref,
    ));
    $data = array();
    $data['pnref'] = (string)$response->PNRef;
    $data['authcode'] = (string)$response->AuthCode;
    $data['result'] = (string)$response->Result;
    $result = array(
      'success' => TRUE,
      'comment' => t('Credit card payment flagged for fraud review; approval code !code and pnref !pnref.', array('!code' => $x_approval_code, '!pnref' => $pnref)),
      'message' => t('Credit card payment flagged for fraud review; approval code !code and pnref !pnref.', array('!code' => $x_approval_code, '!pnref' => $pnref)),
      'uid' => $user->uid,
      'data' => $data,
      'log_payment' => FALSE,
    );
  }

Very similar to the plain "approved" block, but note the different comment text and the 'log_payment' key for the payment gateway callback. Set it to FALSE and this appears to make all the difference. The customer now gets their "confirmation" and the appearance that everything is fine, no conditional action is triggered to update order status (since no actual payment was logged). Now we just have to go into PayPal manager to approve or deny the transaction, and return to Ubercart order administration to move the order to "Payment received" or "Cancelled" status.

Hopefully I'm not missing any unforeseen problems with this method, but it seems OK to me. (What a relief, we're supposed to go live in a week!) Thanks again.

Comment #5

kwinters commented 4 September 2009 at 13:08

Status:

Active

» Postponed

OK, nice.

I'd appreciate it if you could drop back in after a few weeks and let me know if this has been working out right. If it's all good then I'll roll a patch and get something into the module proper.

Comment #6

lgb commented 9 September 2009 at 15:18

This has worked so far, but I neglected the 127 error you mentioned earlier and it actually did arise today. So I added another condition for $txn_result_code == 127 with the only change being an order comment that reads something like "Credit card payment pending resolution of temporary gateway fraud module error".

Comment #7

kwinters commented 9 September 2009 at 15:24

Title:	Payment denied upon fraud filter review flag	» Accept Fraud Review Result Codes as Success
Status:	Postponed	» Needs work

Great, the only other thing I can think of is making the handling optional (in case it needed to be disabled for some reason, but should be fine to default on).

I'll come back and make a patch when I get some free time.

Comment #8

kwinters commented 16 September 2009 at 19:52

I'm working on a patch, and have a question for you: When a transaction is under review by the fraud service, do you have to do anything special in the manager.paypal.com admin to make the money deposit? If so, full support of the feature should really include some kind of "Accept Payment" button in Drupal on the admin order screen, which tells PayPal to charge the card and changes the order to be Completed / Payment Received / whatever.

I'm also trying to decide if it makes sense to treat 126 and 127 differently or not. Right now I'm leaning towards yes, since for some people it might be better to default to Completed when the fraud service goes down rather than have to approve tons of orders by hand.

The other setting I'm thinking of is to let the admin decide what status to use when the codes are returned:

* Accept the payment and mark the order as Pending (must update order status manually to Payment Received or Completed) - default
* Accept the order and mark it Completed
* Treat the result as Denied (user must try again).

Comment #9

lgb commented 17 September 2009 at 19:54

That's great news. Hmm. I think (and I'm still pretty new to the process) that what we do is (strictly in this order):

1.) Login to manager.paypal.com
2.) Check the report on submitted transactions marked potentially fraudulent or 127
3.) Approve or reject each of those transactions (and make a note of Ubercart order # on each approval)
4.) Do a delayed capture of funds for all outstanding authorizations (including those just approved from fraud queue)
5.) Return to Ubercart order administration
6.) Find orders by order # which were approved from fraud queue and mark each of them "Payment Received" (since 126s and 127s will otherwise stay in Pending)

The "Accept Payment" button from within Ubercart order admin sounds like a good idea. At the least, better synchronization of the PayPal & Drupal sides would be nice, in whatever form that comes. Is it actually possible to take advantage of the Payflow API to the extent that all the steps above can be performed in one fell swoop, with perhaps one confirmation screen shown on the Drupal side (displaying all the data from the fraud report in step 2?)

I'm also trying to decide if it makes sense to treat 126 and 127 differently or not. Right now I'm leaning towards yes, since for some people it might be better to default to Completed when the fraud service goes down rather than have to approve tons of orders by hand.

I suppose this would be a nice as an option (as you just mentioned), but I think from my perspective running our store (getting relatively few transactions per week), I would be fine with just treating 127s in the same way as potentially fraudulents and manually approving them before fulfilling the order with a status "Complete". But that's my preference--again, as a store with few transactions (at this point anyway ;)