Our new and improved credit card field makes it faster and easier for your customers to input their cardholder information and even safer for you to collect and process it.
With the release of this new field, we alerted customers that we would be discontinuing the old credit card field block in March 2019. When the old credit card field was removed, historical data collected from that field was also removed.
A unified, compact design
Instead of three separate fields, we’ve created one responsive field that allows customers to enter all three pieces of cardholder data (credit card number, expiration date, and CVC) without stopping to tab or click into the next field.
We still treat this field as three separate fields behind the scenes, so you’ll be able to map them to the proper payment integration settings fields as usual. You’ll use the same field name for each field you map (similar to the address field), and we’ll parse the proper data from the field.
You may notice that the Card Verification Code (CVC) field is set as optional in the payment integration section. This only applies to payment integration rules wherein collecting CVC information is not always required.
For security purposes, the CVC, along with the expiration date and credit card number portions of the credit card field, is always required in the live version of the form.
Note: When viewing the field on a narrow mobile phone screen you may see the field break into 3 fields, but auto-tabbing will still work.
Auto validation and number formatting support
This field will automatically validate the credit card number entered on the form to ensure that the number exists and is not missing any numerals.
If any issues occur, an error will display on the form. Further, the field will validate the expiration date and will display an error if the card is expired.
Card type identification support
While you are still able to control which card types you accept on your form, the field will now display the appropriate credit card brand icon based on the number the customer types into the field.
Formstack is becoming PCI compliant and this means we need to beef up our security around collecting payments.
Temporarily Store Credit Card Information
Should you need the full credit card information at a later time, you will have the option to store this information for up to 90 days in your submissions page, so long as the form has encryption enabled and no payment processors have been added to the form. After 90 days, this information will automatically be purged from your submissions. Also note that this functionality is not available by default; to enable it, an admin user on the account must submit this form. The Formstack Support team will follow up with you after submission once this feature is enabled for your account.
The credit card field will appear as shown below when you access your submissions. To reveal the full credit card number, click to open the submission, then click the "Reveal and Process" button located under the credit card field entry.
To show the entire submission information, i.e. the full credit card information, click on the Show button.
Selecting the "I understand marking this as authorized will delete the stored credit card data" check box will expose the "Mark as Authorized" button, allowing the user to PERMANENTLY delete the collected credit card information.
In addition, it is no longer possible to display the full credit card information in notifications - even with an encrypted submission table. Sensitive cardholder data is now sanitized upon submission. Only the last 4 digits of the credit card and expiration date will be visible in submissions and in emails.
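The validation and sanitization behaviour described above, as an added example that is not Formstack's code: it checks the three parts of one card entry and returns only the last 4 digits and expiration date. The field names (`number`, `expMonth`, `expYear`, `cvc`) are hypothetical, and the Luhn checksum is an assumption, since the page does not say which number check is used.

```javascript
// Added illustration, not Formstack's code. Field names are hypothetical.

// Luhn checksum (assumed check): catches mistyped or dropped digits.
function luhnValid(digits) {
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// A card stays valid through the last day of its expiration month.
// month is 1-12 and year has four digits; Date months are 0-based,
// so new Date(year, month, 1) is the first day of the following month.
function isExpired(month, year, now = new Date()) {
  return now >= new Date(year, month, 1);
}

// Validate all three parts, then keep only what may appear in
// submissions and e-mails: the last 4 digits and the expiration date.
function sanitizeCardEntry(entry, now = new Date()) {
  const pan = String(entry.number).replace(/[\s-]/g, '');
  const { expMonth: m, expYear: y } = entry;
  const errors = [];
  if (!luhnValid(pan)) errors.push('invalid card number');
  if (!Number.isInteger(m) || !Number.isInteger(y) || m < 1 || m > 12) {
    errors.push('invalid expiration date');
  } else if (isExpired(m, y, now)) {
    errors.push('card is expired');
  }
  if (!/^\d{3,4}$/.test(String(entry.cvc))) errors.push('CVC is required');
  if (errors.length) return { ok: false, errors };
  // The full number and the CVC are deliberately not copied into the result.
  const expiration = `${String(m).padStart(2, '0')}/${y}`;
  return { ok: true, display: { last4: pan.slice(-4), expiration } };
}

// Constructed sample input (a well-known test number, not a real card).
const sample = { number: '4111 1111 1111 1111', expMonth: 12, expYear: 2030, cvc: '737' };
console.log(sanitizeCardEntry(sample, new Date(2024, 0, 15)));
```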
If you need to capture cardholder data for pre-authorization purposes or collect credit card information without any of the time constraints, we recommend using our Authorize.Net integration in Authorization mode or setting up a PCI Webhook (enabled upon request from our Support Team) to send the full information to a PCI compliant endpoint*.
*It is the responsibility of the customer to ensure that the webhook endpoint is PCI compliant. If you fail to secure your clients’ cardholder data in a PCI compliant manner you open yourself up to major risks and devastating fines if breached.