Applications allowed to proceed without valid payment acceptance

Owned by Robert Adach, created
Last updated: Oct 21, 2022
6 min read

Description

LMR-9038 was created by the MERS team for assistance in providing a receipt for a ASWBCentral pre-approval customer. Upon review the ASWBCentral system reflected the payment had previously been charged, however when reviewing the information in Authorize.net it was discovered that the payment remained in the Pending Capture status instead of the expected Captured status.

The IT team immediately began to reconcile the unsettled list in Authorize.net against applications in ASWBCentral to determine if there were any other applications which were noted as successfully improted, but payment had not yet been received from Authorize.net A preliminary list of the mismatched accounts was provided to the MERS team through the Jira ticket and IT continued its investigation into the cause of this issue.

Timeline

Date

Details

Date

Details

10/14/2022

Research into LMR-25229 identified that some applications were imported without the funds being captures in Auth.net

10/17/2022

The IT team has begun its investigation into the missing capture of payments

10/18/2022

Specific scenarios of applicant action have been identified where the system is incorrectly identifying payments as been collected. Development of a solution to address this issue in production has been completed/

10/19/2022

Additional review of the existing code in production as well as QA testing by all members of the IT team have verified that the developed solution has addressed all instances of the problem.

10/20/2022

The team has migrated the changes into the next release codebase (Exam Registration Phase 2) and has additional additional safeguards at other points in the purchase process to further prevent loss or misrepresentation of data.

10/21/2022

Final testing of the updated code in the current production release has been completed and deployment has been scheduled for 10/25/2022. Notification will be sent per standard practices.

10/25/2022

Deployment of updated code will be released to production during the scheduled maintenance window.

Investigation Steps

What steps are/have been taken to determine the cause of this issue

Start / End Date

Step

Status/Result

Start / End Date

Step

Status/Result

10/17

A full review of all transactions in ASWBCentral against those that have been captured in Authorize.net from January 1, 2021 through September 15, 2022 will be completed. Additional prior months will be reviewed if necessary.

This action has been transitioned to the Finance/MERS team.

10/17

The IT Team is completing a complete audit of all code regarding the capture of payments to identify possible scenarios where the system allowed a application to proceed in the application process without successfully capturing the payment

10/17/2022 - The first series independent reviews by each developer identified no conditional reasoning for the errant data issues. when importing the application. A collaborative review is underway at this time.

10/18/2022

  • Following additional reviews within the team, we have located three specific scenarios in which the data issue is occurring. Please refer to the “Scenarios affected by issue” section below.

  • A correction to the existing code in production has been identified and implemented in the QA system. We have tested six scenarios (including those listed in the “Scenarios affected by issue”) and have confirmed that the data issue is resolved with the correction to the code. Additional testing will be performed by the IT team at this time, including the capturing of these items to ensure 100% coverage of all scenarios.

10/19/2022

  • A review of the proposed change to the production website code was completed with Bob, Chris and Robert, and all are in agreement that the changes will catch and prevent the current data issue ensuring that applications which are submitted are done so in a manner that the Desktop application will collect against. There are no additional changes that are seen to be made to the desktop application at this time.

  • Several discussions have taken place with the team on ways to implement additional checks and balances to the submission and import processes to make sure that the authorizations are valid and collected appropriately. We are currently investigating these additional changes and confirming with Authorize.net that the approach is sustainable and determine if there are other ways to ensure collection accuracy.

10/20/2022

  • Additional conversations have been held with Authorize.net Merchant support and Developer support to review the processes that the IT is implementing. Both departments agree that the course of action taken is appropriate to provide additional safeguards for processing in the future.

10/21/2022

  • Final testing of the code improvement has been completed and is scheduled to be deployed on Tuesday, October 25th between 5 and 6AM ET.

10/17

We are reaching out to Authorize.net developer support team to discuss this issue and determine if there are any scenarios where their integration may misreport a capture or if there are scenarios which may not have been disclosed in their documentation.

10/17/2022 - A thorough review of the published change logs to the Authorize.net API and development kit is underway to ensure that no changes have occurred to their code which could have led to this issue.

10/18/2022 - The review has been completed and there are no changes to the API or functions that we use for the production code.

10/19/2022 - Per the previous step, the team is investigating additional steps utilizing the Authorize.net API to provide additional checks and balances. These changes would be implemented in the Exam Registration Phase 2 code and NOT in production.

10/20/2022 - Additional conversations have been held with Authorize.net Merchant support and Developer support to review the processes that the IT is implementing. Both departments agree that the course of action taken is appropriate to provide additional safeguards for processing in the future.

10/17

The IT team will continuously check the status of captured payments in ASWBCentral against Authorize.net records until we have resolved this issue to ensure no additional payment issues occur.

10/18/2022

  • 10:56 AM - 26 applications imported and verified are ready for settlement in Auth.net NO errors found

  • 01:25 PM - 1 application imported and verified are ready for settlement in Auth.net NO errors found (27 total)

  • 04:08 PM - 0 applications imported

10/19/2022

  • 9:02 AM - 17 applications imported and verified are ready for settlement in Auth.net NO errors found

  • 1:45 PM - 28 applications imported and verified are ready for settlement in Auth.net NO errors found (45 total)

  • 4:26 PM - 0 additional applications imported since last review. Confirmed with MERS that no additional imports will be done.

10/20/2022

  • This process was transitioned to the MERS team. Items that have not been captured will be reported by a Jira ticket so that the system may be updated after the MERS team captures the funds.

10/17

Using previous backups, the IT team is attempting to recreate the conditions using the data available before the errant events occurred in an attempt to recreate the issue.

Cancelled - After the review of the code, the IT team was able to identify the exact scenarios where the data issue occurs and locate test accounts in the current testing database to verify the code corrections.

Root Cause Analysis

Scenarios affected by issue

Scenario 1

  1. The applicant completes the question portion of their application

  2. They then go to the invoice page, agree to the T&C and selects Credit Card as the payment type

  3. The applicant then presses the Pay Now button and is sent to Authorize.net

  4. After entering their billing details and Authorize.net has a successful authorization the Applicant is returned to ASWBCentral and moved automatically to the submission page

  5. They close their browser window and do not submit the application

  6. At a later time, they return to their ASWBCentral application which takes them to the submission page

  7. The applicant then submits their application

Scenario 2

  1. The applicant completes the question portion of their application

  2. They then go to the invoice page, agree to the T&C and selects Credit Card as the payment type

  3. The applicant then presses the Pay Now button and is sent to Authorize.net

  4. After entering their billing details and Authorize.net has a successful authorization the Applicant is returned to ASWBCentral and moved automatically to the submission page

  5. They click the back button on the submission page returning to the application

  6. The applicant then moves forward in the application and back to the submission page

  7. The applicant then submits their application

Scenario 3

  1. The applicant completes the question portion of their application

  2. They then go to the invoice page, agree to the T&C and selects Credit Card as the payment type

  3. The applicant then presses the Pay Now button and is sent to Authorize.net

  4. After entering their billing details and Authorize.net has a successful authorization the Applicant is returned to ASWBCentral and moved automatically to the submission page

  5. The applicant then submits their application

  6. The authorization for the application is altered after submission from outside the system AFTER it is imported into ASWBCentral

    1. The this could occur through Authorize.net account page by voiding the transaction