magento2: CC validation incorrectly identifies some cards as Maestro Domestic
Preconditions and environment
- Magento version 2.4.5-p1
- A payment method that uses Magento’s native 'Magento_Payment/js/model/credit-card-validation/credit-card-number-validator' credit card number validator/type detection
Steps to reproduce
- Go to checkout
- Select payment method that uses Magento native type detection and CC validation
- Enter card number “4111 6767 7011 1115”
Expected result
Credit card should be identified as a valid Visa CC number and allow order placement.
Actual result
Credit card is matched as both Visa and Maestro, fails to identify the specific card type, and blocks checkout submission.
Any customers affected by this issue will find themselves unable to place an order and complete checkout with that credit card.
Additional information
The problem is the Maestro Domestic type definition: https://github.com/magento/magento2/blob/2.4-develop/app/code/Magento/Payment/view/base/web/js/model/credit-card-validation/credit-card-number-validator/credit-card-type.js#L106
    {
        title: 'Maestro Domestic',
        type: 'MD',
        pattern: '^6759(?!24|38|40|6[3-9]|70|76)|676770|676774\\d*$',
        gaps: [4, 8, 12],
        lengths: [12, 13, 14, 15, 16, 17, 18, 19],
        code: {
            name: 'CVC',
            size: 3
        }
    },
As written, the pattern will match any number starting with 6759[...], or containing 676770, or containing 676774. Any credit card number that happens to contain those two number sequences will fail validation and be unable to check out.
To fix it, the pattern should be wrapped in parentheses so the ^ flag applies to all three sequences:
    pattern: '^(6759(?!24|38|40|6[3-9]|70|76)|676770|676774)\\d*$',
In a brief look, it does not appear any other CC types or number sequences are affected.
Triage and priority
- Severity: S0 - Affects critical data or functionality and leaves users without workaround.
- Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
- Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
- Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
- Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.
About this issue
- State: closed
- Created 2 years ago
- Comments: 25 (4 by maintainers)
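The alternation-precedence problem described in the issue can be reproduced outside Magento. The following is an added example, not code from the issue or from Magento: the two 'MD' patterns are copied from the issue, while the Visa pattern, the `detectTypes` helper and all sample numbers except the first are assumptions constructed for illustration.

```javascript
// Added example: compares the original and the parenthesised 'MD' pattern.
// The Visa pattern and detectTypes() are simplified assumptions,
// not Magento's own type-detection code.
const VISA = '^4\\d*$'; // assumed stand-in for the Visa definition
const MD_ORIGINAL = '^6759(?!24|38|40|6[3-9]|70|76)|676770|676774\\d*$';
const MD_FIXED = '^(6759(?!24|38|40|6[3-9]|70|76)|676770|676774)\\d*$';

// Return the type codes whose pattern matches the digits-only card number.
// More than one code means the type is ambiguous, which is the state the
// issue reports as blocking checkout.
function detectTypes(cardNumber, mdPattern) {
    const digits = cardNumber.replace(/\s+/g, '');
    const types = [
        { type: 'VI', pattern: VISA },
        { type: 'MD', pattern: mdPattern }
    ];
    return types
        .filter((t) => new RegExp(t.pattern).test(digits))
        .map((t) => t.type);
}

// Sample inputs: the first is the number from the issue, the rest are constructed.
const samples = [
    '4111 6767 7011 1115', // Visa containing 676770 mid-number
    '4000 0067 6774 0002', // constructed: Visa containing 676774
    '6767 7000 0000 0000', // constructed: starts with 676770
    '6759 0000 0000 0000', // constructed: starts with 6759
    '6759 2400 0000 0000'  // constructed: 675924 is excluded by the lookahead
];

for (const n of samples) {
    console.log(n, 'original:', detectTypes(n, MD_ORIGINAL),
        'fixed:', detectTypes(n, MD_FIXED));
}
```

Without the group, `^` binds only to the `6759` branch and `\d*$` only to the `676774` branch, so `676770` matches anywhere in the number. With the group, both anchors apply to all three prefixes, and numbers that genuinely start with one of them are still detected as 'MD'.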
@engcom-November Please note that this is an issue with the JavaScript validator NOT with the actual card processor. This is not about it being a valid number when submitting to a transaction, this is about the form even allowing you to submit the card number for payment.
Because of the issue, the customer doesn’t even have the option of submitting the card, whether it’s a legitimate card or not, because the form validator will not let them continue.
I can confirm this issue and believe we may have a customer that’s experiencing this bug.
I will also point out that the lib/mage/validator.js also has the same issue with the regex and would also need to be corrected.
Simply overriding these files and adding additional capture groups resolved the issue as stated by @rhoerr.