Authorize.net charged an individual three times

[dharmatech]

Hey everyone. Hoping someone could help with an issue we came across with a client. 

Drupal 6/CiviCRM 2.1.4

A person registered for a paid event but their credit card was charged three times. The time intervals between each were about 4 minutes and about 5.  Each had a unique transaction/invoice ID and this person's contributions record had the three contributions listed but only one event registration record.  And the change log had records with the times corresponding to each transaction.

Any ideas why or how this could have happened?  She didn't register additional people because there are no other participant records for the event and I doubt it was something like she clicked submit three times because of the time between each transaction and the button greys out when you try to click it again. Nor could she have filled out the form three separate times because no other participant records were created (I'm pretty sure).

And I tried recreating it with a real credit card and paying an event fee of $1 dollar and it went through as normal.  This is really mysterious so any help would be really appreciated.

Thanks in advance
Tony

[Donald Lobo]

1. was she a logged in user?

2. if i had to guess, she filled out the form 3 times. we found and updated the participant record but created new records for contribtution etc

3. seems like there is a bug that allowed her to fill it out 3 times. if u can get further details / hints on what she did and reproduce that would be super helpful

lobo

[dharmatech]

Hey Lobo. No she was an anonymous user.

Our client has still not talked to their member but I think you're right.  I was just able to anonymously fill out the event registration form with the same exact info (email, first & last name) twice but it just updated my existing participant record. I paid at a different fee level ($0) to see if it would update and it did update the participant record.

I was also able to reproduce on demo. I created an event and anonymously registered twice with the same email. And it updated my existing participant record.

Should i go ahead and file an issue? I can wait to get more info if need be.

thanks for your quick response lobo.
tony

[Donald Lobo]

and this is with authorize.net where the transaction is marked complete, right? (we allow folks to have multiple pending registrations)

Go ahead and file an issue. We dont support authorize.net (its a contributed module), but we will test and ensure it works with the sandbox server on paypal web payments pro (similar to auth.net)

lobo

[dharmatech]

and this is with authorize.net where the transaction is marked complete, right? (we allow folks to have multiple pending registrations)

Correct. It was marked as completed in CiviCRM and authorize.net

Posted an issue here: http://issues.civicrm.org/jira/browse/CRM-4005

thanks for the help, Lobo
Tony

[Donald Lobo]

hey tony:

looking at the issue. a few questions:

1. You replicated on demo using the test mode with dummy processor, right? We made a change to allow folks to register multiple times

2. were u able to replicate the issue in live mode?

3. I assume the error was a user doing things in live mode, right?

lobo

[dharmatech]

Hey lobo.  Sorry for not responding. I've just waiting to hear back from the client to hear what exactly happened.

I replicated on demo in live mode with the dummy processor. Is the change you refer to just for the demo site only in order to allow people to register multiple times in their testing/demoing? Is that the idea?

And yes, the error was in live mode. But still am confused and unsure if it was a payment processor error or she was able (and did) fill out the form three times. As soon as I hear more and know exactly what happened, I'll post back here.

thanks for the help
tony

[dharmatech]

So I finally heard back from the client as to what happened.  I'll describe everything I know so hopefully we can best figure out how to tackle this issue.

An organization staff person went to our client's website to anonymously register 4 people to an event. For some reason, she didn't see the large button allowing her to register additional people so she instead filled out the form 4 separate times (was three but she had filled it out once more after we discovered the issue and I posted this).

Each time, she put in a different person's name in the exposed profile but she put her own email address each time AND the same credit card/billing info each time.

The expected behavior should be (I assume) that 4 separate records would be created with the same billing info and same email address along with 4 separate participant records.

Instead, what happened is that each time she filled it out, it found the same contact and CiviCRM updated its personal info, created a new contribution record, and updated the same participant record.  In other words, the same contact ID was updated with a new name each time (so the person started as a Shannon and ended up as an Ethan - the last person the staff person registered). Ethan now has 4 contribution records for each event registration but only one participant record.

The strict duplicate matching rules are set to check first name, last name, and email with weights of 5,7,10 respectively and a threshold of 20.  Even though the staff person filling out the form used her same email address each time (for some reason) it was a different first/last name which should have created a new record. But for some reason, because it was the same billing info, it kept updating the exact same contact.  Very uncool.

So that's the problem. The money is fine and she was charged appropriately. This issue lies in how CiviCRM is handling duplicates when it comes to billing info.  It's almost as if billing info supersedes the contact matching rules that you configure.

Let me know if you have any questions or need more details.  Or if you want me to reopen the same issue or create a new one.  I think I remember issues with how billing info was handled in the past so hopefully this isn't one of those issues coming back.

Thanks for your help, Lobo

Tony

[petednz]

Was the staff member logged in at the time of doing this, or using an unlogged in browser? (or is that irrelevant?)

[dharmatech]

Hi peterd. The staff person was logged out (anonymous). I don't think this matters too much because if you were logged in, it wouldn't let you even register again. It would see that you already have a participant record and give you the message "oops, you're already registered..."

but i might be wrong.
tony

[dharmatech]

Hi Lobo. Do you have any advice on the issue I posted above?  Am I missing something as far as how CiviCRM handles duplicates? Should I file a ticket?

I appreciate any help you can give us.
thanks
tony

[Donald Lobo]

i'm not very sure why it happened.

would be great if you can reproduce this on sandbox.civicrm.org with a live processor and a live credit card

note that the dummy processor does not allow live transactions. Maybe we can modify it to allow live transactions

lobo

[Donald Lobo]

ok

i modified the dummy processor to accept live transactions. In 2.2 it detects a duplicate registration based on email address. I'm pretty sure this has not changed since 2.1

lobo