Important Note

Legacy API integration and features including Advanced Integration Method (AIM), Server Integration Method (SIM), Direct Post Method (DPM), Relay Response and Silent Post are now obsolete and in the process of being phased out. We strongly suggest using one of our modern integration methods with your Authorize.net account. Visit our Developer Center and Upgrade Guide for more information on our updated APIs.

Merchant-Defined Fields (MDFs)

Authorize.net provides a feature to merchants for submitting Merchant-Defined Fields (MDFs), which are not defined in our API documentation. These MDFs are included in the transaction response and the merchant email receipt. The purpose of MDFs is to allow merchants to include order details such as sizes, colors, or quantities.

Since MDFs are entirely defined by merchants and not the payment processor, these fields are not passed to the processor. To use MDFs with the Authorize.net API, use the userFields element in the createTransactionRequest call. In our legacy integration methods - AIM, SIM, and DPM - any field not defined in its documentation is considered an MDF.

However, merchants should be cautious not to misuse MDFs to send unmasked, sensitive information that violates Payment Card Industry Data Security Standard (PCI DSS) regulations or applicable state and federal laws, including but not limited to: GLBA, HIPPA, and CA SB1386. Since this information is included in the merchant email receipt, there's a risk of interception. Also, since we return the MDFs in the transaction response, there's an increased possibility that data included in the MDF is not being handled by the merchant in accordance with PCI DSS.

Merchants are prohibited from capturing, obtaining, or transmitting any Personal Account Numbers (PAN) or Personally Identifying Information (PII) through an MDF. This data should only be collected using fields defined in the Authorize.net APIs.

Examples of PAN and PII include, but are not limited to:

• Credit Card Number
• Expiration Date
• Card Verification Codes (CVV, CVC2, CVV2, CID, CVN)
• Social Security Number
• Tax ID
• Driver's License Number
• Bank Account Number
• ABA/Bank Routing Number
• Date of Birth
• Passport Number
• Name
• Contact details

Merchants found to be using MDFs to submit PAN or PII will be informed of the violation and its possible consequences. If no action is taken to resolve the issue after repeated attempts to contact the merchant, their payment gateway account may be subject to cancellation. Note that merchants who are acting in good faith to resolve the issue and have contacted Merchant Support for assistance will not be in danger of having their account canceled.