Search Developer Site

Customer Profiles

You can use customer profiles to enable merchants to tokenize and store sensitive customer payment information on our secure servers, which simplifies PCI DSS compliance as well as the payments process for returning customers and recurring transactions. For Customer Profile API reference information, see the API Reference Guide.

By providing quick access to stored customer information, Authorize.Net Customer Profiles are ideal for businesses that:

  • Process recurring transactions in which the date or amount or both are different each month; for example, utility companies.
  • Process usage charges that you bill only when the service is used; for example, pay-as-you-go cell phones.
  • Are concerned with PCI compliance.
  • Want to provide returning customers with the convenience of not having to re-enter personal data.

The Profiles API supports integration with a web site payment form or a proprietary business application. The profiles, which include payment and shipping information, can then be referenced in future transactions, eliminating steps in the transaction process for repeat customers and potentially increasing customer loyalty.


A customer profile contains minimal information about the customer such as ID, description, and email address, but its main purpose is to link multiple payment and shipping profiles with a single customer entity.

API methods to manage customer profiles include:

Payment Profiles

Payment profiles enable merchants to securely store sensitive payment information with Authorize.Net in a secure and PCI-compliant manner.

API methods to manage customer payment profiles include:

Shipping Profiles

Shipping profiles enable merchants to expedite the checkout process for repeat customers by securely storing multiple shipping addresses with Authorize.Net.

API methods to manage customer payment profiles include:

Duplicate Profile Verification

The duplicate profile verification prevents accidental duplicate submissions. When you submit the createCustomerProfileRequest, createCustomerPaymentProfileRequest, and createCustomerShippingAddressRequest API calls, the payment gateway checks certain fields in each request to ensure that a profile with the same information does not already exist. If the payment gateway finds a matching profile, it returns an error message. If the duplicate profile is a customer profile, the error message contains the ID of the existing profile.

The following table lists the fields for each API call that cannot match an existing profile. An error occurs only when all of the values for each API element match all of the values for each element in the existing profile.

  • merchantCustomerId
  • description
  • email
  • customerProfileId
  • cardNumber
  • accountNumber
  • routingNumber
  • billToFirstName
  • billToLastName
  • billToAddress
  • billToZip
  • customerProfileId
  • firstName
  • lastName
  • address
  • zip
  • phoneNumber

Guest Profiles

Use the profileType element to create a guest profile. Guest profiles are useful when you need to store a customer's payment information temporarily for one-time charges.

Note: We retain guest profiles for 90 days after their last usage in a transaction request. If you create no more transactions using a given guest profile, we purge the guest profile from our system.

Parameter Description

Indicates whether a profile is a guest profile. Either regular or guest. Defaults to regular.

We recommend submitting profileType only when you need a guest profile. If you do not need guest profiles, you do not need to send this element.

Using the Accept Customer Hosted Form

Authorize.Net Accept Customer is a fully hosted solution for payment information capture which allows developers to leverage our Customer Profiles API while still maintaining SAQ-A level PCI compliance. Our forms are mobile-optimized and designed to reduce friction in your consumer experience.

Identifying the Customer

Before you can present the hosted form, you need a way of identifying returning customers. You can have the customer log in to your site. Several content management systems and shopping carts automatically support that functionality. It is important that the login process is reliable so that one customer does not have access to another's stored payment information.

For first-time customers, you must create a new profile using the createCustomerProfileRequest method.

A customer profile contains any unique combination:

  • Customer ID (any value you choose)
  • Email
  • Description

Once the profile is created, you'll receive a unique profile ID that you can use to identify this customer in the future.

Retrieving a Token

Before you can send the HTML form post, you will need to retrieve a token using the getHostedProfilePageRequest method.

You must include the customer's profile ID in your request.

See the section Guidelines for Parameter Settings for more information on configuring parameter settings for the hosted form.

Presenting the Hosted Form

The token is passed in a basic HTML form with the input name token. The input name token is the only input value that must be included for a request to add a new payment or shipping profile, or to manage all of your profiles in one window. To prompt the customer to edit only a single existing profile, you must include the associated profile ID in an additional paymentProfileId or shippingAddressId form POST field.

The type of form that you display is determined by the URL that the form is submitted to, also known as the form action, shown below:

Form Action URLs

Conditional Fields

  • To edit the payment profile, include a form field called paymentProfileId containing the ID of the payment profile that you want the customer to edit.
  • To edit the shipping address include a form field called shippingAddressId containing the ID of the shipping address profile that you want the customer to edit.

For reference, here is a sample HTML form:

<form method="post" action="">
  <input type="hidden" name="token" value="HOSTED_PAGE_TOKEN"/> 
  <input type="hidden" name="paymentProfileId" value="PROFILE_ID_TO_EDIT"/> 


To test in Sandbox replace with in the form URL. For example:

Displaying the Form

The hosted form is designed so that you have the freedom to integrate it into your site in almost any way. You can configure it as a separate pop-up window or embed it into your existing site. You can use a lightbox layout, in which the box pops up in front of the rest of your site, but not in a new window. Finally, you can just use the full window by directing the customer to Authorize.Net and letting them direct themselves back again, which avoids the use of JavaScript.

Our sample application on GitHub shows examples of how to present the form in different modes, including examples of how to open the hosted form in a lightbox. The lightbox layout can also be accomplished with third-party JavaScript toolkits such as jQuery.


To implement hosted customer profile management access by using a redirect to Authorize.Net, follow these steps:

Step 1 - When you receive the token returned by the GetHostedProfilePageResponse function call, put a hidden form somewhere on your page (the value for the token will be the value returned by the function call).

If you are using the test environment, replace with

For reference, here is a sample HTML form:

<form method="post" action="">
  <input type="hidden" name="token" value="pfGaUNntEKMGfyWPmI4p+Bb4TJf2F0NCoCBp3cOXB7"/>
  <input type="submit" value="Manage my payment and shipping information"/>

Step 2 - Add a button on your page that redirects the customer to Authorize.Net's secure site. You can customize the text within your page's HTML:

<input type="button" onclick="document.getElementById('formAuthorizeNetPage').submit();">
  Manage my payment and shipping information</input>

In this example, the Manage my payment and shipping information" button directs users to the Authorize.Net Accept Customer hosted page, where they can:

  • Create a new payment profile
  • Update or delete current credit card or bank information
  • Enter a new shipping address
  • Update or delete current shipping address


For security reasons, web browsers do not allow JavaScript communication from a page inside an iFrame to the page that contains the iFrame if those pages are hosted on different domains. Therefore, our hosted form cannot directly provide information to the page that is encapsulating it.

However, it is beneficial to provide some small amount of information indirectly through a third page. When making the token request, you can pass us the URL for an iFrameCommunicator page. This iFrameCommunicator page is just a small HTML page, hosted on your domain, and containing a JavaScript that listens for events. When you embed our hosted form in an iFrame on your page, our hosted form can in turn embed your iFrameCommunicator page within it inside an invisible iFrame. This enables a channel of communication that allows us to send messages to your iFrameCommunicator page. Then, as long as your iFrameCommunicator page is hosted on the same domain as your main page, it can communicate back to your main page.

This channel of communication is used to pass a few basic messages back to a listener script running on your main page (the page that calls the form):

  • Ideal height and width of the window - allows you to resize the frame and avoid any scrollbars from appearing.
  • Changes Saved - returned whenever the customer saves changes to their profile. You can use this notification to know when to look for those changes through the Customer Profiles API.
  • Request Cancelled - returned when the customer backs out of the hosted form.

Note: If you plan to host our form in an iFrame, you must include the address to your iFrameCommunicator page in the hostedPaymentIFrameCommunicatorUrl parameter in the getHostedProfilePageRequest call.

Note: You must use HTTPS in the URL to your iFrameCommunicator page.

For an example of an iFrameCommunicator page and more information about the messages passed, see our sample IFrameCommunicator.html in our sample application on GitHub.

Guidelines for Parameter Settings

The following parameter settings are used with the getHostedProfilePageRequest call.

To integrate to the hosted page as a redirect, pass the hostedProfileReturnUrl parameter and the hostedProfileReturnUrlText parameter. The parameter hostedProfilePageBorderVisible=true is optional.

To integrate to the hosted page as a popup, pass the hostedProfilePageBorderVisible=false parameter and the hostedProfileIFrameCommunicatorUrl parameter.

The following table shows possible settings:

Parameter Description

The text for the button that the customer clicks to confirm changes and save the profile. Up to 20 characters. Defaults to Save.

Applicable to the addPayment, editPayment, addShipping, and editShipping forms.


The URL for the page the customer returns to when the hosted session ends. Used when redirecting to the form. Do not pass this setting for iFrames or popups.

The URL must begin with http or https.


The text for the button that returns the customer to your web site when finished. Up to 200 characters. Used when redirecting to the form. Defaults to Continue. Do not pass this setting for iFrames or popups.


Boolean (true OR false). Removes the border and associated logo from the payment form. Must be set to false for iFrames or popups. Optional for redirects.


An RGB hex color code, for example, #E0E0E0. Changes the accent color of the form's field lines, buttons, and other HTML elements.


The URL to a communicator page which will send details to the merchant's site through JavaScript.

Required only for iFrame or lightbox applications.


Specifies which payment options to show. Defaults to showAll.

To display only credit card fields, use showCreditCard. To display only bank account fields, use showBankAccount. To display both payment options, use showAll.

Applicable to Accept Customer pages where the customer may add payment information.


Specifies how the payment gateway will validate the customer's card prior to creating the profile. Either liveMode or testMode. Defaults to liveMode.

liveMode generates a transaction to the processor in the amount of 0.01 or 0.00. If successful, the transaction is immediately voided. Visa authorizations in liveMode use 0.00 for all processors. All other credit card types use 0.01.

Standard gateway and merchant account fees may apply to the authorization transactions. For Visa transactions using 0.00, the billTo address and billTo zip fields are required.

testMode performs field validation only. All fields are validated. However, fields with unrestricted field definitions, such as telephone number, do not generate errors.

If you set this parameter to testMode, a 1.00 test transaction is submitted using the Luhn mod 10 algorithm to verify that the credit card number is in a valid format. This test transaction is not authorized at the processor, and does not appear on the customer's card statement, but it will generate and send a transaction receipt email to the merchant.

If a validation transaction is unsuccessful, the profile creation attempt fails, and the merchant receives an error.

Note: liveMode requires a billing address. If you do not want to collect a billing address, you must use testMode.


Boolean (true OR false). Defaults to false.

When set to true, the hosted form will mark billing address fields as required, with an asterisk. These fields must now be completed in order to create or update a payment profile within the hosted customer profile form.


Boolean (true OR false). Defaults to false.

When set to true, the hosted form will mark the Card Code field as required, with an asterisk. The Card Code field must now be filled in order to create or update a payment profile within the hosted customer profile form.


Either showBillingAddress or showNone. Defaults to showBillingAddress.

Applicable to Add/Edit Payment Pages. When set to showBillingAddress, the form will display all billing address fields, including name fields. When set to showNone, the hosted form will only display payment method fields.

Note: When hostedProfileValidationMode is set to liveMode, you must set hostedProfileBillingAddressOptions to showBillingAddress. Any other value will generate an error. If you do not wish to collect a billing address, you must set hostedProfileValidationMode to testMode.


Either showAll, showPayment, or showShipping. Default is showAll.

Applicable to Manage pages. When set to showAll, both Payment and Shipping sections will be shown. When set to showPayment, only Manage Payment section will be shown. When set to showShipping, only Manage Shipping section will be shown.

Charging Customer Profiles

You can use profile information in the profile element of a createTransactionRequest API call.


If you submit a refund against a previous customer profile transaction, we recommend that you:

  • Include customerProfileId, customerPaymentProfileId, and transId.
  • customerShippingAddressId is optional.
  • creditCardNumberMasked, bankRoutingNumberMasked, and bankAccountNumberMasked do not need to be included, but they are validated if they are included.

You may also issue a refund for a transaction, whether generated by a customer profile or as a standalone transaction. For such refunds please bear in mind the following:

  • You must include transId, creditCardNumberMasked (or bankRoutingNumberMasked and bankAccountNumberMasked).
  • Do not include customerProfileId, customerPaymentProfileId, or customerShippingAddressId.

You can also issue an unlinked refund for a customer profile transaction. In this case, the following rules apply:

  • You must be enrolled in Expanded Credit Capabilities (ECC). For more information about ECC, go to
  • You must include customerProfileId and customerPaymentProfileId.
  • customerShippingAddressId is optional.
  • Do not include transId, creditCardNumberMasked, bankRoutingNumberMasked, or bankAccountNumberMasked.

Note: A refund transaction will not appear in the history of the payment profile unless you generate the refund with the payment profile.

Using the Account Updater Service

Authorize.Net's Account Updater service automatically checks and updates credit card information in customer profiles. This feature increases authorization approvals, helping drive more sales and retain customers by reducing risk of service cancellation.

You can run reports on Account Updater using the following API calls: