Description
Noticed this when testing with the demo code.
When trying to submit, the `sagepay.js` script catches your form submit and attempts to get a token for the card details entered. If the token cannot be fetched for any reason (invalid characters, a typo in the CC number or date, missing CVV2, etc.), then the form is not submitted to the server.
Each time an attempt to get a card token is made, the `merchantSessionKey` loses one of its lives. It starts with only three lives (three attempts at use) and a lifetime of 400 seconds. Once either of these is exceeded, SagePay responds with a 401. The scripts in the page need to recognise this and refresh the `merchantSessionKey`.
Whether that refresh happens through AJAX (fetching a new value from the server) or by allowing the whole form to be submitted and re-presented with a new `merchantSessionKey` is unclear. Once the card identifier is successfully obtained, it will last for up to 400 seconds and the payment form can be submitted multiple times. The card details of the form, when re-presented, should probably be hidden and disabled, and shown only if the user wishes to change to a different card, or the card token has expired or been used too many times.
The documentation only lists a card token (`cardIdentifier`) as lasting 400 seconds, and does not list a maximum number of times it can be used to submit the payment request. Multiple submissions may be needed to get the address details into a valid state, for example.
Anyway - we need to get a better demo together that brings all these expiring tokens together and handles them appropriately.
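As an added sketch (not code from this project or from `sagepay.js`) of the bookkeeping the demo would need: the class below tracks the `merchantSessionKey` against its three lives and 400-second lifetime, fetches a fresh key before the gateway would answer 401 (and once more if a 401 arrives anyway), and reuses a still-valid `cardIdentifier` across form resubmissions so that fixing the address does not cost another life. The `fetchSessionKey` and `requestCardIdentifier` callbacks are assumptions standing in for the merchant's server endpoint and the tokenisation call; the fake gateway and clock are constructed so the whole thing runs offline.

```javascript
// Added example, not code from the project or from sagepay.js: client-side
// bookkeeping for the two expiring tokens described in the issue.
//   merchantSessionKey: 3 tokenisation attempts or 400 s, whichever comes first
//   cardIdentifier:     400 s
// `fetchSessionKey` and `requestCardIdentifier` are assumed callbacks standing
// in for the merchant's server endpoint and the tokenisation call; `now` is
// injected so the expiry logic can be exercised with a fake clock.

const SESSION_KEY_LIVES = 3;
const SESSION_KEY_TTL_MS = 400 * 1000;
const CARD_IDENTIFIER_TTL_MS = 400 * 1000;
const REFRESH_MARGIN_MS = 10 * 1000; // treat a token as stale shortly before the hard limit

class PaymentTokenState {
  constructor({ fetchSessionKey, requestCardIdentifier, now = () => Date.now() }) {
    this.fetchSessionKey = fetchSessionKey;             // () => string
    this.requestCardIdentifier = requestCardIdentifier; // (key, card) => { status, cardIdentifier? }
    this.now = now;
    this.sessionKey = null;
    this.sessionKeyIssuedAt = 0;
    this.sessionKeyAttempts = 0;
    this.sessionKeyRefreshes = 0; // how many keys have been fetched so far
    this.cardIdentifier = null;
    this.cardIdentifierIssuedAt = 0;
  }

  sessionKeyUsable() {
    return this.sessionKey !== null
      && this.sessionKeyAttempts < SESSION_KEY_LIVES
      && this.now() - this.sessionKeyIssuedAt < SESSION_KEY_TTL_MS - REFRESH_MARGIN_MS;
  }

  // Hands back the current key, fetching a fresh one when the lives or the
  // lifetime are (nearly) used up, so the gateway's 401 is avoided where possible.
  currentSessionKey() {
    if (!this.sessionKeyUsable()) {
      this.sessionKey = this.fetchSessionKey();
      this.sessionKeyIssuedAt = this.now();
      this.sessionKeyAttempts = 0;
      this.sessionKeyRefreshes += 1;
    }
    return this.sessionKey;
  }

  cardIdentifierUsable() {
    return this.cardIdentifier !== null
      && this.now() - this.cardIdentifierIssuedAt < CARD_IDENTIFIER_TTL_MS - REFRESH_MARGIN_MS;
  }

  // Returns { ok: true, cardIdentifier } or { ok: false, reason }. A still-valid
  // identifier is reused, so resubmitting the form (e.g. to fix the address)
  // does not cost another session-key life.
  obtainCardIdentifier(cardDetails) {
    if (this.cardIdentifierUsable()) {
      return { ok: true, cardIdentifier: this.cardIdentifier };
    }
    for (let pass = 0; pass < 2; pass++) { // at most one key refresh per submit
      const key = this.currentSessionKey();
      this.sessionKeyAttempts += 1;        // every tokenisation attempt costs a life
      const res = this.requestCardIdentifier(key, cardDetails);
      if (res.status === 200) {
        this.cardIdentifier = res.cardIdentifier;
        this.cardIdentifierIssuedAt = this.now();
        return { ok: true, cardIdentifier: res.cardIdentifier };
      }
      if (res.status === 401) {            // key rejected: expired or out of lives
        this.sessionKey = null;
        continue;
      }
      // Any other failure is a card-detail problem: report it and keep the form
      // on the page rather than burning further attempts.
      return { ok: false, reason: `card details rejected (HTTP ${res.status})` };
    }
    return { ok: false, reason: 'session key refused even after a refresh' };
  }
}

// Constructed stand-in for the server endpoint and gateway, so the example
// runs offline. It enforces the same three-lives / 400-second rule.
function makeFakeGateway(now) {
  const keys = new Map(); // key -> { issuedAt, uses }
  let counter = 0;
  return {
    fetchSessionKey() {
      const key = `msk-${++counter}`;
      keys.set(key, { issuedAt: now(), uses: 0 });
      return key;
    },
    requestCardIdentifier(key, card) {
      const rec = keys.get(key);
      if (!rec || rec.uses >= SESSION_KEY_LIVES || now() - rec.issuedAt >= SESSION_KEY_TTL_MS) {
        return { status: 401 };
      }
      rec.uses += 1;
      if (!/^\d{16}$/.test(card.number)) return { status: 422 }; // simulated validation failure
      return { status: 200, cardIdentifier: `card-${key}-${rec.uses}` };
    },
    revoke(key) { keys.delete(key); }, // simulate the server no longer accepting a key
  };
}

// Constructed fake clock so expiry can be driven deterministically.
function makeClock(start = 0) {
  let t = start;
  return { now: () => t, advance: (ms) => { t += ms; } };
}
```

In a real page the two callbacks would be asynchronous (an AJAX call to the merchant server and the `sagepay.js` tokenisation call) and `obtainCardIdentifier` would be awaited from the form's submit handler; the synchronous shape here is only so the state machine can be read and exercised in one place. Wire the fake gateway's `fetchSessionKey` and `requestCardIdentifier` into a `PaymentTokenState` with a shared `makeClock()` to see the fourth failed attempt fetch a new key instead of hitting a 401, and `clock.advance(400 * 1000)` to see both tokens go stale together.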