A couple weeks, that's not good :(
I have sort of the same problem.
If I put in an outright no good CC number then it tells me that # is no good. But if I put in a bogus EXP date or a bogus CVC# the transaction still captures.
I'm using v2.2RC2
Authorize.net AIM v1.0 w/auto capture
I thought the AIM module was contacting authorize.net and getting a result code of the transaction. Is authorize.net not verifing the EXP and CVC? Is that something I need to turn on via their side? I have a charge sitting there waiting settlement to see if it actually fails with the bogus info so I'll know more... so far it's just sitting there.
In the meantime, does anyone know what is going on?