How to implement 3d secure payment securely

落爺英雄遲暮 提交于 2019-12-02 17:17:43
damiankolasa

As you might already noticed in article you linked, presenting bank's page in iframe is a preferred option. Although if you read in further, it presents other security features, specifically in regard to phishing protection. Because your client won't know to whom is he really sending his password.

But going back to your proposition, if you present it in iframe or popup window, you would be able to store the original form on your base page and then resubmit it with received authentication token. It's a very good idea because you would not need to do any PCI compliance stuff. So not only it's easier for you it is recommended :).

With Sage Pay (and I would assume other payment providers) you don't need to pass the full order information again in the last step, just the response code from the 3D Secure form and a unique transaction reference. Storing the card details is therefore not necessary.

For me the process is:

  1. Card details etc. and unique transaction reference submitted to payment gateway.
  2. Payment gateway responds with 3D secure details (ACSURL and reference codes).
  3. Redirect user to 3D Secure form (passing ref codes and callback URL) where they enter their details.
  4. Verification code passed back to callback URL.
  5. Server must send the verification code and same transaction reference from step 1 to the payment gateway.
  6. Payment gateway responds with success/failure information.

I've done some recent work with 3d secure. From my personal experience:

  1. I pass the credit card information with a forward url to the banks 3d secure url.
  2. The user is redirected to the 3d secure url and prompted to type in his password.
  3. When he clicks continue, the user is passed to the forward url with the authorization token -- the credit card information gets passed along as well.
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!