Processor Native vs Cardinal Commerce
Where a given payment processor does not natively support 3DS, Vindicia leverages Cardinal Commerce (a Visa solution, cardinalcommerce.com) specifically to provide an authentication service.
Some payment providers (WorldPay and CyberSource, for example) use Cardinal Commerce for their 3DS solution.
High Level Process Flow Changes
A new customer authentication step is added to the eCommerce flow. Usually after the payment method capture and the order summary, the customer might be required to identify themselves via a form of two-factor authentication, such as an SMS code or a fingerprint.
As such, parts of the process will be handled by Vindicia and parts will need to be implemented in the merchant’s front-end website.
The purchase flow will start by invoking a Vindicia API, as usual, but may be stopped to gather additional information from the user; if that step completes successfully, it will trigger the continuation of the process.
What part does the Vindicia Subscribe platform play in the 3DS journey?
Vindicia has modified the following APIs to perform an additional step during the transaction flow.
During the authorization process, Subscribe will allow you to pass in any previously collected 3DS-related data elements, and will pass them to the processor in the correct data elements. Subscribe will pass back any challenge information in the transaction return object. If there is a challenge, then once the challenge process is complete you will use a new API call in Subscribe, transaction.finalizeSCAuth(), to finalize the pending transaction. This will allow the authorization process to continue and will progress the transaction status into its final state.
New Data Elements
In addition to the API changes, Vindicia has also added support for new data elements in the Payment Method object to support Extended Verification: PaymentMethod->ExtendedVerification
In addition to the fixed elements above, Name Value Pairs will be used to pass risk-mitigation details to the issuing bank.
Typical 3DS Flow
Steps that will be needed
- Alter the commerce flow by implementing Device Data Collection (sometimes also referred to as fingerprinting) in the customer’s browser.
- Query for 3DS availability for the Credit Card BIN (or Full PAN if available) used in the purchase. Not all cards are eligible for 3DS.
- Invoke Vindicia API to create a Transaction or Subscription. These APIs have been modified to support passing new, 3DS-specific fields, including the reference to the device information that was collected in the previous BIN lookup steps.
- Check the API response to see if the issuing bank has required a 3DS challenge for this purchase.
  - If a challenge is required, the returned information will include a redirect URL from the issuing bank, and the merchant site will be required to handle the redirect of the customer to authenticate their identity. Based on the result, either continue or require a different payment method for the purchase.
  - If there is no challenge, the authorization will proceed as usual (generally termed a frictionless purchase).
- In case of a 3DS challenge and successful authentication of the customer, you will call a new API method, transaction.finalizeSCAuth, to continue the authorization process.
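The step ordering above can be enforced on the merchant's server so that transaction.finalizeSCAuth is only called after a challenge was issued and the customer authenticated for that same pending transaction. The following is an added example, not Vindicia's code; the event names, the fields transactionId, challengeUrl, eligible and authenticated, and the state names are assumptions for illustration.

```javascript
// Added example. Event, field and state names are assumptions for
// illustration; they are not Vindicia's request or response schema.
// Each entry maps an allowed event to its default (fail-closed) next state.
const TRANSITIONS = {
  START: { deviceDataCollected: 'DEVICE_DATA' },
  DEVICE_DATA: { binLookupDone: 'READY_TO_CREATE' },
  READY_TO_CREATE: { transactionCreated: 'FRICTIONLESS' },
  CHALLENGE_PENDING: { challengeResult: 'NEEDS_NEW_PAYMENT_METHOD' },
  CAN_FINALIZE: { finalized: 'FINALIZED' },
};

function advance(session, event) {
  const allowed = TRANSITIONS[session.state] || {};
  if (!Object.prototype.hasOwnProperty.call(allowed, event.type)) {
    throw new Error(`${event.type} is not allowed in state ${session.state}`);
  }
  const next = { ...session, state: allowed[event.type] };
  if (event.type === 'binLookupDone') {
    next.threeDsEligible = Boolean(event.eligible); // not all cards are eligible
  } else if (event.type === 'transactionCreated') {
    next.transactionId = event.transactionId;
    // A challenge URL in the response means the issuer requires a challenge.
    if (event.challengeUrl) next.state = 'CHALLENGE_PENDING';
  } else if (event.type === 'challengeResult') {
    // Bind the result to the transaction this session is waiting on.
    if (event.transactionId !== session.transactionId) {
      throw new Error('challenge result is for a different transaction');
    }
    if (event.authenticated === true) next.state = 'CAN_FINALIZE';
  }
  return next;
}

// Call transaction.finalizeSCAuth only when this is true, then record 'finalized'.
const mayFinalize = (session) => session.state === 'CAN_FINALIZE';
const run = (events) => events.reduce((s, e) => advance(s, e), { state: 'START' });

// Constructed sample: a purchase where the issuer requires a challenge.
const SAMPLE_CHALLENGE_FLOW = [
  { type: 'deviceDataCollected' },
  { type: 'binLookupDone', eligible: true },
  { type: 'transactionCreated', transactionId: 'txn-example-1', challengeUrl: 'https://issuer.example/challenge' },
  { type: 'challengeResult', transactionId: 'txn-example-1', authenticated: true },
];
```

Any event that arrives out of order, a challenge result for a different transaction, or a repeated finalize raises an error instead of advancing the session, and a challenge result without an explicit success falls through to requiring a different payment method.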
If your purchase flow uses a PaymentMethod_update or Account_updatePaymentMethod HOA method to vault the card before you attempt to authorize a transaction, you can continue to use that flow and then use the exposed BIN to initiate BIN lookup and proceed with transaction or subscription creation using 3DS.
If you are using the SOAP API, you will need to upgrade to the latest version of the SOAP API (version 27.0 or later) or upgrade to REST.
If you are a merchant using REST and Payment Method Tokenization (PMT), you will use the PMT process to tokenize the card in Subscribe, with or without validation but with no 3DS involvement, and you will use the card BIN, which is exposed on the masked credit card account number, to initiate the 3DS BIN lookup.
If you are using REST, you will not need to upgrade to a newer version of the API.