Sagepay - Payment Authorised despite 3dSecure Failure

0
votes

We're currently updating our SagePay integration to enforce 3DSecure in line with the EU regulations coming into force.

However our tests have found that, even though 3DSecure is marked as a 'Fail', the payment was still authorised. We havent set up any specific rules in the Admin system other than the 3D Secure check. (none of the other 3d secure tick boxes are checked and there are no values in the min/max fields).

We want to set up our system so that if 3Dsecure fails it does not authorise the transaction. How do we do this?

2
opayo3d-secure
This is a super specific question. Wouldn't you need to provide a lot of code for someone to do this? In fact, it would probably be better to hire someone you trust to take care of this.GamingFelix
Yeh, i have a team of developers. That's why i came to the "Support forum" for SagePay. (sagepay link directly to StackOverflow as their development support forum).David Wilson
I don't know, I'd be able to help with the specific code problem if I had the source code. But this seems very general and not at all like the topics they mention here : stackoverflow.com/help/on-topic . , but we'll see what replies you getGamingFelix
And here, seems you're not at fault. But Sagepay's meta.stackoverflow.com/questions/359288/…GamingFelix

2 Answers

0
votes

I'm getting exactly the same issues. Pass all of the details correctly and every test card comes back as successfully authorised. This is different to yesterday when I was being sent to the challenge page (which subsequently gave me a 404 error), so I can only surmise that SagePay haven't actually finished writing their 3DSv2 handling.

The "Magic Value" you can pass as the CardHolder doesn't actually do anything either and I'm also getting a server error when passing some of the new fields such as ThreeDSRequestorAuthenticationInfoXML and AcctInfoXML.

Waiting to hear back from an e-mail I've sent to their support team yesterday.

0
votes

Changing the Cardholder field to the magic value CHALLENGE worked for me

That will make the status returned as "3DAUTH" (I was always getting "OK" before using the magic value); you will also get the Sage simulator ACSURL ("https://test.sagepay.com/3ds-simulator/html_challenge"). See example of my request and response

SENT: "VPSProtocol=4.00&TxType=PAYMENT&Vendor=[YOUR_VENDOR_HERE]&VendorTxCode=[YOUR_VENDOR_TX_CODE]&Amount=8.05&Currency=GBP&Description=LDN payment&CardHolder=CHALLENGE&CardNumber=4929 0000 0000 6&CV2=123&ExpiryDate=0120&CardType=VISA&BillingSurname=TestSurname&BillingFirstnames=TestName&BillingAddress1=88&BillingCity=Glasgow&BillingPostCode=412&BillingCountry=GB&DeliverySurname=TestSurnameB&DeliveryFirstnames=TestNameB&DeliveryAddress1=test address line 1&DeliveryCity=Glasgow&DeliveryPostCode=412&DeliveryCountry=GB&[email protected]&Apply3DSecure=1&ChallengeWindowSize=01&ThreeDSNotificationURL=[YOUR_URL]&BrowserAcceptHeader=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3&BrowserUserAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36&BrowserJavascriptEnabled=1&BrowserJavaEnabled=1&BrowserLanguage=en-GB&BrowserColorDepth=8&BrowserScreenHeight=480&BrowserScreenWidth=640&BrowserTZ=0&ClientIPAddress=127.0.0.1"

RECEIVED: "VPSProtocol=4.00; Status=3DAUTH; StatusDetail=2021 : Please redirect your customer to the ACSURL, passing CReq.; VPSTxId={9A9461B6-C8A8-CDE5-75FC-EBABFA6BB5FD}; 3DSecureStatus=OK; ACSURL=https://test.sagepay.com/3ds-simulator/html_challenge; CReq=ewogICJtZXNzYWdlVHlwZSIgOiAiQ1JlcSIsCiAgIm1lc3NhZ2VWZXJzaW9uIiA6ICIyLjEuMCIsCiAgInRocmVlRFNTZXJ2ZXJUcmFuc0lEIiA6ICJmMWZkNWJhOS0xZTAzLTQ4NGQtOGQzNi0zMTU5MTM5N2Y2YmIiLAogICJhY3NUcmFuc0lEIiA6ICJmNzgxOTYwMS1iN2VhLTRkMWUtYWY0MS00ZjRhYTY1NjQ3MjMiLAogICJjaGFsbGVuZ2VXaW5kb3dTaXplIiA6ICIwMSIKfQ"

See link to the documentation on this, magic numbers on page 28: Sage direct-integration protocol 4.00