Difference between revisions of "XP Cloud:3D-Secure"
m (Mouse moved page X-Payments Cloud:3D-Secure Settings to XP Cloud:3D-Secure Settings: Test page move from API)
Revision as of 13:14, 2 March 2020
3-D Secure Payer Authentication in X-Payments Cloud
X-Payments Cloud allows you to use 3-D Secure Payer Authentication for a number of payment methods that support it. 3-D Secure provides an additional layer of security for payment transactions via your store.
Some payment solutions supported by X-Payments Cloud provide their own built-in integrated 3-D Secure authentication systems. Such solutions include:
- PayPal's Payflow Pro;
- Cardinal Commerce Centinel;
- Elavon (Realex API);
- eProcessing Network - Transparent Database Engine;
- Global Iris/HSBC - RealAuth Remote;
- Global Payments (formerly Realex);
- Sage Pay Go - Direct Interface;
- Worldpay Corporate Gateway - Direct Model.
For many other payment solutions, it is possible to use the 3-D Secure authentication solution by CardinalCommerce (X-Payments Cloud has an integrated module for this purpose). Solutions that can be used with 3-D Secure authentication by CardinalCommerce include:
- PayPal Payments Pro,
- Bambora (Beanstream),
- Beanstream (legacy API),
- Blue Pay Canada (formerly Caledon),
- Chase Paymentech Orbital,
- CyberSource - SOAP toolkit API,
- ECHO NVP,
- First Data Payeezy Gateway (formerly Global Gateway e4),
- Netbilling - Direct Mode,
- NMI (Network Merchants Inc.),
- PSiGate XML API,
- USA ePay - Transaction Gateway API.
(Since the list of payment gateway integrations supported by X-Payments Cloud tends to change with time, we recommend checking the document X-Payments Cloud:Supported Payment Gateways for information on the type of 3-D Secure system supported by specific payment integrations, as it may be more up to date than the list above.)
When a customer pays you using a payment method with 3-D Secure enabled, in addition to providing their payment card details they also have to go through an additional authentication step validating that they are actually the cardholder. Depending on the bank and the payment method used, the process will have slight variations.
The traditional method to authenticate a purchase with the 3-D Secure v1 protocol (3DS1) involves redirecting the buyer who has provided their payment card details to a page on the bank's site where their bank asks them for a code or password to approve the purchase.
Recently, another method has been introduced based on 3-D Secure v2 (3DS2). The new method addresses many of the shortcomings of 3-D Secure v1 by introducing less disruptive authentication and improved customer experience. This method allows the business and the payment provider to send more data elements on each transaction to the cardholder’s bank (like the shipping address, the customer’s device ID, previous transaction history, etc.). The cardholder’s bank uses this information to assess the risk level of the transaction. If the data is enough for the bank to trust that the real cardholder is making the purchase, it performs "frictionless" authentication without any additional input from the cardholder. If the bank decides it needs further proof, the customer is asked to provide additional input to authenticate the payment. In this case, however, the customer does not have to be redirected off the store website, which creates a more positive experience for them.
Payments submitted via X-Payments Cloud and using CardinalCommerce's 3-D Secure service for purchase authentication will be screened with 3-D Secure v1 if using the older Cardinal Centinel integration or with either 3-D Secure v1 or v2 if using the newer Cardinal Cruise integration.
For example, here is what we get in a demo X-Cart 5 store when making a test payment via an X-Payments Cloud enabled method with Cardinal Cruise 3-D Secure:
(The screenshot above demonstrates payer authentication with 3DS2, so you can see that the customer stays on the store website without a redirect to the bank's site, and the authentication form is provided to them in a popup).
For payment gateways providing native (built-in) 3-D Secure, no steps need to be taken to configure 3-D Secure on the X-Payments Cloud end: everything should work automatically as soon as you have properly configured the settings required for 3-D Secure in your payment processing provider account.
To use the 3-D Secure payer authentication solution by CardinalCommerce, you will, however, need to sign up for the respective service with CardinalCommerce and implement some further 3-D Secure related configuration in X-Payments Cloud.
To sign up for CardinalCommerce, start on the following page: https://info.cardinalcommerce.com/cardinalcommerceandxpayments
To configure CardinalCommerce 3-D Secure in X-Payments Cloud, follow the instructions in the section Managing Your 3-D Secure System Configuration in X-Payments Cloud below.
Managing Your 3-D Secure System Configuration in X-Payments Cloud
To enable 3-D Secure payer authentication via CardinalCommerce in X-Payments Cloud, follow the steps below:
- In your X-Payments Cloud admin panel, go to the General settings page (Settings -> General settings) and scroll down to the Services section.
- Check the status of CardinalCommerce 3-D Secure service. If you have not yet taken steps to configure and activate this service, you will find it not configured and inactive:
To proceed with the configuration, click on the Configure link:
This opens the CardinalCommerce 3-D Secure configuration page:
- On the CardinalCommerce 3-D Secure configuration page, provide the following information:
- Test/Live mode: The mode in which you will be using 3-D Secure (Test or Live).
- Merchant ID: The MerchantID value provided to you by CardinalCommerce.
- Processor ID: The ProcessorID value provided to you by CardinalCommerce.
- Transaction password: The Transaction password provided to you by CardinalCommerce.
- Transaction URL: The TransactionURL provided to you by CardinalCommerce.
- Api Identifier: The Api Identifier provided to you by CardinalCommerce.
- API Key: The API Key provided to you by CardinalCommerce.
- Org Unit ID: The Org Unit ID provided to you by CardinalCommerce.
Setting the fields "Api Identifier", "API Key" and "Org Unit ID" is required for Cardinal Cruise. This type of integration supports both 3-D Secure v1 (3DS1) and v2 (3DS2) authentication protocols. If you do not have the respective credentials, simply leave these fields blank; in this case, your CardinalCommerce 3-D Secure integration will just use the 3-D Secure v1 protocol.
3-D Secure v2 is the newer version of 3-D Secure that is expected to eventually replace the 3DS1 protocol and become the main method for authenticating online card payments and meeting the new Strong Customer Authentication (SCA) requirements. This newer version improves the purchase experience compared to 3DS1 by minimizing the friction that authentication brings into the checkout flow. (It eliminates the need for a full-page redirect to the bank's site for purchase authentication and introduces “frictionless authentication”.) With Cardinal Cruise, 3DS2 will be applied when it is supported by the cardholder’s bank, and 3DS1 will still be available as a fallback solution when the new version is not supported.
- When you are done adjusting all the fields, click Save to save the changes.
Your 3-D Secure system configuration will be saved:
(Note the success message at the top of the page.)
- Enable the 3-D Secure system configuration you have created: On the page with the configuration details, switch the configuration status to Enabled by clicking the Disabled button and selecting the action Enable from the button menu.
This will enable 3-D Secure payer authentication via CardinalCommerce.
(Note the success message at the top of the page and the status button showing as Enabled.)
Now that you have configured 3-D Secure payer authentication via CardinalCommerce, it will be used for all your active payment configurations.
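The following is an added example, not part of X-Payments Cloud or its documentation: a pre-flight check that reports which 3-D Secure protocols a filled-in CardinalCommerce form will give you, and which flow a cardholder then sees. `CardinalForm`, `audit` and `auth_path` are hypothetical names, and reporting a partly filled set of Cruise fields as a finding is an assumption, since the page describes only the "all set" and "all blank" cases.

```python
from dataclasses import dataclass

CRUISE_FIELDS = ("api_identifier", "api_key", "org_unit_id")

@dataclass
class CardinalForm:
    # Hypothetical container; attribute names mirror the form labels.
    mode: str = "Test"            # "Test" or "Live"
    api_identifier: str = ""
    api_key: str = ""
    org_unit_id: str = ""

def audit(form):
    """Return (protocols, findings) for a filled-in configuration form."""
    filled = [f for f in CRUISE_FIELDS if getattr(form, f).strip()]
    if len(filled) == len(CRUISE_FIELDS):
        return ("3DS1", "3DS2"), []           # Cardinal Cruise: 3DS2 with 3DS1 fallback
    if filled:
        # Assumption: the page covers only "all set" and "all blank", so a
        # partly filled set is reported instead of guessing the outcome.
        missing = [f for f in CRUISE_FIELDS if f not in filled]
        return (), ["incomplete Cruise credentials, missing: " + ", ".join(missing)]
    findings = []
    if form.mode == "Live":
        findings.append("Live mode without Cruise credentials: 3DS1 only")
    return ("3DS1",), findings

def auth_path(protocols, issuer_supports_3ds2, issuer_trusts_data):
    """Flow the cardholder sees, following the description on this page."""
    if not protocols:
        raise ValueError("fix the configuration findings first")
    if "3DS2" in protocols and issuer_supports_3ds2:
        if issuer_trusts_data:
            return "3DS2 frictionless"        # no cardholder input
        return "3DS2 challenge in-page"       # extra input, no redirect
    return "3DS1 redirect"                    # code/password on the bank's page

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    cruise = CardinalForm("Live", "id-EXAMPLE", "key-EXAMPLE", "org-EXAMPLE")
    for form in (cruise, CardinalForm("Live"), CardinalForm("Test", api_key="key-EXAMPLE")):
        protocols, findings = audit(form)
        print(protocols, findings)
    print(auth_path(audit(cruise)[0], True, False))
```

A Live configuration that reports "3DS1 only" is the case to review if you rely on 3DS2 for the Strong Customer Authentication requirements mentioned above.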
Besides the status button on the CardinalCommerce 3-D Secure configuration page, the status of your 3-D Secure payer authentication service is visible in the following locations:
- on the General settings page (Settings -> General):
- on the list of payment configurations (Settings -> Payment processing):
- on the details page of any payment configuration:
You can change the status at any time by going to the 3-D Secure configuration details page via the CardinalCommerce link in any of the above-mentioned locations and re-adjusting the status button.
Testing 3-D Secure
Once you have everything configured to start using 3-D Secure, it is a good idea to run a couple of test transactions to make sure it works as expected. To run transactions through 3-D Secure in test mode, some preparation will be needed:
- Check with the documentation or customer service of your payment gateway as to what needs to be done to run transactions in test mode. Depending on the payment system, you may have to set up a separate testing account, or adjust some settings in your existing account. Make sure 3-D Secure is enabled for the account you will use for testing.
- In X-Payments Cloud, set your payment method to work in test mode. For some payment gateways this means that you will just need to switch the test/live setting on the respective payment configuration details page; for others, you will have to use a testing account (different from your production account), so the settings with your account access details will need to be changed as well.
- Check with the documentation or customer service of your payment gateway whether you will need to use any test mode specific data for your test transactions. For example, some payment gateways may require that you use a special credit card number, have a certain transaction total or use some other information that will allow the gateway to identify the transaction as being run for testing purposes. Some payment gateways will have additional requirements for the use of 3-D Secure in test mode (like Worldpay Corporate, which requires you to specify the cardholder name for your test transactions as "3D" to enable 3-D Secure for them). It is always best to check with customer service what data is required.