Token payment upgrade to 3DS: Difference between revisions
No edit summary |
No edit summary |
||
Line 13: | Line 13: | ||
This meant that as far as this token referenced a valid (and still available) funding source the merchant could create payments without any limitations. Basically, this token symbolized the funding source. It was up to the merchant to decide what it is used for, neither Barion nor the card issuer was aware of the nature of the subsequent payments. | This meant that as far as this token referenced a valid (and still available) funding source the merchant could create payments without any limitations. Basically, this token symbolized the funding source. It was up to the merchant to decide what it is used for, neither Barion nor the card issuer was aware of the nature of the subsequent payments. | ||
This funding source can be either a card or an e-money wallet and this is up to the payer to choose. In case the payer chooses to fund the payment from their e-money wallet there is no further need for extra security. On the other hand when it comes to card payment the authentication process changed with the new Strong Customer Authentication directive and the 3DS v2 protocol. | This funding source can be either a card or an e-money wallet and this is up to the payer to choose. In case the payer chooses to fund the payment from their e-money wallet there is no further need for extra security. On the other hand, when it comes to card payment the authentication process changed with the new Strong Customer Authentication directive and the 3DS v2 protocol. | ||
= Changes = | = Changes = | ||
Line 60: | Line 60: | ||
== Usage of TraceId == | == Usage of TraceId == | ||
3DS authentication requires another identifier. This new identifier is used to differentiate these token payment scenarios and help the issuer control what is non- | 3DS authentication requires another identifier. This new identifier is used to differentiate these token payment scenarios and help the issuer control what is a non-fraudulent transaction. | ||
So from now on there will be two IDs for every payer-not-present scenario: | So from now on, there will be two IDs for every payer-not-present scenario: | ||
* <code>RecurrenceId</code> for the funding source: this identifies the source of the money (could be card or wallet) | * <code>RecurrenceId</code> for the funding source: this identifies the source of the money (could be card or wallet) | ||
* <code>TraceId</code> (new) for the ''nature of the charge:'' this identifies the type of token payment scenario the merchant is conducting. | * <code>TraceId</code> (new) for the ''nature of the charge:'' this identifies the type of token payment scenario the merchant is conducting. | ||
Line 70: | Line 70: | ||
{{NotificationBox|title=CHANGE|text=The TraceId must processed from the [[Payment-GetPaymentState-v2|GetPaymentState]] response and must be attached to the payment in merchant's system. |color=#20c400}} | {{NotificationBox|title=CHANGE|text=The TraceId must processed from the [[Payment-GetPaymentState-v2|GetPaymentState]] response and must be attached to the payment in merchant's system. |color=#20c400}} | ||
Once the <code>TraceId</code> is acquired it must be sent in the [[Payment-Start-v2|Payment/Start]] request to identify the scenario. This is | Once the <code>TraceId</code> is acquired it must be sent in the [[Payment-Start-v2|Payment/Start]] request to identify the scenario. This is crucial for the card transactions otherwise they could be declined. A <code>TraceId</code> can only be used again if: | ||
* the funding source is the same (technically the <code>RecurrenceId</code> is the same) | |||
* the token payment scenario is the same (technically the <code>RecurrenceType</code> is the same) | |||
* the request complies with the scenario restrictions | |||
{{NotificationBox|title=CHANGE|text=The TraceId must specified in the [[Payment-Start-v2|Payment/Start]] for the subsequent token charges. |color=#20c400}} | |||
Line 76: | Line 83: | ||
Revision as of 08:52, 19 November 2020
Upgrading token payment implementation to comply with 3DS
Background
Token payment is a solution that enables the merchant to charge the payer without the presence of them. It is a powerful tool to conduct subscription-like or payer-not-present scenarios. This scenario requires the merchant to create a token that would act as an identifier for the payer's funding source. To attach that token to a valid funding source the merchant had to do several things:
- Create an alphanumeric token
- Conduct an initial payment in which this token gets registered in the Barion system
- Refer to this token in a subsequent payment attempt
This meant that as far as this token referenced a valid (and still available) funding source the merchant could create payments without any limitations. Basically, this token symbolized the funding source. It was up to the merchant to decide what it is used for, neither Barion nor the card issuer was aware of the nature of the subsequent payments.
This funding source can be either a card or an e-money wallet and this is up to the payer to choose. In case the payer chooses to fund the payment from their e-money wallet there is no further need for extra security. On the other hand, when it comes to card payment the authentication process changed with the new Strong Customer Authentication directive and the 3DS v2 protocol.
Changes
To make sure that the payer has more control over these token scenarios and the card issuer knows more about the payment scenarios several things need to be changed.
Token payment scenarios
First of all the merchant has to decide what kind of token payment scenario is suitable. These scenarios are the following:
- One-click payment: The payer clicks on the "Purchase" button but the charge happens in the background without the payer leaving the merchant's site.
- Recurring payment: The payer authorizes the merchant (at the initial payment) to charge their card periodically without being present.
- Merchant initiated payment: The payer authorizes the merchant to charge their card without restrictions.
These scenarios have different properties and requirements, this table below summarizes the key differences.
Scenario | Payer present? | Amount | Frequency | Liability |
---|---|---|---|---|
One-click payment | Yes | Various | Various | Card issuer |
Recurring payment | No | Various | Fixed | Card issuer |
Merchant initiated payment | No | Various | Various | Merchant |
Explanation:
Payer present: indicates whether the payer is present during the subsequent payments. During the first (initial) payment, the payer is always present in every scenario.
Amount: specifies whether the amount of the payments can change from payment to payment or must be the same.
Frequency: specifies whether it is mandatory to wait a fixed number of days between payments or the charges can happen ad-hoc.
Liability: describes the entity who is liable for the payment in case of fraud
To help you decide on a suitable scenario, please use the decision graph below:
File:3ds-recurrencetype-decision.jpg
Usage of TraceId
3DS authentication requires another identifier. This new identifier is used to differentiate these token payment scenarios and help the issuer control what is a non-fraudulent transaction.
So from now on, there will be two IDs for every payer-not-present scenario:
RecurrenceId
for the funding source: this identifies the source of the money (could be card or wallet)TraceId
(new) for the nature of the charge: this identifies the type of token payment scenario the merchant is conducting.
This new TraceId
is generated and stored by the card issuer. The Id is available in the GetPaymentState response once the charge is successfully completed.
Once the TraceId
is acquired it must be sent in the Payment/Start request to identify the scenario. This is crucial for the card transactions otherwise they could be declined. A TraceId
can only be used again if:
- the funding source is the same (technically the
RecurrenceId
is the same) - the token payment scenario is the same (technically the
RecurrenceType
is the same) - the request complies with the scenario restrictions
Prepare for 3DS authentication
The new more secure 3DS v2 authentication must be conducted for every online card payment. These token payment scenarios also need to use these new secure way of authentication. The initial payment must be authenticated every time although the subsequent payments may be exempted in certain cases. This table displays the different scenarios and the 3DS authentication requirements.
Scenario | Initial payment | Subsequent payments |
---|---|---|
One-click payment | ✔️ | ✔️ |
Recurring payment | ✔️ | |
Merchant initiated payment | ✔️ |
What happens if I don't change my implementation
TODO