Interesting, it's like Verified by Visa but more crafty. With VbV you
could keep your cards more secure to you by not signing up for an
account. In other words if you don't have a VbV account then no one
can somehow get your username and password and make charges on your
card that you can't do anything about, i.e. charges you're stuck with
because the normal credit card protections don't apply.
With 3D Secure, if they use the same username/password that you use
for online banking and you can't opt out of 3D Secure, then you get to
move to a bank that doesn't do 3D Secure, or deal with the fact that
if anyone gets your online account's username/password then you're in
big trouble and you'll get no help.
The scary thing is that many people won't be aware of this additional
risk, and that the protection is NOT for the consumer, it is for the
credit card company, payment processor company, and merchant bank, and
also the merchant/vendor. I'm guessing they won't advertise that fact,
at least until a law comes along that requires it.
Oh well, wonderful world we live in. I may be outvoted in this, but
just like Verified by Visa this is the sort of feature I'd like to see
never make it into OFBiz.
-David
On Oct 20, 2008, at 12:04 AM, Raj Saini wrote:
David,
AFAIK, 3D Secure is similar to "Verified by Visa", and in addition
it also supports MasterCard. In 3D Secure, customers authenticate
with their banker (issuer bank) and not the Visa or MasterCard site,
and yes, they waive the right to repudiation as they use their bank
userid/password to authenticate.
I know some of the merchant banks in the UK made it mandatory to use 3D
Secure for CC processing. I am not sure how useful it could be for
end customers, but vendors have little choice when their merchant bank
makes it mandatory to use 3D Secure as part of CC processing. The only
alternative is to switch to another merchant bank, which may not be
feasible sometimes.
Thanks,
Raj
David E Jones wrote:
On a side note, is 3D Secure like the old "Verified by Visa" thingy
that was supposed to make things more secure for "customers" but by
using it customers actually waived the right to repudiation? In
other words, if someone was able to get your CC information and
Verified by Visa username/password then they could commit fraud and
Visa wouldn't help you out with it at all.
In other words, for your extra pain of signing up and using the
problem, the customer was rewarded by not being able to repudiate
fraudulent charges.
If the same is true for 3D Secure then chances are it won't be on
the radar for very long... when was the last time anyone here was
asked to implement for Verified by Visa?
-David
On Oct 19, 2008, at 11:05 PM, Christopher L wrote:
Yes, it's a complete rethink on how to ensure non-repudiation.
It's also less of a "call to a gateway" than it is a redirection to
the card issuer. The goal is to keep the PIN from the merchants
and card processors.
Here's the flow, IIRC.
1. User enters in a CC number into a storefront.
2. Storefront queries the CC number to determine participation in
3dsecure.
3. Response and issuer authentication url is returned.
4. Storefront redirects the user to the card issuer, with an
encrypted payload. This could be in a pop-up.
5. User authenticates with card issuer.
6. Card issuer redirects the user back to the storefront with a
code in an xml doc signed by the issuer.
7. Storefront adds the code to the authorization that is sent to
the credit card processor.
In my experience, merchants get very worried (and rightly so)
about the redirection/pop-up because you lose control of the
user. It's essential to make it a smooth experience. If it's
not, you lose sales because the customers don't come back from the
redirect.
Chris Lombardi
Date: Sun, 19 Oct 2008 13:27:43 -0700
From: [EMAIL PROTECTED]
To: dev@ofbiz.apache.org
Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure
Credit Card with ofbiz.]
I did not catch that, thanks, Chris.
This would be an independent service that the different CC services
could call while building their call to the gateway they are using.
It would still be in the third party service.
3DsecureService.java
Christopher L sent the following on 10/19/2008 1:02 PM:
3D Secure isn't a payment processor. It's a supplemental
authentication service that authenticates the cardholder to the
*card issuing bank*.
The output of 3D Secure is an encrypted hash (not a payment
auth) that is then sent via your normal payment authorization
service.
So, you really can't implement ccAuth, ccCapture, etc.
Sarvesh is trying to find out where in the checkout process this
additional authentication step could go to then be utilized by
all the payment authorization services. I'm familiar with 3D
Secure, but unfortunately not familiar with the ofbiz ecommerce
module, or I'd suggest something myself.
Chris Lombardi
Date: Sun, 19 Oct 2008 12:41:03 -0700
From: [EMAIL PROTECTED]
To: dev@ofbiz.apache.org
Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure
Credit Card with ofbiz.]
I read
http://docs.ofbiz.org/display/OFBIZ/Credit+Card+3D+Secure++Authentication+Integration+with+ofbiz
and see no difference than using the CC service called by
PaymentGatewayServices
all the services now, had web interfaces at one time.
Raj Saini sent the following on 10/19/2008 8:43 AM:
BJ,
3D Secure is not the same as normal CC authorization. 3D Secure has an
issuer bank authentication and it happens in 2 phases. And that is the
reason this proposal is to make 3D Secure generic enough to integrate
with OFBiz so that it can easily be hooked up in other payment
processors.
Thanks,
Raj
BJ Freeman wrote:
look at the third party code under the financial folder.
applications\accounting\src\org\ofbiz\accounting\thirdparty
provide
ccAuth
ccCapture
at a minimum
and
ccRefund
ccRelease
ccCredit
ccAuthCapture
if the provider supports them.
http://docs.ofbiz.org/display/OFBIZ/OFBiz+Beginner%27s+Development+Guide+Using+Practice+Application
see part 1
Sarvesh sent the following on 10/17/2008 7:26 AM:
Hi,
I want to discuss integration of 3D Secure Credit Card with ofbiz. I
have got it working (using protx simulator) by changing some of the
ofbiz files, but it is still not generic, so I want to discuss it with
the user community to make it generic for general usage.
Thanks
Sarvesh.
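
Added example, not part of the thread and not OFBiz code: a stdlib-only Python sketch of the seven-step flow Chris lists, showing the checks a storefront would make on the issuer's signed response before attaching its code to the payment authorization. All names, the card number, the URL and the key are constructed, and HMAC stands in for the issuer's signature over the XML document.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key standing in for the issuer's signing key (assumption:
# a real issuer signs the XML response; HMAC keeps this stdlib-only).
ISSUER_KEY = b"constructed-demo-issuer-key"
# Constructed enrolment directory: card number -> issuer authentication URL.
ENROLLED = {"4000000000000002": "https://issuer.example/auth"}


def issuer_sign(body: dict) -> str:
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def lookup_enrollment(pan: str):
    """Steps 2-3: is the card enrolled, and where does the issuer authenticate?"""
    return ENROLLED.get(pan)


def issuer_authenticate(txn_id: str, amount: int, password_ok: bool) -> dict:
    """Steps 5-6, issuer side: the password is checked here, never by the
    storefront, and the signed result is bound to one transaction."""
    body = {"txn_id": txn_id, "amount": amount,
            "status": "Y" if password_ok else "N",
            "auth_code": secrets.token_hex(10)}
    return {"body": body, "sig": issuer_sign(body)}


def build_authorization(pan, txn_id, amount, response, seen):
    """Step 7, storefront side: verify the response, then attach its code."""
    body = response["body"]
    if not hmac.compare_digest(issuer_sign(body), response["sig"]):
        raise ValueError("issuer signature invalid")
    if body["txn_id"] != txn_id or body["amount"] != amount:
        raise ValueError("response not bound to this order")
    if body["status"] != "Y":
        raise ValueError("cardholder not authenticated")
    if txn_id in seen:
        raise ValueError("response replayed")
    seen.add(txn_id)
    # The code travels with the normal authorization request to the processor.
    return {"pan": pan, "amount": amount, "threeds_code": body["auth_code"]}
```
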