David E Jones wrote:
With 3D Secure, if they use the same username/password that you use
for online banking and you can't opt out of 3D Secure, then you get to
move to a bank that doesn't do 3D Secure, or deal with the fact that
if anyone gets your online account's username/password then you're in
big trouble and you'll get no help.
For customers there is an option to opt out from the 3D secure. I
remember the bank site giving me options to join in or opt out of the
3D secure when it was activated on first use of the card.
Oh well, wonderful world we live in. I may be outvoted in this, but
just like Verified by Visa this is the sort of feature I'd like to see
never make it into OFBiz.
Well, 3D secure is optional for the customers as well as vendors.
However, some of the merchant banks made it mandatory (in the UK at least).
I feel there is no harm in having it in OFBiz as long as it does not
interfere with the normal authorization flow. The idea is to hook up the 3D
secure only if it is enabled in OFBiz; otherwise, normal CC processing
is used as it is.
Thanks,
Raj
-David
On Oct 20, 2008, at 12:04 AM, Raj Saini wrote:
David,
AFAIK, 3D secure is similar to "Verified by Visa"; in addition to that,
it also supports Mastercard. In 3D secure, customers authenticate with
their banker (issuer bank) and not the Visa or MasterCard site, and
yes, they waive the right to repudiation as they use their bank
userid/password to authenticate.
I know some of the merchant banks in the UK made it mandatory to use 3D
secure for CC processing. I am not sure how useful it could be for
end customers, but vendors have little choice when their merchant bank
makes it mandatory to use 3D secure as part of CC processing. The only
alternative is to switch to another merchant bank, which may not be
feasible sometimes.
Thanks,
Raj
David E Jones wrote:
On a side note, is 3D Secure like the old "Verified by Visa" thingy
that was supposed to make things more secure for "customers" but by
using it customers actually waived the right to repudiation. In
other words, if someone was able to get your CC information and
Verified by Visa username/password then they could commit fraud and
Visa wouldn't help you out with it at all.
In other words, for your extra pain of signing up and using the
problem, the customer was rewarded by not being able to repudiate
fraudulent charges.
If the same is true for 3D Secure then chances are it won't be on
the radar for very long... when was the last time anyone here was
asked to implement for Verified by Visa?
-David
On Oct 19, 2008, at 11:05 PM, Christopher L wrote:
Yes, it's a complete rethink on how to ensure non-repudiation.
It's also less of a "call to a gateway" as it is a redirection to
the card issuer. The goal is to keep the PIN from the merchants
and card processors.
Here's the flow, IIRC.
1. User enters in a CC number into a storefront.
2. Storefront queries the CC number to determine participation in
3dsecure.
3. Response and issuer authentication url is returned.
4. Storefront redirects the user to the card issuer, with an
encrypted payload. This could be in a pop-up.
5. User authenticates with card issuer.
6. Card issuer redirects the user back to the storefront with a
code in an xml doc signed by the issuer.
7. Storefront adds the code to the authorization that is sent to
the credit card processor.
In my experience, merchants get very worried (and rightly so) about
the redirection/pop-up because you lose control of the user. It's
essential to make it a smooth experience. If it's not, you lose
sales because the customers don't come back from the redirect.
Chris Lombardi
Date: Sun, 19 Oct 2008 13:27:43 -0700
From: [EMAIL PROTECTED]
To: dev@ofbiz.apache.org
Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure
Credit Card with ofbiz.]
I did not catch that, thanks, Chris.
This would be an independent service that the different CC services
could call while building their call to the gateway they are using.
It would still be in the third party service.
3DsecureService.java
Christopher L sent the following on 10/19/2008 1:02 PM:
3D Secure isn't a payment processor. It's a supplemental
authentication service that authenticates the cardholder to the
*card issuing bank*.
The output of 3D Secure is an encrypted hash (not a payment auth)
that is then sent via your normal payment authorization service.
So, you really can't implement ccAuth, ccCapture, etc.
Sarvesh is trying to find out where in the checkout process this
additional authentication step could go to then be utilized by
all the payment authorization services. I'm familiar with 3D
Secure, but unfortunately not familiar with the ofbiz ecommerce
module, or I'd suggest something myself.
Chris Lombardi
Date: Sun, 19 Oct 2008 12:41:03 -0700
From: [EMAIL PROTECTED]
To: dev@ofbiz.apache.org
Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure
Credit Card with ofbiz.]
I read
http://docs.ofbiz.org/display/OFBIZ/Credit+Card+3D+Secure++Authentication+Integration+with+ofbiz
and see no difference than using the CC service called by
PaymentGatewayServices
all the services now, had web interfaces at one time.
Raj Saini sent the following on 10/19/2008 8:43 AM:
BJ,
3D secure is not the same as normal CC authorization. 3D secure has
an issuer bank authentication and it happens in 2 phases. And that is
the reason this proposal is to make 3D secure generic enough to
integrate with OFBiz so that it can easily be hooked up in other
payment processors.
Thanks,
Raj
BJ Freeman wrote:
look at the third party code under the financial folder.
applications\accounting\src\org\ofbiz\accounting\thirdparty
provide
ccAuth
ccCapture
at a minimum
and
ccRefund
ccRelease
ccCredit
ccAuthCapture
if the provider supports them.
http://docs.ofbiz.org/display/OFBIZ/OFBiz+Beginner%27s+Development+Guide+Using+Practice+Application
see part 1
Sarvesh sent the following on 10/17/2008 7:26 AM:
Hi,
I want to discuss integration 3D Secure Credit Card with ofbiz. I
have got it working (using protx simulator) by changing some of ofbiz
files but still it is not generic so I want to discuss it with the
user community to make it generic for general usage.
Thanks
Sarvesh.
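
The flow Christopher L lists earlier in this thread (steps 2 to 7), combined with Raj's condition that 3D Secure only hooks in when it is enabled, sketched from the storefront's side. This is an added example, not code from any poster or from OFBiz; all function and field names are hypothetical, and an HMAC over JSON stands in for the issuer-signed XML document.

```python
import hashlib
import hmac
import json

# Constructed demo key. Real issuers sign an XML document with their own key;
# HMAC-SHA256 over JSON is a stand-in so the example runs with the stdlib only.
ISSUER_KEY = b"constructed-demo-key"


def sign(fields: dict) -> str:
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()


def issuer_response(order_id: str, amount: str, code: str) -> dict:
    """Step 6 as the issuer would produce it (hypothetical field names)."""
    fields = {"order_id": order_id, "amount": amount, "auth_code": code}
    return {"fields": fields, "sig": sign(fields)}


def verified_code(order: dict, response: dict) -> str:
    """Return the issuer's code only if the signature and order binding hold."""
    fields = response["fields"]
    if not hmac.compare_digest(sign(fields), response["sig"]):
        raise ValueError("issuer signature invalid")
    if (fields["order_id"], fields["amount"]) != (order["id"], order["amount"]):
        raise ValueError("response is for a different order or amount")
    return fields["auth_code"]


def build_authorization(order, enabled, enrolled, response=None) -> dict:
    """Steps 2-7 from the storefront's side; returns the processor request."""
    request = {"order_id": order["id"], "amount": order["amount"],
               "pan": order["pan"]}
    if not enabled or not enrolled:
        return request  # normal CC processing, flow untouched
    if response is None:
        raise ValueError("card is enrolled: issuer authentication required")
    # Step 7: attach the code only after it has been verified and bound
    # to this order, so a replayed or edited response is rejected.
    request["three_ds_code"] = verified_code(order, response)
    return request
```

Binding the issuer's response to the order id and amount is what stops a valid response for one checkout from being reused on another.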