PAYONE-GmbH / magento-2

PAYONE Payment Extension for Magento 2

Ratepay: Scripts loaded and cookies set even though ratepay module is not active #439

Closed OvalMedia closed 2 years ago

OvalMedia commented 2 years ago

My customers are not using the Ratepay invoice part of this module. That part is not active in the backend. But during checkout Magento is loading multiple scripts from the domain d.ratepay.com and one (i.htm) from www.jsctool.com. Cookies are also being set without consent.

Question 1: Why? Question 2: WTF? Question 3: how do I get rid of this?

This is very discomforting and smells like spying to me. Something my (and therefore yours as well) customers will not appreciate.

Please elaborate.

OvalMedia commented 2 years ago

For anybody who is as excited about this as myself, here is the answer to question 3:

Create this file in your theme folder: Payone_Core\layout\checkout_index_index.xml

With this content:

<?xml version="1.0"?>
<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:View/Layout/etc/page_configuration.xsd">
    <body>
        <referenceBlock name="payone_ratepay_device_fingerprint" remove="true" />
    </body>
</page>
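
To check whether the override took effect, export a HAR file from the browser's network tab while walking through checkout, then list every request to the two hosts named in the report together with the cookies each response set. This is an added example, not part of the original comment or the PAYONE code; the sample entries, paths and cookie names are constructed.

```python
from urllib.parse import urlsplit

# Hosts named in the issue report above.
WATCHED_HOSTS = {"d.ratepay.com", "www.jsctool.com"}

def _entry(url, headers=(), cookies=()):
    """Build a minimal HAR 1.2 entry (helper for the constructed sample)."""
    return {"request": {"url": url},
            "response": {"headers": [{"name": n, "value": v} for n, v in headers],
                         "cookies": [{"name": c} for c in cookies]}}

# Constructed sample data: paths and cookie names are invented for illustration.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://shop.example/checkout/", cookies=["PHPSESSID"]),
    _entry("https://d.ratepay.com/constructed/fp.js",
           headers=[("Set-Cookie", "constructed_id=abc; Path=/; Secure")]),
    _entry("https://www.jsctool.com/constructed/i.htm", cookies=["constructed_sess"]),
    # Lookalike: the watched name appears only in the path, the host is first-party.
    _entry("https://cdn.shop.example/d.ratepay.com/fp.js"),
]}}

def host_is_watched(host, watched=WATCHED_HOSTS):
    """True if host equals a watched host or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watched)

def audit_har(har, watched=WATCHED_HOSTS):
    """Return one finding per request to a watched host, with the cookie names it set."""
    findings = []
    for entry in har.get("log", {}).get("entries", []):
        url = entry.get("request", {}).get("url", "")
        host = urlsplit(url).hostname
        if not host_is_watched(host, watched):
            continue
        resp = entry.get("response", {})
        names = [c.get("name", "") for c in resp.get("cookies", [])]
        if not names:  # some exporters leave "cookies" empty; parse the raw headers
            names = [h.get("value", "").split("=", 1)[0].strip()
                     for h in resp.get("headers", [])
                     if h.get("name", "").lower() == "set-cookie"]
        findings.append({"host": host, "url": url, "cookies": names})
    return findings

if __name__ == "__main__":
    for f in audit_har(SAMPLE_HAR):
        print(f"{f['host']}: {f['url']} cookies={f['cookies']}")
```

An empty result for a checkout session recorded with Ratepay disabled means neither host was contacted.
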

mklooss commented 2 years ago

Affected Files:

This config should be used in the Block Class: https://github.com/PAYONE-GmbH/magento-2/blob/master/etc/config.xml#L259

janteuber commented 2 years ago

Hello @mklooss @OvalMedia,

Thank you very much for creating the issue.

I have created a ticket internally for this. We will take a close look at this case and get back to you.

janteuber commented 2 years ago

Hello @mklooss @OvalMedia,

We can provide you a PR: https://github.com/PAYONE-GmbH/magento-2/pull/440

Now Ratepay's device fingerprinting is only active if Ratepay has also been activated as a payment method.

We will merge the PR soon and release it in our new plugin version in May.

OvalMedia commented 2 years ago

You might want to get in touch with your customers. I doubt this is in compliance with a lot of stores' data protection policies.

janteuber commented 2 years ago

Device fingerprinting is a fraud detection tool. The aim here is not to collect data from the customers. A hash is created from various characteristics in order to minimize the risk of fraud. No personal data is sent at any time. Of course, this would not be allowed by data protection laws.