braintree / braintree-web-drop-in

Braintree Drop-in for the web
MIT License

3D Secure issue with Drop-in #607

Closed umaar closed 4 years ago

umaar commented 4 years ago

Thanks for the docs on 3D Secure, they're great. I'm trying to wrap my head around the challenge itself, and how that's presented to the user, but the docs/Codepen example does not seem to explain or clarify this.

Using the official Codepen: 3D Secure v2.0 sdk with Drop-in, there's a special card number to get a "successful with challenge", which would be great, however it presents me with an immediate "Payment method nonce received" whereas I was expecting to see a challenge.

Questions:

Thanks!

umaar commented 4 years ago

Update: I was able to trigger it using a card number which is not listed in that Codepen: 4000000000000002 - it's useful the challenge appears, but now I can't successfully complete it!

Searching around, it sounds like ad-blockers/DNS Blockers may interfere? (In this case with cardinalcommerce)

Have you at Braintree heard of an increase in shopping cart abandonment with those who adopt 3D Secure? I'm wondering, if all these different banks have their own 'challenge' popup, which in turn loads a bunch of extra scripts, it may be the case that some users out there are unable to proceed with their checkout since the challenge never loads/executes correctly.

crookedneighbor commented 4 years ago

Thanks for the report.

> Using the official Codepen: 3D Secure v2.0 sdk with Drop-in, there's a special card number to get a "successful with challenge", which would be great, however it presents me with an immediate "Payment method nonce received" whereas I was expecting to see a challenge.

Looks like if we modify the codepen to not require us to send the billing address, the challenge does successfully open. When we send along the billing address, it does not and liability is not shifted. We're investigating why this is.

> Update: I was able to trigger it using a card number which is not listed in that Codepen: 4000000000000002 - it's useful the challenge appears, but now I can't successfully complete it!

This is because that is a 3ds v1 test card and because the codepen is in a sandboxed iframe, it's presented in such a way that it cannot complete. This won't be a problem in a normal, non-codepen integration.

> How is the drop-in compatible with 'challenges', e.g. when a bank sends you a text message, does the braintree dropin somehow load an iframe which tells you "Go and check your phone for the pin" or something? I can't find any screenshots/docs which explain how the challenge itself is presented (I appreciate this varies per bank)

> Have you at Braintree heard of an increase in shopping cart abandonment with those who adopt 3D Secure? I'm wondering, if all these different banks have their own 'challenge' popup, which in turn loads a bunch of extra scripts, it may be the case that some users out there are unable to proceed with their checkout since the challenge never loads/executes correctly.

These questions are best answered by our support team. Reach out to them here: https://help.braintreepayments.com/

crookedneighbor commented 4 years ago

Ok, looks like Cardinal did not use to validate the length of the region param in sandbox, but now they do. I’ve updated the codepen to use the correct format and now I get a challenge as I expect.

The rest of your questions are not about the SDK, so it’s best to reach out to our support team for those.

umaar commented 4 years ago

Thank you. I see the challenge now, but even if I cancel it, I still get a nonce, not sure that's correct.

crookedneighbor commented 4 years ago

That is correct. You get a nonce back, but liability is not shifted. It's up to you as the merchant to determine if you want to go through with the transaction or not.
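
The point made in the last reply, that receiving a nonce does not mean 3D Secure authentication succeeded, can be turned into an explicit merchant-side gate. The following is an added example, not code from this thread or from the Braintree project; the function name, the policy option, the action strings and the sample payloads are assumptions made for illustration.

```javascript
// Added example. `liabilityShifted` and `liabilityShiftPossible` are fields on
// the Drop-in requestPaymentMethod payload when 3D Secure is enabled.
// The function name, policy option and action strings are hypothetical.
function decide3dsOutcome(payload, policy = { requireShiftForCards: true }) {
  if (!payload || typeof payload.nonce !== 'string' || payload.nonce === '') {
    return { action: 'reject', reason: 'no-nonce' };
  }
  // Assumption: in this integration only 'CreditCard' payloads go through 3DS.
  if (payload.type !== 'CreditCard') {
    return { action: 'submit', reason: 'not-a-card' };
  }
  // Only a strict boolean true counts; a missing field is "not shifted".
  if (payload.liabilityShifted === true) {
    return { action: 'submit', reason: 'liability-shifted' };
  }
  const fallback = policy.requireShiftForCards ? 'reject' : 'review';
  if (payload.liabilityShiftPossible === true) {
    // Card was eligible, but authentication did not succeed.
    return { action: fallback, reason: 'authentication-not-completed' };
  }
  // Card or issuer was not eligible for 3D Secure at all.
  return { action: fallback, reason: 'shift-not-possible' };
}

// Constructed sample payloads (nonces are placeholders, not real values).
const SAMPLES = {
  passed: { nonce: 'fake-nonce-1', type: 'CreditCard',
            liabilityShifted: true, liabilityShiftPossible: true },
  notCompleted: { nonce: 'fake-nonce-2', type: 'CreditCard',
                  liabilityShifted: false, liabilityShiftPossible: true },
  ineligible: { nonce: 'fake-nonce-3', type: 'CreditCard',
                liabilityShifted: false, liabilityShiftPossible: false },
  missingFlags: { nonce: 'fake-nonce-4', type: 'CreditCard' },
  paypal: { nonce: 'fake-nonce-5', type: 'PayPalAccount' },
};

for (const [name, payload] of Object.entries(SAMPLES)) {
  console.log(name, decide3dsOutcome(payload));
}
```

A payload posted from the browser can be altered, so the same decision should be repeated on the server against the 3D Secure information attached to the nonce before the transaction is created.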