braintree / braintree-web-drop-in

Braintree Drop-in for the web
MIT License

Email from Braintree re Updates to required 3D Secure data fields #922

Open pbowyer opened 6 months ago

pbowyer commented 6 months ago

General information

Issue description

We received an email from Braintree last week saying that effective 12 August 2024, Visa will recategorize five existing 3D Secure data fields from “conditional” to “required”, and asking us to check that our integration passes the newly required fields.


We use the web drop-in and I don't see a place in the API to set these fields. Can you confirm that this update will be taken care of automatically in the drop-in?

Carter-Moorse commented 6 months ago

Hi,

We are using the web drop-in too. There have been no updates to the Braintree drop-in documentation regarding these changes (https://braintree.github.io/braintree-web-drop-in/docs/current/Dropin.html#requestPaymentMethod). Looking through the Braintree web drop-in source code, I can't seem to find anywhere that collectDeviceData or IpAddress properties are set by default.

I found that you have to explicitly set these options in the requestPaymentMethod call, under the threeDSecure property (the full list of options can be found at https://braintree.github.io/braintree-web/current/ThreeDSecure.html#verifyCard).

So your implementation will look something like this...

```javascript
dropinInstance.requestPaymentMethod({
  threeDSecure: {
    collectDeviceData: true,
    email: '<Cardholder Email Address>',
    mobilePhoneNumber: '<Cardholder Phone Number>'.replace(/[^0-9]/g, ''), // Replace all non-numeric
    billingAddress: {
      givenName: '<Cardholder Name (first)>',
      surname: '<Cardholder Name (last)>',
      phoneNumber: '<Cardholder Phone Number>'.replace(/[^0-9]/g, ''), // Replace all non-numeric
    },
    additionalInformation: {
      ipAddress: '<Browser / Device IP Address>'
    }
  }
}, callbackFunction); // callbackFunction(err, payload): payload carries the payment method nonce
```

Hope that helps
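As an added example (not code from the drop-in library or from anyone in this thread), the following shows one way to assemble the threeDSecure fields described above from data collected outside Drop-in, normalise them the same way as the snippet (digits-only phone numbers), refuse to proceed when a required field is missing, and hand the result to requestPaymentMethod. The cardholder object shape, the helper names, and the mock drop-in instance are this example's own assumptions; ipAddress is taken as an input the page gets from its own server rather than something the browser determines.

```javascript
// Added example: build the 3DS fields from a checkout form and pass them to
// Drop-in. All names below (digitsOnly, splitName, buildThreeDSecureOptions,
// requestPaymentMethodWith3DS, makeMockDropin) are assumptions of this example.

// Keep digits only, matching the .replace(/[^0-9]/g, '') normalisation above.
function digitsOnly(value) {
  return String(value || '').replace(/[^0-9]/g, '');
}

// Split a single "full name" input into the givenName/surname pair that the
// billingAddress object expects. Everything after the first token is the surname.
function splitName(fullName) {
  const parts = String(fullName || '').trim().split(/\s+/).filter(Boolean);
  if (parts.length === 0) return { givenName: '', surname: '' };
  if (parts.length === 1) return { givenName: parts[0], surname: '' };
  return { givenName: parts[0], surname: parts.slice(1).join(' ') };
}

// Build the threeDSecure options object. `base` holds whatever threeDSecure
// options you already pass (it is merged in unchanged). `ipAddress` is assumed
// to come from your own server, which saw the client's request; the browser
// cannot reliably work out its own public address. Throws when a field is
// missing, so the gap surfaces before the verifyCard lookup instead of being
// silently omitted from the payload.
function buildThreeDSecureOptions(cardholder, ipAddress, base = {}) {
  const { givenName, surname } = splitName(cardholder.name);
  const phone = digitsOnly(cardholder.phone);
  const email = String(cardholder.email || '').trim();

  if (!givenName) throw new Error('cardholder name is required');
  if (!email && !phone) throw new Error('email address or phone number is required');
  if (!ipAddress) throw new Error('ipAddress is required');

  const options = Object.assign({}, base, {
    billingAddress: { givenName, surname },
    additionalInformation: { ipAddress },
  });
  if (email) options.email = email;
  if (phone) {
    options.mobilePhoneNumber = phone;
    options.billingAddress.phoneNumber = phone;
  }
  return options;
}

// Promise wrapper around the callback-style requestPaymentMethod(options, cb).
function requestPaymentMethodWith3DS(dropinInstance, cardholder, ipAddress, base) {
  const threeDSecure = buildThreeDSecureOptions(cardholder, ipAddress, base);
  return new Promise((resolve, reject) => {
    dropinInstance.requestPaymentMethod({ threeDSecure }, (err, payload) => {
      if (err) return reject(err);
      resolve(payload);
    });
  });
}

// Constructed stand-in for a real Drop-in instance so the example runs offline:
// it records the options it was called with and returns a fake nonce.
function makeMockDropin() {
  const calls = [];
  return {
    calls,
    requestPaymentMethod(options, cb) {
      calls.push(options);
      setTimeout(() => cb(null, { nonce: 'fake-nonce-for-demo', type: 'CreditCard' }), 0);
    },
  };
}

// Usage with constructed sample data (a documentation-range IP, not a real client).
const demoDropin = makeMockDropin();
requestPaymentMethodWith3DS(
  demoDropin,
  { name: 'Ada Lovelace', email: ' ada@example.com ', phone: '+44 (0)20 7946 0000' },
  '203.0.113.10'
).then((payload) => {
  console.log('nonce:', payload.nonce);
  console.log('threeDSecure sent:', JSON.stringify(demoDropin.calls[0].threeDSecure));
});
```

With a real Drop-in instance you would replace makeMockDropin() with the instance returned by dropin.create, and the page would read the cardholder fields from its own form before calling requestPaymentMethodWith3DS.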

ChrisHSandN commented 5 months ago

I am glad Braintree handles collection via the collectDeviceData as it's ambiguous from that email what:

> Browser Screen Width

means when it is then immediately described as

> width of a customers screen in pixels

Which is it, the browser or the screen 🤔

PRR24 commented 1 month ago

Not sure I fully understand expectations about the ipAddress field...

maplerock commented 1 month ago

> Not sure I fully understand expectations about the ipAddress field...

Agreed, it's really not clear 🤷‍♂️

7ing7ing commented 1 month ago

Hi,

How do you know that your extra fields are being sent? How do you make sure that it is successfully implemented? I don't get any errors and can see the transactions but I don't have a way to know this is working.

joehuggans commented 4 weeks ago

@7ing7ing

Under the "Premium Fraud Management Tools" section on a transaction, the "Device Data Captured" should show true if you have successfully captured it and sent it with the transaction.

As for the other fields, the idea I got from support was that we can't verify if these are working through looking at the Braintree control panel!

7ing7ing commented 4 weeks ago

@joehuggans I don't have such a section (I'm using sandbox to test this, maybe that is the reason?). Anyway, in the end customer support was able to see that I was implementing this correctly. I also noticed that during the transaction, the lookup method is called, and when I check the payload, if the additional fields are added correctly, additionalInfo is populated, as well as other things such as browserScreenHeight. If this happens and the transaction status is successful, I'm assuming it is working.

joehuggans commented 4 weeks ago

@7ing7ing

Apologies I got the device data thing mixed up, response from support on that:

"Just to clarify the device data collection for the Premium Fraud tools and the 3DS are two different things"

And also below if it helps anyone:

"If your concern is for the new VISA regulations relating to the additional 3DS fields that need to be passed, it's important to note that per new information we have received from specialist teams, when using Braintree web for drop-in or hosted fields you do not need to pass collectDeviceData=true as our 3DS MPI provider will pull and pass that automatically for you.

The only fields that you will need to be concerned about collecting and passing in the 3DS verifyCard call are the ipAddress, email address or phone number, and cardholder name. For these fields you will need to collect that on your own outside of the drop-in and then pass it in the requestPaymentMethod (drop-in) or the verifyCard (custom/hosted field integrations) call.

7ing7ing commented 4 weeks ago

That reminds me of another piece of info that I couldn't find anywhere but Braintree support told me. If this helps anyone:

Upon reviewing the details of the transaction you provided, it appears that it was a merchant-initiated transaction, indicated by the parameter "transaction_source"=>"unscheduled". Such transactions don't fall under 3DS verification, hence we didn't find the verifyCard call associated with this transaction.

ivansrbic commented 2 weeks ago

Hi. I asked support but still no answer so I will ask here as well since it's in relation to what was said.

We have a site that is using Braintree on Wordpress via the official plugin as well as on Shopamine.

Is there anything we have to do in order to be compliant on there or is it done automatically?

We are also based in EU if that is of any importance.

7ing7ing commented 2 weeks ago

> Hi. I asked support but still no answer so I will ask here as well since it's in relation to what was said.
>
> We have a site that is using Braintree on Wordpress via the official plugin as well as on Shopamine.
>
> Is there anything we have to do in order to be compliant on there or is it done automatically?
>
> We are also based in EU if that is of any importance.

I don't believe this can be automatic. In my particular case I had to add extra fields in the form to comply with this. And write a small function to get the IP of the user (among other stuff). The screenshot shows what is mandatory.

PRR24 commented 2 weeks ago

There is no such thing as "IP of the user" in the IPv4 world. There is only an "IP of the user from a specific server's perspective". E.g., my/your server may have a completely different understanding of the client IP compared to the 3DS server.