[Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
16 messages Options
Reply | Threaded
Open this post in threaded view
|

[Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]

BJ Freeman
look at the third party code under the financial folder.
applications\accounting\src\org\ofbiz\accounting\thirdparty
provide
ccAuth
ccCapture
at a minimum
and
ccRefund
ccRelease
ccCredit
ccAuthCapture
if the provider supports them.

http://docs.ofbiz.org/display/OFBIZ/OFBiz+Beginner%27s+Development+Guide+Using+Practice+Application
see part 1

Sarvesh sent the following on 10/17/2008 7:26 AM:

> Hi,
>
>
>  I want to discuss integration 3D Secure Credit Card with ofbiz. I have got
> it working(using protx simulator) by changing some of ofbiz files but still
> it is not generic so I want to discuss it with the user community to make it
> generic for general usage.
>
>
> Thanks
> Sarvesh.
>


Reply | Threaded
Open this post in threaded view
|

Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]

rajsaini
BJ,

3D secure is not same as normal CC authorization. 3D secure has a issuer
bank authentication and it happens in 2 phases. And that is the reason
this proposal is to make 3D secure generic enough to integrate with
OFBiz so that it can easily hooked up in other payment processors.

Thanks,

Raj

BJ Freeman wrote:

> look at the third party code under the financial folder.
> applications\accounting\src\org\ofbiz\accounting\thirdparty
> provide
> ccAuth
> ccCapture
> at a minimum
> and
> ccRefund
> ccRelease
> ccCredit
> ccAuthCapture
> if the provider supports them.
>
> http://docs.ofbiz.org/display/OFBIZ/OFBiz+Beginner%27s+Development+Guide+Using+Practice+Application
> see part 1
>
> Sarvesh sent the following on 10/17/2008 7:26 AM:
>  
>> Hi,
>>
>>
>>  I want to discuss integration 3D Secure Credit Card with ofbiz. I have got
>> it working(using protx simulator) by changing some of ofbiz files but still
>> it is not generic so I want to discuss it with the user community to make it
>> generic for general usage.
>>
>>
>> Thanks
>> Sarvesh.
>>
>>    
>
>
>
>  

Reply | Threaded
Open this post in threaded view
|

Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]

BJ Freeman
I read
http://docs.ofbiz.org/display/OFBIZ/Credit+Card+3D+Secure++Authentication+Integration+with+ofbiz
and see no difference than using the CC service called by
PaymentGatewayServices
all the services now, had web interfaces at one time.



Raj Saini sent the following on 10/19/2008 8:43 AM:

> BJ,
>
> 3D secure is not same as normal CC authorization. 3D secure has a issuer
> bank authentication and it happens in 2 phases. And that is the reason
> this proposal is to make 3D secure generic enough to integrate with
> OFBiz so that it can easily hooked up in other payment processors.
>
> Thanks,
>
> Raj
>
> BJ Freeman wrote:
>> look at the third party code under the financial folder.
>> applications\accounting\src\org\ofbiz\accounting\thirdparty
>> provide
>> ccAuth
>> ccCapture
>> at a minimum
>> and
>> ccRefund
>> ccRelease
>> ccCredit
>> ccAuthCapture
>> if the provider supports them.
>>
>> http://docs.ofbiz.org/display/OFBIZ/OFBiz+Beginner%27s+Development+Guide+Using+Practice+Application
>>
>> see part 1
>>
>> Sarvesh sent the following on 10/17/2008 7:26 AM:
>>  
>>> Hi,
>>>
>>>
>>>  I want to discuss integration 3D Secure Credit Card with ofbiz. I
>>> have got
>>> it working(using protx simulator) by changing some of ofbiz files but
>>> still
>>> it is not generic so I want to discuss it with the user community to
>>> make it
>>> generic for general usage.
>>>
>>>
>>> Thanks
>>> Sarvesh.
>>>
>>>    
>>
>>
>>
>>  
>
>
>
Reply | Threaded
Open this post in threaded view
|

RE: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]

Christopher L
3D Secure isn't a payment processor.  It's a supplemental authentication service that authenticates the cardholder to the *card issuing bank*.

The output of 3D Secure is an encrypted hash (not a payment auth) that is then sent via your normal payment authorization service.

So, you really can't implement ccAuth, ccCapture, etc.

Sarvesh is trying to find out where in the checkout process this additional authentication step could go to then be utilized by all the payment authorization services.  I'm familiar with 3D Secure, but unfortunately not familiar with the ofbiz ecommerce module, or I'd suggest something myself.

Chris Lombardi

> Date: Sun, 19 Oct 2008 12:41:03 -0700
> From: [hidden email]
> To: [hidden email]
> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]
>
> I read
> http://docs.ofbiz.org/display/OFBIZ/Credit+Card+3D+Secure++Authentication+Integration+with+ofbiz
> and see no difference than using the CC service called by
> PaymentGatewayServices
> all the services now, had web interfaces at one time.
>
>
>
> Raj Saini sent the following on 10/19/2008 8:43 AM:
> > BJ,
> >
> > 3D secure is not same as normal CC authorization. 3D secure has a issuer
> > bank authentication and it happens in 2 phases. And that is the reason
> > this proposal is to make 3D secure generic enough to integrate with
> > OFBiz so that it can easily hooked up in other payment processors.
> >
> > Thanks,
> >
> > Raj
> >
> > BJ Freeman wrote:
> >> look at the third party code under the financial folder.
> >> applications\accounting\src\org\ofbiz\accounting\thirdparty
> >> provide
> >> ccAuth
> >> ccCapture
> >> at a minimum
> >> and
> >> ccRefund
> >> ccRelease
> >> ccCredit
> >> ccAuthCapture
> >> if the provider supports them.
> >>
> >> http://docs.ofbiz.org/display/OFBIZ/OFBiz+Beginner%27s+Development+Guide+Using+Practice+Application
> >>
> >> see part 1
> >>
> >> Sarvesh sent the following on 10/17/2008 7:26 AM:
> >>  
> >>> Hi,
> >>>
> >>>
> >>>  I want to discuss integration 3D Secure Credit Card with ofbiz. I
> >>> have got
> >>> it working(using protx simulator) by changing some of ofbiz files but
> >>> still
> >>> it is not generic so I want to discuss it with the user community to
> >>> make it
> >>> generic for general usage.
> >>>
> >>>
> >>> Thanks
> >>> Sarvesh.
> >>>
> >>>    
> >>
> >>
> >>
> >>  
> >
> >
> >
Reply | Threaded
Open this post in threaded view
|

Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]

BJ Freeman
I did not catch that, thanks, Chris.
This would be a independent service that the different CC services could
call it while building thier call to the gateway they are using.
it would still be in the third party service.
3DsecureService.java


Christopher L sent the following on 10/19/2008 1:02 PM:

> 3D Secure isn't a payment processor.  It's a supplemental authentication service that authenticates the cardholder to the *card issuing bank*.
>
> The output of 3D Secure is an encrypted hash (not a payment auth) that is then sent via your normal payment authorization service.
>
> So, you really can't implement ccAuth, ccCapture, etc.
>
> Sarvesh is trying to find out where in the checkout process this additional authentication step could go to then be utilized by all the payment authorization services.  I'm familiar with 3D Secure, but unfortunately not familiar with the ofbiz ecommerce module, or I'd suggest something myself.
>
> Chris Lombardi
>
>> Date: Sun, 19 Oct 2008 12:41:03 -0700
>> From: [hidden email]
>> To: [hidden email]
>> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]
>>
>> I read
>> http://docs.ofbiz.org/display/OFBIZ/Credit+Card+3D+Secure++Authentication+Integration+with+ofbiz
>> and see no difference than using the CC service called by
>> PaymentGatewayServices
>> all the services now, had web interfaces at one time.
>>
>>
>>
>> Raj Saini sent the following on 10/19/2008 8:43 AM:
>>> BJ,
>>>
>>> 3D secure is not same as normal CC authorization. 3D secure has a issuer
>>> bank authentication and it happens in 2 phases. And that is the reason
>>> this proposal is to make 3D secure generic enough to integrate with
>>> OFBiz so that it can easily hooked up in other payment processors.
>>>
>>> Thanks,
>>>
>>> Raj
>>>
>>> BJ Freeman wrote:
>>>> look at the third party code under the financial folder.
>>>> applications\accounting\src\org\ofbiz\accounting\thirdparty
>>>> provide
>>>> ccAuth
>>>> ccCapture
>>>> at a minimum
>>>> and
>>>> ccRefund
>>>> ccRelease
>>>> ccCredit
>>>> ccAuthCapture
>>>> if the provider supports them.
>>>>
>>>> http://docs.ofbiz.org/display/OFBIZ/OFBiz+Beginner%27s+Development+Guide+Using+Practice+Application
>>>>
>>>> see part 1
>>>>
>>>> Sarvesh sent the following on 10/17/2008 7:26 AM:
>>>>  
>>>>> Hi,
>>>>>
>>>>>
>>>>>  I want to discuss integration 3D Secure Credit Card with ofbiz. I
>>>>> have got
>>>>> it working(using protx simulator) by changing some of ofbiz files but
>>>>> still
>>>>> it is not generic so I want to discuss it with the user community to
>>>>> make it
>>>>> generic for general usage.
>>>>>
>>>>>
>>>>> Thanks
>>>>> Sarvesh.
>>>>>
>>>>>    
>>>>
>>>>
>>>>  
>>>
>>>
>
Reply | Threaded
Open this post in threaded view
|

Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]

Jacques Le Roux
Administrator
In reply to this post by Christopher L
At this stage I'd suggest to open a Jira issue for this.

Jacques

From: "Christopher L" <[hidden email]>
3D Secure isn't a payment processor.  It's a supplemental authentication service that authenticates the cardholder to the *card
issuing bank*.

The output of 3D Secure is an encrypted hash (not a payment auth) that is then sent via your normal payment authorization service.

So, you really can't implement ccAuth, ccCapture, etc.

Sarvesh is trying to find out where in the checkout process this additional authentication step could go to then be utilized by all
the payment authorization services.  I'm familiar with 3D Secure, but unfortunately not familiar with the ofbiz ecommerce module, or
I'd suggest something myself.

Chris Lombardi

> Date: Sun, 19 Oct 2008 12:41:03 -0700
> From: [hidden email]
> To: [hidden email]
> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]
>
> I read
> http://docs.ofbiz.org/display/OFBIZ/Credit+Card+3D+Secure++Authentication+Integration+with+ofbiz
> and see no difference than using the CC service called by
> PaymentGatewayServices
> all the services now, had web interfaces at one time.
>
>
>
> Raj Saini sent the following on 10/19/2008 8:43 AM:
> > BJ,
> >
> > 3D secure is not same as normal CC authorization. 3D secure has a issuer
> > bank authentication and it happens in 2 phases. And that is the reason
> > this proposal is to make 3D secure generic enough to integrate with
> > OFBiz so that it can easily hooked up in other payment processors.
> >
> > Thanks,
> >
> > Raj
> >
> > BJ Freeman wrote:
> >> look at the third party code under the financial folder.
> >> applications\accounting\src\org\ofbiz\accounting\thirdparty
> >> provide
> >> ccAuth
> >> ccCapture
> >> at a minimum
> >> and
> >> ccRefund
> >> ccRelease
> >> ccCredit
> >> ccAuthCapture
> >> if the provider supports them.
> >>
> >> http://docs.ofbiz.org/display/OFBIZ/OFBiz+Beginner%27s+Development+Guide+Using+Practice+Application
> >>
> >> see part 1
> >>
> >> Sarvesh sent the following on 10/17/2008 7:26 AM:
> >>
> >>> Hi,
> >>>
> >>>
> >>>  I want to discuss integration 3D Secure Credit Card with ofbiz. I
> >>> have got
> >>> it working(using protx simulator) by changing some of ofbiz files but
> >>> still
> >>> it is not generic so I want to discuss it with the user community to
> >>> make it
> >>> generic for general usage.
> >>>
> >>>
> >>> Thanks
> >>> Sarvesh.
> >>>
> >>>
> >>
> >>
> >>
> >>
> >
> >
> >

Reply | Threaded
Open this post in threaded view
|

RE: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]

Christopher L
In reply to this post by BJ Freeman
Yes, it's a complete rethink on how to ensure non-repudiation.

It's also less of a "call to a gateway" as it is a redirection to the card issuer.  The goal is to keep the PIN from the merchants and card processors.

Here's the flow, IIRC.

1.  User enters in a CC number into a storefront.
2.  Storefront queries the CC number to determine participation in 3dsecure.
3.  Response and issuer authentication url is returned.
4.  Storefront redirects the user to the card issuer, with an encrypted payload.  This could be in a pop-up.
5.  User authenticates with card issuer.
6.  Card issuer redirects the user back to the storefront with a code in an xml doc signed by the issuer.
7.  Storefront adds the code to the authorization that is sent to the credit card processor.

In my experience, merchants get very worried (and rightly so) about the redirection/pop-up because you lose control of the user.  It's essential to make it a smooth experience.  If it's not, you lose sales because the customers don't come back from the redirect.

Chris Lombardi

> Date: Sun, 19 Oct 2008 13:27:43 -0700
> From: [hidden email]
> To: [hidden email]
> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]
>
> I did not catch that, thanks, Chris.
> This would be a independent service that the different CC services could
> call it while building thier call to the gateway they are using.
> it would still be in the third party service.
> 3DsecureService.java
>
>
> Christopher L sent the following on 10/19/2008 1:02 PM:
> > 3D Secure isn't a payment processor.  It's a supplemental authentication service that authenticates the cardholder to the *card issuing bank*.
> >
> > The output of 3D Secure is an encrypted hash (not a payment auth) that is then sent via your normal payment authorization service.
> >
> > So, you really can't implement ccAuth, ccCapture, etc.
> >
> > Sarvesh is trying to find out where in the checkout process this additional authentication step could go to then be utilized by all the payment authorization services.  I'm familiar with 3D Secure, but unfortunately not familiar with the ofbiz ecommerce module, or I'd suggest something myself.
> >
> > Chris Lombardi
> >
> >> Date: Sun, 19 Oct 2008 12:41:03 -0700
> >> From: [hidden email]
> >> To: [hidden email]
> >> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]
> >>
> >> I read
> >> http://docs.ofbiz.org/display/OFBIZ/Credit+Card+3D+Secure++Authentication+Integration+with+ofbiz
> >> and see no difference than using the CC service called by
> >> PaymentGatewayServices
> >> all the services now, had web interfaces at one time.
> >>
> >>
> >>
> >> Raj Saini sent the following on 10/19/2008 8:43 AM:
> >>> BJ,
> >>>
> >>> 3D secure is not same as normal CC authorization. 3D secure has a issuer
> >>> bank authentication and it happens in 2 phases. And that is the reason
> >>> this proposal is to make 3D secure generic enough to integrate with
> >>> OFBiz so that it can easily hooked up in other payment processors.
> >>>
> >>> Thanks,
> >>>
> >>> Raj
> >>>
> >>> BJ Freeman wrote:
> >>>> look at the third party code under the financial folder.
> >>>> applications\accounting\src\org\ofbiz\accounting\thirdparty
> >>>> provide
> >>>> ccAuth
> >>>> ccCapture
> >>>> at a minimum
> >>>> and
> >>>> ccRefund
> >>>> ccRelease
> >>>> ccCredit
> >>>> ccAuthCapture
> >>>> if the provider supports them.
> >>>>
> >>>> http://docs.ofbiz.org/display/OFBIZ/OFBiz+Beginner%27s+Development+Guide+Using+Practice+Application
> >>>>
> >>>> see part 1
> >>>>
> >>>> Sarvesh sent the following on 10/17/2008 7:26 AM:
> >>>>  
> >>>>> Hi,
> >>>>>
> >>>>>
> >>>>>  I want to discuss integration 3D Secure Credit Card with ofbiz. I
> >>>>> have got
> >>>>> it working(using protx simulator) by changing some of ofbiz files but
> >>>>> still
> >>>>> it is not generic so I want to discuss it with the user community to
> >>>>> make it
> >>>>> generic for general usage.
> >>>>>
> >>>>>
> >>>>> Thanks
> >>>>> Sarvesh.
> >>>>>
> >>>>>    
> >>>>
> >>>>
> >>>>  
> >>>
> >>>
> >
Reply | Threaded
Open this post in threaded view
|

Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]

David E Jones

On a side note, is 3D Secure like the old "Verified by Visa" thingy  
that was supposed to make things more secure for "customers" but by  
using it customers actually waived the right to repudiation. In other  
words, if someone was able to get your CC information and Verified by  
Visa username/password then they could commit fraud and Visa wouldn't  
help you out with it at all.

In other words, for your extra pain of signing up and using the  
problem, the customer was rewarded by not being able to repudiate  
fraudulent charges.

If the same is true for 3D Secure then chances are it won't be on the  
radar for very long... when was the last time anyone here was asked to  
implement for Verified by Visa?

-David


On Oct 19, 2008, at 11:05 PM, Christopher L wrote:

> Yes, it's a complete rethink on how to ensure non-repudiation.
>
> It's also less of a "call to a gateway" as it is a redirection to  
> the card issuer.  The goal is to keep the PIN from the merchants and  
> card processors.
>
> Here's the flow, IIRC.
>
> 1.  User enters in a CC number into a storefront.
> 2.  Storefront queries the CC number to determine participation in  
> 3dsecure.
> 3.  Response and issuer authentication url is returned.
> 4.  Storefront redirects the user to the card issuer, with an  
> encrypted payload.  This could be in a pop-up.
> 5.  User authenticates with card issuer.
> 6.  Card issuer redirects the user back to the storefront with a  
> code in an xml doc signed by the issuer.
> 7.  Storefront adds the code to the authorization that is sent to  
> the credit card processor.
>
> In my experience, merchants get very worried (and rightly so) about  
> the redirection/pop-up because you lose control of the user.  It's  
> essential to make it a smooth experience.  If it's not, you lose  
> sales because the customers don't come back from the redirect.
>
> Chris Lombardi
>
>> Date: Sun, 19 Oct 2008 13:27:43 -0700
>> From: [hidden email]
>> To: [hidden email]
>> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure  
>> Credit Card with ofbiz.]
>>
>> I did not catch that, thanks, Chris.
>> This would be a independent service that the different CC services  
>> could
>> call it while building thier call to the gateway they are using.
>> it would still be in the third party service.
>> 3DsecureService.java
>>
>>
>> Christopher L sent the following on 10/19/2008 1:02 PM:
>>> 3D Secure isn't a payment processor.  It's a supplemental  
>>> authentication service that authenticates the cardholder to the  
>>> *card issuing bank*.
>>>
>>> The output of 3D Secure is an encrypted hash (not a payment auth)  
>>> that is then sent via your normal payment authorization service.
>>>
>>> So, you really can't implement ccAuth, ccCapture, etc.
>>>
>>> Sarvesh is trying to find out where in the checkout process this  
>>> additional authentication step could go to then be utilized by all  
>>> the payment authorization services.  I'm familiar with 3D Secure,  
>>> but unfortunately not familiar with the ofbiz ecommerce module, or  
>>> I'd suggest something myself.
>>>
>>> Chris Lombardi
>>>
>>>> Date: Sun, 19 Oct 2008 12:41:03 -0700
>>>> From: [hidden email]
>>>> To: [hidden email]
>>>> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure  
>>>> Credit Card with ofbiz.]
>>>>
>>>> I read
>>>> http://docs.ofbiz.org/display/OFBIZ/Credit+Card+3D+Secure++Authentication+Integration+with+ofbiz
>>>> and see no difference than using the CC service called by
>>>> PaymentGatewayServices
>>>> all the services now, had web interfaces at one time.
>>>>
>>>>
>>>>
>>>> Raj Saini sent the following on 10/19/2008 8:43 AM:
>>>>> BJ,
>>>>>
>>>>> 3D secure is not same as normal CC authorization. 3D secure has  
>>>>> a issuer
>>>>> bank authentication and it happens in 2 phases. And that is the  
>>>>> reason
>>>>> this proposal is to make 3D secure generic enough to integrate  
>>>>> with
>>>>> OFBiz so that it can easily hooked up in other payment processors.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Raj
>>>>>
>>>>> BJ Freeman wrote:
>>>>>> look at the third party code under the financial folder.
>>>>>> applications\accounting\src\org\ofbiz\accounting\thirdparty
>>>>>> provide
>>>>>> ccAuth
>>>>>> ccCapture
>>>>>> at a minimum
>>>>>> and
>>>>>> ccRefund
>>>>>> ccRelease
>>>>>> ccCredit
>>>>>> ccAuthCapture
>>>>>> if the provider supports them.
>>>>>>
>>>>>> http://docs.ofbiz.org/display/OFBIZ/OFBiz+Beginner%27s+Development+Guide+Using+Practice+Application
>>>>>>
>>>>>> see part 1
>>>>>>
>>>>>> Sarvesh sent the following on 10/17/2008 7:26 AM:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>>
>>>>>>> I want to discuss integration 3D Secure Credit Card with  
>>>>>>> ofbiz. I
>>>>>>> have got
>>>>>>> it working(using protx simulator) by changing some of ofbiz  
>>>>>>> files but
>>>>>>> still
>>>>>>> it is not generic so I want to discuss it with the user  
>>>>>>> community to
>>>>>>> make it
>>>>>>> generic for general usage.
>>>>>>>
>>>>>>>
>>>>>>> Thanks
>>>>>>> Sarvesh.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>

Reply | Threaded
Open this post in threaded view
|

Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]

rajsaini
David,

AFAIK, 3D secure is similar to "Verified by Visa" in addition to that it
also supports Mastercard. In 3D secure customer authenticate with their
banker (issuer bank) and not the Visa or MasterCard site and yes they
waives the right to repudiation as they use their bank userid/password
to authenticate.

I know some of the merchant banks in UK made it mandatory to use 3D
secure for CC processing. I am not sure how useful it could be for end
customers but vendor have little choice when their merchant bank makes
it mandatory to use 3D secure as part of CC processing. Only alternative
is to switch to the other merchant bank which may not be feasible sometime.

Thanks,

Raj

David E Jones wrote:

>
> On a side note, is 3D Secure like the old "Verified by Visa" thingy
> that was supposed to make things more secure for "customers" but by
> using it customers actually waived the right to repudiation. In other
> words, if someone was able to get your CC information and Verified by
> Visa username/password then they could commit fraud and Visa wouldn't
> help you out with it at all.
>
> In other words, for your extra pain of signing up and using the
> problem, the customer was rewarded by not being able to repudiate
> fraudulent charges.
>
> If the same is true for 3D Secure then chances are it won't be on the
> radar for very long... when was the last time anyone here was asked to
> implement for Verified by Visa?
>
> -David
>
>
> On Oct 19, 2008, at 11:05 PM, Christopher L wrote:
>
>> Yes, it's a complete rethink on how to ensure non-repudiation.
>>
>> It's also less of a "call to a gateway" as it is a redirection to the
>> card issuer.  The goal is to keep the PIN from the merchants and card
>> processors.
>>
>> Here's the flow, IIRC.
>>
>> 1.  User enters in a CC number into a storefront.
>> 2.  Storefront queries the CC number to determine participation in
>> 3dsecure.
>> 3.  Response and issuer authentication url is returned.
>> 4.  Storefront redirects the user to the card issuer, with an
>> encrypted payload.  This could be in a pop-up.
>> 5.  User authenticates with card issuer.
>> 6.  Card issuer redirects the user back to the storefront with a code
>> in an xml doc signed by the issuer.
>> 7.  Storefront adds the code to the authorization that is sent to the
>> credit card processor.
>>
>> In my experience, merchants get very worried (and rightly so) about
>> the redirection/pop-up because you lose control of the user.  It's
>> essential to make it a smooth experience.  If it's not, you lose
>> sales because the customers don't come back from the redirect.
>>
>> Chris Lombardi
>>
>>> Date: Sun, 19 Oct 2008 13:27:43 -0700
>>> From: [hidden email]
>>> To: [hidden email]
>>> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure
>>> Credit Card with ofbiz.]
>>>
>>> I did not catch that, thanks, Chris.
>>> This would be a independent service that the different CC services
>>> could
>>> call it while building thier call to the gateway they are using.
>>> it would still be in the third party service.
>>> 3DsecureService.java
>>>
>>>
>>> Christopher L sent the following on 10/19/2008 1:02 PM:
>>>> 3D Secure isn't a payment processor.  It's a supplemental
>>>> authentication service that authenticates the cardholder to the
>>>> *card issuing bank*.
>>>>
>>>> The output of 3D Secure is an encrypted hash (not a payment auth)
>>>> that is then sent via your normal payment authorization service.
>>>>
>>>> So, you really can't implement ccAuth, ccCapture, etc.
>>>>
>>>> Sarvesh is trying to find out where in the checkout process this
>>>> additional authentication step could go to then be utilized by all
>>>> the payment authorization services.  I'm familiar with 3D Secure,
>>>> but unfortunately not familiar with the ofbiz ecommerce module, or
>>>> I'd suggest something myself.
>>>>
>>>> Chris Lombardi
>>>>
>>>>> Date: Sun, 19 Oct 2008 12:41:03 -0700
>>>>> From: [hidden email]
>>>>> To: [hidden email]
>>>>> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure
>>>>> Credit Card with ofbiz.]
>>>>>
>>>>> I read
>>>>> http://docs.ofbiz.org/display/OFBIZ/Credit+Card+3D+Secure++Authentication+Integration+with+ofbiz 
>>>>>
>>>>> and see no difference than using the CC service called by
>>>>> PaymentGatewayServices
>>>>> all the services now, had web interfaces at one time.
>>>>>
>>>>>
>>>>>
>>>>> Raj Saini sent the following on 10/19/2008 8:43 AM:
>>>>>> BJ,
>>>>>>
>>>>>> 3D secure is not same as normal CC authorization. 3D secure has a
>>>>>> issuer
>>>>>> bank authentication and it happens in 2 phases. And that is the
>>>>>> reason
>>>>>> this proposal is to make 3D secure generic enough to integrate with
>>>>>> OFBiz so that it can easily hooked up in other payment processors.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Raj
>>>>>>
>>>>>> BJ Freeman wrote:
>>>>>>> look at the third party code under the financial folder.
>>>>>>> applications\accounting\src\org\ofbiz\accounting\thirdparty
>>>>>>> provide
>>>>>>> ccAuth
>>>>>>> ccCapture
>>>>>>> at a minimum
>>>>>>> and
>>>>>>> ccRefund
>>>>>>> ccRelease
>>>>>>> ccCredit
>>>>>>> ccAuthCapture
>>>>>>> if the provider supports them.
>>>>>>>
>>>>>>> http://docs.ofbiz.org/display/OFBIZ/OFBiz+Beginner%27s+Development+Guide+Using+Practice+Application 
>>>>>>>
>>>>>>>
>>>>>>> see part 1
>>>>>>>
>>>>>>> Sarvesh sent the following on 10/17/2008 7:26 AM:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>>
>>>>>>>> I want to discuss integration 3D Secure Credit Card with ofbiz. I
>>>>>>>> have got
>>>>>>>> it working(using protx simulator) by changing some of ofbiz
>>>>>>>> files but
>>>>>>>> still
>>>>>>>> it is not generic so I want to discuss it with the user
>>>>>>>> community to
>>>>>>>> make it
>>>>>>>> generic for general usage.
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Sarvesh.
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>
>
>

Reply | Threaded
Open this post in threaded view
|

Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]

David E Jones

Interesting, it's like Verified by Visa but more crafty. With VbV you  
could keep your cards more secure to you by not signing up for an  
account. In other words if you don't have a VbV account then no one  
can somehow get your username and password and make charges on your  
card that you can't do anything about, ie charges you're stuck with  
because the normal credit card protections don't apply.

With 3D Secure, if they use the same username/password that you use  
for online banking and you can't opt out of 3D Secure, then you get to  
move to a bank that doesn't do 3D Secure, or deal with the fact that  
if anyone gets your online account's username/password then you're in  
big trouble and you'll get no help.

The scary thing is that many people won't be aware of this additional  
risk, and that the protection is NOT for the consumer, it is for the  
credit card company, payment processor company, and merchant bank, and  
also the merchant/vendor. I'm guessing they won't advertise that fact,  
at least until a law comes along that requires it.

Oh well, wonderful world we live in. I may be outvoted in this, but  
just like Verified by Visa this is the sort of feature I'd like to see  
never make it into OFBiz.

-David


On Oct 20, 2008, at 12:04 AM, Raj Saini wrote:

> David,
>
> AFAIK, 3D secure is similar to "Verified by Visa" in addition to  
> that it also supports Mastercard. In 3D secure customer authenticate  
> with their banker (issuer bank) and not the Visa or MasterCard site  
> and yes they waives the right to repudiation as they use their bank  
> userid/password to authenticate.
>
> I know some of the merchant banks in UK made it mandatory to use 3D  
> secure for CC processing. I am not sure how useful it could be for  
> end customers but vendor have little choice when their merchant bank  
> makes it mandatory to use 3D secure as part of CC processing. Only  
> alternative is to switch to the other merchant bank which may not be  
> feasible sometime.
>
> Thanks,
>
> Raj
>
> David E Jones wrote:
>>
>> On a side note, is 3D Secure like the old "Verified by Visa" thingy  
>> that was supposed to make things more secure for "customers" but by  
>> using it customers actually waived the right to repudiation. In  
>> other words, if someone was able to get your CC information and  
>> Verified by Visa username/password then they could commit fraud and  
>> Visa wouldn't help you out with it at all.
>>
>> In other words, for your extra pain of signing up and using the  
>> problem, the customer was rewarded by not being able to repudiate  
>> fraudulent charges.
>>
>> If the same is true for 3D Secure then chances are it won't be on  
>> the radar for very long... when was the last time anyone here was  
>> asked to implement for Verified by Visa?
>>
>> -David
>>
>>
>> On Oct 19, 2008, at 11:05 PM, Christopher L wrote:
>>
>>> Yes, it's a complete rethink on how to ensure non-repudiation.
>>>
>>> It's also less of a "call to a gateway" as it is a redirection to  
>>> the card issuer.  The goal is to keep the PIN from the merchants  
>>> and card processors.
>>>
>>> Here's the flow, IIRC.
>>>
>>> 1.  User enters in a CC number into a storefront.
>>> 2.  Storefront queries the CC number to determine participation in  
>>> 3dsecure.
>>> 3.  Response and issuer authentication url is returned.
>>> 4.  Storefront redirects the user to the card issuer, with an  
>>> encrypted payload.  This could be in a pop-up.
>>> 5.  User authenticates with card issuer.
>>> 6.  Card issuer redirects the user back to the storefront with a  
>>> code in an xml doc signed by the issuer.
>>> 7.  Storefront adds the code to the authorization that is sent to  
>>> the credit card processor.
>>>
>>> In my experience, merchants get very worried (and rightly so)  
>>> about the redirection/pop-up because you lose control of the  
>>> user.  It's essential to make it a smooth experience.  If it's  
>>> not, you lose sales because the customers don't come back from the  
>>> redirect.
>>>
>>> Chris Lombardi
>>>
>>>> Date: Sun, 19 Oct 2008 13:27:43 -0700
>>>> From: [hidden email]
>>>> To: [hidden email]
>>>> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure  
>>>> Credit Card with ofbiz.]
>>>>
>>>> I did not catch that, thanks, Chris.
>>>> This would be a independent service that the different CC  
>>>> services could
>>>> call it while building thier call to the gateway they are using.
>>>> it would still be in the third party service.
>>>> 3DsecureService.java
>>>>
>>>>
>>>> Christopher L sent the following on 10/19/2008 1:02 PM:
>>>>> 3D Secure isn't a payment processor.  It's a supplemental  
>>>>> authentication service that authenticates the cardholder to the  
>>>>> *card issuing bank*.
>>>>>
>>>>> The output of 3D Secure is an encrypted hash (not a payment  
>>>>> auth) that is then sent via your normal payment authorization  
>>>>> service.
>>>>>
>>>>> So, you really can't implement ccAuth, ccCapture, etc.
>>>>>
>>>>> Sarvesh is trying to find out where in the checkout process this  
>>>>> additional authentication step could go to then be utilized by  
>>>>> all the payment authorization services.  I'm familiar with 3D  
>>>>> Secure, but unfortunately not familiar with the ofbiz ecommerce  
>>>>> module, or I'd suggest something myself.
>>>>>
>>>>> Chris Lombardi
>>>>>
>>>>>> Date: Sun, 19 Oct 2008 12:41:03 -0700
>>>>>> From: [hidden email]
>>>>>> To: [hidden email]
>>>>>> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure  
>>>>>> Credit Card with ofbiz.]
>>>>>>
>>>>>> I read
>>>>>> http://docs.ofbiz.org/display/OFBIZ/Credit+Card+3D+Secure++Authentication+Integration+with+ofbiz
>>>>>> and see no difference than using the CC service called by
>>>>>> PaymentGatewayServices
>>>>>> all the services now, had web interfaces at one time.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Raj Saini sent the following on 10/19/2008 8:43 AM:
>>>>>>> BJ,
>>>>>>>
>>>>>>> 3D secure is not same as normal CC authorization. 3D secure  
>>>>>>> has a issuer
>>>>>>> bank authentication and it happens in 2 phases. And that is  
>>>>>>> the reason
>>>>>>> this proposal is to make 3D secure generic enough to integrate  
>>>>>>> with
>>>>>>> OFBiz so that it can easily hooked up in other payment  
>>>>>>> processors.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Raj
>>>>>>>
>>>>>>> BJ Freeman wrote:
>>>>>>>> look at the third party code under the financial folder.
>>>>>>>> applications\accounting\src\org\ofbiz\accounting\thirdparty
>>>>>>>> provide
>>>>>>>> ccAuth
>>>>>>>> ccCapture
>>>>>>>> at a minimum
>>>>>>>> and
>>>>>>>> ccRefund
>>>>>>>> ccRelease
>>>>>>>> ccCredit
>>>>>>>> ccAuthCapture
>>>>>>>> if the provider supports them.
>>>>>>>>
>>>>>>>> http://docs.ofbiz.org/display/OFBIZ/OFBiz+Beginner%27s+Development+Guide+Using+Practice+Application
>>>>>>>>
>>>>>>>> see part 1
>>>>>>>>
>>>>>>>> Sarvesh sent the following on 10/17/2008 7:26 AM:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I want to discuss integration 3D Secure Credit Card with  
>>>>>>>>> ofbiz. I
>>>>>>>>> have got
>>>>>>>>> it working(using protx simulator) by changing some of ofbiz  
>>>>>>>>> files but
>>>>>>>>> still
>>>>>>>>> it is not generic so I want to discuss it with the user  
>>>>>>>>> community to
>>>>>>>>> make it
>>>>>>>>> generic for general usage.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> Sarvesh.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>
>>
>

Reply | Threaded
Open this post in threaded view
|

Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]

rajsaini
David E Jones wrote:
>
> With 3D Secure, if they use the same username/password that you use
> for online banking and you can't opt out of 3D Secure, then you get to
> move to a bank that doesn't do 3D Secure, or deal with the fact that
> if anyone gets your online account's username/password then you're in
> big trouble and you'll get no help.
For customers there is a option to opt out from the 3D secure. I
remember bank site asking me to giving options to join in or opt of the
3D secure when it was activated on first use of the card.
>
> Oh well, wonderful world we live in. I may be outvoted in this, but
> just like Verified by Visa this is the sort of feature I'd like to see
> never make it into OFBiz.
Well, 3D secure is optional for the customers as well as Vendors.
However, some of the merchant banks made it mandatory (in UK at least).
I feel there is no harm in having it in OFBiz as long as it does not
interfere with the normal authorization flow. Idea is to hook up the 3D
secure only if it is enabled in OFBiz otherwise, normal CC processing
used as it is.

Thanks,

Raj

>
> -David
>
>
> On Oct 20, 2008, at 12:04 AM, Raj Saini wrote:
>
>> David,
>>
>> AFAIK, 3D secure is similar to "Verified by Visa" in addition to that
>> it also supports Mastercard. In 3D secure customer authenticate with
>> their banker (issuer bank) and not the Visa or MasterCard site and
>> yes they waives the right to repudiation as they use their bank
>> userid/password to authenticate.
>>
>> I know some of the merchant banks in UK made it mandatory to use 3D
>> secure for CC processing. I am not sure how useful it could be for
>> end customers but vendor have little choice when their merchant bank
>> makes it mandatory to use 3D secure as part of CC processing. Only
>> alternative is to switch to the other merchant bank which may not be
>> feasible sometime.
>>
>> Thanks,
>>
>> Raj
>>
>> David E Jones wrote:
>>>
>>> On a side note, is 3D Secure like the old "Verified by Visa" thingy
>>> that was supposed to make things more secure for "customers" but by
>>> using it customers actually waived the right to repudiation. In
>>> other words, if someone was able to get your CC information and
>>> Verified by Visa username/password then they could commit fraud and
>>> Visa wouldn't help you out with it at all.
>>>
>>> In other words, for your extra pain of signing up and using the
>>> problem, the customer was rewarded by not being able to repudiate
>>> fraudulent charges.
>>>
>>> If the same is true for 3D Secure then chances are it won't be on
>>> the radar for very long... when was the last time anyone here was
>>> asked to implement for Verified by Visa?
>>>
>>> -David
>>>
>>>
>>> On Oct 19, 2008, at 11:05 PM, Christopher L wrote:
>>>
>>>> Yes, it's a complete rethink on how to ensure non-repudiation.
>>>>
>>>> It's also less of a "call to a gateway" as it is a redirection to
>>>> the card issuer.  The goal is to keep the PIN from the merchants
>>>> and card processors.
>>>>
>>>> Here's the flow, IIRC.
>>>>
>>>> 1.  User enters in a CC number into a storefront.
>>>> 2.  Storefront queries the CC number to determine participation in
>>>> 3dsecure.
>>>> 3.  Response and issuer authentication url is returned.
>>>> 4.  Storefront redirects the user to the card issuer, with an
>>>> encrypted payload.  This could be in a pop-up.
>>>> 5.  User authenticates with card issuer.
>>>> 6.  Card issuer redirects the user back to the storefront with a
>>>> code in an xml doc signed by the issuer.
>>>> 7.  Storefront adds the code to the authorization that is sent to
>>>> the credit card processor.
>>>>
>>>> In my experience, merchants get very worried (and rightly so) about
>>>> the redirection/pop-up because you lose control of the user.  It's
>>>> essential to make it a smooth experience.  If it's not, you lose
>>>> sales because the customers don't come back from the redirect.
>>>>
>>>> Chris Lombardi
>>>>
>>>>> Date: Sun, 19 Oct 2008 13:27:43 -0700
>>>>> From: [hidden email]
>>>>> To: [hidden email]
>>>>> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure
>>>>> Credit Card with ofbiz.]
>>>>>
>>>>> I did not catch that, thanks, Chris.
>>>>> This would be a independent service that the different CC services
>>>>> could
>>>>> call it while building thier call to the gateway they are using.
>>>>> it would still be in the third party service.
>>>>> 3DsecureService.java
>>>>>
>>>>>
>>>>> Christopher L sent the following on 10/19/2008 1:02 PM:
>>>>>> 3D Secure isn't a payment processor.  It's a supplemental
>>>>>> authentication service that authenticates the cardholder to the
>>>>>> *card issuing bank*.
>>>>>>
>>>>>> The output of 3D Secure is an encrypted hash (not a payment auth)
>>>>>> that is then sent via your normal payment authorization service.
>>>>>>
>>>>>> So, you really can't implement ccAuth, ccCapture, etc.
>>>>>>
>>>>>> Sarvesh is trying to find out where in the checkout process this
>>>>>> additional authentication step could go to then be utilized by
>>>>>> all the payment authorization services.  I'm familiar with 3D
>>>>>> Secure, but unfortunately not familiar with the ofbiz ecommerce
>>>>>> module, or I'd suggest something myself.
>>>>>>
>>>>>> Chris Lombardi
>>>>>>
>>>>>>> Date: Sun, 19 Oct 2008 12:41:03 -0700
>>>>>>> From: [hidden email]
>>>>>>> To: [hidden email]
>>>>>>> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure
>>>>>>> Credit Card with ofbiz.]
>>>>>>>
>>>>>>> I read
>>>>>>> http://docs.ofbiz.org/display/OFBIZ/Credit+Card+3D+Secure++Authentication+Integration+with+ofbiz 
>>>>>>>
>>>>>>> and see no difference than using the CC service called by
>>>>>>> PaymentGatewayServices
>>>>>>> all the services now, had web interfaces at one time.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Raj Saini sent the following on 10/19/2008 8:43 AM:
>>>>>>>> BJ,
>>>>>>>>
>>>>>>>> 3D secure is not same as normal CC authorization. 3D secure has
>>>>>>>> a issuer
>>>>>>>> bank authentication and it happens in 2 phases. And that is the
>>>>>>>> reason
>>>>>>>> this proposal is to make 3D secure generic enough to integrate
>>>>>>>> with
>>>>>>>> OFBiz so that it can easily hooked up in other payment processors.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Raj
>>>>>>>>
>>>>>>>> BJ Freeman wrote:
>>>>>>>>> look at the third party code under the financial folder.
>>>>>>>>> applications\accounting\src\org\ofbiz\accounting\thirdparty
>>>>>>>>> provide
>>>>>>>>> ccAuth
>>>>>>>>> ccCapture
>>>>>>>>> at a minimum
>>>>>>>>> and
>>>>>>>>> ccRefund
>>>>>>>>> ccRelease
>>>>>>>>> ccCredit
>>>>>>>>> ccAuthCapture
>>>>>>>>> if the provider supports them.
>>>>>>>>>
>>>>>>>>> http://docs.ofbiz.org/display/OFBIZ/OFBiz+Beginner%27s+Development+Guide+Using+Practice+Application 
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> see part 1
>>>>>>>>>
>>>>>>>>> Sarvesh sent the following on 10/17/2008 7:26 AM:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I want to discuss integration 3D Secure Credit Card with
>>>>>>>>>> ofbiz. I
>>>>>>>>>> have got
>>>>>>>>>> it working(using protx simulator) by changing some of ofbiz
>>>>>>>>>> files but
>>>>>>>>>> still
>>>>>>>>>> it is not generic so I want to discuss it with the user
>>>>>>>>>> community to
>>>>>>>>>> make it
>>>>>>>>>> generic for general usage.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>> Sarvesh.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>
>>>
>>>
>>
>
>

Reply | Threaded
Open this post in threaded view
|

Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]

Jacques Le Roux
Administrator
In reply to this post by David E Jones
From: "David E Jones" <[hidden email]>
> Oh well, wonderful world we live in. I may be outvoted in this, but  
> just like Verified by Visa this is the sort of feature I'd like to see  
> never make it into OFBiz.
>
> -David

+1 : don't support evil !

Jacques

Reply | Threaded
Open this post in threaded view
|

Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]

Jacques Le Roux
Administrator
Of course if the bank advertises or/and guarantees the payment it's another story.

In France we have some laws for that http://tinyurl.com/6jq5fe
Article L132-4 says for instance (automatically traduced)
<<The responsibility of the tenured one of a mentioned card to the item L. 132-1 is not engaged if the protested payment was carried
out frauduleusement, from afar, without physical usage of his card.  All the same, his responsibility is not engaged in case of
forgery of his card to the direction of the item L. 163-4 and if, at the protested operation, it was in physical possession of his
card.  In the foreseen cases to the two preceding indentations, if the tenured one of the card protests in writing to have carried
out a payment or a collection, are protested them him are recréditées on his account by the transmitting one card or returned,
without expense, at the latest in the delay of a month to count reception of the dispute.  >>

Is there anything like that in other countries ?

BTW, it's no CC related but did you know that http://www.iht.com/articles/2008/10/19/europe/19sarkobankFW.php ?

Jacques

From: "Jacques Le Roux" <[hidden email]>
> From: "David E Jones" <[hidden email]>
>> Oh well, wonderful world we live in. I may be outvoted in this, but  just like Verified by Visa this is the sort of feature I'd
>> like to see  never make it into OFBiz.
>>
>> -David
>
> +1 : don't support evil !
>
> Jacques

Reply | Threaded
Open this post in threaded view
|

RE: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]

Christopher L
In reply to this post by David E Jones
I could be wrong on this, but I believe that "3D Secure" is the name of the protocol and "Verified by Visa" is the customer brand.  They may have changed the name when they started verifying Mastercard also.

Some banks did mandate use of the VbV program in the past, but I'm not sure if that's the case anymore.  You may have better information on this than I.

Well, I look at it this way...

Right now, there's really no credit card security whatsoever.  Sure, there's AVS, but anyone with your credit card information can usually find out enough about you to add an additional address at your issuing bank.  Other stores will let you send out purchases to other addresses as "gifts".
There's also CVV, but if a store or a customer's machine is hacked, the CVV code can be compromised.  Then there's the merchants who retain the CVV code even though they shouldn't.  (I haven't seen that myself, but I'm sure it's out there.)  

In theory, 3DS should be more secure as it would require the issuer to be hacked or the customer's computer to be compromised.  That said, there are some scary scenarios that could be brought up.

However, that's not to say that repudiation isn't also a big issue.  It is.  And as ofbiz primarily caters to mail order businesses, they have ZERO protection from credit card fraud and repudiation.  Basically, if someone makes a purchase and decides they don't want to pay, they just call up their issuer, say it was fraud, and the money comes out of the merchant's account.  The merchant has very little recourse.

In summary:

1)  3DS should reduce fraud, at least for participants, and at least until new methods are invented/implemented to capture cardholder's PINs.
2)  3DS should reduce repudiation, by making it harder for those who wish to raise the specter of fraud to get out of paying for a product or service.
3)  3DS will give some security (and a better rate) to mail order merchants who currently have none.
4)  3DS does break new legal ground, and I'm sure in time the courts or legislature will have to sort it out.  Some jurisdictions already have, I think JLR mentioned a pro-consumer law in France.

There's good and bad in there, but ultimately, the consumer decides if they want to participate.  I haven't been forced to participate in VbV on any of my cards, and I hold cards (through aquisition/mergers, etc) with the biggest issuers in the US.  If I were forced to participate, I'd go elsewhere, whether it's another issuer or another brand (discover, amex, etc).  There's nothing wrong with that.

It sounds like you have someone who wants to implement a feature in such a way that it can be disabled, where's the harm?  Refusing to allow it to be put in only raises the barriers to adopting ofbiz.  Those who wish to implement 3DS will implement it in ofbiz, or will choose a product that does so OOTB.

Chris Lombardi

> From: [hidden email]
> To: [hidden email]
> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]
> Date: Mon, 20 Oct 2008 01:19:27 -0600
>
>
> Interesting, it's like Verified by Visa but more crafty. With VbV you  
> could keep your cards more secure to you by not signing up for an  
> account. In other words if you don't have a VbV account then no one  
> can somehow get your username and password and make charges on your  
> card that you can't do anything about, ie charges you're stuck with  
> because the normal credit card protections don't apply.
>
> With 3D Secure, if they use the same username/password that you use  
> for online banking and you can't opt out of 3D Secure, then you get to  
> move to a bank that doesn't do 3D Secure, or deal with the fact that  
> if anyone gets your online account's username/password then you're in  
> big trouble and you'll get no help.
>
> The scary thing is that many people won't be aware of this additional  
> risk, and that the protection is NOT for the consumer, it is for the  
> credit card company, payment processor company, and merchant bank, and  
> also the merchant/vendor. I'm guessing they won't advertise that fact,  
> at least until a law comes along that requires it.
>
> Oh well, wonderful world we live in. I may be outvoted in this, but  
> just like Verified by Visa this is the sort of feature I'd like to see  
> never make it into OFBiz.
>
> -David
>
>
> On Oct 20, 2008, at 12:04 AM, Raj Saini wrote:
>
> > David,
> >
> > AFAIK, 3D secure is similar to "Verified by Visa" in addition to  
> > that it also supports Mastercard. In 3D secure customer authenticate  
> > with their banker (issuer bank) and not the Visa or MasterCard site  
> > and yes they waives the right to repudiation as they use their bank  
> > userid/password to authenticate.
> >
> > I know some of the merchant banks in UK made it mandatory to use 3D  
> > secure for CC processing. I am not sure how useful it could be for  
> > end customers but vendor have little choice when their merchant bank  
> > makes it mandatory to use 3D secure as part of CC processing. Only  
> > alternative is to switch to the other merchant bank which may not be  
> > feasible sometime.
> >
> > Thanks,
> >
> > Raj
> >
> > David E Jones wrote:
> >>
> >> On a side note, is 3D Secure like the old "Verified by Visa" thingy  
> >> that was supposed to make things more secure for "customers" but by  
> >> using it customers actually waived the right to repudiation. In  
> >> other words, if someone was able to get your CC information and  
> >> Verified by Visa username/password then they could commit fraud and  
> >> Visa wouldn't help you out with it at all.
> >>
> >> In other words, for your extra pain of signing up and using the  
> >> problem, the customer was rewarded by not being able to repudiate  
> >> fraudulent charges.
> >>
> >> If the same is true for 3D Secure then chances are it won't be on  
> >> the radar for very long... when was the last time anyone here was  
> >> asked to implement for Verified by Visa?
> >>
> >> -David
> >>
> >>
> >> On Oct 19, 2008, at 11:05 PM, Christopher L wrote:
> >>
> >>> Yes, it's a complete rethink on how to ensure non-repudiation.
> >>>
> >>> It's also less of a "call to a gateway" as it is a redirection to  
> >>> the card issuer.  The goal is to keep the PIN from the merchants  
> >>> and card processors.
> >>>
> >>> Here's the flow, IIRC.
> >>>
> >>> 1.  User enters in a CC number into a storefront.
> >>> 2.  Storefront queries the CC number to determine participation in  
> >>> 3dsecure.
> >>> 3.  Response and issuer authentication url is returned.
> >>> 4.  Storefront redirects the user to the card issuer, with an  
> >>> encrypted payload.  This could be in a pop-up.
> >>> 5.  User authenticates with card issuer.
> >>> 6.  Card issuer redirects the user back to the storefront with a  
> >>> code in an xml doc signed by the issuer.
> >>> 7.  Storefront adds the code to the authorization that is sent to  
> >>> the credit card processor.
> >>>
> >>> In my experience, merchants get very worried (and rightly so)  
> >>> about the redirection/pop-up because you lose control of the  
> >>> user.  It's essential to make it a smooth experience.  If it's  
> >>> not, you lose sales because the customers don't come back from the  
> >>> redirect.
> >>>
> >>> Chris Lombardi
> >>>
> >>>> Date: Sun, 19 Oct 2008 13:27:43 -0700
> >>>> From: [hidden email]
> >>>> To: [hidden email]
> >>>> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure  
> >>>> Credit Card with ofbiz.]
> >>>>
> >>>> I did not catch that, thanks, Chris.
> >>>> This would be a independent service that the different CC  
> >>>> services could
> >>>> call it while building thier call to the gateway they are using.
> >>>> it would still be in the third party service.
> >>>> 3DsecureService.java
> >>>>
> >>>>
> >>>> Christopher L sent the following on 10/19/2008 1:02 PM:
> >>>>> 3D Secure isn't a payment processor.  It's a supplemental  
> >>>>> authentication service that authenticates the cardholder to the  
> >>>>> *card issuing bank*.
> >>>>>
> >>>>> The output of 3D Secure is an encrypted hash (not a payment  
> >>>>> auth) that is then sent via your normal payment authorization  
> >>>>> service.
> >>>>>
> >>>>> So, you really can't implement ccAuth, ccCapture, etc.
> >>>>>
> >>>>> Sarvesh is trying to find out where in the checkout process this  
> >>>>> additional authentication step could go to then be utilized by  
> >>>>> all the payment authorization services.  I'm familiar with 3D  
> >>>>> Secure, but unfortunately not familiar with the ofbiz ecommerce  
> >>>>> module, or I'd suggest something myself.
> >>>>>
> >>>>> Chris Lombardi
> >>>>>
> >>>>>> Date: Sun, 19 Oct 2008 12:41:03 -0700
> >>>>>> From: [hidden email]
> >>>>>> To: [hidden email]
> >>>>>> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure  
> >>>>>> Credit Card with ofbiz.]
> >>>>>>
> >>>>>> I read
> >>>>>> http://docs.ofbiz.org/display/OFBIZ/Credit+Card+3D+Secure++Authentication+Integration+with+ofbiz
> >>>>>> and see no difference than using the CC service called by
> >>>>>> PaymentGatewayServices
> >>>>>> all the services now, had web interfaces at one time.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Raj Saini sent the following on 10/19/2008 8:43 AM:
> >>>>>>> BJ,
> >>>>>>>
> >>>>>>> 3D secure is not same as normal CC authorization. 3D secure  
> >>>>>>> has a issuer
> >>>>>>> bank authentication and it happens in 2 phases. And that is  
> >>>>>>> the reason
> >>>>>>> this proposal is to make 3D secure generic enough to integrate  
> >>>>>>> with
> >>>>>>> OFBiz so that it can easily hooked up in other payment  
> >>>>>>> processors.
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>>
> >>>>>>> Raj
> >>>>>>>
> >>>>>>> BJ Freeman wrote:
> >>>>>>>> look at the third party code under the financial folder.
> >>>>>>>> applications\accounting\src\org\ofbiz\accounting\thirdparty
> >>>>>>>> provide
> >>>>>>>> ccAuth
> >>>>>>>> ccCapture
> >>>>>>>> at a minimum
> >>>>>>>> and
> >>>>>>>> ccRefund
> >>>>>>>> ccRelease
> >>>>>>>> ccCredit
> >>>>>>>> ccAuthCapture
> >>>>>>>> if the provider supports them.
> >>>>>>>>
> >>>>>>>> http://docs.ofbiz.org/display/OFBIZ/OFBiz+Beginner%27s+Development+Guide+Using+Practice+Application
> >>>>>>>>
> >>>>>>>> see part 1
> >>>>>>>>
> >>>>>>>> Sarvesh sent the following on 10/17/2008 7:26 AM:
> >>>>>>>>
> >>>>>>>>> Hi,
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> I want to discuss integration 3D Secure Credit Card with  
> >>>>>>>>> ofbiz. I
> >>>>>>>>> have got
> >>>>>>>>> it working(using protx simulator) by changing some of ofbiz  
> >>>>>>>>> files but
> >>>>>>>>> still
> >>>>>>>>> it is not generic so I want to discuss it with the user  
> >>>>>>>>> community to
> >>>>>>>>> make it
> >>>>>>>>> generic for general usage.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Thanks
> >>>>>>>>> Sarvesh.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>
> >>
> >>
> >
>
Reply | Threaded
Open this post in threaded view
|

Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]

Jacques Le Roux
Administrator
In reply to this post by Jacques Le Roux
Oops sorry, traduced should have been translated here (traduction is the word for translation in French)

Jacques

From: "Jacques Le Roux" <[hidden email]>

> Of course if the bank advertises or/and guarantees the payment it's another story.
>
> In France we have some laws for that http://tinyurl.com/6jq5fe
> Article L132-4 says for instance (automatically traduced)
> <<The responsibility of the tenured one of a mentioned card to the item L. 132-1 is not engaged if the protested payment was
> carried
> out frauduleusement, from afar, without physical usage of his card.  All the same, his responsibility is not engaged in case of
> forgery of his card to the direction of the item L. 163-4 and if, at the protested operation, it was in physical possession of his
> card.  In the foreseen cases to the two preceding indentations, if the tenured one of the card protests in writing to have carried
> out a payment or a collection, are protested them him are recréditées on his account by the transmitting one card or returned,
> without expense, at the latest in the delay of a month to count reception of the dispute.  >>
>
> Is there anything like that in other countries ?
>
> BTW, it's no CC related but did you know that http://www.iht.com/articles/2008/10/19/europe/19sarkobankFW.php ?
>
> Jacques
>
> From: "Jacques Le Roux" <[hidden email]>
>> From: "David E Jones" <[hidden email]>
>>> Oh well, wonderful world we live in. I may be outvoted in this, but  just like Verified by Visa this is the sort of feature I'd
>>> like to see  never make it into OFBiz.
>>>
>>> -David
>>
>> +1 : don't support evil !
>>
>> Jacques
>

Reply | Threaded
Open this post in threaded view
|

RE: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]

Christopher L
To half answer your question, I'm not sure if it's law, but it is common practice.

A similar situation occurred when Visa/MC branded debit cards hit the market.  These are Visa/MC "credit cards" that take the money direct from a checking account as purchases are made.

When they were introduced, there wasn't such strong fraud protection in practice.  If there were any protection the general practice was somewhat onerous, including the bank holding the cash in dispute until there was a resolution.  Now there are much more generous protections in place.

I imagine something similar might happen with VbV.  But it won't happen before it becomes more widespread.

My 2c.

C

> From: [hidden email]
> To: [hidden email]
> Subject: Re: [Fwd: Re: I want to discuss integration 3D Secure Credit Card with ofbiz.]
> Date: Mon, 20 Oct 2008 16:32:57 +0200
>
> Oops sorry, traduced should have been translated here (traduction is the word for translation in French)
>
> Jacques
>
> From: "Jacques Le Roux" <[hidden email]>
> > Of course if the bank advertises or/and guarantees the payment it's another story.
> >
> > In France we have some laws for that http://tinyurl.com/6jq5fe
> > Article L132-4 says for instance (automatically traduced)
> > <<The responsibility of the tenured one of a mentioned card to the item L. 132-1 is not engaged if the protested payment was
> > carried
> > out frauduleusement, from afar, without physical usage of his card.  All the same, his responsibility is not engaged in case of
> > forgery of his card to the direction of the item L. 163-4 and if, at the protested operation, it was in physical possession of his
> > card.  In the foreseen cases to the two preceding indentations, if the tenured one of the card protests in writing to have carried
> > out a payment or a collection, are protested them him are recréditées on his account by the transmitting one card or returned,
> > without expense, at the latest in the delay of a month to count reception of the dispute.  >>
> >
> > Is there anything like that in other countries ?
> >
> > BTW, it's no CC related but did you know that http://www.iht.com/articles/2008/10/19/europe/19sarkobankFW.php ?
> >
> > Jacques
> >
> > From: "Jacques Le Roux" <[hidden email]>
> >> From: "David E Jones" <[hidden email]>
> >>> Oh well, wonderful world we live in. I may be outvoted in this, but  just like Verified by Visa this is the sort of feature I'd
> >>> like to see  never make it into OFBiz.
> >>>
> >>> -David
> >>
> >> +1 : don't support evil !
> >>
> >> Jacques
> >
>