Mastercard Hosted Checkout Tokenised Cards - payment

This is something we've asked Mastercard about, however, I haven't been able to get a clear answer from them. Perhaps someone has implemented this and can assist. In our initial emails with them, it was implied that the Hosted Checkout can work with tokenized cards.
We are implementing the Hosted Checkout solution from Mastercard into our mobile app. We've been using these integration guidelines.
We are doing a two-step journey, where we are performing a VERIFY using the Hosted Checkout, and submitting the PAY operation afterward in a separate call.
The user has the option after going through the Hosted Checkout to save (tokenize) their card through MPGS.
The bit I'm stuck on: Is it possible to supply a card token to the Hosted Checkout, so that the user can verify an existing card if needed through a 3DS2 flow, without having to enter the card details again?
I've tried sending the card token through to the CREATE_CHECKOUT_SESSION request, but this seemingly has no impact - the user still needs to enter their card details, and then, because they have card details entered, those override any token for the payment.
Any ideas are greatly appreciated.

You can use the API process for this tokenization part.
URL: https://test-gateway.mastercard.com/api/rest/version/62/merchant/{merchantId}/order/{orderid}/transaction/{transactionid}
HTTP Method :PUT
Request
{
"apiOperation":"PAY",
"order":{
"amount":"1.25",
"currency":"LKR"
},
"session":{
"id":"SESSION0002257639145N66745126J0"
},
"sourceOfFunds":{
"token":"9407378747428845",
"type":"CARD"
}
}

Related

How to add credit card using Braintree Hosted Fields with 3D Secure verification

I have a credit card addition as a separate step in the flow. That means I'm creating credit cards via Braintree Hosted Fields without running a transaction. To use vaulted credit cards for future transactions.
As I understand it right (correct me if I'm wrong), I can and should verify credit cards on their creation by running 3d Secure verification.
There are two things I'm not sure about:
Should I even run 3d Secure verification when adding a credit card?
If yes, what should be passed in the threeDSecureParams.amount (cause eventually, the amount is set between $0 and $1 by the 3D Secure processor)?
threeDSecureParams = {
cardAddChallengeRequested: true,
bin: tokenizeData.details.bin,
email: email,
nonce: tokenizeData.nonce,
amount: 1
}
P.S. As I didn't find a clear answer in the Braintree doc and by googling, while I'm waiting for Braintree support to get a reply on this, I've decided to see how you guys managed to set such flow.
I really appreciate any help/opinion.

How to handle Stripe 3D Secure when creating a PaymentMethod on the client for multiple charges on the server

In my marketplace I have a requirement to:
Have a customer enter their card details
Once card details are submitted, process multiple charges against that card on the server side
I'm using stripe.js and creating a PaymentMethod on the client side using stripe.createPaymentMethod()
The ID of the PaymentMethod is posted to the server, which then does the following via the Stripe API library for PHP:
Retrieves the PaymentMethod from Stripe using the posted ID
Creates a Customer on Stripe, specifying the 'payment_method'
Creates multiple PaymentIntents, specifying the 'payment_method', the 'customer', 'save_payment_method' as true and 'confirm' as true.
I'm now wanting to handle scenarios where Stripe requires the use of 3D Secure.
Is there any way that 3D Secure verification can take place on the client, prior to the request to the server, whilst using stripe.createPaymentMethod() ?
If not, what alternative do I have?
It seems that a user completing the 3D Secure steps returns only a PaymentIntent. I don't believe I'm able to use this to make multiple charges against the card. This is whole reason for using createPaymentMethod() on the client in the first place.
Any ideas on how to go about this?
Is there any way that 3D Secure verification can take place on the client, prior to the request to the server, whilst using stripe.createPaymentMethod() ?
The approach to handle 3D Secure authentication on the client is to either use the confirmCardPayment [0] or handleCardAction [1] methods on Stripe.js. Unless you have specific needs, you would most likely want to use confirmCardPayment and follow this guide here:
https://stripe.com/docs/payments/accept-a-payment
I should note, that both these methods only work to process one payment at a time. In your case, you have multiple payment intents, so you would need to call either of the methods once per transaction. That is, if you have three payment intents you would need to call confirmCardPayment three times, repeating the last step in the guide [2] that many times as well.
This means that it is technically possible (but unlikely) that your users may have to authenticate multiple times to process each of their payments.
Unfortunately, there are really no workarounds for this. Even if you were to setup a user's card with SetupIntents [3] and charge them off-session at a later date, there is still a risk that you would need to bring user's back on-session to authenticate each individual payment intent.
All this being said, the majority of your users probably won't run into a scenario where they would need to authenticate multiple times in a row.
The only other option would be to create a single payment intent that covers the full cost of your product/service, which would allow you to call confirmCardPayment just once.
[0] https://stripe.com/docs/js/payment_intents/confirm_card_payment
[1] https://stripe.com/docs/js/payment_intents/handle_card_action
[2] https://stripe.com/docs/payments/accept-a-payment#web-submit-payment
[3] https://stripe.com/docs/payments/save-and-reuse

PayPal and Microsoft WebAPI: best security approach

I'm creating a WebApi project that aims to handle payments in my project.
Actually, my approach is like:
CreatePaymentMethod(creates the payment, contact paypal and redirect the user to the payment page. If payment is done, redirect to PaymentApprovalMethod)
PaymentApprovalMethod (confirm the payment on my system, allowing the user to access the content)
What I'm wondering is... What if an users directly creates a message to invoke the PaymentApprovalMethod?
Suppose:
- CreatePaymentMethod is called, user sniffs with Fiddler the Transaction ID of the redirect
- Creates and adhoc call of the PaymentApprovalMethod like.
I see two possibles scenario to handle this situation:
Restrict (I don't know how) the calling of PaymentApprovalMethod to the messages from Paypal only
Cross Check the payment inside the PaymentApprovaMethod (ok, user, you said the transaction ID 123 is done, I'll contact paypal to verify this before trust this call)
The second one seems more safe but also more "time / resource" problematic..
Do I'm missing something? Is there something else I can do to avoid this problem?
Take a look at Instant Payment Notification (IPN). PayPal's system will POST transaction data to a listener script that you setup for all transactions on your account, be it a payment, refund, dispute, cleared payment (from pending), etc. You can use this to completely automate many post-payment procedures.
Part of your IPN listener will include a call back to PayPal's server to verify that the data actually came from them. You can then log IPN's separately, and only process verified IPN's, which means you know somebody didn't just POST directly to it on their own.
Some people do go a step further and only accept traffic to that script from PayPal's IP addresses, however, they do change their addresses quite a bit and I think that just becomes a hassle. The verification has always been enough for me.
IPN is definitely what I would recommend for you.

PayPal returnURL security

Summary: I want to use the returnUrl as a proof that the transaction has been accepted by PayPal.
I'm implementing a very basic purchase workflow based on PayPal.
Everything works nice, the User clicks on pay, the User goes to PayPal, PayPal sends the User to my returnURL... and I'm accepting the payment in this last step.
I know I would have to implement an IPN endpoint and accept the payment there, but this project is very basic and I'm too old or too lazy to implement all this asynchronous behavior which can be a hell of edge-cases.
Would be nice if I would just make the returnUrl more confident, difficult to fake.
I was thinking that there would be the possibility that in the returnURL there would be included a checksum signature based in a secret key stored in the PayPal account and in the actual transaction token
I don't know if this exists, I didn't find any of this into the documentation, any suggestion to make the returnUrl more confident is welcome.
Also if someone thinks I'm completely wrong and the returnUrl is never gonna be a proof that the transaction has been accepted please express your self.
When you're just doing the return URL you need to post to PayPal again to verify the transaction using your PDT token.
Say your return URL is Thanks.aspx:
"From the code-behind of Thanks.aspx, you'll parse the tx value and make an HTTP POST to https://www.paypal.com/cgi-bin/webscr with the following parameters: cmd=_notify-synch&tx=[TransactionID]&at=[PDTIdentityToken]."
This will respond with whether or not that request was valid.
The problem is that this page isn't guaranteed to get hit. The user could close their browser, or their internet could get cut off, or anything else.
The IPN will be getting hit from PayPals servers, and you really can't beat that.
It's pretty easy to set up, but I suggest reading through this document which will explain the PDT and IPN methods, and gives an easy way to figure out what you need.
http://www.codeproject.com/Articles/42894/Introduction-to-PayPal-for-C-ASP-NET-developers?msg=4382854#xx4382854xx
After completing an installation for Express Checkout I realised how it could be exploited.
Even though I am creating a unique invoice number and returning to mark that as paid, I found that it could still be exploited by a user changing the invoice parameter in the return link. Of course there were already checks to ensure that any invoice could only be paid once, but I needed to make it hack proof.
So what I finished up doing was adding some extra checks to ensure that the invoice in question was the last invoice assigned to that user. Yes, the same session ID is maintained aven after a visit to Paypal and back.

Securing a payment gateway POST

I'm setting up a payment gateway on our site that we can post information to via php (so all information is hidden from prying eyes) which will post to authorize.net, post back to our gateway and post back to our current page. The purpose for this is to give us a streamlined method of processing payments and easier debugging.
I have an auth key that is required to be posted to our gateway for the transaction to be processed. Is it worth it for me to secure a list of approved URLs to accept posts from, or is that too easily manipulated?
Do you have any other ideas on what I should focus on in regards to securing my gateway?
update
This gateway has a login/key pair used for authorize.net that it submits to. I have a 64 digit md5 encoded key that I use for domain.com to communicate with gateway.domain.com which happens of course over SSL. I'm inquiring as to whether that key is enough. Given, anyone with that key could run a transaction, but why would they... it would only be giving us money.
A list of approved URLs will do very little to protect your gateway:
curl -H "Referrer: http://happy.example.com" -D "pay_to=evil#example.com&amount=$100,000" http://example.com/gateway.php
You should take a look at using something like OAuth, where each request contains a unique token that only an authorized actor could provide.
Also remember that POSTing data only provides the illusion of security. It's easy (nay, trivial) to see what data is posted.
Oh, and this should be a no-brainer, but make sure you're using SSL.

Resources