Understand 3D-Secure support

The following diagram illustrates how credit card payments are handled in a generic payment gateway that implements 3D-Secure support:

This illustration is described in the surrounding text.

The payment processing involves the following steps:

  1. When the shopper clicks Place Order, the storefront invokes the createOrder endpoint of the Store API . The endpoint sends the order information to the Commerce Cloud server.

  2. When the server receives the order submission, it invokes the Generic Payment webhook, which posts an authorization request to the merchant.

  3. The merchant and the card issuer communicate to determine whether 3D-Secure is required, and whether the shopper is enrolled in the card issuer’s 3D-Secure program. If 3D-Secure is required and the shopper is enrolled, the card issuer sends an ACS (access control server) URL to the merchant.

  4. The merchant sends the webhook response to the Commerce Cloud server. If 3D-Secure is required for the transaction, the merchant includes the response code 10000 (PAYER_AUTH_REQUIRED). The merchant supplies the ACS URL and other data needed for invoking the 3D-Secure authentication page on the card issuer’s website.

  5. The Commerce Cloud server sends the data it receives in the webhook response, including the 3D-Secure data, to the storefront in the createOrder endpoint response. The uiIntervention property for the payment group is set to true in the response to indicate that 3D-Secure authentication is required.

  6. The storefront posts a payment request to the card issuer’s website to invoke the 3D-Secure authentication page. The request includes data returned from the merchant in the webhook response.

  7. The card issuer displays the authentication page.

  8. The shopper fills out the authentication form and submits it.

  9. The card issuer and the merchant communicate to determine if the shopper authenticated successfully, and if so, whether to authorize the transaction..

  10. The merchant constructs an authorization response and sends it to the Commerce Cloud server using the POST /ccstore/v1/payment/genericCardResponses endpoint.

  11. Meanwhile, after posting the payment request to the issuer’s website, the storefront begins polling the Commerce Cloud server using the getPaymentGroup endpoint to detect when the server receives the authorization response from the merchant.

  12. When the Commerce Cloud server receives the authorization response from the merchant, the server includes the data from the merchant in the getPaymentGroup endpoint response it sends to the storefront.

These steps are described in greater detail below.

Note: 3D-Secure is not applicable to payment requests that originate from the Oracle Commerce Cloud Agent Console. If the value of the channel property in a Generic Payment webhook request is agent, the merchant should map the transaction appropriately in the gateway so the card issuer bypasses 3D-Secure.

Copyright © 1997, 2017 Oracle and/or its affiliates. All rights reserved. Legal Notices