Question about 3D Secure

[ashcroft_s]

Hi, we have a customer who wants to use their 3D Secure MPI in a slightly unusual way. This isn't a 'how' question, as we have figured out that we can make their MPI do what they want, this is more of a 'what if' question...

What they want to do is to be able to authenticate (i.e. 3D Secure) for a transaction amount that in some situations may be different to the authorisation amount, with the caveat that in the case where the amounts are different, the authorisation amount will always be the lower amount.

For example, they may want to make the MPI request for £20, but then only actually authorise for £15

We have done some tests and whilst this does appear to work (in that the 3D Secure page comes up showing £20, and the authorisation request for £15 with the VbV results in it does authorise), what we can't confirm to the customer is if that is still actually an authenticated transaction or not. In the event of a chargeback, would they still be covered by the liability shift?

At this time we have not gone back to them and said that this can be done as we don't want them to just press ahead with this. It would be good if we could go back to them and say either:

• It does work, and you will be fine doing this
• It does work, but those transactions will not be 3D Secure even if the authentication was completed, so no liability shift on those.

In an ideal world (for us) the authorisation for £15 would of declined and we could tell them that it can't be done...

Does anyone here have any clues as to how this would be treated? We've not been able to get an answer from their merchant account provider on this.

 

[Optegris]

At a guess I would think that you would get no 3D protection from the merchant account as although the amount is higher it is not the amount being charge to the buyer but only they will confirm this. My second thought is why would you want to take this method in the first place?

 

[ashcroft_s]

That's kind of what we thought would be the case, though we so far have not been able to get an answer one way or the other from the merchants acquirer.

We do the web site development for them, and what they wanted to do was to be able to offer a discount from the final price if (amongst other things) the card holder was authenticated though 3D Secure. That's where it became a bit chicken-and-egg, as you can't know if the card is authenticated (and so can't offer the discount) until after the MPI process has been completed.

I know that if you authorise more than the amount authenticated it's not covered, but have so far not been able to get a definite answer about authorising a lower amount.

 

[kulture]

It does seem an overly complicated way of doing things. Most payment gateways allow an authorisation only stage, where the money is not actually taken from the card, and then a subsequent release stage where the actual money is taken. The release can be less than the authorisation amount. 3D secure applies throughout. This release is normally done an hour (or up to 7 days) latter when the items are picked and packed and, say, one item is out of stock.

Why not do it this way? It is two transactions granted, but there is no rule saying that they cannot both be done immediately after each other.

 

[ashcroft_s]

To use that two-transaction model with their acquirer, they have to change to have every transaction processed that way, they can't choose to have some done that way and not others. It would also mean that they have to then manually accept every transaction as that's how their acquirer system works - and that's not something they want to have to do.

It's looking like we will have to tell them that they only have two options, that either they don't do this or that they will have to accept that even though the card holder gets authenticated the transaction won't be covered by 3D Secure.

 

[kulture]

To use that two-transaction model with their acquirer, they have to change to have every transaction processed that way, they can't choose to have some done that way and not others.

Really? The transaction type is not in the interface per transaction? Consider talking to different payment gateways. Because it is a per transaction field, not a per account field.

 

[ashcroft_s]

I can't see them agreeing to change gateway, so looks like they won't be able to do what they want.

Thanks all.

 

[Optegris]

Is this the Barclays MPI that you bare using for the gateway? If so I can understand it's inflexibility. It's a shocker of a gateway to use.

As Richard said though, pre-auth would be the way to go and someone like sagepay would be able to provide this on some transactions and not on others...

 

[ashcroft_s]

Thanks, I'll have a look round sagepay and see if it would be able to be used in the way they want with their existing system.