Poking at 3D Secure

The list of andrological profanities which would adequately describe the fucktard(s) who devised the 3D Secure protocol is vast. But nonetheless, it’s going to become more prevalent [read: mandatory].

I spent a few hours looking through sample implementations, as well as the work of people who had extended activemerchant. But this, together with some opaque high-level documentation, wasn’t really giving me much insight into how you’d work 3D Secure into an existing app, perhaps one using an antiquated version of activemerchant or a hand-rolled solution.

As a preamble to all of the above, I’ll ignore activemerchant, rails, etc. and just start playing about with the constituent parts in ruby. Remember a_m (activemerchant) is just a convenient way of abstracting all of those calls to payment gateways that you don’t really want in your models. It’s just a specialised http client.

With that in mind, let’s forget about abstracting stuff and just make a call to a gateway (I’m using Sage Pay*, but the general flow is universal):

Here I passed it the PaRes and MD strings that the gateway gave me when I posted the customer’s credit card details. You’d do this after they’ve successfully completed the 3D Secure validation. The response should come back with the status ‘OK’, which completes the transaction (update your ActiveRecord object!).

The Net::HTTP library is a great alternative to cURL for making secure http requests, and I found it easier to probe gateway behaviour with this than by debugging a_m.

Just remember, all you’re doing is working with a pair of values (PaReq & MD or something similar), passing them:

  1. From the issuer to the app
  2. From the app to the card issuer
  3. From the card issuer back to the app
  4. From the app to your gateway
  5. From the gateway back to your app again

If you can grab their values (they’re immutable AFAIK) and poke the gateway independently with a quick & dirty script, you’ll probably pick up the principle quicker than by reading 20 pages of documentation interspersed with ASP examples.
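As an added example (not code from the original post), here is what step 4 of that list looks like in plain Net::HTTP: the app hands the PaRes and MD it got back from the issuer to the gateway and checks for a Status of ‘OK’, as described above. The endpoint URL, the PARes/MD field names and the CRLF-separated Key=Value response format are assumptions about a Sage Pay-style gateway, not details taken from the post; check them against your gateway’s own documentation.

```ruby
require "net/http"
require "uri"

# Endpoint is a placeholder (assumption), not a real gateway URL.
GATEWAY_3DS_CALLBACK = URI("https://gateway.example.test/3dcallback")

# Gateways of this style answer with CRLF-separated "Key=Value" lines,
# e.g. "Status=OK\r\nStatusDetail=...". Parse that into a Hash.
def parse_gateway_response(body)
  body.split(/\r?\n/).each_with_object({}) do |line, fields|
    key, value = line.split("=", 2)
    next if key.nil? || key.strip.empty?
    fields[key.strip] = value.to_s.strip
  end
end

# Only a Status of exactly "OK" completes the transaction. Anything else
# (declined, malformed request, gateway error) must not be recorded as paid.
def authorised?(fields)
  fields["Status"] == "OK"
end

# Post the PaRes/MD pair to the gateway over TLS and return the parsed
# response. Field names are assumptions; certificate verification stays at
# Net::HTTP's default (VERIFY_PEER), so do not switch it off when debugging.
def complete_3d_secure(pares, md, uri = GATEWAY_3DS_CALLBACK)
  request = Net::HTTP::Post.new(uri)
  request.set_form_data("PARes" => pares, "MD" => md)
  response = Net::HTTP.start(uri.host, uri.port, use_ssl: true,
                             open_timeout: 10, read_timeout: 30) do |http|
    http.request(request)
  end
  raise "gateway returned HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)
  parse_gateway_response(response.body)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample response (not a real capture) so this runs offline.
  sample = "Status=OK\r\nStatusDetail=0000 : The Authorisation was Successful.\r\n"
  fields = parse_gateway_response(sample)
  puts "status=#{fields['Status']} paid=#{authorised?(fields)}"
end
```

Swap the constructed sample for a real call to `complete_3d_secure(pares, md)` once you have the values from a live 3D Secure round trip.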

* Sage Pay (what used to be called Protx) have changed all their URLs. Details here.