• Resolved m22878

    (@m22878)


    Is there a hook or something I can use to prevent orders from being placed unless the 3DS returned Y for authenticated? I know how to retrieve the 3DS response, but how would I stop the order from going through based on the response? I would actually like to prevent even the payment authorization from going through if the 3DS doesn’t return Y for authentication. Is this possible?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Support Syde Joost

    (@joostvandevijver)

    Hello @m22878

    Thank you for reaching out to us, we are here to help.

    Your question does not have a default response and there is no existing solution for this. Getting this to work will most likely require custom development.

    You probably would need to use the Authorize intent and then programmatically capture/void based on the response: https://github.com/woocommerce/woocommerce-paypal-payments/wiki/Actions-and-Filters#programmatically-capture-void-or-refund-a-paypal-order

    There might be an issue with the fact that the plugin currently doesn’t display the 3D Secure data when using Authorize intent: https://github.com/woocommerce/woocommerce-paypal-payments/issues/1799
    So you can try this setup, but we are not sure if this would get you a solution for the requirement you have.

    Please let us know if you have any follow-up questions on this.

    Kind regards,
    Joost

    Thread Starter m22878

    (@m22878)

    What does the void order function do? Will the order still register on the site with the status set to failed? Or something else will happen? Will the card be authorized for the order amount before this can be triggered or will this be able to void the order before the card has been authorized? I’m aware of the issue with authorization intent and 3DS data. I’ve already addressed that.

    Thread Starter m22878

    (@m22878)

    Does the 3DS response come before the payment authorization attempt or after it? This is all I need to know at this point. Is there a hook I can use to bypass the authorization attempt if it comes after the 3DS response?

    Right now I can void the authorization based on the 3DS response and set the order to failed status, but it would be better if I could not even do the payment authorization in the first place so that the customer could use the pay button to resubmit payment on the failed order.

    Right now, since I am voiding the authorization instead of bypassing it, the customer cannot use the pay button on the failed order because the invoice number already has a voided authorization on it and you cannot reuse the invoice number through PayPal on a second authorization.

    Plugin Support Syde Joost

    (@joostvandevijver)

    Hello @m22878

    I will try to answer your questions, but I am not sure that all questions/issues can be addressed/resolved here. Let me give you my response to them individually:

    Q1: What does the void order function do? Will the order still register on the site with the status set to failed? Or something else will happen? Will the card be authorized for the order amount before this can be triggered, or will this be able to void the order before the card has been authorized?

    When an initial payment for a subscription is being made, the plugin will first authorize the initial payment and then ask the PayPal server to vault/save the payment method for future renewals. So when it vaults the payment method, the authorization of the payment is already approved. The void activity is done in cases where the plugin or server believes the authorized payment is not valid any longer and is being cancelled (not approved/captured). The card should be authorized for the order amount, but this, in some cases, can be adjusted within a 115% or a $75 change. If the change is bigger, the PayPal server could send an error response.

    Q2: Does the 3DS response come before the payment authorization attempt or after it? This is all I need to know at this point. Is there a hook I can use to bypass the authorization attempt if it comes after the 3DS response?

    For this I had to contact our developer, but this was his response:

    3DS response comes before payment is captured or authorized, you can see the flow by enabling logging:
    1. POST https://api-m.sandbox.paypal.com/v2/checkout/orders
    2. 3DS authentication result: Array ( [liability_shift] => POSSIBLE [three_d_secure] => Array ( [enrollment_status] => Y [authentication_status] => Y ) )
    3. POST https://api-m.sandbox.paypal.com/v2/checkout/orders/ABC123/capture (or authorize)

    There is no dedicated hook for bypassing 3DS authorization attempt but all requests could be modified through this filter: https://github.com/woocommerce/woocommerce-paypal-payments/blob/trunk/modules/ppcp-api-client/src/Endpoint/RequestTrait.php#L43

    Q3: …because the invoice number already has a voided authorization on it, and you cannot reuse the invoice number through PayPal on a second authorization

    It’s not recommended, but this could be worked around by disabling the feature that prevents double payments with the same invoice ID.

    Hopefully these answers will help you further. Let me know if there is anything you require.

    Kind regards,
    Joost
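
An added example, not part of the original thread or the plugin's code: a log audit over the three-step flow quoted in the reply above, flagging every capture/authorize call that was not preceded by a 3DS result with `authentication_status` Y. The log lines are constructed from the format shown in the reply; treating `liability_shift` POSSIBLE as the passing value and assuming one checkout at a time in the log are assumptions.

```python
import re

# Constructed sample log, modelled on the three-step flow quoted in the reply.
SAMPLE_LOG = """\
POST https://api-m.sandbox.paypal.com/v2/checkout/orders
3DS authentication result: Array ( [liability_shift] => POSSIBLE [three_d_secure] => Array ( [enrollment_status] => Y [authentication_status] => Y ) )
POST https://api-m.sandbox.paypal.com/v2/checkout/orders/ABC123/capture
POST https://api-m.sandbox.paypal.com/v2/checkout/orders
3DS authentication result: Array ( [liability_shift] => NO [three_d_secure] => Array ( [enrollment_status] => Y [authentication_status] => N ) )
POST https://api-m.sandbox.paypal.com/v2/checkout/orders/DEF456/authorize
POST https://api-m.sandbox.paypal.com/v2/checkout/orders
POST https://api-m.sandbox.paypal.com/v2/checkout/orders/GHI789/capture
"""

FIELD = re.compile(r"\[(\w+)\] => (\w+)")  # one print_r "[key] => value" pair
CREATE = re.compile(r"POST \S+/v2/checkout/orders$")
SETTLE = re.compile(r"POST \S+/v2/checkout/orders/(\w+)/(capture|authorize)$")

def audit(log_text):
    """Return (order_id, action, reason) for each settle call lacking a passing 3DS result."""
    findings = []
    result = None  # 3DS fields seen since the last order creation
    for line in log_text.splitlines():
        line = line.strip()
        if CREATE.search(line):
            result = None  # new order: forget the previous result (fail closed)
        elif "3DS authentication result:" in line:
            result = dict(FIELD.findall(line))
        else:
            m = SETTLE.search(line)
            if not m:
                continue
            if result is None:
                reason = "no 3DS result logged"
            elif result.get("authentication_status") != "Y":
                reason = "authentication_status=" + result.get("authentication_status", "missing")
            elif result.get("liability_shift") != "POSSIBLE":  # assumed passing value
                reason = "liability_shift=" + result.get("liability_shift", "missing")
            else:
                reason = None
            if reason:
                findings.append((m.group(1), m.group(2), reason))
            result = None  # a result is consumed by exactly one settle call
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```
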

    Thread Starter m22878

    (@m22878)

    Can you explain this below in more detail? My dev doesn’t understand how to use this filter in order to bypass the authorize payment request based on the 3DS response. He seems to suggest he cannot see the 3DS response before the authorize payment request and doesn’t know how to use this filter in order to create a conditional that would bypass the authorize request based on the response of the 3DS.

    If 3DS response returns anything other than authenticated: Y response we want to bypass the authorize payment request. Can you give any more direction?

    There is no dedicated hook for bypassing 3DS authorization attempt but all requests could be modified through this filter: https://github.com/woocommerce/woocommerce-paypal-payments/blob/trunk/modules/ppcp-api-client/src/Endpoint/RequestTrait.php#L43

    Plugin Support Syde Joost

    (@joostvandevijver)

    Hello @m22878

    Thank you for your response. I discussed this within our support team, but we also don’t know how it could be used to achieve what you are looking for. This is a customization we cannot assist with within the scope of our plugin support, and we do not have the resources to assign a dev to this type of request.

    We do have an open feature request for more 3DS and fraud prevention capabilities (including hooks to more easily detect the events), but there isn’t a lot of demand for it at this time and it will take more time before it will be picked up and implemented. Hopefully, next year, we have an opportunity to provide more entry points for users to more easily customize the behavior. I will link this thread to the feature request so we can update you once this becomes available.

    My apologies that we could not help you on this request.

    Kind regards,
    Joost

    Thread Starter m22878

    (@m22878)

    We added a hook to the core code. Can you merge this upstream? This hook allows you to create security filters that will reject orders and return an error message before the payment authorization has occurred. You can rename the hook, obviously.

    We created a filter so that if the 3DS doesn’t return Authenticated: Y, Liability Shift: Yes then it returns an error saying they need to try a different card, and it does this before the payment is ever authorized on their card, which is important.

    With this filter, we never have to worry about chargebacks because every credit/debit transaction will have the 3DS liability shift.


    Plugin Support Syde Joost

    (@joostvandevijver)

    Hello @m22878,

    I have created a request for this and will try to get this discussed on our next backlog meeting. Hopefully I will have a response for you soon on this request.

    Kind regards,
    Joost

  • The topic ‘Prevent orders without 3DS Authentication’ is closed to new replies.