Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
From 14th September 2019 any site within the EU will need to comply with the new PSD2 Directive.
Sagepay have issued some information on it which can be found here: https://www.sagepay.co.uk/support/12/36/3d-secure-explained
Has anybody started to look into this? And work out what will need to be changed?
Comment | File | Size | Author |
---|---|---|---|
#23 | commerce_sagepay-3064258-22-3ds2_non-complance.patch | 32.83 KB | mbatterton |
Comments
Comment #2
guy_schneerson CreditAttribution: guy_schneerson commentedThis will only affect the Direct payment method. If you are using Server or Form this should have no implications for your site.
Details about the direct integration can be found at https://www.sagepay.co.uk/library/document/directintegrationandprotocol4...
A couple of points that may be relevant:
- This may give us more time. Needs making sure
I am changing the issue Priority to Major as this can have severe consequences. I think the next step is to figure out what is the timeline if we have until the end of 2020 it is not so pressing.
Comment #3
guy_schneerson CreditAttribution: guy_schneerson commentedJust to add to my previous comment. Looks to me that even if 3Dv1 is supported and the code still works after 19th September 2019 you will not be meeting the EU Directive.
Comment #4
kevster CreditAttribution: kevster commentedGood to be looking at this now, thx for flagging it. I think I will switch to server option to avoid any potential issues or complications.
Comment #5
slipstreamer CreditAttribution: slipstreamer as a volunteer commentedJust a quick note the new EU Payment Services Directive (PSD2) comes into effect on 14 September 2019 not the 19th as declared above.
You can quickly check if this is going to affect you by going to /admin/commerce/config/sagepay and checking the settings under SAGE PAY INTEGRATION OPTIONS.
if you have Server (Including InFrame) or Form (Completely outsourcing your online payments to Sage Pay) ticked then your payment is handled by Sage Pay so they will automatically apply updates as and when they are required.
If you have Direct (The full white-label payment solution) then this will probably be a problem for you as your payment will be handled within your website. If you find you have this option ticked a quicker resolution could be to change it to the server option as suggested by kevster
Comment #6
guy_schneerson CreditAttribution: guy_schneerson commentedComment #7
guy_schneerson CreditAttribution: guy_schneerson commentedThanks, @slipstreamer I have updated the issue description with the correct date.
I have also updated the priority to critical as my understanding is that anyone using the Direct payment method may not have a working payment system in less than 2 weeks.
Comment #8
paulbeaney CreditAttribution: paulbeaney commentedHi Guy and anyone else following this issue,
Here is an initial pass at implementing the V4.00 API for SagePay Dirext (rolled against the dev release). SagePay had problems with their Test environment for a while, but they seem to be up and running now and sending back the expected responses to test data. I don't know whether they have gone live with the API changes yet.
This patch adds a config setting to the admin setting page which allows the API version to be selected, although it should handle any in-flight downgrade to V3.00 which SagePay might impose (as per their documentation: https://www.sagepay.co.uk/support/38/psd2-under-direct-integration).
Regards,
- Paul
Comment #9
paulbeaney CreditAttribution: paulbeaney commentedRe-rolled patch with correct paths.
Comment #10
joekers@paulbeaney thanks for the patch!
I've set the protocol to version 4 but when I get to the 3D secure page and enter the password, the iframe disappears and nothing happens.
Looking in the console log I see there's a POST request that fails:
https://test.sagepay.com/mpitools/null
I'm guessing /null isn't right but I can't see where this URL is generated - I believe it's by Sagepay so I think something may be missing when the form gets submitted.
Any ideas?
Comment #11
joekersIt's strange, now I can't submit the payment form and get the following error in the logs:
The ClientIPAddress is missing.
Comment #12
joekersI've added the client ip address to the parameters and now I'm getting:
The ThreeDSNotificationURL field is required.
Is there somewhere this should be configured?
Comment #13
paulbeaney CreditAttribution: paulbeaney commentedHi joekers,
I think I might need to re-roll the patch as I seem to recall I had to revisit the code and make some changes. I have to confess I have given up going much further with V4 of the API for now as SagePay aren't particularly in a hurry now that the official deadline (in the UK at least) has been pushed way back, and the Test environment has been very flaky for a few months.
I'll try and re-roll the patch early next week for you if that can help.
Regards,
- Paul
Comment #14
joekersThanks for the quick reply Paul - a fresh patch would be great if you get chance.
I've noticed there's less urgency now that the UK deadline has been pushed back. I have a client who accepts EU payments and they have already started seeing declined payments due to the extra authentication checks not being in place.
The Test environment being flaky could be the reason I'm seeing different errors with the POST request failing - what kind of issues were you having with it?
Comment #15
paulbeaney CreditAttribution: paulbeaney commentedHi joekers,
Sorry for the delay - we have other customisations in the module which needed weeding out before I could roll a new, clean patch against DEV. See how you get on with this one. FWIW, I haven't used this code recently so I can't guarantee that SagePay haven't changed anything since last time!
Regards,
- Paul
Comment #16
joekersThanks a lot Paul - really appreciate the new patch!
I'll give it a try and update the patch if Sagepay have made any changes.
Cheers
Comment #17
c_archer CreditAttribution: c_archer as a volunteer and commentedDo you want anybody testing the patch?
Comment #18
keiron CreditAttribution: keiron commentedHi there
I tried implementing the patch, but I'm getting the error message: Call to undefined function commerce_sagepay_protocol() in commerce_sagepay_settings_form()
Does anyone have any idea about how to fix it?
Thanks in advance
Keiron
Comment #19
mbatterton CreditAttribution: mbatterton at Open Imagination commented@paulbeaney - Thank you for creating the patch. I wasn't able to apply the patch so have taken all your references and created a new patch that looks to work nicely for me from version commerce_sagepay 7.x-1.x. I hope this can help someone else as well.
It requires the administrator to set the new API version 4.0 in the SagePay Settings under DirectPayments. I think in the long term this could be removed and the API version could be removed because all payments should now be using version 4.0. Please do test it and feedback.
I do hope some of this finds its way back to the module because, without it, Sage/Opayo will prevent payments from being taken without this by 14 March 2022.
Thanks,
Matt
Comment #20
mbatterton CreditAttribution: mbatterton at Open Imagination commentedThis patch is updated to remove condition
has_js
which was being temperamental and cleared up some repetitive code.Comment #21
keiron CreditAttribution: keiron commentedThanks for this @mbatterton! I'm going to give this a try
Comment #22
mbatterton CreditAttribution: mbatterton at Open Imagination commentedPlease find attached the updated patch, this is based upon version 7.x-1.x that includes all the features from the dev branch as well.
This will add the js file that may need moving to commerce_sagepay/js/. for it to work.
It requires the administrator to set the new API version 4.0 in the SagePay Settings.
Don't use select use test data when testing - this still needs a bit of work.
Key points included:
VendorTxId - must not include curly brackets for protocol 4.0.
CReq - must be presented lowercase when passed to 3d secure.
Comment #23
mbatterton CreditAttribution: mbatterton at Open Imagination commentedComment #24
headbank CreditAttribution: headbank as a volunteer commented@mbatterton I'm getting some errors when trying to apply this patch to the current dev tarball:
I notice it is a git diff, is that an issue? Or am I targeting the wrong source? Or am I just showing my nonexistent patch knowhow? (Yes!)
A steer would be appreciated - thanks.
EDIT TO ADD:
As I see that the problematic files above are just the .info files, I went ahead and applied the patched dir to my test server.
Context: I am using Form, but MySagePay has been warning me that I still need to be using Protocol v4 or transactions will stop working October 15th.
On attempting an order in test mode, the checkout/payment step crashes and the dblog shows:
Does the 3D Secure submodule need to be enabled even for Form?
Comment #25
headbank CreditAttribution: headbank as a volunteer commentedLeaving aside the issue in my last comment, the conclusion I'm reaching wrt Form support is that:
So it looks like all we need to do is bump the version number in includes/commerce_sagepay_constants.inc
define('SAGEPAY_PROTOCOL', '4.0');
Would welcome any confirmation on this. I'll pursue it with Opayo support but I'm not sure how reliable their responses will be.
Comment #26
macman911 CreditAttribution: macman911 commented@headbank - thanks for your comment. I'm also using the form integration. Did your solution work - "define('SAGEPAY_PROTOCOL', '4.0');" ? Thank you for looking at this.
Comment #27
headbank CreditAttribution: headbank as a volunteer commented@macman911 Yes that change seems to have been adequate for Form. I queried this with Opayo support and they said our transactions were now meeting requirements. (At least now I have it in writing in case they're wrong.)
Note: an Opayo newsletter sent 29 September mentions that 3DSv1 would be turned off in the Test server "in September" - not sure how verifiable it is that they have actually done so, but if so that should help in assuring self that the update has been effective.
Hope the above does not seem unduly cynical towards Opayo; just want to be clear in this forum that I am giving you their assurances, not my own. All I can say for myself is the edit didn't break it, and we are currently processing successfully.
We'll know for sure next weekend in any case ;)
EDIT TO ADD: Now we are past the watershed, can confirm that transactions with Form are still working fine with just the version-bump fix.