I seem to be quite proficient in finding issues that are (in my opinion) HUGE and yet are being mostly ignored by the companies associated with them. Last time it was a HUGE issue with Google Panda; this time it seems to be an issue with online payments, 3D Secure (Verified by Visa) and any customer of HSBC, First Direct, Nationwide (and any other bank that uses a 3rd party for their 3D Secure offering).
I’ll start with the symptoms.
We had a call a few months ago from one of our largest customers, Milner Off Road. They get a large amount of online sales through their website and noticed that they were getting a lot of duplicate payments appearing, and they started to get customer complaints through about people “Not able to complete checkout” etc.
Nothing out of the ordinary really, apart from the sheer volume at which these erroneous payments and customer complaints were flooding in. So they asked me to speak to SagePay (their payment provider) about it, and I did.
An hour later, I was told by a member of staff at SagePay that the issues were down to:
- Wrong card number being inputted.
- Customer pressing back on their browser and trying again due to lags/delayed page loading times.
- Customer reloading browser.
- Any old rubbish as long as it wasn’t SagePay’s fault.
As this was the first time I had called them about it, I took the info, passed it back to my customer and told them to monitor the situation, hoping that would be that.
My customer contacted me again a month later with more of the same issue, but this time they had tried it themselves and had seen what was actually happening.
They added products to the cart, went to checkout, clicked complete which took them to SagePay.
They then filled their card details out on the first screen you get on the SagePay website, and clicked the button to take them to the Card Authentication part. It’s on this screen where 3D Secure is supposed to kick in.
NB: 3D Secure is “powered” by the card-issuing bank, not by your payment provider, so if you bank with HSBC and you pay online, when you get to the authorisation stage HSBC are supposed to serve pages that contain the 3D Secure module.
However, with a First Direct bank card (and it seems the same with many others) the customer is instead greeted with this;
And with no other option, users are clicking the continue button and then their browser sits churning away, until the user gets this;
If you were a novice user at this point you would simply press back and try again – however SagePay have taken your money, and you are now just going to pay for the order again.
To make matters worse, because the checkout is not technically being completed despite payments being taken, this means nothing is fed back to the website so the customer doesn’t even get one order sent to them! What a mess!
Ok, so what’s the diagnosis?
After hours and hours of research online and via phone calls to about 15 different numbers, this is my hypothesis.
Every bank that provides bank cards that allow online payments (so all of them, basically) opts in to the 3D Secure system, which is supposed to be another level of security to help prevent online fraud (on a side note, it’s actually a terrible way of stopping online fraud and is exploited all the time – that’s a story for another day though!)
They can either provide the service directly, or rent the service from various 3rd parties who serve those pages for them. My bank does it directly, so when you get to this page on a checkout;
The bit I’ve pointed to with the black arrow is actually being served from secure.barclays.co.uk (meaning they host it themselves).
It seems that the issue is with anyone using a 3rd party 3D Secure issuer. We checked Nationwide, HSBC and First Direct and they all had this issue, and all used a 3rd party 3D Secure issuer.
It seems that these 3rd party 3D Secure issuers are for some reason letting people through without completing the authentication, which is then having a knock-on effect and causing businesses at the bottom to suffer.
I believe the error some users are getting is because the SagePay rules that apply to all accounts with 3D Secure enabled dictate that 3D Secure MUST be completed and passed before a payment can be accepted. As this page is letting the users SKIP 3D Secure, it’s sending a confusing status back to SagePay and SagePay don’t know what to do with it. Hence the 5002 error of Invalid request.
I have searched, and we’re not the only ones with this issue;
https://wordpress.org/support/topic/3d-secure-timing-out – I spoke to these guys, they have lost LOTS of business because of this issue and would have been shut down if their customers were not so loyal.
http://www.bluepark.co.uk/forums/showthread.php?6233-Losing-sales-because-checkout-is-timing-out – I spoke to this lady, she resolved this by switching to SagePay InFrame integration as opposed to Direct or Redirect. This is one to try for sure but SagePay shouldn’t allow people to integrate using a method that isn’t 100%.
And this was just off page 1.
I have tried to contact Arcot.com (one of the 3rd party providers of 3D Secure) but as I’m some dude off the street they shrugged their shoulders and told me that issues need to come from the banks, not from the public. I have told my customers to contact their card-issuing banks and explain the issue to them; I shall update this if I get anything back.
It seems that no one cares about this issue, no one wants to accept responsibility for it, and it very much looks like the support systems within places like SagePay are simply not set up to deal with issues of this nature (or staff have been warned off). Every time I find and read a forum post or blog about it, the payment processor simply fobs their customer off with an “Oh your users are idiots” style rebuttal.
If you have had issues like this before then please comment below & together maybe we can get the people up top listening and get something done about this!
It’s also worth noting that they are releasing 3D Secure V2 next year – it wouldn’t surprise me if this issue was known and they are just ignoring it whilst they make V2!
Thanks for reading.
This is alarming. I hope this issue has been resolved already and hope the customers also get a chargeback. 3D Secure should do something about this issue before the banks lose their clients.
Is there any update on this issue please??? We are still getting this on our website.
We assumed it had been resolved as we had not come across the issue again, have you contacted your card issuer? It’s such an awkward issue to debug.
Hello Olly, I meant asking does the fix for this issue sit with the merchant website or the 3D Secure service providers? We are still getting the issue on a website while making payments with some of the bank cards.
Hi, Came across your discussion and I am experiencing this too with an Airline payment system. Not sure if it is the same issue exactly as you are discussing a commercial payments issue. But I am being made to feel that it is my fault when I can prove it is not – i.e. that I am entering incorrect details etc. I am approaching the Financial Ombudsman and FCA about this. But also I am contacting the 3dSecure service provider – in this case Worldpay. If anyone has any advice, info or pointers on who has influence over the 3dSecure system I would be most grateful.
You can inspect the iframe and see who is providing it, when the 3D Secure loads. Hope this helps.
Still the same today trying to renew our Railcards. Totally useless system, and not fit for purpose. Cleared and accepted cookies, disabled ad-block, tried different cards. Not a chance.
Thank heavens PayPal works – but sadly not offered for Railcard renewals! Why not?
Is there a list of which banks that use 3rd party 3DS services?
I seem to be having a similar issue with WooCommerce and WorldPay using some banks (Tesco being one of them).
Hi Mr C,
I think most of them do to be honest, but not sure how this now changes based on the new 3D Secure style thingy.
Hi, Yes we have started to experience these same issues over the past few months. SagePay said it was nothing to do with their systems and were not helpful at all. I know it is not the customer entering details incorrectly as it is happening on every transaction made and not all the customers can be getting it wrong! Also they all say the same thing – they enter the 3D Secure details then the page just does nothing and eventually times out on them and no transaction is taken therefore as it is deemed to be incomplete. The customers have to phone us to find out if the payment has gone through or not – it’s really unprofessional! We have to get around it by taking the payment for them as a “card not present” transaction which removes the 3D Secure element but kind of defeats the purpose of having SagePay in place for automated payments by customers without having to handle card details. I am sure there is more SagePay could do to help resolve this issue.
This happens to 1 in 5 of my customers. They reach the 3D Secure stage and the screen just appears to hang. Some retry several times. And for these customers some payments actually go through. But the website function does not complete so they do not get their order. So I have to refund their payments and use an alternative method to send them their order!!!!!!
It still seems to be happening now. I look after a Magento 2 store and it relies on the whole process to complete before sending out mails. Spoke to Opayo and they just say it’s not their problem. I don’t know how this can keep going on??
Still happening now – April 2021 with Mastercard verification and arcot.com. Sometimes the verification process does not even complete to the bank – when it does and payment is sent to the merchant (in my case World Remit), the process times out or a null is returned on my browser/server, so World Remit sees it as a cancellation (which it is not) and then goes through an automated refund to the bank – that takes days – with the customer’s money in limbo!
Hopefully this is helpful to someone, sounds like the same issue.
I think I’ve worked out the issue and there’s a solution for SagePay Direct. For SagePay’s other gateways, they would probably have to make this change at their end.
We’ve been getting these three errors, all from arcot.com on about 5% of payments for the last 12 months, all of which cause 3DSv2 to fail:
1. VpsTxId provided in callback does not match transaction in CRes
2. The ACS has provided on Erro message. CReq validation failure.
3. The ACS has provided on Erro message.
Arcot.com servers sometimes return the threeDSSessionData value in base64. I’ve not yet found a pattern but secure5.arcot.com and secure7.arcot.com seem to pop up a lot.
Either arcot.com or everyone else has mis-read the 3DSv2 spec.
(Scroll to bottom click accept to download)
Page 226 – Specification for threeDSSessionData value states this value should be base64 encoded, however the description also states:
‘Because the content of this field varies by 3DS Requestor implementation, the ACS preserves the content unchanged and without assumptions’
I believe this statement should trump the base64 encoding as all other ACS providers pass back what was sent, unchanged, regardless of encoding.
Now, if you are using SagePay Direct, they recommend using the VPSTxID for this value, which the ACS then passes back and should be forwarded to SagePay for completion. If it was returned by the ACS encoded, the payment completion will fail.
This problem is responsible for the first two errors.
The third error is because arcot.com sometimes returns the cres data in post[error] instead of post[cres]. If you decode the cres (or error) message it states transaction already processed. I believe this is in fact a bug but I can’t be sure that it’s not triggered by the issue that is solved above, as all of these issues seem to be dependent on which secure*.arcot.com server you are redirected to.
Base64 encode/decode the threeDSSessionData value that is sent/returned to/from the ACSURL.
The 3DSv2 spec specifies this value should be base64 encoded anyway. SagePay’s docs make no mention of this.
I’ve made the above change to our system and so far we’ve not had any more errors. The change has only been live for 36 hours so I’ll let you know how it goes but looking good so far.
Update to my previous comment: it seems even if you send threeDSSessionData encoded, arcot just encode it again, so for now I’m sending it unencoded and looking for a hyphen in the response: if it contains one, forward to SagePay as is; if not, decode it first.
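The fallback described in the comment above, sketched as an added example (not the commenter's, SagePay's or Arcot's code). It tightens the hyphen check to a GUID pattern, since URL-safe base64 can itself contain a hyphen, peels more than one base64 layer, and compares the result with the VPSTxId stored server-side before anything is forwarded. The function names, the GUID shape of the VPSTxId and the sample value are assumptions.

```python
import base64
import binascii
import hmac
import re

# Assumption: threeDSSessionData carries the VPSTxId, a GUID with or without braces.
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?$")
MAX_LAYERS = 3  # bound on how many base64 layers are peeled off
SAMPLE_VPSTXID = "{3F2504E0-4F89-11D3-9A0C-0305E82C3301}"  # constructed sample value


def _b64_decode_text(value: str) -> str:
    """Strictly decode one base64 layer (standard or URL-safe alphabet) to ASCII."""
    candidate = value.replace("-", "+").replace("_", "/")
    candidate += "=" * (-len(candidate) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(candidate, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("value is neither a GUID nor base64 text") from exc


def normalise_session_data(returned: str) -> str:
    """Recover the value originally sent, whether the ACS echoed or re-encoded it."""
    value = returned.strip()
    for _ in range(MAX_LAYERS):
        if GUID_RE.match(value):
            return value  # already in the form that was sent: forward as is
        value = _b64_decode_text(value).strip()
    if GUID_RE.match(value):
        return value
    raise ValueError("threeDSSessionData did not decode to a GUID")


def callback_matches(returned: str, stored_vpstxid: str) -> bool:
    """True only if the callback value resolves to the transaction stored server-side."""
    try:
        recovered = normalise_session_data(returned)
    except ValueError:
        return False
    return hmac.compare_digest(
        recovered.upper().encode(), stored_vpstxid.strip().upper().encode()
    )


if __name__ == "__main__":
    once = base64.b64encode(SAMPLE_VPSTXID.encode()).decode()
    twice = base64.b64encode(once.encode()).decode()
    for label, value in (("plain", SAMPLE_VPSTXID), ("encoded", once), ("double", twice)):
        print(label, normalise_session_data(value), callback_matches(value, SAMPLE_VPSTXID))
```

Rejecting a value that fails the stored-transaction comparison, rather than forwarding whatever the callback carried, also keeps a tampered or replayed callback from completing someone else's payment.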
Dude, awesome reply!
Please keep us posted but this seems very thorough!
We’ve just had this problem blow up in the last month. Opayo say it’s customers leaving the 3DS page open and it timing out.
We’re losing tons of business
UPDATE: We’ve had a massive reduction in errors since making this change.
There have still been a few errors (maybe 1 every 1-2 days on average compared to the 6-8 a day we used to be getting), mostly missing the threeDSSessionData values from secure4.arcot.com (sometimes secure5.arcot.com). These may be due to customer timeouts but it’s suspicious that it’s only those two servers.
It’s got better still over the last week, only 1 error in last 7 days, currently 5 days error free.
SAM! Thanks for coming back and updating the blog. You legend! 🙂
Can I ask, is this a typical problem across all payment gateway providers, even the likes of Klarna, Stripe or Braintree, that act as the bank and the gateway, or just related to Sagepay? Reading this, it sounds like cutting out some of the ‘middle men’ and choosing a provider that does it all would resolve the problem.
I’ve been googling time out errors that you reference above with those alternative providers, and I’m still finding instructions on adjusting timeout settings for all of them which suggests there are still problems.
We use Sagepay PI on a Magento 2 site and are experiencing at least 1 payment problem a day now we are entering peak season. It’s typically, payment failed on 3d, timed out and returned to the site with a cleared basket. We’ve recently switched from Ebizmarts to the Opayo version in hopes for some resolve, but there’s no obvious difference.
Yes, this isn’t a SagePay issue I don’t think, it’s a 3D Secure issue.
Global Pay & Payment sense both use Arcot. Terrible service. They each blame the other. Only one provider I have found that works is Stripe. More expensive but hey if it works, needs must until Arcot get their act together.
We have had this problem for months on client sites and Opayo push back and never provide support apart from saying it is the customer closing browser or doing nothing when 3D secure is triggered. We have found transactions in Opayo dashboard that do not even appear in the Magento admin, clients are using Magento 2.4.3 with eBiz Magento extension. Time we found a new payment gateway.
So, nearly a year in with the changes I made, not a single 5036 error.
Sam I really appreciate the feedback!
Can I ask what system you did this on?
Sam, is there any way we can get in touch for a brief chat? I have customers pulling their hair out. Whilst I did have a few errors logged regarding the 3rd party applying base64 encoding… the majority of the ‘abandoned’ order I have are just reporting a hanging page. I see above you managed to get other errors
We are facing a similar issue with checkout – 3DS2 timeout error.
Anyone else facing similar issue with checkout and can help here?
Hi, I have just found your blog as I am having a similar problem making payments with Worldpay.com and epaycapita.com. I thought it was me as I am not particularly experienced with the internet. I made sure my cookies were enabled, cleaned my phone and scanned for viruses but still no good. The problem for me has arisen since all payments online now have to be confirmed by the bank, and as soon as I try to go back to the site to complete the transaction it says session timed out. Tells me to enable my cookies, done that, and it may be I don’t have enough money in my account. I have more than enough because they won’t let me spend it. I have tried paying on my laptop and confirming on my phone, still no joy. Arrrrgh
Just tried to book a holiday with the Caravan Club.
Completed all the fields and paid, or at least I thought I had, when up pops this notice about 3D Secure.
After half an hour of watching dots dance across the screen and a circle turning I gave up and rang the Caravan Club direct, after another twenty minute wait, I spoke to a very nice human, who took my booking and my money.
Barclay’s haven’t even had the decency to write to us about this, which because they have closed their branch in our town, we now have a ten mile trip to the nearest branch.
I cannot handle on line shopping or do not have any apps on my phone. I tried to re join Find my Past today and tried 4 times to subscribe. I phoned them up and they quoted 3D secure, never heard of this before. So I went to my bank and he is kindly going to try and help me on Monday. What a joke this is as only trying to pay for subscriptio
We would be very interested to hear people’s experiences of the roll out of 3D secure V2, having experienced very few problems with 3D secure V1 in more recent years, failed payments for non-valid reasons, for seemingly very similar reasons to those highlighted above, are currently accounting for 10% of our transactions, with one of Europe’s largest payment gateway providers since their upgrade to 3D secure V2
Hi David – can’t say I’ve seen as many issues with v2 as with v1 but please keep us posted if you manage to find out what’s happening with your failed transactions.
Are you direct or redirect integrated? IE is the card form ON your website, or are your visitors taken off site to make the payment?