I seem to be qute proficient in finding issues that are (in my opinion) HUGE and yet are being mostly ignored by the companies associated with them. Last time it was a HUGE issue with Google Panda, this time it seems to be an issue with online payments, 3d secure (Verified by Visa) and any customer of HSBC, First Direct, Nationwide (and any other bank who uses a 3rd party for their 3d secure offering).
I’ll start with the symptoms.
We had a call a few months ago from one of our largest customers, Milner Off Road. They get a large amount of online sales through their website and noticed that they were getting a lot of duplicate payments appearing, and they started to get customer complaints through about people “Not able to complete checkout” etc.
Nothing out the ordinary really, apart from the sheer volume these erroneous payments and customer complaints were flooding in. So, they asked me to Speak to SagePay (their Payment provider) about it, so I did.
An hour later, and I was told by a member of staff at SagePay that the issues were down to;
- Wrong card number being inputted.
- Customer pressing back on their browser and trying again due to lags/delayed page loading times.
- Customer reloading browser.
- Any old rubbish as long as it wasnt SagePays fault.
As this was the first time I had called them about it, I took the info, passed back to my customer and told them to monitor the situation and was hoping that would be that.
My customer contacted me again a month later, more of the same issue but this time they had tried it themselves and have seen what was actually happening.
They added products to the cart, went to checkout, clicked complete which took them to SagePay.
They then filled their card details out on the first screen you get on the SagePay website, and clicked the button to take them to the Card Authentication part, it’s on this screen where 3d Secure is supposed to kick in.
NB 3d Secure is “Powered” by the card issuing bank not by your payment provider- so if you bank with HSBC, and you pay online, when you get to the authorisation stage HSBC are supposed to serve pages that contain the 3d secure module.
However, with a First Direct bank card (and it seems the same with many others) the customer is instead greeted with this;
And with no other option, users are clicking the continue button and then their browser sits churning away, until the user gets this;
If you were a novice user at this point you would simply press back and try again – however SagePay have taken your money, and you are now just going to pay for the order again.
To make matters worse, because the checkout is not technically being completed despite payments being taken, this means nothing is fed back to the website so the customer doesn’t even get one order sent to them! What a mess!
Ok, so what’s the diagnosis?
After hours and hours of research online and via phone calls to about 15 different numbers, this is my hypothesis.
Every bank that provides bank cards that allow online payments (so all of them basically) opt in to the 3d Secure system, which is supposed to be another level of security to help prevent online fraud (on a sidenote, its actually a terrible way of stopping online fraud and is exploited allll the time – thats a story for another day though!)
They can either provide the service directly, or you can rent the service from various 3rd parties and they serve those pages for you. My bank does it directly, so when you get to this page on a checkout;
The bit ive pointed to with the black arrow is actually being served from secure.barclays.co.uk (meaning they host it themselves.)
It seems that the issue is with anyone using a 3rd party 3d Secure issuer. We checked nationwide, HSBC and First Direct and they all had this issue, and all used a 3rd party 3d secure issuer.
It seems that these 3rd Party 3d Secure Issuers are for some reason letting people through without completing the authentication, which is then having a knock on effect and causing businesses at the bottom to suffer.
I believe the error some users are getting is because the SagePay rules that apply to all accounts with 3d secure enabled dictate that 3d secure MUST be completed and passed before a payment can be accepted. As this page is letting the users SKIP 3d secure, its sending a confusing status back to SagePay and SagePay don’t know what to do with it. Hence the 5002 error of Invalid request.
I have searched, and we’re not the only ones with this issue;
https://wordpress.org/support/topic/3d-secure-timing-out – I spoke to these guys, they have lost LOTS of business because of this issue and would have been shut down if their customers were not so loyal.
http://www.bluepark.co.uk/forums/showthread.php?6233-Losing-sales-because-checkout-is-timing-out – I spoke to this lady, she resolved this by switching to SagePay InFrame integration as opposed to Direct or Redirect. This is one to try for sure but SagePay shouldn’t allow people to integrate using a method that isnt 100%.
And this was just off page 1.
I have tried to contact Arcot.com (one of the 3rd party providers of 3d Secure) but as im some dude off the street they shrugged their shoulders and told me that issues need to come from the banks not from the public. I have told my customers to contact their card issuing banks and explain the issue to them, I shall update this if I get anything back.
It seems that no one cares about this issue, no one wants to accept responsibility for it and it very much looks like the support systems within places like SagePay are simply not set up to (or Staff have been warned off) deal with issues of this nature. Every time I find and read a forum post or blog about it, the Payment Processor simply fobs their customer off with a “Oh your users are idiots” style rebuttal.
If you have had issues like this before then please comment below & together maybe we can get the people up top listening and get something done about this!
Its also worth noting that they are releasing 3D Secure V2 next year – It wouldn’t surprise me if this issue was known and they are just ignoring it whilst they make v2!
Thanks for reading.