
Loophole around 3D Secure via Cardinal Commerce

We're implementing credit card payments on our site via Authorize.Net, but we're only interested in supporting 3D Secure transactions. We've already performed the integration; however, we have a few concerns.

1) We chose Cardinal Commerce for 3D Secure validation, as you guys had a guide on how to use Cardinal and Authorize.Net together. From what we can tell, though, there's no way to verify that the auth data from Cardinal Commerce actually matches the tokenized card that is being used for our Authorize.Net transaction. Is there a way to verify that the two go together before we run the transaction? Without this verification, a malicious user could provide an (albeit valid) Cardinal Commerce authorization that belongs to a different credit card. This would pass our Cardinal Commerce validation, but obviously would not result in a liability shift, as it is for a different card.

2) Taking that a step further, since we only want to support transactions that pass 3D Secure verification, is there some way to submit a transaction to Authorize.Net that will only actually go through provided that the liability shift occurs? Assuming there isn't, if we see that the liability shift did not occur, and we immediately refund/cancel the transaction, will we still be charged fees for the invalid transaction?