PSD2 SagePay - what requirements - opayo

Do I need to change anything within my payment gateway script on my ecommerce website, so it complies with PSD2 requirements on sagepay hosted?
I don't take payments on my website, but redirect people to SagePay.
My question is according to September's EU law changes.

With any luck, you won't need to make any changes, as SagePay should handle the SCA process for you via 3D secure V2. You will probably already have needed to upgrade your protocol version from 2.x to 3.0 (https://www.sagepay.co.uk/support/12/36/sage-pay-version-3-00-understanding-the-process), and if you have, then SagePay should take care of the 3DS process for you, and hopefully will upgrade that process to 3DS2 when they see fit.
You will need to ensure that you have 3DS turned on in your SagePay account (https://www.sagepay.co.uk/support/28/36/activating-adding-a-3d-secure-rule)
This article:
https://www.sagepay.co.uk/support/12/36/3d-secure-explained suggests that "Depending on which payment integration your site uses with Sage Pay you may have to make some changes to the integration, so it is important to flag with your developer/IT that you may need to make some development changes in June / July / August to ensure they will be ready to act for you. Specific details will be available in May." However, it's now June, and I haven't seen any such "specific details".
I'm not involved with SagePay, so I don't have any further knowledge than that - we too have an integration with SagePay, so I'm also waiting for further confirmation from them on what steps will need to be taken.
EDIT January 2022
At some point between June 2019 and January 2022, SagePay, or rather Opayo, have indeed updated their integration and they do require changes in order to fully cater for 3DSv2. Specifically, you will need to upgrade from Version 3.00 of their integration to Version 4.00 and pass some additional data. The migration process is documented here
Essentially you need to send some additional SCA data and "Credential on File" (CoF) data if you intend to do repeat transactions.

If you use the SagePay REST API (I don't think this applies to OP) then there are some changes you may need to make, the docs for it are available at https://developer.sage.com/api/payments/api/
As far as I understand it the old system is still available and working but implementing these changes should allow you to use frictionless checkout (where 3DS is automatically confirmed) and 2FA.

Related

Sagepay - which api should I use?

I am trying to integrate our test system with SagePay, but I've found a lot of different APIs and documentation for integration. I'm a bit confused about it. Could you tell me which API version is most up to date and suits my needs?
I want to have recurring payment functionality without CVV resubmit.
System will be designed to work on US market.
This API has the functionality which I want, and it's also mentioned in some answers on Stack Overflow:
https://test.sagepay.com
This API is very easy to use, but I don't see recurring payment functionality (only with CVV resubmit):
https://developer.sagepayments.com
There is another set of documents for integration, based on .vsp services
www.sagepay.co.uk/support/integration-kits-protocols-document
I suppose some of those apis are legacy and are maintained for some old integrated systems. It would be great if documentation for those apis were gathered in one place and explained.
Sage Pay UK and Sage Payment Solutions (US) operate independently of each other, with different integration methods and APIs. www.sagepay.co.uk/support/integration-kits-protocols-document relates to Sage Pay UK only.

How to develop new site with Sage Pay

Note: Not sure if this is the best site for this question but didn't think it was suitable for Super User etc.
I have a client with an e-commerce site built using Sage Pay. I am in the process of developing their brand new website which will also be using Sage Pay.
I am aware that if you run any transactions on the test Sage Pay server your Sage Pay account will stop taking payments. See 'If you are already set up on Live and are testing additional functionality, DO NOT leave your kit set to Test or you will not receive any money for your transactions!' from the Sage Pay docs.
My question is: how can I develop my integration with Sage Pay in a safe environment which won't have any detrimental effects on the client's live Sage Pay site?
The Sage Pay simulator sounds perfect for what I am trying to do but this has not been updated to use the current protocol and I've been told there is no release date as of yet for the new version.
Thanks
I think the quote above is from one of the comments in the integration kit. Essentially, it is a warning that if you change your integration, to point at the Sage Pay test server, you won't be taking much in the way of payments.....
As long as you have a separate test integration, pointing at the Sage Pay test server, the production site will continue to operate as usual.
The test and live accounts aren't linked - the live environment won't know (or care) that there are test transactions being made from another integration.

SonarQube Security Advisories

I am trying to locate a web page or alert service that I can sign up for to receive information on security patches / alerts relating to SonarQube.
I need to rate these advisories on a monthly basis to ensure that all security patches are applied in a timely manner.
Regards
Sean
The downloads page lists all the updates. You could just check there once a month.
If you pay SonarSource for support, you could express the desire to receive this information by email as well.
I don't know of any service that lists the info you need. That said, I don't remember seeing a lot of security alerts. It's not like Java where there are quarterly patches.

Magento Recurring Billing Solutions [closed]

Magento is a great product but out-of-the-box it really lacks recurring billing support. I've come to a crossroads with my current project and need some direction.
We have exhausted every Google search and module that is under the sun for Magento to support recurring billing the way we need it to. So far, all we have come across is one module that costs $300 by aHeadWorks in the UK. We've tried the module and are extremely disappointed so far, mainly just due to total lack of support and documentation; Nobody seems to have the knowledge to answer our questions, or even attempt to.
Our goals are simple and we cannot figure out why there aren't more solutions out there to do this, so the question becomes, what is everyone else doing?
All we need to do is the following:
Provide subscriptions for items such as web hosting, text message marketing, etc.
Tie into our merchant account and authorize.net
Keep the customer on our site at all times
Skrill Moneybookers & their module isn't compatible with what we need to do (at least in the US). PayPal sucks and wants to hold our money back and also wants to redirect customers to their site to setup a billing agreement. iTransact services are fantastic but there is one module that is 2 years+ old and has no support.
The answer is recurring billing is quite a taboo in the e-commerce industry. This is mostly because the big boys, i.e. Mastercard and Visa have very strict rules governing recurring billing transactions.
Recurring billing means storing a customer's credit/debit card data, long number, expiry, and cvv2, for future processing. However, this opens up a huge can of worms in terms of security. This is why Visa/Mastercard impose rules on merchants in becoming PCIDSS compliant. Practically this means your server/website have to be certified to be secure, using a service like McAfee PCIDSS, which basically scans your server/website remotely and attempts to break it. It looks for open ports, badly configured firewall (or lack of), xss scripting flaws, mysql injection breaches, operating system security breaches, and many more. One of the most important elements with PCIDSS is having all card data encrypted.
It is a laborious process, since once you are given a report, you are also expected to repair all flagged critical issues and pass the scan. There are other steps to complete, but I shan't enumerate them all here. See the pci dss website for reference. You are also expected to keep the certification up-to-date on a quarterly basis.
Basically what this means is that Visa/Mastercard don't particularly like the smaller merchants to have this feature, as they can be of major risk to clients. If their system is breached, hackers could use the card data for criminal enterprises.
This in turn means Visa/Mastercard favor the big players in the industry to handle recurring billing, such as PayPal, Worldpay, authorize.net, etc. One port of call, one entity to fine and recover losses if there's a problem.
And now we return to Magento. Whilst it is relatively easy to create a normal payment method in Magento, since most PSPs work in the same manner [mostly], recurring billing is handled differently from provider to provider. Furthermore, some are more restrictive than others.
I can't and won't recommend PayPal as I have had extremely bad experiences with them. I can definitely recommend Worldpay + Futurepay + Invisible XML method. You would need to hire a Magento developer to write a custom module for you, but it's doable. I am currently writing a module for a client in Norway using a Norwegian payment method and recurring billing.
If you still need help, get in touch, I can write a module for your store.
Hope this helps.
Cheers,
Michael.
Paradox Labs has an Authorize.NET CIM extension that supports Magento Recurring Profiles and Braintree recently released an extension that also supports them. I have made lots of improvements to Magento's recurring profiles. You can definitely tell they are in beta form, but that should stop you from getting your hands dirty and finishing things that the Magento team hasn't got to yet.
Here are a few things I improved:
https://github.com/tegansnyder/Magento-Recurring-Beta-Grid-Improvements
https://github.com/tegansnyder/Magento-Programmatically-Create-Recurring-Profiles-Authorize.net-CIM
https://gist.github.com/tegansnyder
I had to make modifications to the cart controller to allow discount codes to display on the frontend when used on nominal items. By default they wouldn't display that they were applied.
I also had to make some modifications to the daily billing job that runs to remove the discounts the second time the profile is billed. Magento was applying them each time it reached the end of cycle.
Lots of little things here and there, but it's getting there.
You should look at the service OrderGroove.com. They specialize in recurring orders in e-commerce systems like Magento.
There are different strategies to implement recurring billing / product subscriptions with Magento:
Magento Recurring Profiles
Magento's built in recurring profiles feature can be used with compatible Magento payment extensions and gateways. These include PayPal, Authorize.Net CIM (Customer Information Manager). A payment extension which supports the recurring profiles feature is required for this approach, for example Paradox Labs CIM Extension.
Customize Magento to Support Recurring Billing
This can be done with a third party extension, like the (AheadWorks SARP extension) or developed from scratch.
Integrate External Subscription Management Software
Platforms which specialize in eCommerce product subscriptions include:
Subscribe Pro
Order Groove
Some subscription management software for digital goods includes:
Recurly
Zuora

Does Magento have an existing extension that works with SAP

We run SAP ECC 6.0 basis version 702, and are integrating with Magento for order management. I know that the "SBOeConnect: eCommerce Integrated with SAP Business One ERP" extension exists, but I do not know if this works with our SAP installation.
(SAP ECC 6 and Business One are two very different beasts.)
Does anyone have experience with integrating the two systems?
Does the extension support SAP ECC 6?
As far as I know that is the only extension. I would recommend contacting them to ask if it supports your version of SAP.
The other option would be to build a custom module. Using the APIs and a cron job, you can set up automatic push/pull events to sync data, or tie it to an event observer for an action like a new transaction. There are obviously a lot of variables depending on what you specifically want to do.
