Tags: c#, braintree, 3d-secure

3D Secure 2.0 integration with Braintree Subscriptions


I’m implementing 3DS 2.0 integration with Braintree subscriptions. Braintree’s documentation is not clear enough to answer my questions, and Braintree support is not helping at all. Here are the questions that I have:

  1. When is the best moment to perform a card verification: at the time of adding the card to a vault or when creating a subscription? Maybe I should do this twice in both cases?
  2. Which amount should be used to verify a card when adding it to the vault? Should it be $0, $1 or should I rather rely on the amount that the Braintree gateway chooses when I don’t pass the amount?
  3. Does 3DS 2.0 verification performed when adding a card to a vault guarantee that later (when creating a subscription) I can charge a card without 3DS for hundreds, thousands of dollars?
  4. If a verification should be performed when creating a subscription, is it the right way to do this:
    1. Obtain PaymentMethodNonce from Braintree using the payment method token
    2. Verify card using the nonce and get a new nonce
    3. Use Nonce obtained in 2nd step as a PaymentMethodNonce parameter in SubscriptionRequest
  5. What happens if I lower or increase the price of a subscription? Do I have to reverify with 3DS? Should I reverify with updated price?
  6. I’m using the proration mechanism. Does 3DS affect this in any way?
  7. What happens when a 3DS-verified card used to create a subscription is changed for a new one? Which amount should be used to verify a new card (just like in 2nd question)?
  8. How to increase a price of a subscription without a need for 3DS reverification?
  9. Is there a sample code illustrating working with 3DS and subscriptions?

Looks like Braintree doesn’t know how to answer these questions or for some reason doesn’t want to do this. Very poor support. I would really appreciate any feedback.


Solution

  • I was in contact with Braintree having similar questions. I think I can answer your questions. This is my view of the situation:

    1. The best moment is when you know the subscription price. You should charge the vaulted card to the amount specified during card verification (with some exceptions such as small amounts that won't need verification). If you skip verification you seem to be liable for fraud instead of the bank. If you verified for a lower amount than you try to charge, I suppose the bank can reject the transaction.

    2. You can't verify the card with an amount of $0. I tried that. My assumption here is that you don't verify vaulted cards. Once you know the amount, you pick a card from the vault, verify it for the amount and update subscription with a nonce obtained from 3DS.

    3. You should perform validation again when the amount increases. My view here is that you can skip 3DS for later payments with a higher amount, but you are fully liable for potential fraud. If you perform 3DS with a new amount, the liability is shifted to the bank.

    4. Yes, this seems correct.

    5. Yes, you should reverify with 3DS. Verification always requires you to specify an amount, so use the new amount for verification.

    6. I received a response for this a minute ago from Braintree. It should not be a problem. When upgrading a subscription, you verify the card against the monthly price. The prorated amount will be smaller than that. And banks won't care much if you charge a smaller amount than verified.

    7. I use monthly subscription amount here.

    8. Just update the subscription with the new amount. However, I think you will be again liable for fraud if you skip 3DS.

    9. developers.braintree.com is full of examples. For 3DS, see https://developers.braintreepayments.com/guides/3d-secure/client-side/javascript/v3

    I had similar questions and the Braintree support team was quick and very helpful in answering them.
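
The three-step flow from question 4, sketched server-side with the Braintree .NET SDK. This is an added example, not part of the question or the answer above and not Braintree's own sample code. The class and method names are hypothetical, and refusing a nonce without a liability shift is an assumed merchant policy. It needs a configured `BraintreeGateway` with real credentials to run.

```csharp
using System;
using Braintree;

// Added illustration; SubscriptionThreeDs and its method names are hypothetical.
public static class SubscriptionThreeDs
{
    // Step 1: turn the vaulted card's token into a one-time nonce for the browser.
    public static string NonceForVaultedCard(BraintreeGateway gateway, string paymentMethodToken)
    {
        Result<PaymentMethodNonce> result = gateway.PaymentMethodNonce.Create(paymentMethodToken);
        if (!result.IsSuccess())
            throw new InvalidOperationException("Nonce creation failed: " + result.Message);
        return result.Target.Nonce;
    }

    // Step 2 runs in the browser: the client SDK's threeDSecure.verifyCard is
    // called with this nonce and the subscription amount, and returns a new nonce.

    // Step 3: look the returned nonce up on the server instead of trusting the
    // client's claim that 3DS succeeded, then create the subscription with it.
    public static Subscription CreateSubscription(
        BraintreeGateway gateway, string verifiedNonce, string planId, decimal price)
    {
        PaymentMethodNonce nonce = gateway.PaymentMethodNonce.Find(verifiedNonce);
        ThreeDSecureInfo info = nonce.ThreeDSecureInfo;

        // A null ThreeDSecureInfo means the nonce never went through 3DS.
        // Assumed policy: refuse unless liability has shifted to the issuer.
        if (info == null || info.LiabilityShifted != true)
            throw new InvalidOperationException("Nonce is not 3DS verified with liability shift.");

        var request = new SubscriptionRequest
        {
            PaymentMethodNonce = verifiedNonce,
            PlanId = planId,
            Price = price // the same amount the browser passed to verifyCard
        };
        Result<Subscription> result = gateway.Subscription.Create(request);
        if (!result.IsSuccess())
            throw new InvalidOperationException("Subscription failed: " + result.Message);
        return result.Target;
    }
}
```

The server-side `Find` is the part that matters for fraud liability: a nonce posted back by the browser says nothing about whether 3DS actually ran until `ThreeDSecureInfo` has been checked.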