Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Credit Card Payment Security: adding 3D Secure SDK for Merpay iOS

Credit Card Payment Security: adding 3D Secure SDK for Merpay iOS

Security is our primary concern when it comes to payment services.
This is why, among other important features, we implemented 3D Secure for credit card payments in collaboration with Payment Service Providers (PSP). Thanks to this new feature, we protect our users and we make sure that their credit card can not be used by others when it comes to Mercari.
------
Merpay Tech Fest 2022は3日間のオンライン技術カンファレンスです。
IT企業で働くソフトウェアエンジニアおよびメルペイの技術スタックに興味がある方々を対象に2022年8月23日(火)から8月25日(木)までの3日間、開催します。 Merpay Tech Festは事業との関わりから技術への興味を深め、プロダクトやサービスを支えるエンジニアリングを知れるお祭りです。 セッションでは事業を支える組織・技術・課題などへの試行錯誤やアプローチを紹介予定です。お楽しみに!

■イベント関連情報
- 公式ウェブサイト:https://events.merpay.com/techfest-2022/
- 申し込みページ:https://mercari.connpass.com/event/249428/
- Twitterハッシュタグ: #MerpayTechFest
■リンク集
- メルカリ・メルペイイベント一覧:https://mercari.connpass.com/
- メルカリキャリアサイト:https://careers.mercari.com/
- メルカリエンジニアリングブログ:https://engineering.mercari.com/blog/
- メルカリエンジニア向けTwitterアカウント:https://twitter.com/mercaridevjp
- 株式会社メルペイ:https://jp.merpay.com/

mercari
PRO

August 25, 2022
Tweet

More Decks by mercari

Other Decks in Technology

Transcript

  1. Credit Card Payment Security: adding 3D Secure SDK for Merpay

    iOS Mikael LE GOFF iOS Engineer , Merpay
  2. Mikael / @mikael iOS Engineer , Merpay Focused on iOS

    development starting with Objective-C. Passionate about Fintech and teamwork, joined Merpay in 2019 and now spends his energy on providing the best user experience for Merpay+Mercari iOS users. He is also passionate about project management and as a scrum master, helps teams to achieve their best results when necessary.
  3. 3D Secure 01 What is 3D Secure? 02 Problem we

    needed to solve 03 How to identify security risks 04 Security and trust using 3DS SDK for iOS 05 Implementation details
  4. What is 3D Secure? The 3D Secure protocol is aimed

    at securing authentication in both browser-based apps and mobile-based apps for online payment. 3D means here the 3 domains: Issuer, Interoperability, Acquirer Issuer Domain Interoperability Domain Acquirer Domain the bank and the merchant to which the money is being paid infrastructure provided by the card scheme, credit, debit, prepaid or other types of a payment card, to support the 3-D Secure protocol the card issuer
  5. What is 3D Secure? A bit of history: - 1999:

    Created by Celo Communications AB (Now Thales Group) under the name “p42” - 2001: Improved by Arcot Systems and Visa Inc under the new name “Visa Secure” - 2016: Release of the version 2 of the protocol by EMVCo in order to comply with new EU authentication requirements
  6. What is 3D Secure? How does it work? 1 2

    3 A user will try to buy goods with a credit card The 3DS system will estimate the transaction risk The user might be asked to input a one time password in order to proceed with his purchase
  7. What is 3D Secure? 3DS usage worldwide Second half 2021

  8. 3D Secure 01 What is 3D Secure? 02 Problem we

    needed to solve 03 How to identify security risks 04 Security and trust using 3DS SDK for iOS 05 Implementation details
  9. Problem we needed to solve Stolen credit cards shouldn’t be

    usable in our product There are many ways to steal a credit card. It could be done offline or online. - offline: people could take a picture of your credit card. - online: your credit card information could be leaked following a hack.
  10. Problem we needed to solve A scenario example without 3D

    Secure. (Note that 100% of our transactions are now using 3DS) user A will have his credit card stolen user B will try to buy an item on Mercari with the stolen credit card without 3D Secure, Mercari had no way to know that the card was stolen and proceeded with the purchase 1 2 3
  11. 3D Secure 01 What is 3D Secure? 02 Problem we

    needed to solve 03 How to identify security risks 04 Security and trust using 3DS SDK for iOS 05 Implementation details
  12. How to identify security risks? During a purchase on Mercari,

    we ask ourselves: • Is the item at high risk of being bought by fraudulent users? • What are the risks the credit card was stolen? We can estimate the probability of fraudulent purchases thanks to Anti Money Laundering systems but we also want to make sure that only the owner of the credit card can use it for payment. We use 3DS to assess the risk of a card transaction. Mercari checkout screen
  13. How to identify security risks? 3DS can judge a card

    transaction and return a risk level: Frictionless password is required Transaction refused Low Medium High
  14. 3D Secure 01 What is 3D Secure? 02 Problem we

    needed to solve 03 How to identify security risks 04 Security and trust using 3DS SDK for iOS 05 Implementation details
  15. Security and trust using 3DS SDK for iOS By adding

    3D Secure SDK to our client applications, we bring more trust to our users by making sure that, only the real owner of the credit card can use it on our platform. - If somebody stole your credit card, he won’t be able to use it on Mercari. - If a buyer tries to purchase your items with a stolen credit card, he will be stopped. Credit card
  16. Security and trust using 3DS SDK for iOS What is

    the 3DS requested password? - The password is often a one-time password (OTP) provided by your credit card issuer. - It means that you will be requested a new password for every medium risk transaction made. - Usually, credit card issuers will simply send you an OTP by SMS to your personal phone number.
  17. 3D Secure 01 What is 3D Secure? 02 Problem we

    needed to solve 03 How to identify security risks 04 Security and trust using 3DS SDK for iOS 05 Implementation details
  18. Implementation details After confirmation of a credit card payment request,

    we can show a 3D Secure modal from the 3DS SDK. You will be asked for your credit card OTP in order to proceed with the purchase. Other flows lead to a successful frictionless payment or refused payment. Mercari checkout screen 3DS password check screen
  19. Implementation details We worked with partners to achieve the integration.

    Merpay iOS App 3DS SDK Visa Amex … Partner Merpay Backend
  20. Implementation details Merpay iOS App 3DS SDK Adding a new

    SDK to our codebase: - We need to make sure it won’t impact our performances, security and app binary size. - The SDK also needed to be a xcframework (mandatory since Xcode 12) in order to support the transition to M1 arm 64 architecture. - The SDK can also be updated. - It should not impact previous mercari versions - An abstraction layer using swift protocols on client side is useful for future developments (ex:It allows testing with a Mock 3DS SDK).
  21. implementation details difficulties 1/2 Bug fixing on both sides Merpay

    and Partners • Because of the system complexity, bugs were found. It was necessary to debug, based on the SDK logs, with our partners in order to identify the source of a problem (in-house code or 3DS SDK) ◦ This requires a deep understanding of the SDK specifications ◦ A preparation of the key data before each meeting in order to be efficient ◦ Use simple and efficient English to help understand the topics and being more inclusive Legacy support • At Merpay, we use Feature Flags in order to deliver new features and do A/B testing. ◦ This allows releasing new features by small increments (ex: 10% of users first) ◦ But this increases the complexity of the code and requires non-regression testing by QA.
  22. implementation details difficulties 2/2 Quality Assurance • The system is

    complex and depends on many credit card issuers who present their portal through the 3DS SDK. • For each software iteration, our QA had to check the legacy and new flows including testing the different card issuers scenarios. Improving UX with our partners: • UX is important. Over the months, we worked with our partners to reach a great Mercari user experience. ◦ We added self explanatory error feedbacks ◦ We updated our payment flow in case of 3DS errors ◦ Discussed OS-specific user interactions as we also have an Android implementation (ex: On Android, a new activity is shown, on iOS, a page sheet is presented)
  23. Credits to the team. We worked for months all together…

    Project Manager, Android Engineers, UX Designers, Backend Engineers and our great partners to bring this project to life. Thank you.
  24. Links • The latest 3D Secure specification is made by

    EMVCo, LLC. ◦ https://www.emvco.com/terms-of-use/?u=wp-conten t/uploads/documents/EMVCo_3DS_SdkSpec_210_1017 -1.pdf • Data related to 3DS usage in the world ◦ https://www.ravelin.com/global-payment-regulation- map
  25. None