Subject: NB. API Call Update: Subscription/Recurring Payments Initial Call
If you are using a Peach plugin (Shopify, WooCommerce and/or Wix), please ignore this notification.
If you have a custom integration using our Copy and Pay, and/or server-to-server, and/or our Mobile SDK API, please implement the Payments Association of South Africa (PASA) mandated changes outlined below.
At Peach Payments, we strive to continuously provide world-class, leading payments infrastructure that offers a secure and seamless experience for our merchants and their customers.
One of the major initiatives that we are currently undertaking (in line with global payment standards) is switching over our merchants to the VISA and Mastercard mandated 3D Secure Version 2 authentication flow.
This mandated switchover requires our merchants who make use of our Recurring Payment/Card Storage functionality to add an additional parameter to their initial payment requests.
Why is this now a requirement?
With the rapid growth of eCommerce and the subsequent increase in volumes of stored card transactions, VISA and Mastercard have rolled out new mandates which pertain to how cardholders’ payment credentials (i.e. account details) are stored for future purchases.
Part of this mandate includes the switch to the 3D Secure 2 (3DS2) security protocol.
More on 3DS2 here
Adding the parameter "threeDSecure.challengeIndicator=04" will ensure that you are complying with the latest VISA and Mastercard 3DS2 mandate around storing Credentials on File (CoF)/Card Storage.
Including this parameter makes sure that the customer goes through their bank’s 3D Secure Authentication process, which is necessary/now mandated for your recurring payments to continue securely.
More on CoF here
In the past, with 3DS 1, you would have relied on the initial transaction being fully authenticated, giving you comfort in the likelihood that the subsequent transactions would be performed by the cardholder, meaning less risk of being disputed.
In 3DS 2, if you do not submit the correct parameter with the initial transaction, there is a higher likelihood that fraudulent transactions would occur.
What action is required from You/The Merchant?
Include 1 additional parameter in your initial request to our API endpoint where the Registration/Tokenization of the customer’s card occurs.
Parameter to add/include in your initial payment request: "threeDSecure.challengeIndicator=04"
The initial payment request is the step wherein you, the merchant, would register the customer’s card and push said customer through the 3D Secure authentication flow.
curl "<your Peach Payments API endpoint URL>" \
-d "entityId=8a82xxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
-d "amount=1.00" \
-d "currency=ZAR" \
-d "paymentType=DB" \
-d "standingInstruction.mode=INITIAL" \
-d "standingInstruction.type=UNSCHEDULED" \
-d "standingInstruction.source=CIT" \
-d "createRegistration=true" \
-d "threeDSecure.challengeIndicator=04" \
-H "Authorization: Bearer OGE4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=="
Further reference to this parameter can be found here in our documentation.
Please refer to this article if you have not yet moved over/changed/updated your endpoint to the latest URL.
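One way to confirm the change in a custom integration before go-live is to check the form-encoded body your server builds for the initial request. The sketch below is an added example, not Peach Payments code; the function names and the sample bodies are constructed for illustration, and it assumes an initial request can be recognised by "createRegistration=true" or "standingInstruction.mode=INITIAL" as in the request above.

```python
from urllib.parse import parse_qs

REQUIRED_KEY = "threeDSecure.challengeIndicator"
REQUIRED_VALUE = "04"


def is_initial_registration(params):
    """True when the request registers/tokenizes a card (the initial payment request)."""
    return (
        params.get("createRegistration", "").lower() == "true"
        or params.get("standingInstruction.mode", "").upper() == "INITIAL"
    )


def check_request_body(body):
    """Return a list of problems found in one form-encoded request body."""
    parsed = parse_qs(body, keep_blank_values=True)
    problems = []
    # A repeated key is ambiguous: which value is used depends on the receiver.
    for key, values in parsed.items():
        if len(values) > 1:
            problems.append(f"duplicate parameter: {key}")
    params = {k: v[-1].strip() for k, v in parsed.items()}
    if not is_initial_registration(params):
        return problems  # once-off or subsequent requests are out of scope here
    value = params.get(REQUIRED_KEY)
    if value is None:
        problems.append(f"missing {REQUIRED_KEY}={REQUIRED_VALUE}")
    elif value != REQUIRED_VALUE:
        problems.append(f"{REQUIRED_KEY} is {value!r}, expected {REQUIRED_VALUE!r}")
    return problems


# Constructed sample bodies (not real traffic); entityId is a placeholder and
# card fields are deliberately left out so no card data ends up in test output.
SAMPLES = {
    "compliant": "entityId=PLACEHOLDER&amount=1.00&currency=ZAR&paymentType=DB"
                 "&standingInstruction.mode=INITIAL&createRegistration=true"
                 "&threeDSecure.challengeIndicator=04",
    "missing": "entityId=PLACEHOLDER&amount=1.00&currency=ZAR&paymentType=DB"
               "&createRegistration=true",
    "wrong_value": "entityId=PLACEHOLDER&standingInstruction.mode=INITIAL"
                   "&threeDSecure.challengeIndicator=4",
    "once_off": "entityId=PLACEHOLDER&amount=5.00&currency=ZAR&paymentType=DB",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, check_request_body(body) or "ok")
```

Run it against the parameters your integration assembles, in a test or staging build, and treat any reported problem on an initial request as a release blocker.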
Implications of failure to implement these changes:
API requests where the Registration/Tokenization of the customer’s card occurs that do not include the "threeDSecure.challengeIndicator=04" parameter are at risk of not being fully authenticated, which will result in the transaction liability shifting to you as the merchant on record.
Recurring payments which do not have an initial successful (RG) with the "threeDSecure.challengeIndicator=04" parameter included will be rejected.
Deadline - while the deadline is July 2022, the longer the merchant takes to implement, the higher the likelihood of receiving chargebacks.
Thank You for using Peach Payments as a Payment Gateway and please do not hesitate to reach out to us if you have any questions.
Peach Payments Support
Contact us at email@example.com