I am currently looking into whether handling 3DSv1 inside an iframe would be a possible solution.
Description of the iframe solution
- on the merchant website, have an iframe opening the issuer bank website
- the customer completes the challenge inside the iframe
- the customer is redirected to the merchant callback page (but still within the iframe)
- the parent merchant page detects that the 3DS challenge is completed and closes the iframe
Concern about the solution: the issuer bank detects that their website is open inside an iframe and decides to block it
Question: Is this concern valid?
What I have found so far
Source against iframe: https://stackoverflow.com/a/58760991/1210376
Source pro iframe: https://usa.visa.com/dam/VCOM/download/merchants/verified-by-visa-acquirer-merchant-implementation-guide.pdf
7.4 Use of Framed Inline Page
The 3-D Secure Protocol requires the authentication page displays to be presented to cardholders using the full browser window in an “inline” approach. U.S. merchant 3-D Secure implementations must use a framed inline page for Verified by Visa. The use of a pop-up page is not permitted. The requirements for the use of framed inline pages are:
• The merchant must not display promotional messages to cardholders. It is important that cardholders have confidence in the authentication session with their card issuer.
• The frame opened for the issuer ACS to present the Verified by Visa window must be large enough to present the entire 390 pixel width by 400 pixel length authentication page, without scrolling, over a standard range of browser resolutions.
Thank you
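
Added example, not part of the original post: one way the parent merchant page could detect completion and close the iframe (the last two steps described above), with the callback page signalling via `postMessage`. The origin `https://shop.example`, the `3ds-complete` message type and the `orderId` field are assumptions made for illustration.

```javascript
// Assumed values for this sketch; none of them come from a 3DS specification.
const MERCHANT_ORIGIN = "https://shop.example";
const COMPLETE_TYPE = "3ds-complete";

// The merchant callback page, once loaded inside the iframe, would run:
//   window.parent.postMessage({ type: COMPLETE_TYPE, orderId }, MERCHANT_ORIGIN);

// Decide whether a message event is the completion signal from our own
// callback page. Returns the orderId to verify, or null to ignore the event.
function acceptChallengeMessage(event, iframeWindow, expectedOrderId) {
  // Any frame, including the issuer page, can post messages to the parent,
  // so only the merchant's own origin is accepted.
  if (event.origin !== MERCHANT_ORIGIN) return null;
  // The sender must be the challenge iframe, not another same-origin window.
  if (event.source !== iframeWindow) return null;
  const data = event.data;
  if (typeof data !== "object" || data === null) return null;
  if (data.type !== COMPLETE_TYPE) return null;
  // Bind the signal to the checkout that opened the iframe.
  if (typeof data.orderId !== "string" || data.orderId !== expectedOrderId) {
    return null;
  }
  return data.orderId;
}

// Browser wiring: close the iframe on the first valid signal.
function watchChallenge(iframe, expectedOrderId, onComplete) {
  function listener(event) {
    const orderId = acceptChallengeMessage(
      event, iframe.contentWindow, expectedOrderId);
    if (orderId === null) return;
    window.removeEventListener("message", listener);
    iframe.remove();
    // The message only says the challenge ended. The payment outcome must be
    // fetched from the merchant server, which validates the issuer response.
    onComplete(orderId);
  }
  window.addEventListener("message", listener);
  return listener;
}
```

The message is treated as a UI signal only; the authentication result itself should be confirmed by the merchant server before the order is marked as paid.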