As part of the security improvements from card networks like Visa and MasterCard for your online card payments and to minimize chargeback liability, Xendit will be enabling 3DS 2.0 (EMV 3DS) for all credit / debit card transactions made using Xendit by December 2021. To learn more about 3DS 2.0, see here.
You do not need to make any changes to your API/XenInvoice/Xendit integrations (Shopify, Wix, etc.) to support EMV 3DS. We do not expect the enablement of EMV 3DS to cause any breaking changes in your setup with us.
However, we are unable to guarantee perfect compatibility between your webpages / mobile apps and the new One-Time Password pages returned by the card networks and issuers for EMV 3DS. To minimize the risk of issues arising from EMV 3DS on your webpages / apps, please follow the recommendations below on your sites or integrations and perform test payments using different web browsers if possible.
|API||Content Security Policy optimization (see below)|
|Xendit SDK||Upgrade to latest SDK Version: Xendit.js = v2.0; Android = v3.6.0; iOS = v3.4.2|
|Invoice||Content Security Policy optimization (see below)|
|Xendit Integrations: Easy Digital Download||Content Security Policy optimization (see below)|
If your websites or integrations use the Content-Security-Policy header as a security enhancement, you will need to whitelist additional domains so that EMV 3DS can be triggered.
Here are some additional domains that are required to be whitelisted:
Example of a CSP configuration that we have found to work:
|frame-src||data:; https:; |
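One way to check a Content-Security-Policy header value against the frame-src setting above before running test payments, as an added example (not Xendit's code). The helper names, the sample policies and the `acs.issuer.example` URL are constructed placeholders; it also flags the case where the sources are separated by `;` in the actual header, which ends the directive early because sources within one directive are separated by spaces.

```javascript
// Added example. Helper names, sample policies and the ACS URL are constructed.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

const SCHEME_SOURCE = /^[a-z][a-z0-9+.-]*:$/;

// Simplified source matching: "*", scheme sources (https:) and host sources
// with an optional scheme and leading "*." wildcard. Ports, paths and 'self'
// are not evaluated, so 'self' never matches a cross-origin issuer page.
function sourceMatches(source, url) {
  const s = source.toLowerCase();
  if (s === "*") return url.protocol === "https:" || url.protocol === "http:";
  if (SCHEME_SOURCE.test(s)) return s === url.protocol;
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m || (m[1] && m[1] + ":" !== url.protocol)) return false;
  return m[2].startsWith("*.")
    ? url.hostname.endsWith(m[2].slice(1))
    : url.hostname === m[2];
}

// Frames are governed by frame-src, falling back to child-src, then default-src.
function checkFrameAllowed(header, frameUrl) {
  const csp = parseCsp(header);
  const url = new URL(frameUrl);
  // A "directive" named like a scheme (https:) means a stray ';' split a source list.
  const stray = [...csp.keys()].filter((name) => SCHEME_SOURCE.test(name));
  const directive = ["frame-src", "child-src", "default-src"].find((d) => csp.has(d)) || null;
  const allowed = directive === null || csp.get(directive).some((src) => sourceMatches(src, url));
  return { allowed, directive, stray };
}

const ACS = "https://acs.issuer.example/challenge"; // constructed placeholder URL
for (const policy of [
  "default-src 'self'; frame-src data: https:",
  "default-src 'self'; frame-src data:; https:;",
  "default-src 'self'",
]) {
  console.log(JSON.stringify(policy), checkFrameAllowed(policy, ACS));
}
```

A non-empty `stray` list or `allowed: false` means the issuer's One-Time Password frame would be blocked by the policy as written.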
An example of the error message that might be returned if the CSP is not configured properly to support the additional process required for EMV 3DS: