SagePa 3DS2 3377 : The ACS has provided an Erro message. CReq validation failure from thephpleague/omnipay-sagepay

Question

I'm using thephpleague/omnipay-sagepay https://github.com/thephpleague/omnipay-sagepay

After receiving response from the 3DS Notification, I am running the following code:

$gateway = $this->fetchGateway(); 
$completeRequest = $gateway->completeAuthorize([
  'transactionId' => $payment->transaction_id
]); 
$completeResponse = $completeRequest->send(); 
print "<pre>"; 
print_r($completeResponse);

and receiving the following message:

[data:protected] => Array ( 
[VPSProtocol] => 3.00 
[Status] => ERROR 
[StatusDetail] => 3377 : The ACS has provided an Erro message. CReq validation failure. )

I've tried also including a CRes and CReq in the $gateway->completeAuthorize() function with no luck.

Anyone have any clue on this?

The protocol 4 documentation states:

This POST needs to contain the VPSTxId (or MD) and CRes (or PARes). but as above, it doesn't seem to work and returns a CReq validation error

Not sure if this could be relevant? https://dijitul.uk/payment-gateway-3d-secure-timing-out-huge-issue/#comment-121740

I read somewhere that the {} around the threeDSSessionData could be causing a problem but removing them has no effect.

Bit worried that the deadline for this is the 14th March:(

edit:

I have also tried this with the same response:

$gateway = $this->fetchGateway();
$completeRequest = $gateway->completeAuthorize([
  'VPSTxId' => str_replace("{", "", str_replace("}", "", $payment->vpsTxId)),
  'CRes' => $cres,
  'CreateToken' => '1',
]);
$completeResponse = $completeRequest->send();

$payment->vpsTxId that's sent equals: 923DD024-8E55-A543-AA6F-4E76AECB67D8

$cres equals ewogICJtZXNzYWdlVHlwZSIgOiAiRXJybyIsCiAgIm1lc3NhZ2VWZXJzaW9uIiA6ICIyLjEuMCIsCiAgImFjc1RyYW5zSUQiIDogIjZjOGE2MzQyLTI2OTUtNDAzMi04NDVkLTBmZGU2MDBiYmFhMyIsCiAgImVycm9yQ29kZSIgOiAiMjAzIiwKICAiZXJyb3JDb21wb25lbnQiIDogIkEiLAogICJlcnJvckRlc2NyaXB0aW9uIiA6ICJEYXRhIGVsZW1lbnQgbm90IGluIHRoZSByZXF1aXJlZCBmb3JtYXQgb3IgdmFsdWUgaXMgaW52YWxpZCBhcyBkZWZpbmVkIGluIFRhYmxlIEEuMS4iLAogICJlcnJvckRldGFpbCIgOiAidGhyZWVEU1Nlc3Npb25EYXRhIiwKICAiZXJyb3JNZXNzYWdlVHlwZSIgOiAiQ1JlcSIKfQ

Not worried about security as posting via testMode

Answer 1

I managed to fix this by stripping the parentheses "{}" from the vpsTxId before returning the form.

For completeness the code I ended up using for the return form was:

 <!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>Redirecting...</title>
</head>
<body onload="document.forms[0].submit();">
    <form action="' . $responseMessage->getRedirectUrl() . '" method="' . $responseMessage->getRedirectMethod() . '">
        <p>Redirecting to payment page...</p>
        <p>
            <input type="hidden" name="creq" value="' . $data['creq'] . '" />
<input type="hidden" name="threeDSSessionData" value="' . str_replace(array("{", "}"), "", $data['threeDSSessionData']) . '" />

            <input type="submit" value="Continue" />
        </p>
    </form>
</body>
</html>

The really important line here is: str_replace(array("{", "}"), "", $data['threeDSSessionData'])

I really hope this helps somebody else out!

Answer 2

We have been experiencing this exact same issue (but using our own direct integration pi method). We have had this error occurring on and off for a few weeks with seemingly random customer payments, one would work, and one would fail. We determined that it was to do with specific card issuers and the type of value that we were sending via the threeDSSessionData form value.

Our solution to this error was to base64 encode the threeDSSessionData value and then decode the base64 value upon return from the ACS.

Answer 3

This error seems to be the result of using the VPSTxId as your threeDSSessionData value. I had the same issue but was able to resolve it by changing my threeDSSessionData to use a local transaction ID from my database instead of SagePay's one.

Another thing I noted was that while using the VPSTxId as the threeDSSessionData , the 3DS challenge simulator wasn't actually being displayed during the 3DS flow. As soon as I switched to using my own transaction ID it kicked back in.

Answer 4

To expand on the accepted answer, I do believe this is to do with parenthesis in general. So, you may be trying to provide the VPSTsId as in the case of the OP, or like me you might be trying to provide a JSON object, which again includes parentesis .