3

I'm using thephpleague/omnipay-sagepay https://github.com/thephpleague/omnipay-sagepay

After receiving response from the 3DS Notification, I am running the following code:

$gateway = $this->fetchGateway(); 
$completeRequest = $gateway->completeAuthorize([
  'transactionId' => $payment->transaction_id
]); 
$completeResponse = $completeRequest->send(); 
print "<pre>"; 
print_r($completeResponse);

and receiving the following message:

[data:protected] => Array ( 
[VPSProtocol] => 3.00 
[Status] => ERROR 
[StatusDetail] => 3377 : The ACS has provided an Erro message. CReq validation failure. )

I've tried also including a CRes and CReq in the $gateway->completeAuthorize() function with no luck.

Anyone have any clue on this?

The protocol 4 documentation states:

"This POST needs to contain the VPSTxId (or MD) and CRes (or PARes)."

But as above, it doesn't seem to work and returns a CReq validation error.

Not sure if this could be relevant? https://dijitul.uk/payment-gateway-3d-secure-timing-out-huge-issue/#comment-121740

I read somewhere that the {} around the threeDSSessionData could be causing a problem but removing them has no effect.

Bit worried that the deadline for this is the 14th March :(

edit:

I have also tried this with the same response:

$gateway = $this->fetchGateway();
$completeRequest = $gateway->completeAuthorize([
  'VPSTxId' => str_replace("{", "", str_replace("}", "", $payment->vpsTxId)),
  'CRes' => $cres,
  'CreateToken' => '1',
]);
$completeResponse = $completeRequest->send();

$payment->vpsTxId that's sent equals: 923DD024-8E55-A543-AA6F-4E76AECB67D8

$cres equals ewogICJtZXNzYWdlVHlwZSIgOiAiRXJybyIsCiAgIm1lc3NhZ2VWZXJzaW9uIiA6ICIyLjEuMCIsCiAgImFjc1RyYW5zSUQiIDogIjZjOGE2MzQyLTI2OTUtNDAzMi04NDVkLTBmZGU2MDBiYmFhMyIsCiAgImVycm9yQ29kZSIgOiAiMjAzIiwKICAiZXJyb3JDb21wb25lbnQiIDogIkEiLAogICJlcnJvckRlc2NyaXB0aW9uIiA6ICJEYXRhIGVsZW1lbnQgbm90IGluIHRoZSByZXF1aXJlZCBmb3JtYXQgb3IgdmFsdWUgaXMgaW52YWxpZCBhcyBkZWZpbmVkIGluIFRhYmxlIEEuMS4iLAogICJlcnJvckRldGFpbCIgOiAidGhyZWVEU1Nlc3Npb25EYXRhIiwKICAiZXJyb3JNZXNzYWdlVHlwZSIgOiAiQ1JlcSIKfQ

Not worried about security as posting via testMode

  • Currently have the exact same issue. Interesting that the response is protocol v3, I hadn't noticed that until googling the ACS error message and finding your (very fresh) question. – Polynomial Mar 10 '22 at 19:37
  • There seem to be quite a few of us. Hopefully someone can find the solution soon! – MysticQuack Mar 11 '22 at 08:02
  • I've added an answer below. With the removal of parentheses the VPS protocol does indeed return as 4.00 – MysticQuack Mar 11 '22 at 11:35
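Added example, not part of the original question or of omnipay-sagepay: the CRes quoted in the question is base64url-encoded JSON, and decoding it shows an EMV 3DS error message (messageType Erro, errorCode 203, errorMessageType CReq, errorDetail threeDSSessionData), so the ACS had already rejected the challenge request before completeAuthorize() was called. The PHP below decodes a CRes and reports that case; the function names are hypothetical and the sample is constructed to mirror those fields.

```php
<?php
// Added example; function names are hypothetical, not omnipay-sagepay API.

/** Decode base64url (CReq/CRes are sent without '=' padding). */
function b64url_decode(string $value): ?string
{
    $b64 = strtr($value, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $raw = base64_decode($b64, true);
    return $raw === false ? null : $raw;
}

/**
 * Return null for a normal challenge response, or a one-line description
 * when the ACS sent an error message (messageType "Erro") instead.
 */
function describe_acs_error(string $cres): ?string
{
    $json = b64url_decode($cres);
    $msg = $json === null ? null : json_decode($json, true);
    if (!is_array($msg)) {
        return 'CRes is not base64url-encoded JSON';
    }
    if (($msg['messageType'] ?? '') !== 'Erro') {
        return null;
    }
    return sprintf(
        'ACS rejected %s: code %s, field "%s" (%s)',
        $msg['errorMessageType'] ?? '?',
        $msg['errorCode'] ?? '?',
        $msg['errorDetail'] ?? '?',
        $msg['errorDescription'] ?? ''
    );
}

// Constructed sample mirroring the fields of the CRes in the question.
$sample = rtrim(strtr(base64_encode(json_encode([
    'messageType'      => 'Erro',
    'messageVersion'   => '2.1.0',
    'errorCode'        => '203',
    'errorComponent'   => 'A',
    'errorDescription' => 'Data element not in the required format or value is invalid as defined in Table A.1.',
    'errorDetail'      => 'threeDSSessionData',
    'errorMessageType' => 'CReq',
])), '+/', '-_'), '=');

// Report the ACS error instead of forwarding an Erro CRes to the gateway.
echo describe_acs_error($sample) ?? 'CRes OK', PHP_EOL;
```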

4 Answers

2

I managed to fix this by stripping the parentheses "{}" from the vpsTxId before returning the form.

For completeness the code I ended up using for the return form was:

<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>Redirecting...</title>
</head>
<body onload="document.forms[0].submit();">
    <form action="' . $responseMessage->getRedirectUrl() . '" method="' . $responseMessage->getRedirectMethod() . '">
        <p>Redirecting to payment page...</p>
        <p>
            <input type="hidden" name="creq" value="' . $data['creq'] . '" />
            <input type="hidden" name="threeDSSessionData" value="' . str_replace(array("{", "}"), "", $data['threeDSSessionData']) . '" />

            <input type="submit" value="Continue" />
        </p>
    </form>
</body>
</html>

The really important line here is: str_replace(array("{", "}"), "", $data['threeDSSessionData'])

I really hope this helps somebody else out!

2

We have been experiencing this exact same issue (but using our own direct integration pi method). We have had this error occurring on and off for a few weeks with seemingly random customer payments, one would work, and one would fail. We determined that it was to do with specific card issuers and the type of value that we were sending via the threeDSSessionData form value.

Our solution to this error was to base64 encode the threeDSSessionData value and then decode the base64 value upon return from the ACS.

PJ Ninnim
1

This error seems to be the result of using the VPSTxId as your threeDSSessionData value. I had the same issue but was able to resolve it by changing my threeDSSessionData to use a local transaction ID from my database instead of SagePay's one.

Another thing I noted was that while using the VPSTxId as the threeDSSessionData, the 3DS challenge simulator wasn't actually being displayed during the 3DS flow. As soon as I switched to using my own transaction ID it kicked back in.

Polynomial
  • Interesting, thanks for your reply! Out of interest, what are you posting back to SagePay to complete the authorisation? – MysticQuack Mar 11 '22 at 08:01
  • Ah, so I now have the simulator being displayed but on confirmation I am receiving the following error "5083 : VpsTxId provided in callback does not match transaction in CRes" – MysticQuack Mar 11 '22 at 10:21
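Added example (not from the answers above or from omnipay-sagepay) combining the two fixes described in them: send a local payment id as threeDSSessionData, base64url-encoded so it carries no braces or JSON punctuation, and validate it when it comes back with the CRes. The function names, the `pay_<digits>` id format and the length cap are assumptions made for the example.

```php
<?php
// Added example; names and the "pay_<digits>" id format are hypothetical.

/** Encode a local payment id so the value contains only [A-Za-z0-9_-]. */
function encode_session_data(string $localPaymentId): string
{
    return rtrim(strtr(base64_encode($localPaymentId), '+/', '-_'), '=');
}

/**
 * Decode the threeDSSessionData returned with the CRes. It has passed through
 * the browser and the ACS, so treat it as untrusted; null means reject.
 */
function decode_session_data(string $returned): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,256}\z/', $returned)) {
        return null;
    }
    $b64 = strtr($returned, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $id = base64_decode($b64, true);
    if ($id === false || !preg_match('/\Apay_\d{1,18}\z/', $id)) {
        return null;
    }
    return $id;
}

/** Hidden inputs for the ACS redirect form, with attribute values escaped. */
function challenge_fields(string $creq, string $localPaymentId): string
{
    $fields = [
        'creq'               => $creq,
        'threeDSSessionData' => encode_session_data($localPaymentId),
    ];
    $html = '';
    foreach ($fields as $name => $value) {
        $html .= sprintf(
            "<input type=\"hidden\" name=\"%s\" value=\"%s\" />\n",
            $name,
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

// Constructed values: a local id, a placeholder CReq, and a braced VPSTxId.
echo challenge_fields('PLACEHOLDER_CREQ', 'pay_10482');
var_dump(decode_session_data(encode_session_data('pay_10482')));
var_dump(decode_session_data('{923DD024-8E55-A543-AA6F-4E76AECB67D8}'));
```

The decoded id is meant for looking up the locally stored payment; the example assumes the VPSTxId saved with that record is what goes into the completion request alongside the CRes.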
1

To expand on the accepted answer, I do believe this is to do with parentheses in general. So, you may be trying to provide the VPSTxId as in the case of the OP, or like me you might be trying to provide a JSON object, which again includes parentheses.

Jason
JDandChips