Upcoming Changes to Payer Authentication Hybrid JavaScript Method.
Details for the Changes to the Payer Authentication Hybrid Implementation
KA-07986
06/02/2025 15:55 PM
1.3
We want to inform you of upcoming changes to our services. To better serve our clients and enhance security, the underlying 3DS Server will be migrating to the Visa Data Centers.
If you are currently using the Hybrid Connection for Payer Authentication transactions, it is recommended to upgrade to the Direct API connection to benefit from the new capabilities and technology available with it. Further information is detailed below in Alternative Options.
Summary
In a change scheduled to be introduced after July 30th, merchants using the Payer Authentication Hybrid integration with the Songbird JavaScript to invoke Device Data Collection and Step-up Authentication challenges will need to update the Endpoint URLs.
In addition to the URL update, there is also a security enhancement to help merchants adhere to the latest PCI DSS update v4, which introduced requirement 6.4.3 related to page scripts.
The standard sets comprehensive requirements aimed at helping to ensure the security of cardholder data, including Subresource Integrity (SRI) to help ensure external resources loaded by web apps are secure.
Technical Changes
With the adoption of SRI in the Songbird JavaScript Library, we are changing our deployment process from a single install to a quarterly install to help ensure integrators are using the latest versioned URL. In each release, Cardinal will provide full semantic versioning in a new URL path, and a hash value.
Example Script update:
<script src="songbirdUrl" integrity="Integrity hash" crossorigin="anonymous"></script>
To help ensure a smooth transition to the new Songbird JavaScript, you will need to do the following:
- Update your application(s) and web front-end: As outlined, you will need to update your script tag and reference the integrity hash generated by Cardinal to help ensure you can reach the latest version of Songbird. We encourage you to work with our Implementation and Support teams directly so that we can verify the changes directly with you through this process.
- Test your changes: You will be able to test your solution in the Staging/Test environment with Acceptance Solutions prior to rolling the change out to the LIVE/Production environment.
Alternative Option:
As an alternative solution to our Songbird JavaScript updates, you can migrate away from a JavaScript/Songbird dependency and move to our Direct API solution.
The Direct API solution benefits include:
- Greater control of the checkout flow and timing of events.
- No ongoing JavaScript updates to support in concert with API changes/management.
- Access to EMV 3DS features and capabilities.
- Leverage Visa Payment Passkey service for biometric authentication.
Please refer to the latest Cybersource Payer Authentication Developer Guide for detailed instructions to update to the Direct API integration. You can find the guide at Cybersource Payer Authentication Developer Guide.
FREQUENTLY ASKED QUESTIONS
What is SRI?
Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.
What is a Hash?
A hash is a fixed-size numerical or alphanumeric value computed from an input. In the context of SRI, the input is the content of the file being fetched. The hash is unique to the content of the file - even a small change in the file will produce a different hash.
How to Implement SRI?
To implement SRI in the Songbird library, you need to include the cryptographic hash in the script tag that is loading the library. The hash should be a base64-encoded cryptographic hash of the exact resource being fetched.
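The check the browser performs on the integrity value can be reproduced offline, for example to confirm before deployment that a hash matches the exact file being referenced. This is an added example for Node.js, not Cardinal's or Cybersource's code; the function names and the sample script bytes are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// Hash algorithms SRI accepts, ordered weakest to strongest.
const ALGORITHMS = ['sha256', 'sha384', 'sha512'];

// Build an integrity value: "<algorithm>-<base64 digest of the exact bytes>".
function computeIntegrity(content, algorithm = 'sha384') {
  if (!ALGORITHMS.includes(algorithm)) {
    throw new Error('unsupported SRI algorithm: ' + algorithm);
  }
  return algorithm + '-' + createHash(algorithm).update(content).digest('base64');
}

// Split an integrity attribute into entries; unrecognised tokens are skipped.
function parseIntegrity(attribute) {
  const entries = [];
  for (const token of attribute.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/=]+)(\?.*)?$/i.exec(token);
    if (m) entries.push({ algorithm: m[1].toLowerCase(), digest: m[2] });
  }
  return entries;
}

// Returns true/false for a match, or null when the attribute holds nothing
// enforceable (the browser would then load the file unchecked).
function matchesIntegrity(content, attribute) {
  const entries = parseIntegrity(attribute);
  if (entries.length === 0) return null;
  // Only the strongest algorithm present is checked.
  const rank = (e) => ALGORITHMS.indexOf(e.algorithm);
  const strongest = entries.reduce((a, b) => (rank(b) > rank(a) ? b : a)).algorithm;
  const actual = computeIntegrity(content, strongest);
  return entries.some((e) => e.algorithm === strongest && actual === strongest + '-' + e.digest);
}

// Constructed sample bytes, not the real Songbird library or its published hash.
const sampleScript = Buffer.from('console.log("songbird placeholder");\n');
const published = computeIntegrity(sampleScript);
const tampered = Buffer.from('console.log("songbird placeholder");//x\n');

console.log(published);
console.log(matchesIntegrity(sampleScript, published));
console.log(matchesIntegrity(tampered, published));
```

The digest covers the file byte for byte, so a re-minified or re-encoded copy of the same library produces a different value.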
What happens when wrong SRI is passed?
If a wrong SRI hash is passed, this will cause the browser to block the resource, suggesting file tampering.
What happens when no SRI is passed?
If no SRI hash is passed, the browser will load the resource as usual. However, it will not be able to verify the integrity of the file, and this could potentially lead to security risks.
What happens when an incorrect SRI is passed?
If an incorrect SRI hash is passed, the browser blocks the resource from loading. This is because the hash of the fetched resource will not match the hash provided in the ‘integrity’ attribute.
What is the impact of not loading the Songbird resource?
If you prevent the Songbird resource from loading, this can affect the ability to process the Device Data Collection and Step-Up flows. This can possibly lead to Unauthenticated transactions and affect the liability shift provided by Payer Authentication.
Can I add code to my page load to detect a failure? If so, how?
Yes, a page can be configured to listen for the ‘error’ event on the script tag to detect if the script fails to load because of a hash mismatch.
Example:
var script = document.querySelector('script[src="https://example.com/symphone.js"]');
if (script) {
  // Fires when the script fails to load, including on an integrity hash mismatch
  script.onerror = function() {
    // Handle error here
  };
}
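A fuller version of the same idea, as an added example that is not part of the original article: the script element is created in code so the handlers are in place before the browser starts the fetch. `loadSongbird`, `onReady`, `onBlocked` and `fakeDocument` are hypothetical names, and the URL and hash passed in are placeholders.

```javascript
// In a browser, pass the real `document` as `doc`.
function loadSongbird(doc, { src, integrity }, onReady, onBlocked) {
  const script = doc.createElement('script');
  // Attach handlers before insertion so a failure that fires quickly
  // (cached response, immediate mismatch) is not missed.
  script.onload = () => onReady(script);
  script.onerror = () => {
    // The error event carries no reason: a hash mismatch, a blocked request
    // and a network failure all arrive here, so record what was attempted.
    script.remove();
    onBlocked({ src, integrity, at: new Date().toISOString() });
  };
  script.src = src;
  script.integrity = integrity;
  script.crossOrigin = 'anonymous'; // same attribute as in the script tag example
  doc.head.appendChild(script);
  return script;
}

// Constructed stand-in for `document` so the flow can be run under Node;
// `outcome` is 'load' or 'error' and fires as soon as the element is appended.
function fakeDocument(outcome) {
  const head = {
    children: [],
    appendChild(el) {
      this.children.push(el);
      el.remove = () => { this.children = this.children.filter((c) => c !== el); };
      if (outcome === 'error') el.onerror(); else el.onload();
    },
  };
  return { head, createElement: () => ({}) };
}

// Simulate a blocked load and return what the page would report.
function demoBlockedLoad() {
  let report = null;
  loadSongbird(fakeDocument('error'),
    { src: 'https://example.com/songbird.js', integrity: 'sha384-PLACEHOLDER' },
    () => {}, (info) => { report = info; });
  return report;
}
```

Because a blocked Songbird load affects Device Data Collection and Step-Up flows, the `onBlocked` callback is the place to log the event and alert whoever maintains the script tag.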
Can I implement SRI prior to this date?
If you need to utilize SRI prior to the migration date, please ask the support team to migrate your key early so you can start using the new endpoint before the migration date.
Further Reading:
https://www.visaacceptance.com/en-us/blog/article/2024/prepare-for-pci-dss-security-standard-updates.html