Bug V10 Adyen Magento 2 Card BIN Missing Issue And Fix For Fraud Payloads
Hey everyone! We've got an important issue to discuss today that affects those of you using the Adyen Magento 2 plugin, specifically version 10.4.0 and below. It turns out there's a bug where card BIN and other crucial card attributes are missing, which can seriously mess up your fraud prevention efforts. This article dives deep into the issue, explains why it's happening, and provides a fix to get you back on track.
Description of the Card BIN Missing Issue
So, what's the deal? After upgrading to version 10.4.0 of the Adyen Magento 2 plugin, some key card details, like the card BIN, expiry date, and issuer country, are no longer included in the additional_information section of the payment data. This is a big problem because many fraud detection systems, such as Riskified and Signifyd, rely on this information to build their payment_details payload and accurately assess the risk associated with a transaction. Without these attributes, your fraud protection can be significantly weakened, leaving you vulnerable to fraudulent activities.
When we talk about card BIN (Bank Identification Number), we're referring to the first few digits of a credit or debit card number. This number is crucial because it identifies the issuing bank and provides valuable information about the card's origin. Fraud prevention systems use this data to verify the card's authenticity and flag potentially risky transactions. If the card BIN is missing, it's like trying to solve a puzzle with a crucial piece missing – you won't get the complete picture.
The absence of these card details means that the fraud detection systems receive incomplete data, leading to less accurate risk assessments. This can result in a higher number of false positives, where legitimate transactions are flagged as fraudulent, or, even worse, a higher number of false negatives, where fraudulent transactions slip through the cracks. Both scenarios can be detrimental to your business, either by causing customer frustration or by incurring financial losses due to fraud.
Steps to Reproduce the Missing Card Attributes Bug
Okay, so how can you see this issue in action? Here’s a step-by-step guide to reproduce the bug and confirm if you’re affected:
- Install or Upgrade: First, you need to have the Adyen Magento 2 plugin installed or upgraded to version 10.4.0 (or a version below). This is the version where the bug was introduced, so it's crucial to be on this version to experience the issue.
- Enable Adyen Credit Card: Make sure you have Adyen Credit Card (Checkout API) enabled in your Magento 2 store. This is the payment method that's affected by the bug.
- 3DS Settings: It doesn't matter whether 3D Secure (3DS) is turned on or off; the bug will reproduce in both scenarios. So, you can leave your 3DS settings as they are.
- Place a Test Order: Use a test card (like a Mastercard) to place an order on your store. This will simulate a real transaction and allow you to inspect the payment data.
- Inspect Payment Information: This is the crucial step. Go to your Magento admin panel and find the sales order you just placed. Look at the sales_order_payment.additional_information section or the fraud payload constructed after the order placement/notification.
- Observe Missing Fields: If you're experiencing the bug, you'll notice that the BIN, expiry date, and issuer fields are missing from the additional_information. This confirms that the bug is affecting your store.
By following these steps, you can quickly verify if your Adyen Magento 2 setup is affected by this bug. If you do find that these card attributes are missing, don't worry; we have a solution for you, which we'll discuss in the next section.
Actual Behavior: Missing Card Details
In practical terms, what does this bug look like? When a customer makes a purchase, the additionalData in the authorization/notification no longer contains the vital cardBin, expiryDate, and issuerCountry information. This is a departure from the expected behavior, where these details would typically be present and available for use by fraud prevention systems.
Here’s an example of what the additional_information might look like when the bug is present:

    {
        "guestEmail": "xxx@xxx.com",
        "method_title": "Credit or Debit Card",
        "3dActive": false,
        "pspReference": "xxx",
        "adyen_avs_result": "1 Address matches, postal code doesn't",
        "adyen_cvc_result": "1 Matches",
        "adyen_refusal_reason_raw": "xxx",
        "adyen_acquirer_reference": "xxx",
        "adyen_auth_code": "xxx",
        "payment_method": "visa"
    }

Notice how key attributes like cardBin, expiryDate, and issuerCountry are conspicuously absent. This absence directly impacts the fraud payload sent to services like Riskified and Signifyd, which rely on these attributes to accurately assess the risk associated with a transaction. Without this information, the fraud systems are essentially operating with blind spots, making it harder to detect and prevent fraudulent activities.
As a result, the fraud payload sent to services like Riskified and Signifyd is missing crucial attributes like credit_card_bin and other related card details. This incomplete data can lead to inaccurate fraud assessments, potentially resulting in both false positives (legitimate transactions being flagged as fraudulent) and false negatives (fraudulent transactions slipping through unnoticed).
Expected Behavior: Stable Card Metadata
Ideally, the Adyen Magento 2 plugin should consistently provide a stable BIN field and other essential card metadata. This ensures that merchants can seamlessly forward this information to their fraud prevention services, maintaining a robust defense against fraudulent transactions. The plugin should act as a reliable bridge, passing on the necessary data to keep your store and customers secure.
The expected behavior is that the additionalData in the authorization/notification should always include the cardBin, expiryDate, and issuerCountry information. This ensures that merchants have access to the data they need to effectively combat fraud. Fraud prevention systems rely on this data to make informed decisions, and the plugin should facilitate this process by consistently providing these key attributes.
By exposing a stable BIN field and basic card metadata, the plugin allows merchants to leverage the full capabilities of their fraud prevention tools. This leads to more accurate risk assessments, reduced instances of both false positives and false negatives, and ultimately, a safer and more secure shopping experience for customers. It's about maintaining a consistent and reliable flow of information, ensuring that all the pieces of the puzzle are available for analysis.
Code Fix: Restoring Card Details
Now, let's get to the solution! The good news is that there's a straightforward fix for this issue. It involves reintroducing a code snippet that was present in earlier versions of the plugin but seems to have been removed in version 10.4.0. This code snippet is responsible for capturing the cardBin, expiryDate, and issuerCountry from the Adyen response and storing them in the payment's additional_information.
Here's the code snippet that needs to be added back into the vendor/adyen/module-payment/Helper/Webhook.php file:

    // Persist card metadata from the webhook's additionalData so fraud payloads can read it.
    if (isset($additionalData['cardBin'])) {
        $payment->setAdditionalInformation('adyen_card_bin', $additionalData['cardBin']);
    }
    if (isset($additionalData['expiryDate'])) {
        $payment->setAdditionalInformation('adyen_expiry_date', $additionalData['expiryDate']);
    }
    if (isset($additionalData['issuerCountry'])) {
        $payment->setAdditionalInformation('adyen_issuer_country', $additionalData['issuerCountry']);
    }

This code snippet checks for the presence of cardBin, expiryDate, and issuerCountry in the $additionalData array and, if found, stores them in the payment's additional_information using the setAdditionalInformation() method. This ensures that these vital card details are available for use by fraud prevention systems.
To apply this fix, you'll need to manually add this code snippet back into the Webhook.php file. Here's how you can do it:
- Locate the File: Open the vendor/adyen/module-payment/Helper/Webhook.php file in your Magento 2 installation.
- Insert the Code: Find the appropriate place to insert the code snippet. A good spot is typically after the if (isset($additionalData['authCode'])) block. This keeps the code organized and ensures it's executed in the correct context.
- Save the File: Save the changes to the Webhook.php file.
- Clear Cache: Clear your Magento 2 cache to ensure the changes take effect. You can do this through the Magento admin panel or using the command line.
Once you've added this code back in, the plugin should once again expose the cardBin, expiryDate, and issuerCountry information, allowing your fraud prevention systems to function correctly. This simple fix can make a significant difference in your ability to detect and prevent fraudulent transactions.
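To confirm the fix on new orders and to find orders stored while the fields were missing, the check below audits additional_information values for the three keys the restored snippet writes. It is an added example, not code from the Adyen plugin or from this article; the function name, the constructed sample rows and the 6-or-8-digit BIN rule are assumptions.

```php
<?php
declare(strict_types=1);

// Keys written by the restored Webhook.php snippet shown above.
const CARD_KEYS = ['adyen_card_bin', 'adyen_expiry_date', 'adyen_issuer_country'];

/**
 * Return the problems found in one additional_information JSON string.
 * An empty array means all three card attributes are present and plausible.
 * (Hypothetical helper, not part of the plugin.)
 */
function auditAdditionalInformation(string $json): array
{
    $info = json_decode($json, true);
    if (!is_array($info)) {
        return ['additional_information is not valid JSON'];
    }
    $problems = [];
    foreach (CARD_KEYS as $key) {
        $value = $info[$key] ?? null;
        if (!is_scalar($value) || trim((string) $value) === '') {
            $problems[] = "missing $key";
        } elseif ($key === 'adyen_card_bin'
            && !preg_match('/^\d{6}(\d{2})?\z/', (string) $value)) {
            // Assumption: a BIN is 6 or 8 digits; flag anything else.
            $problems[] = 'adyen_card_bin is not 6 or 8 digits';
        }
    }
    return $problems;
}

// Constructed sample rows: order increment id => additional_information JSON.
$rows = [
    '000000101' => '{"pspReference":"xxx","adyen_auth_code":"xxx","payment_method":"visa"}',
    '000000102' => '{"pspReference":"xxx","adyen_card_bin":"411111",'
        . '"adyen_expiry_date":"03/2030","adyen_issuer_country":"NL"}',
    '000000103' => '{"pspReference":"xxx","adyen_card_bin":"4111",'
        . '"adyen_expiry_date":"03/2030","adyen_issuer_country":"NL"}',
];

foreach ($rows as $orderId => $json) {
    $problems = auditAdditionalInformation($json);
    echo $orderId, ': ', $problems ? implode('; ', $problems) : 'ok', PHP_EOL;
}
```

Run it against the additional_information values of orders placed since the upgrade; orders reported with a missing key are the ones whose fraud payload lacked that attribute.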
Patch File for the Card BIN Issue
For those who prefer a more automated approach, a patch file is available that can apply the fix with a single command. This is often the easiest and most reliable way to implement the solution, especially if you're comfortable using the command line.
The provided adyen-card-bin-additional-data-fix.patch file contains the necessary changes to restore the missing code snippet. To apply the patch, you'll need to use a patch utility, which is commonly available on most Linux systems. Here's how to use the patch file:
- Download the Patch: Download the adyen-card-bin-additional-data-fix.patch file to your Magento 2 root directory.
- Apply the Patch: Open your terminal, navigate to your Magento 2 root directory, and run the following command:

      patch -p1 < adyen-card-bin-additional-data-fix.patch

  This command tells the patch utility to apply the changes in the patch file to your Magento 2 codebase. The -p1 option strips the first leading directory component from each file path in the patch, so the remaining paths resolve relative to the directory where you run the command.
- Verify the Patch: After running the command, you should see output indicating that the patch was applied successfully. If there are any errors, carefully review the output and ensure that the patch file is in the correct location and that you have the necessary permissions to modify the files.
- Clear Cache: As with the manual fix, you'll need to clear your Magento 2 cache after applying the patch. This ensures that the changes take effect and that Magento is using the updated code.
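Using a patch file is a convenient way to apply code changes, especially when dealing with specific issues like this. It ensures that the correct changes are made in the right places, reducing the risk of errors. If you're comfortable with the command line, this is the recommended approach for fixing the card BIN issue. Both the manual edit and the patch modify a file under vendor/, which Composer can overwrite when the package is reinstalled or updated, so check that the change is still in place after dependency updates.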
Affected Versions and Environment Details
To give you a clear picture of the scope of this issue, let's outline the specific versions and environments that are known to be affected:
- Adyen Magento Plugin Version: The bug is present in version 10.4.0 of the Adyen Magento 2 plugin. If you've upgraded to this version, you're likely experiencing the issue. Versions below 10.4.0 might not have this problem, but it's always a good idea to verify.
- Magento Version: The issue has been confirmed on Magento version 2.4.8-p2. However, it's possible that other versions of Magento 2 are also affected. If you're using a different version of Magento 2 and experiencing similar issues, it's worth investigating further.
- Operating System: The operating system doesn't seem to be a factor in this bug. It has been observed on Linux systems, but it's likely that other operating systems, such as Windows and macOS, are also affected.
- Browser: Similarly, the browser used to place the order doesn't impact the bug. The issue is related to the server-side code of the Adyen Magento 2 plugin, so it's independent of the browser.
Knowing these details helps you quickly assess whether you're affected and take the necessary steps to implement the fix. If you're using the specified Adyen Magento plugin version and Magento version, it's highly recommended to apply the patch or manually add the code snippet to restore the missing card details.
Conclusion on the Card BIN Issue
Okay, guys, let's wrap things up! We've covered a pretty critical bug in the Adyen Magento 2 plugin that can impact your fraud prevention efforts. The missing card BIN and other card attributes can leave your store vulnerable to fraudulent transactions, so it's essential to address this issue promptly.
To recap, the bug affects version 10.4.0 of the Adyen Magento 2 plugin and results in the cardBin, expiryDate, and issuerCountry information not being included in the payment's additional_information. This missing data can disrupt the functionality of fraud detection systems like Riskified and Signifyd, leading to inaccurate risk assessments.
Fortunately, the fix is relatively straightforward. You can either manually add the provided code snippet back into the vendor/adyen/module-payment/Helper/Webhook.php file or use the adyen-card-bin-additional-data-fix.patch file to apply the changes automatically.
By implementing this fix, you'll ensure that your fraud prevention systems have access to the necessary card details, allowing them to accurately assess the risk associated with each transaction. This will help you protect your store and customers from fraudulent activities.
If you're using the affected versions of the Adyen Magento 2 plugin and Magento, we strongly recommend applying the fix as soon as possible. Don't let this bug compromise your store's security! Take action today and ensure that your fraud prevention systems are functioning optimally.
If you have any questions or run into any issues while applying the fix, don't hesitate to reach out to the Adyen support team or the Magento community for assistance. We're all in this together, and we can help each other stay secure.
Thanks for tuning in, and stay safe out there!