At Cardinal, we’re always making sure you don’t get surprised by outside updates that can impact your authentication flow. Read on to see what you can do to avoid these errors.
Apple has decided to replace one type of web control with another. Merchants can switch to the new control or change to a mobile SDK to ensure applications continue to work as expected. Apple will no longer allow applications on the App Store that include the UIWebview control. More details on timelines and potential solutions can be found below.
What changed and how was I affected?
Apple is no longer accepting new mobile applications that embed web content in a UIWebView control as of April, 2020. This control will be accepted in updates to existing applications until December, 2020.
Developers often use a UIWebView control when displaying HTML content in an iOS application. For example, when a customer adds items to their cart and begins the checkout process, this control may be used to provide a consistent checkout process between web and mobile applications. If this control is being used, it is important to note that it will not be accepted in new versions of the application by the App Store after December, 2020.
What can be done to remedy the situation?
For your mobile application to be accepted by Apple, you will need to replace any UIWebViews with WKWebViews.
Option 1: Use the Cardinal Mobile SDK (CMSDK) for EMV® 3-D Secure (EMV 3DS) authentication
The Cardinal Mobile SDK is simple to integrate and is API-driven, so there would be no need for a web view to complete authentication. For EMV 3DS, using an SDK is the required method for authenticating a Card Not Present (CNP) transaction within a mobile application.
Option 2: Use WKWebView for 3-D Secure (3DS) 1.0 authentication
Since the web view is visible to the consumer, a WKWebView can be used. However, it is important to note that many regions and/or card networks strongly recommend EMV 3DS over 3DS 1.0. For more information on the payment networks’ transitions to EMV 3DS, see this listing of important dates.
Option 3: Discontinue use of Quick Authentication in mobile applications
Quick Authentication allows the application to send a Bank Identification Number (BIN) to Cardinal Centinel for use by the ACS in running additional risk analysis. The BIN is combined with data collected by the Method URL or the CMSDK to enable risk scoring. This functionality was meant to allow scoring similar to EMV 3DS, but in a 3DS 1.0 environment.
Because Quick Authentication relies on a hidden web view to collect data from the mobile device, WKWebView will not be useful for this purpose. The Cardinal Mobile SDK will no longer support Quick Authentication as of 12/31/2020, though it will continue to be supported for web browser transactions.
The recommended replacement is to run an EMV 3DS transaction where possible in a mobile application, or a 3DS 1.0 transaction where that is not possible.
As we discussed, recent changes in Apple’s App Store policies may affect you. We have outlined a few possible solutions based on the most common situations. If you have any questions, let’s talk. We’re here to help.
Visit https://www.cardinalcommerce.com/about/contact or call +1.440.352.8444
You can also reference the sites below for more info on updates and what you need to know.
Announcement on apple.com - Updating Apps that Use Web Views - News
We’d like to thank our guest contributor, Brian Brotherton, for this blog packed full of useful information. Brian is a Sr. Technical Product Manager at Cardinal and a former developer turned huge supporter of all agile and lean methodologies. His spare time is spent with his wife, small boys, and making full use of our local parks for hiking and outdoor activities. Sidebar: Brian’s interest in technology started by watching science fiction! Stay tuned for more technical blogs in the near future!
All brand names, logos and/or trademarks are the property of their respective owners, are used for identification purposes only, and do not necessarily imply product endorsement or affiliation with Visa.
EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC
EMV 3DS can help manage PSD2 SCA’s exemptions. See if they’ll work for you.
At Cardinal, our 2020 resolution is all about building our existing capabilities and expanding our reach in the latest protocols. See what we've got planned for 2020.
Learn how authentication affects Card-not-Present authorization rates and key statistics on fraud in the clothing and footwear industry.
Authentication is core to payment processing in Europe, so if your digital transactions are not authenticated, you will be expected to implement a solution before your business is impacted.
You'll be the first to hear about new products, features, and company updates.