
Payment Gateway Failed Transactions

block
ipadress
payment
gateway
trueclientip

#1

Customer asks

We have just gone live with section.io and we have noticed that we are getting a lot of failed transactions in our eway portal, which is our payments gateway. The frequency of this has greatly increased since we went live. Can you help?

This is typically caused by an incorrectly configured payment gateway. Most payment gateways by default detect the connecting IP address of the downstream browser and use that IP address to assess whether it is fraudulent.

Once you have set up section.io or any other CDN service to sit in front of the payment gateway, the connecting IP address will always be from section.io. This may trigger some logic within the fraud detection, with the most common trap being rate limiting. As all your customers are now served over the section.io network, it will appear to the payment gateway that only a small number of section.io IP addresses are making lots of transaction requests, and it may choose to block some of these requests.

To solve this issue you will need to configure the payment gateway to look at the user’s IP address, not section.io’s IP address. To facilitate this, section.io sends the IP address of the user with every request that goes to the origin in the form of a custom header True-Client-IP. For example:

    True-Client-IP: 203.104.2.25

The payment gateway service should be able to be configured to examine this True-Client-IP header instead of client IP. section.io will also send an x-forwarded-for header containing any intermediate IP addresses to the origin. For example:

    x-forwarded-for: 203.104.2.25, 102.43.55.100, 63.45.198.252

You will notice that the leftmost value of this is the same value as True-Client-IP.


#2

We have also had reports of customer payment gateways rejecting multiple IP addresses in the x-forwarded-for header.

This usually occurs due to multiple proxies in the chain, or if the connecting user has intermediate proxies in between them and section.io. Each proxy may add an extra IP address to the x-forwarded-for header. This behaviour is well established in the industry and is expected. But some payment gateways are not set up to accept multiple IP values in this header.

There are a few solutions to this problem.

  1. True-Client-IP header - section.io always sends through the connecting IP of the downstream user to the upstream origin web application in the form of a request header True-Client-IP. You can configure the payment gateway to examine that header instead of x-forwarded-for.

  2. Override x-forwarded-for header - You can override the header in Varnish and replace it with the single IP value of the True-Client-IP header.

    set req.http.X-Forwarded-For = req.http.True-Client-IP;
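
As an added example (not part of the original posts and not section.io's code): origin-side logic that keys fraud checks on True-Client-IP only when the connecting peer is a known proxy address, run over a constructed sample to show how keying on the peer address piles every shopper into a few rate-limit buckets. The `TRUSTED_PROXIES` range, the function names and the sample requests are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: placeholder proxy egress range (RFC 5737 documentation space),
# not section.io's real addresses.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]


def _valid_ip(value):
    """Return a normalised IP string, or None if value is not an IP."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def client_ip(peer_ip, headers):
    """Pick the address to use for fraud checks and rate limiting.

    True-Client-IP is honoured only when the TCP peer is a trusted proxy;
    a client connecting directly could otherwise set the header itself.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return str(peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    # A missing or malformed header falls back to the peer address.
    return _valid_ip(lowered.get("true-client-ip", "")) or str(peer)


def busiest_key(requests, key_fn):
    """Return (key, count) for the busiest rate-limit bucket."""
    return Counter(key_fn(r) for r in requests).most_common(1)[0]


# Constructed sample: six shoppers arriving through two proxy addresses,
# plus one direct connection that sets True-Client-IP itself.
SAMPLE = [("192.0.2.10" if i % 2 else "192.0.2.11",
           {"True-Client-IP": f"203.0.113.{i}"}) for i in range(1, 7)]
SAMPLE.append(("198.51.100.7", {"True-Client-IP": "203.0.113.1"}))

if __name__ == "__main__":
    print("keyed on peer:  ", busiest_key(SAMPLE, lambda r: r[0]))
    print("keyed on client:", busiest_key(SAMPLE, lambda r: client_ip(*r)))
```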