During the incident window, impacted customers attempting to check out using 3D Secure on web browsers and iOS devices may have experienced errors that prevented them from completing the verification process. On iOS devices, errors in the BTThreeDSecureRequest.m file may have caused apps to perform an exit system call. Customers on web browsers may have experienced Access Denied errors in the 3DS iframe pop-up.
A 3D Secure deploy on 18 June 2019 increased the size of the lookup payload when additional fields were included. To initiate the 3D Secure process using the iOS SDK, the iOS client sends a URL parameter and the lookup payload is included in this URL parameter. By including additional data, the length of the URL was increased. At some point in the authentication cycle, the newly-lengthened URL was being truncated and as a result, the information in the authentication response was incomplete and unable to be parsed accurately. This led to exception errors that customers experienced when checking out. For the JS web SDK, additional information included in URL changed how this was presented to our CDN provider, which flagged the malformed requests and led our CDN provider to halt requests to the callback URL with an “Access Denied” error.