How does the Chrome SameSite Cookie policy affect my integration?

Beginning in mid-March this year, we saw an increase in issues that left merchants with unusually high levels of incomplete 3DS orders. After further investigation, we found that the 3DS drop-offs were caused by the new Chrome SameSite Cookie policy, which Google released on the 4th of February 2020 with the launch of Chrome 80. On the 9th of March, it was enabled for a larger pool of users.

With the progressive roll-out of the Chrome SameSite Cookie policy, our merchants only started seeing an increase in 3DS drop-offs from the second week of March. On Adyen's end, the only cookies that we use are tracking cookies, and a session cookie called JSESSIONID. Based on our tests, we've determined that those cookies will not interfere with your payment flows.

Chrome SameSite Cookie policy roll-back

Due to the unforeseen COVID-19 situation worldwide, Google has decided to roll back the Chrome SameSite Cookie policy as of 3rd April 2020 because of issues surrounding website stability during these times. For now, this means that the Chrome SameSite Cookie policy will not be in effect. You can find the full press release here.

Regardless, Google has made it clear that they will still pursue the global rollout of the Chrome SameSite cookie policy over summer, so we strongly recommend that our merchants take this time to prepare for the upcoming changes.

About Chrome's SameSite Cookie Policy

For users running Chrome 80 and higher, Chrome is enforcing a secure-by-default cookie classification system, treating cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies set as SameSite=None; Secure will be available in third-party contexts, provided they are being accessed from secure connections. Do note that the SameSite field is not yet widely supported in older browsers, or in Safari and Firefox.

A more comprehensive explanation of this policy by Rowan Merewood, Developer Advocate for Chrome at Google, can be found here.
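The classification described above can be checked against your own Set-Cookie headers. The following is an added example, not code from Adyen or Chrome; the cookie names and values are constructed samples, and the function names are hypothetical.

```javascript
// Added example: classify Set-Cookie headers under Chrome 80's SameSite rules.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

function classify(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === "none") {
    // SameSite=None is only honoured together with Secure; without it
    // Chrome rejects the cookie.
    return c.secure
      ? { name: c.name, effective: "None", thirdParty: true }
      : { name: c.name, effective: "rejected", thirdParty: false };
  }
  if (c.sameSite === "strict") return { name: c.name, effective: "Strict", thirdParty: false };
  // Declared Lax, or no recognised SameSite value: treated as Lax.
  return { name: c.name, effective: "Lax", thirdParty: false };
}

// Cookies that will NOT be available in third-party contexts.
function audit(headers) {
  return headers
    .map(classify)
    .filter((r) => !r.thirdParty)
    .map((r) => `${r.name} (${r.effective})`);
}

// Constructed sample headers (hypothetical merchant cookies).
const SAMPLE = [
  "merchant_session=abc123; Path=/; HttpOnly",
  "cart_id=42; Path=/; SameSite=None",
  "checkout_state=xyz; Path=/; Secure; HttpOnly; SameSite=None",
  "prefs=dark; SameSite=Strict; Secure",
];

console.log(audit(SAMPLE));
```

Any cookie your payment return page depends on that shows up in the audit output needs its attributes changed before the policy is enforced again.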

How to fix (or prepare for) it?

A comprehensive resource with sequence diagrams can be found here. Do note that your cookies must be set with the correct fields so that the warnings/errors do not appear.

If you are looking for guides on how to modify your cookies based on your current stack, take a look at this link, which has examples of how to properly configure the cookies for the stack that you are working with.

If you want to test it out and are unable to see the warnings, you have to enable the experimental flags, which can be found on chrome://flags: set all the flags named "SameSite" to "Enabled" in order to fully test the flow and see whether your solution is working.
