If you offer iDEAL in your app and are experiencing problems or receiving customer complaints about redirects to some of the iDEAL Issuers, make sure that you do not open the Issuer redirect URL in an in-app browser. This is not allowed: it not only breaks your iDEAL payment flow but also creates security issues. For more information, refer to the following passage from the iDEAL implementation guidelines 10.3:

  • When you as a merchant have an app in which you offer iDEAL as a payment option, specifically mind the following aspects regarding the Issuer redirect:
    1. The consumer must be able to check the URL and https “lock” icon of the Issuer webpages at all times
    2. The browser in which the redirect to the Issuer takes place, must be securely safeguarded for the Merchant (the Merchant should not be able to eavesdrop on user typing)
    3. The browser, in which the redirect to the Issuer takes place, must be able to open bank-apps (app schemes like “bank://ideal/12392”).
  • To be able to comply to the above requirements, we strongly advise you to always offer the IssuerAuthenticationURL to the operating system of the mobile device. As a result, the IssuerAuthenticationURL will be opened within the browser of choice of the user or directly in the bank-app
  • It is strictly forbidden to make use of custom made in-app browsers for the redirect to the Issuer, because by doing this the above requirements are not complied to!
  • In case you chose to make use of an in-app browser for opening the IssuerAuthenticationURL, you must make use of SafariViewController for Apple iOS and Chrome Custom Tabs for Android, so that you comply to the above requirements.
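
The following Android sketch shows one way to follow the guideline above: hand the IssuerAuthenticationURL to the operating system by default, and use Chrome Custom Tabs only when the redirect has to stay in-app. It is an added example, not code from iDEAL or from this page; the names `openIssuerRedirect`, `RedirectResult` and `keepInApp` are assumptions, and it relies on the `androidx.browser` library for Custom Tabs.

```kotlin
import android.content.ActivityNotFoundException
import android.content.Context
import android.content.Intent
import android.net.Uri
import androidx.browser.customtabs.CustomTabsIntent

// Outcome reported to the caller, so a failure is shown to the user
// instead of being "fixed" by loading the URL in the app's own WebView.
enum class RedirectResult { OPENED_BY_OS, OPENED_IN_CUSTOM_TAB, REJECTED, NO_HANDLER }

/**
 * Opens the IssuerAuthenticationURL outside the merchant app's own web content.
 * issuerAuthenticationUrl: the redirect URL received for this payment (assumed parameter name).
 * keepInApp: false hands the URL to the OS (advised); true uses Chrome Custom Tabs.
 */
fun openIssuerRedirect(
    context: Context,
    issuerAuthenticationUrl: String,
    keepInApp: Boolean = false
): RedirectResult {
    val uri = Uri.parse(issuerAuthenticationUrl)

    // The consumer must see an https URL with a lock icon: refuse anything else.
    if (!"https".equals(uri.scheme, ignoreCase = true) || uri.host.isNullOrEmpty()) {
        return RedirectResult.REJECTED
    }

    return try {
        if (keepInApp) {
            // Custom Tabs render in the browser's process and show the real URL,
            // so the merchant app cannot read what the user types.
            val tab = CustomTabsIntent.Builder().setShowTitle(true).build()
            tab.intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)
            tab.launchUrl(context, uri)
            RedirectResult.OPENED_IN_CUSTOM_TAB
        } else {
            // The OS resolves the link: the user's browser of choice, or a bank app
            // that is registered for this URL, handles the redirect.
            val view = Intent(Intent.ACTION_VIEW, uri)
                .addCategory(Intent.CATEGORY_BROWSABLE)
                .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)
            context.startActivity(view)
            RedirectResult.OPENED_BY_OS
        }
    } catch (e: ActivityNotFoundException) {
        RedirectResult.NO_HANDLER
    }
}
```

Neither branch touches `WebView`: a custom in-app browser built on it is the case the guideline forbids.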