iDEAL in mobile app: using in-app web browser for Issuer redirect

If you offer iDEAL in your app and are experiencing problems or receiving customer complaints about redirects to (some of) the iDEAL Issuers, please make sure that you do not redirect the user to the IssuerAuthenticationURL by opening it in an in-app browser. This is not allowed, as it will not only break your iDEAL payment flow but also create security issues. You should offer the IssuerAuthenticationURL to the operating system of your user's mobile device, or make use of Chrome Custom Tabs (Android) or SafariViewController (iOS). For more detailed information, please refer to the passage below from the iDEAL implementation guidelines 10.3:

  • When you as a merchant have an app in which you offer iDEAL as a payment option, specifically mind the following aspects regarding the Issuer redirect:
    1. The consumer must be able to check the URL and https “lock” icon of the Issuer webpages at all times.
    2. The browser in which the redirect to the Issuer takes place must be securely safeguarded for the Merchant (the Merchant should not be able to eavesdrop on user typing).
    3. The browser, in which the redirect to the Issuer takes place, must be able to open bank-apps (app schemes like “bank://ideal/12392”).
  • To be able to comply with the above requirements, we strongly advise you to always offer the IssuerAuthenticationURL to the operating system of the mobile device. As a result, the IssuerAuthenticationURL will be opened within the browser of choice of the user or directly in the bank-app.
  • It is strictly forbidden to make use of custom made in-app browsers for the redirect to the Issuer, because by doing this the above requirements are not complied with!
  • In case you choose to make use of an in-app browser for opening the IssuerAuthenticationURL, you must make use of SafariViewController for Apple iOS and Chrome Custom Tabs for Android, so that you comply with the above requirements.
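
The Android side of the redirect described above, as an added example that is not taken from the iDEAL guidelines or any merchant SDK. The function name `openIssuerRedirect` and its parameters are hypothetical, and the Custom Tabs path assumes the `androidx.browser` library is on the classpath.

```kotlin
import android.app.Activity
import android.content.ActivityNotFoundException
import android.content.Context
import android.content.Intent
import android.net.Uri
import androidx.browser.customtabs.CustomTabsIntent

/**
 * Opens the IssuerAuthenticationURL outside the merchant's own UI.
 * Hypothetical helper: returns false when the URL is rejected or nothing can open it.
 */
fun openIssuerRedirect(
    context: Context,
    issuerAuthenticationUrl: String,
    useCustomTab: Boolean = false
): Boolean {
    val uri = Uri.parse(issuerAuthenticationUrl)

    // Requirement 1: the consumer checks the URL and https lock, so only
    // absolute https URLs with a host are handed over.
    if (!"https".equals(uri.scheme, ignoreCase = true) || uri.host.isNullOrEmpty()) {
        return false
    }

    // Not allowed: loading the URL in the app's own WebView, e.g.
    //   webView.loadUrl(issuerAuthenticationUrl)
    // The app controls that view, so none of the three requirements hold.

    return try {
        if (useCustomTab) {
            // Chrome Custom Tabs render in the browser's process and always
            // show the origin and lock icon in the toolbar.
            CustomTabsIntent.Builder()
                .setShowTitle(true)
                .build()
                .launchUrl(context, uri)
        } else {
            // Advised path: let the operating system pick the user's browser
            // or a bank app that has registered for this link.
            val intent = Intent(Intent.ACTION_VIEW, uri)
                .addCategory(Intent.CATEGORY_BROWSABLE)
            // Starting from a non-Activity context requires a new task.
            if (context !is Activity) intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)
            context.startActivity(intent)
        }
        true
    } catch (e: ActivityNotFoundException) {
        false // no browser or bank app available; surface an error to the user
    }
}
```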