#zzking-paymentintent-3ds

Hi 👋 you should use stripe.js to handle that action by using confirmSetup or the confirm method associated with the type of payment method being used:
https://stripe.com/docs/js/setup_intents/confirm_setup
or you can display the 3DS flow yourself:
https://stripe.com/docs/payments/3d-secure#when-to-use-3d-secure

If you use Stripe Elements and stripe.js to collect payment method details, as outlined in our guide here, then any necessary authentication challenges will be handled while confirming the Setup Intent from your client-side code.
https://stripe.com/docs/payments/save-and-reuse

we are using Stripe Elements, but flow is a bit different to what is des cribed here https://stripe.com/docs/payments/save-and-reuse (first create setupIntent, then collect all the details, submit to stripe and confirm from frontend ) . In our current code flow we collect all the payment method details (credit card number, user info) from Stripe Elements, and then use Ruby backend to create a setupIntent directly with all the details.

If SCA happens in this case, can we still confirm the setupIntent using confirmSetup and let Stripe handle all the rest ?

Any particular reason you're handling it that way? Doing so increases the number of times your frontend and backend need to communicate, adding duration to your flow.

good question , because the code is already written that way and it might take a long time to refactor everything 🙂

In that case, you'll need to build a process for your backend to notify your frontend that the confirmation attempt wasn't successful, and then build a flow on your frontend to handle the confirmation.

yeah, I was thinking if the created setupIntent has status requires_action , i could redirect customer to a page where I'd use stripe.confirmSetup to confirm the setupIntent, but from https://stripe.com/docs/js/setup_intents/confirm_setup it seems that stripe.confirmSetup requires an "Element" too, is there a way to confirm the setupIntent with something else such as paymentMethod ?

aha, I just saw there is a stripe.confirmCardSetup which I think I could use ? (since we are handling credit card only). The question is : suppose I use stripe.confirmCardSetup , would stripe handle the rest such as showing 3DS dialog or redirecting user to a bank authorization page.

Yes, as mentioned in the description of that function. (though it will only be 3DS if you're only accepting cards)

OK, so for the "credit card" case, using stripe.confirmCardSetup (just attaching the id of an existing paymentMethod) would be exactly the same as stripe.confirmSetup ? (where I'd have to use an elements) . ie.: stripe would handle the 3DS should that happens. Am I correct ?

Yes

nice, sorry for keep asking: so an SCA could already happen even when user just save the card details without any payment ?

Setup Intents handle card validations, so yes it is possible for them to trigger an authentication flow when they reach out to the card's issuer.

aha OK, btw: I see 4000 0027 6000 3184 is mentioned on https://stripe.com/docs/payments/save-and-reuse as the card that "The card requires authentication for the initial setup and also requires authentication for subsequent payments." . But this card is not listed under 3DS cards here: https://stripe.com/docs/testing#three-ds-cards .

So I'm wondering what's the difference between card 4000 0027 6000 3184 and other 3DS required card such as 4000000000003220 ?

The first card number you referenced (ending in 3184) is in the 3D Secure authentication section of our test card docs. It is in the Authentication and setup subsection that is above the Support and availability subsection you linked to.

The Support and availability cards are more about testing 3DS challenges/presentment, whereas the ones in 3D Secure authentication are designed for testing scenarios where you set up and card and then try to charge it later.

It's been a while since I've compared 3184 and 3220, but I believe they will behave very similarly.

thanks for the detail explanation !! Sorry I just thought about another question related to setupIntent : do we HAVE TO pass the "mandate" as part of the creation request ? I mean we will collect mandate from customer for sure, but is it absolute necessary to pass it when creating the setupIntent ?

coz for now I didn't pass the mandate , I see the setupIntent is still created, just requires_action coz I am using a 3DS required card

I don't recall if mandates are required for cards, but believe the frontend confirmation will handle the mandate collection. What is the behavior that you see if you use a test card that doesn't require 3DS? Is the mandate field populated on the successful Setup Intent?
https://stripe.com/docs/api/setup_intents/object#setup_intent_object-mandate

no , if I use a normal card (the 4242 one), the mandate is null in the setup_intent.succeeded event.

I asked similar question yesterday, I think your colleague said I need to append the mandate when "confirm" the setupIntent, but I'm not sure if that's really necessary

and I didn't see stripe.confirmCardSetup requires a mandate

Okay, that makes sense now that I think about it because a server-side confirmation will have no context of what is happening on the frontend and wouldn't be able to associate any mandate information.

If you don't provide a mandate, does your flow run into problems later when trying to charge the payment method?

that might be the case. the doc here : https://stripe.com/ie/guides/strong-customer-authentication also mention the mandate is necessary.

I mean I could send a mandate when creating the setupIntent, but it seems I can't send it when using stripe.confirmCardSetup

When using Elements, your customer is interacting directly with Stripe, so I believe we handle the mandate creation from stripe.js. Does that align with what you see when you test with confirmCardSetup?

and here is another way to confirm setupIntent at Backend ? :https://stripe.com/docs/api/setup_intents/confirm#confirm_setup_intent-mandate_data

Yes, because backend integrations don't have frontend context, so if mandate data is needed our service needs a way to allow you to provide it.

I haven't tested with confirmCardSetup yet

Ok, in the worst case where a "mandate" is necessary and if I can't get it done via stripe.confirmCardSetup, I guess I could :

1. use stripe.confirmCardSetup to handle the 3DS flow , and then
2. On the backend use https://stripe.com/docs/api/setup_intents/confirm#confirm_setup_intent-mandate_data to confirm it again with mandate ?

I know it might not be the best solution

I believe the second server-side confirmation will fail since the Setup Intent will have already succeeded then.

Also that would then be the third confirmation attempt in your flow, so it keeps getting longer and longer. You already need to build most of our recommended flow to handle the frontend portion anyway, so I would again strongly encourage you to consider trying our recommended flow.

hmm, OK, thanks for your suggestion. I'll bring it to upper layer for sure. And I'll append mandate when creating the setupIntent, that's what we are already doing for the US.

Just not sure if it's mandatory to append mandate when "confirm" the setup (when SCA happens). I suppose if I already appended mandate when creating the setupIntent, then to "confirm" it should not ask for the mandate again ?

What do you mean by ask for the mandate? Are you seeing a flow that is being blocked by missing mandate data?

Based on what I've been able to find, mandates are typically only required for bank payments or when handling India-based cards:
https://stripe.com/docs/invoicing/india-emandate-guide

this link here: https://stripe.com/ie/guides/strong-customer-authentication says To use merchant-initiated transactions, you need to authenticate the card either when it's being saved or on the first payment. Finally, you need to get an agreement from the customer (also referred to as a "mandate") in order to charge their card at a later point. I'm not sure the "mandate" here refers to "showing a checkbox and let your customer agree your term" OR "it's part of Stripe request param that you ahve to set"

Ah good catch, so yeah, looks like you need mandate details.

hmmm yeah. Do you know if it's enough to append "mandate" when CREATING the setupIntent even if we still need to "confirm" the setupIntent later because of SCA ? I mean we'd only append "mandate" when customer already accepts it

I believe so since you're also doing server-side confirmation (mandate_data can only be provided for a Setup Intent alongside confirm=true).

But I think that mandate information may be dropped if client side confirmation is then performed, though I'm not entirely certain.

yeah I believe (hope) it's enough, coz https://stripe.com/docs/js/setup_intents/confirm_card_setup would have client_secret of the setupIntent , which should have the original mandate.

Can I assume if there are no problems after I test with Stripe authentication required cards for all the flows, then it also work in real life (i.e: production) ?

Yes, if the flows complete successfully with our test cards then running into problems in production is unlikely.

great, thank you very much Toby for answering all my questions. Really appreciate your help !