#anastasiia_best-practices



civic venture
#

Our Flow:
  • The backend creates a PaymentIntent with capture_method: 'manual' for preauthorization.
  • Stripe responds with a next_action object containing a 3D Secure challenge at next_action.redirect_to_url.url (for example, when the customer’s card requires 3DS).
  • The customer is not immediately present for the 3DS challenge, so we send an email containing a secure link, which includes:
    - A link to our API endpoint (without a Bearer token).
    - A secret code embedded in the URL that is valid for 10 minutes.
  • When the customer clicks the email link, the backend validates the secret code and, if valid, retrieves the PaymentIntent and redirects the customer to the next_action.redirect_to_url.url for 3DS verification.
  • The customer completes the 3DS authentication, and we capture the payment.

Note: We are aware of the off-session payments flow when adding a card. However, we cannot be certain that the customer’s bank will not request another 3DS challenge during the transaction initiation, which is why we rely on this flow.

Questions:
URL Expiration: When we receive next_action.redirect_to_url.url in the PaymentIntent creation response, is there any way to determine or control how long that URL is valid? Specifically, if we retrieve the PaymentIntent 5 days after its creation (and the PaymentIntent is still open), will the next_action.redirect_to_url.url still be valid?

New URL Requests: Does Stripe automatically refresh or request a new 3D Secure URL from the card issuer (bank) if the original next_action.redirect_to_url.url has expired? In this case, would we need to create a new PaymentIntent, or can we rely on the existing one?

Security Considerations: Can you confirm whether this flow (email with a one-time-use, time-limited secret code that validates the PaymentIntent and redirects to next_action.redirect_to_url.url) is secure and compliant from Stripe’s perspective?

gaunt aurora
#

I'm not aware of any general time limit for those authentication URLs. Have you encountered cases where trying to action the 3DS leads you to believe it has expired?

civic venture
#

For example, when my bank requires 3DS, the redirect link to confirm payment is valid for only 1 minute (it's not Stripe flow). To get a new 3DS link, we need to regenerate it.

gaunt aurora
#

Interesting. I've not heard of that. Typically any time limitation I've seen starts the timer upon visiting the link, not beforehand.

#

If you've tried completing a payment via Stripe with a customer at your bank with this behaviour, leading to problems redirecting to the 3DS URL from an off-session payment, I would suggest writing in to support with the details of this experience (in particular the PaymentIntent ID and bank information) so that it can be investigated.
https://support.stripe.com/contact

civic venture
#

Okay, thank you. I might not fully understand what happens under the hood when 3D Secure is initiated. Could you please help me understand step by step?

I create a PaymentIntent and receive next_action.redirect_to_url.url. The link from next_action.redirect_to_url.url is available as long as the PaymentIntent has not been paid and closed by Stripe.

When the user clicks on next_action.redirect_to_url.url, what happens under the hood? Does Stripe send a request to the bank each time the link is accessed to start authentication?

gaunt aurora
#

So that experience is entirely bank controlled, as Stripe links you to that ACS.

civic venture
#

Okay, thank you.
Do I understand correctly that if I create a PaymentIntent and Stripe attempts to trigger the authentication flow, Stripe returns a link that redirects to the ACS domain of the bank? If the ACS session expires (for example, the user didn't finish authentication), in order to complete the authentication, do we need to:
a) Try accessing next_action.redirect_to_url.url again?
b) Regenerate next_action.redirect_to_url.url for the current PaymentIntent?
c) Create a new PaymentIntent?

gaunt aurora
#

If this happened, what I would expect is that the authentication would fail, you'd be redirected back to your return_url, and the PaymentIntent would revert to requires_payment_method.
At that point you would need to confirm again (with the customer on session, ideally) to handle the 3DS flow/redirect.

#

You would not do c; you can continue to use the same PaymentIntent and attempt to confirm again if the requires_action status changes.

civic venture
#

Do I understand correctly that the ACS session only starts after the redirect via next_action.redirect_to_url.url? If we simply create the PaymentIntent and open the link, say, on the 3rd day after creation, the link will still be valid until the ACS session is initiated and completed?

gaunt aurora
#

I would expect so; like I said, I'm not aware of any general time limit. If particular banks impose a time limit, I would expect them to handle those during the redirect (for example as a failure).

#

If you have a counter example that does not work properly, I recommend reporting that example payment via support for investigation.

civic venture
#

Okay, thank you for the explanation 🥹

To finalize, how do you view this flow:

  • The backend creates a PaymentIntent with capture_method: 'manual' for preauthorization.
  • Stripe responds with a next_action object containing a 3D Secure challenge at next_action.redirect_to_url.url (for example, when the customer’s card requires 3DS).
  • The customer is not immediately present for the 3DS challenge, so we send an email containing a secure link, which includes:
    - A link to our API endpoint (without a Bearer token).
    - A secret code embedded in the URL that is valid for 10 minutes.
  • When the customer clicks the email link, the backend validates the secret code and, if valid, retrieves the PaymentIntent and redirects the customer to the next_action.redirect_to_url.url for 3DS verification.
  • The customer completes the 3DS authentication, and we capture the payment.

Does this flow comply with Stripe's process, and can it be considered secure?

gaunt aurora
#

While I cannot assess your conformance with our services agreement and compliance with PCI or any applicable regulations, that sounds like a reasonable flow to me.

It leaves out the error case we discussed, and what action you take after that 10 minutes (cancel the payment intent?), but it seems like a viable happy path.

civic venture
#

Thank you for your help and quick response!
Have a great day.