#andrew_api

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1333915057511469126

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

Hello
Banks can trigger 3DS anytime. Instead of passing payment_method_options , try using the payment method object from this list - https://docs.stripe.com/testing#authentication-and-setup

Specifically, always authenticate payment method

Ok is that only for testing purposes? Passing "payment_method": "pm_card_authenticationRequired" when creating the PaymentIntent?

👋 Stepping in for my teammate

Yes, that specific PaymentMethod is one of our testing PaymentMethods

The use case we are trying to recreate here is manually requesting 3DS on payments which are using saved cards (previously set up, but not 3DS authenticated at that time)

For real usage by customers, if we want to perform 3DS on payments, then should we pass "payment_method_options": {"card": {"request_three_d_secure": "any"}} when creating PaymentIntent objects?

I recommend reviewing this: https://docs.stripe.com/payments/3d-secure/authentication-flow#manual-three-ds

You can use payment_method_options.card.request_three_d_secure: 'any' to request 3DS though this will give preference to the frictionless flow. You should use challenge if you want customers to take an action

Thanks, this is what was referenced already and we do prefer the frictionless flow. Where I am having trouble is the use case where we are requesting 3DS with a frictionless flow for a payment using a previously saved card (off-session). The saved card was not 3DS authenticated during set up previously.

This returned an error when it was tried, so I have a few questions:

1. Are off-session payments (via PaymentIntent API) exempt from Stripe 3DS authentication requirements? (more specifically, 3DS for Japan: https://support.stripe.com/questions/3ds-mandate-in-japan)
2. Is it possible to require 3DS on an off-session PaymentIntent, or would that always fail?
3. Does 3DS authentication require the PaymentIntent to be on-session?

1. Off-session payments are not exempt from 3DS. If 3DS was completed when creating the PM in the first place, we'll flag this to the issuer but the issuing bank can always decide to require additional authentication. This chart specific to Japan may also help: https://docs.stripe.com/payments/3d-secure/japan-exemptions

2. I'm not sure why you would do this? The point of trying to complete an off-session payment is to avoid having customers complete any additional steps to have the charge go through. If you attempt an off-session payment and an issuing bank requires 3DS, the PaymentIntent will transition to requires_action state

3. If a PaymentIntent requires additional authentication to be completed, the customer must come back on session to complete this

Thanks! To meet the Japan mandate, we are trying to manually request 3DS when creating PaymentIntents and SetupIntents. Perhaps a better approach would be to focus on handling instances where the bank/card issuer is requiring the authentication (without us requesting it)?

Yep, I think so. If you intend to charge a card and save it for future off-session payments, you should just create the PI with usage: off_session

Is it safe to assume that Stripe will automatically trigger 3DS for payments in Japan without us taking any additional action to trigger 3DS. In other words, after the Japan mandate is in effect, Stripe will trigger 3DS in all instances that it is required for Japan and we would not have to manually request 3DS anywhere to satisfy the requirement? Only handle the cases where Stripe does trigger it?

for reference: https://support.stripe.com/questions/3ds-mandate-in-japan

Right, for the most part. If in a recurring billing setting, you change the price that the customer is Subscribed to, you must explicitly request 3DS and bring the customer back on session

That's mentioned at the bottom here: https://docs.stripe.com/payments/3d-secure/japan-exemptions

Interesting. I think this is enough to run with for now, and I may follow up with more questions in the future. Thank you!