#milan_api

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1420535138269528215

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

Below are links to other discussions we've had with you in the past week in case you want to review that information. If your question is related to one of these previous discussions, please provide a comprehensive summary of the current state and what you need help with now. We help many users simultaneously, so a summary allows us to resolve your issue as soon as possible.

• milan_api, 1 day ago, 10 messages

My understanding is that once we set up a payment method using that test card, we shouldn't need to follow the 3ds flow for that card with off_session set to true.

Checking it now

I don't see 3DS being performed during the attachment processing. Where did you perform 3DS on?

I did it on pm_1SB0svDFt6iTMCHH3yyn9pEV pi_3SB0t6DFt6iTMCHH027ALp33

Where do you see it wasn't performed?

I can run another real quick if needed.

Basically, I create a customer and a payment method and then attach using the payment service.

Then we execute the payment intent. This gives us a next action Url which I use to confirm the payment.

Now it's time to execute the second payment that is off_session so I reuse the previously created customer and payment method Ids to create a payment intent with off_session set to true.

This test card expected 3DS to be performed on Setup Intent for attachment process, instead of using the manual payment method attachment /v1/payment_methods/pm_xxx/attach like yours in https://dashboard.stripe.com/test/logs/req_ygkVtE3g7rcvBy

For 3DS on any future Payment Intents after the payment method being attached, it will not be considered 3DS being performed

I'm sorry, but I don't follow.

Are you saying that performing the 3ds as a result of the payment intent isn't the right place to do that (see my 3 step flow above)?

Yes. 4000002500003155 test card expects 3DS to be performed during the attachment process using Setup Intent: https://docs.stripe.com/payments/save-and-reuse

Performing 3DS on the subsequent Payment Intent is a standalone payment and it's not part of "set up" process. Therefore, 3DS will always be triggered if the attachment process doesn't use Setup Intent to perform 3DS

Ok. So does that mean off_session is only supported if we use the UI elements?

off_session supports in any form of payment method collection.

In other words, we have to use the UI elements to auth the card for 3ds the first time and then use that PM moving forward for off_session?

I'd recommend using Setup Intent to attach the payment method to the customer instead

Just so I understand the flow...

We should challenge the user with the 3ds prompt when they initially create the payment method and BEFORE actually running the payment?

You're right! I saw that you're using raw card number integration. For raw card integration, you can submit the card details directly in the Setup Intent API instead of using Payment Method API to create a payment method and attach to the customer later.

When using Setup Intent API, the 3DS will be prompted when required

curl https://api.stripe.com/v1/setup_intents \
    -u sk_test_XXXXX: \
    -d confirm=true \
    -d payment_method_types[]=card \
    -d payment_method_data[type]=card \
    -d payment_method_data[card][number]=4242424242424242 \
    -d payment_method_data[card][exp_month]=12 \
    -d payment_method_data[card][exp_year]=2026 \
    -d payment_method_data[card][cvc]=123 \
    -d payment_method_data[billing_details][name]=name \
    -d payment_method_data[billing_details][address][line1]=line1 \
    -d payment_method_data[billing_details][address][city]=city \
    -d payment_method_data[billing_details][address][postal_code]=90210 \
    -d payment_method_data[billing_details][address][state]=CA \
    -d payment_method_data[billing_details][address][country]=US

The problem is this requires a change to the flow and user experience. It would be ideal if we can call the set up intents API to generate a payment method and then prompt the user as a part of the response from the payment intent call. But prompting the user between the setup intents API and payment intents API call would certainly be a big change to the user flow.

What would be really great is if this would work - create the customer, create the pm, attach the customer and pm, execute the pi. As a part of the 3ds confirmation from the pi, Stripe marks the pm as authenticated so we can use that moving forward.

In this case, you can submit the raw card details in Payment Intent directly and set setup_future_usage: 'off_session'. This will allow new payment method to be saved, and trigger 3DS at the same time. Using setup_future_usage will be considered as "set up" process

With this approach, you can make your current 3 steps process into 1

curl https://api.stripe.com/v1/payment_intents \
    -u sk_test_XXXXX: \
    -d amount=1000 \
    -d currency=usd \
    -d confirm=true \
    -d payment_method_types[]=card \
    -d payment_method_data[type]=card \
    -d payment_method_data[card][number]=4242424242424242 \
    -d payment_method_data[card][exp_month]=12 \
    -d payment_method_data[card][exp_year]=2026 \
    -d payment_method_data[card][cvc]=123 \
    -d payment_method_data[billing_details][name]=name \
    -d payment_method_data[billing_details][address][line1]=line1 \
    -d payment_method_data[billing_details][address][city]=city \
    -d payment_method_data[billing_details][address][postal_code]=90210 \
    -d payment_method_data[billing_details][address][state]=CA \
    -d payment_method_data[billing_details][address][country]=US \ 
    -d setup_future_usage=off_session

Let me try that. Is there harm in always having that to off_session during PI creation?

setup_future_usage and off_session are two different parameters.

• setup_future_usage is to indicate that this payment method will be saved to the customer: https://docs.stripe.com/api/payment_intents/create#create_payment_intent-setup_future_usage
• off_session is meant to be used when the customer is not present to additional action such as 3DS.

If your customer is around to perform 3DS, then off_session shouldn't be set to true

Right. Yes - I was referring to the SetupFutureUsage setting.

But we only have off_session = true if the user isn't present

Sorry - mixed up settings in my question

Setting setup_future_usage to off_session indicates this this saved payment method can be used for on and off session payments in the future

It worked! I think

Got it. And we'll only use the setup_future_usage flag when we are creating the PM and we won't set it if we are reusing a previously created PM.

Does that sound right?

That's right!

You're a life saver. I think this really works now.

Going to run through this test one more time. Please give me 45 seconds.

Just completed the first payment pi_3SB1eFDFt6iTMCHH16zkfPHp

Using cus_T7GAz6VoQYOXAf and pm_1SB1e2DFt6iTMCHH0KOjwlOz I then ran another payment but this was off session. pi_3SB1fbDFt6iTMCHH0LHG80N3

Would you mind taking a look to make sure it looks right? It looks good to me.

https://dashboard.stripe.com/test/logs/req_LdqGAYP6njUdjU (Payment Method creation) and https://dashboard.stripe.com/test/logs/req_OAJDkmCHoKEYKa (Attachment) are unnecessary if you submit the raw card details directly in Payment Intent, e.g. pi_3SB1eFDFt6iTMCHH16zkfPHp

Oh really? I thought it was so I could reuse the payment method.

You can reuse the payment method with your current flow, just that you can save these two requests if you submit the card details directly in first Payment Intent

Stripe has rate limit on the APIs: https://docs.stripe.com/rate-limits. Having too many requests when you have high volume in your system may potentially hit the rate limt

Yeah - because we are making 3 calls before running a payment (customer, pm, and attach).

So you're saying we can submit raw card data in the PI request with setup for future usage = "off_session"? Then we keep that PM that comes back on the PI response and we use that for the next payment?

Because, frankly, we aren't actually using the customer records in Stripe anyway.

So you're saying we can submit raw card data in the PI request with setup for future usage = "off_session"? Then we keep that PM that comes back on the PI response and we use that for the next payment?
Yup! That's right!

You're blowing my mind right now.

The problem is I don't see how to even submit raw card data during a PI request.

I've poked all around the Stripe docs and I can't see it.

Raw card data is not allowed by default due to the PCI regulation, so the information is not available on Stripe doc.

Ah. I'm also using the .NET SDK. Is there support in the .NET SDK?

I'd recommend using this guide to send undocumented parameters: https://github.com/stripe/stripe-dotnet?tab=readme-ov-file#parameters

I'm looking at seting PaymentMethodData and there isn't a card option

Card is an undocumented parameter. Using undocumented parameter can be acheived with the instruction here: https://github.com/stripe/stripe-dotnet?tab=readme-ov-file#parameters

["Card"]["Number"]
["Card"]["ExpMonth"]
["Card"]["ExpYear"]
["Card"]["Cvc"]

options.AddExtraParam("payment_method_data[card][cvc]", "secondary value"); (I'm just guessing here)

I assume the options in your example is PaymentIntentCreateOptions. If so, this looks right to me

Fascinating. You're saving me 3 API calls per payment intent. Thank you. This will take a little more effort to wire in so I won't keep you waiting. I'll give this a go and ping you all back if I have questions. Thank you very much for this.

And to confirm - for the other payment methods (ACH, ACSS), we should do the same (skip PM creation etc). Except for those, we won't have to use the AddExtraParam approach since there is a first class property for the other payment methods?

Yes, that's right! If your system is not going to charge the customer immediately (just save the payment method only), same can be achieved using Setup Intent.

In this flow, we are always going to run the payment immediately.

That sounds good to me! Feel free to let us know if you have any question

Thank you again. This has been really awesome. I really appreciate your time and patience.

Have a great day

No problem! Happy to help 😄 Have a great day too!