#Wanna-subscription

Hi! If the card requires 3DS, then you'll need to go though the authentication flow for the first payment. When the subscription renews the payment should work automatically.
In some cases the payment might fail because of a requires_action. When that happens Stripe can automatically retry the payment depending on your settings. You can learn more about this here: https://stripe.com/docs/billing/subscriptions/overview#settings

Hi, thanks for the response, but how could I handle the authentication flow? In my case I use the Subscription API which automatically collects the payment, but the only way i guess could be working is the webhook event

How are you creating the subscription, with Checkout or manually? If manually, how are you collecting the payment information?

I'm collecting them manually, i use the API for creating a customer and attaching the payment method to it, then I create the subscription with "stripe.subscriptions.create"

This is performed server side, we use an app to collect the cards details

Hey, taking over from @glossy condor! How, and at what point are you collecting the payment data?

Our recommended integration path is to first create the Subscription object, then capture payment details and confirm/auth any subsequent Payment/Setup Intents which will automatically auth off-session payments

Hi @lament schooner, we are collecting the payment data before the subscription creation, in order we :

• create customer
• the customer attaches all the payment details info, done through the API paymentMethods
• then the customer selects the product to purchase (Price API)
• we create the subscription with the product and the payment method decided by the customer
• we listen for the payment_intents webhook events in order to get if the first payment and all subsequent payments are successful

Sorry but i didn't understood your integration path, what do you mean by "capture payment details"?

capture payment details === attaches all the payment details info

Can you share how exactly you create a Payment Method? Are you using the API directly or the Payment Element?

Ooh okay

Yeah sure

We use the API, this is the code:

let a = await stripe.paymentMethods.create({
    type: 'card',
    card: {
        number: card.number,
        exp_month: card.exp_month,
        exp_year: card.exp_year,
        cvc: card.cvc,
    },
});

then we attach it to the customer:

let attachedMethod = await stripe.paymentMethods.attach(
    a.id,
    {customer: cust.customer.id}
);

Currently our flow is working well, although this 3DS procedure is giving us some issues because the customer could be off-session, and the Subscription API doesn't return the paymentIntent with a requires_action status

Do you have the necessary PCI compliance to be handling raw card data like that?

https://stripe.com/docs/security/guide

But yes, creating a Payment Method this way will not handle any 3DS/auth requirements!

Actually we didn't know about this

Yeah you should be using Stripe.js to capture any payment details like that, so that you are PCI compliant

I'd recommend look at this guide: https://stripe.com/docs/billing/subscriptions/build-subscription?ui=elements

Isn't the PaymentIntent which is intended for 3DS auth?

We already viewed the Stripe.js, the issue is we have to perform all validation server side because we don't have a site where the customer is purchasing our services

Actually, we have an app, but all the procedures must be completed server side because we don't have one-time payments, but also preauthorizations processes and automatic payments

The Payment Intent is a state machine to facilitate 3DS/auth and the various stages/statuses of the PI

The actual 3DS/auth is carried out client-side when your user is on-session with Stripe.js. It cannot be handled server-side

Yeah this is clear, currently we pass from the server to the client the client_secret of the paymentIntent, which in the app redirects to a page or anything provided by the bank

It's working, mostly, for single payments, because we process the payment intent in real time, but for the subscription we don't know how to handle the payment intent generated by the subscription API

You'd complete the initial payment with confirmPayment: https://stripe.com/docs/billing/subscriptions/build-subscription?ui=elements#complete-payment

This will carry out any required 3DS/auth flows

But to be clear, you should not be handled raw card data as you are without any PCI compliance

You need to refactor your integration to collect payment data using Stripe.js, which will in turn create the Payment Method object for you

Ok, but in case we are not able to do change the integration, we have to filll the SAQ-D PCI questionnaire?

Every Stripe merchant is required to complete the SAQ questionnaire, but most Stripe merchants are inherently covered by our PCI compliance. Your current integration is not

Ok this was not specified in the APIs

Which part?

There's any tool or library for being PCI compliant, that can be used in a Flutter app?

There's a third-party library: https://github.com/flutter-stripe/flutter_stripe

Ok so in that case, we could use this library in order to collect card details of a customer, and then we could still process all payments through our server?

You'd still need a server to create the Payment Intent yes

But that library will facilitate collecting payment details in a PCI compliant way

We didn't found anything about PCI in the Stripe API documentation, this is why I am a bit surprised

Ok so in that way we will be eligible for the base PCI provided for most merchants?

None of our guides create Payment Methods the way you are, everything uses Stripe.js

Okay okay

The Payment Intent itself does not fall under PCI scope. It's the collection of payment data (credit card details mostly), that does. Stripe.js facilitates the collection of that data and tokenises it on our servers (via iframes)

Ok that's perfect, in this case this will be a lot easier

So, only to ensure i undestood correctly, if we use the flutter_stripe sdk to collect payment method details, we'll be PCI compliant with no need to fill the SAQ.
Besides this will also already handle any 3DS/auth regarding the paymentMethod, which will not be re-asked to the customer through the paymentIntent? Is that correct?
If that, we will not need anymore to handle the client_secret in order to redirect the user to the bank's page, right?

Every Stripe merchant is required to verify their PCI compliance. If you're using Stripe.js or another library that wraps that (like flutter_stripe) then you are covered by our Stripe compliance. If you weren't, then you need your own compliance certificate which is something entirely different, more complex and expensive. This is why Stripe partly exists, to make accepting payments online a lot easier for smaller companies where PCI compliance isn't an option

Besides this will also already handle any 3DS/auth regarding the paymentMethod, which will not be re-asked to the customer through the paymentIntent? Is that correct?
I'd assume flutter_stripe can handle that yes, I don't know. It's a third party library

Either way you should read the doc I sent earlier about general billing integrations as that outlines the flow clearly

That's clear, thank you

Okay, I'll investigate on it by myself

Perfect

Also another question, we are currently handling payment cards the raw way and i think we will migrate everything to flutter_stripe, but we stiil need to handle the PCI for our previous integration?

You should just stop doing that or refactor it immediately

Ok understood

Thank you for your time and your support!

Sure, np