#rudi-declined-card

Hey, you say it fails with Stripe.js - is that using confirmCardPayment?

no, I use stripe.createPaymentMethod('card', card)

then with the given payment_method.id I call from Ruby:

Stripe::PaymentMethod.retrieve

Stripe::PaymentMethod.retrieve(payment_method_id)

we have been processing a lot of cards for years, and this problema started a few weeks ago, exclusively with expedia virtual cards.

Can you share a PM ID?

I'll try now.

this has been created with Stripe::PaymentMethod.create, and it's fine "pm_1KedSKG3lu1xZIdba7XPbpna"

now I'll try the same card from the web form.

This one fails: pm_1KedxIG3lu1xZIdb1IY0mtSr

Fails? The request succeeded: https://dashboard.stripe.com/logs/req_cnGvOnwVC8W6Ac

You need to share the PI if it's failing an actual payment

You are right. I see ... it fails later, when attaching to the StripeCustomer.

Yeah, you generally shouldn't do that as that request will likely trigger authentication from the bank

And that endpoint can't facilitate the required 3DS checks

You should instead use Setup Intents if your intention is to save the card for future usage: https://stripe.com/docs/payments/save-and-reuse

for example now I got the error attachingpm_1Kee5uG3lu1xZIdbUyuRHDAn to cus_LLKlvo6jHQs7Am

Yep, explained above why

Generally don't use the /attach endpoint

but it works for every other card ...

Every bank is different! Some may request auth, some may not

this is not a bank actually, expedia virtual cards are from expedia. We have been processing hundreds of card for years this way. We create the stripe customer, create the card, attach the card.

But our recommendation is to not use that endpoint, and instead implement a Setup Intents flow which can handle 3DS if required

But if I try to pay with that card, I got no 3ds trigger. It just works.

I mean, it does not work attaching it, but I can on the other hand charge it 🧐

Yes, but SCA is now becoming mandatory in Europe. Regulation requires banks to perform authentication for certain transactions. This endpoint, unfortunately, unintentionally triggers a 3DS request auth from some issuers/banks and it can't facilitate it (as its essentially marked as an off-session transaction)

the link https://stripe.com/docs/payments/save-and-reuse at the end says to attach the pm to the customer anyway

Where?

ath the end (5. Use the payment method)

If you didn’t create the Checkout Session with an existing customer, attach the PaymentMethod to a Customer

Yes, but at that point the PM has been generated by the Setup Intent which facilitates completing required auth checks

Your way of creating the PM does not do that

I don't understand how can I use that example. I am batch processing the cards when I save them, there is no checkout session.

You don't need Checkout: https://stripe.com/docs/payments/save-and-reuse?platform=web

it's still a client-server example ... I just receive a list of credit cards from another service and I have to save them on stripe for later use.

No stripe.js

You'll need Stripe.js to handle the 3DS flow

now i create customer (Stripe::Customer.create) then payment method , the I attach the pm to the customer.

I recommend you read up on SCA and it's impact, and how our APIs facilitate working within regulations: https://stripe.com/docs/strong-customer-authentication

I know 3D and I know that some cards sometimes require user input, but this cards don't. If I create it and charge it at the same time it works.

on the other hand I don't understand, are you saying that gradually it will be impossibile to save any card for future payments without user input?

but this cards don't
The issuers is requesting that the cardholder authenticate that transaction. When you attach, it's mostly the equivalent of a $0 charge

exactly. Why it doesn't allow 0 charge but it allows a 200 eur charge?

on the other hand I don't understand, are you saying that gradually it will be impossibile to save any card for future payments without user input?
I wouldn't say impossible. But in Europe, yes it'll become more and more likely that auth will be requested

You would need to speak to the issuer/bank

Actually the operators are telling me that they charge it on Stripe directly.

So, attach fails (using the api, with card_declined errore) but charge from Stripe UI works. Secure code is never asked.

I'm not sure I know what this means

You mean the Dashboard?

Those are flagged as MOTO transactions, which are exempt from SCA: https://support.stripe.com/questions/mail-order-telephone-order-moto-transactions-when-to-categorize-transactions-as-moto

That will be why there's no prompt for 3DS

yes from the dashboard

Ah, and how can MOTO be enabled on out account?

Well it only works when charging cards. Not saving them like you are

For example now they charged it "src_1KeebhG3lu1xZIdbpPEm5Akb"

So there is no way to save the cards for future use without user input?

Looking at the successful payment (pi_3KeeboG3lu1xZIdb1qGYlgNV) I see that the card is marked as "three_d_secure": "optional",

"country": "US",

It's not even EU

As you're discovering, there's a chance the bank will request 3DS and that endpoint does not support an authentication flow (so it's declined/fails)

Ok I understand, but I am not sure that 3DS is the problem with these cards.

Being virtual I don't think they can have any secure code.

It's not the CVV

It's simply the user authenticating the 'transaction' so that they approve it. Normally via SMS, biometrics, etc

https://stripe.com/en-gb-us/guides/3d-secure-2

Yes I know, we use it already on online payments. But these cards, according to Expedia, do not require any kind of authentication.

Even the payment transaction issued 10 minutes ago seems to reinforce it: "three_d_secure": "optional",

Looking at our logs at: https://dashboard.stripe.com/logs/req_09gyPCh2VJI8A8

Here's the $0 charge attempt for that API call (that I spoke about before): https://dashboard.stripe.com/payments/ch_3Kee5TG3lu1xZIdb0DC94TDK

Anyway, we just blocked that one as it was a retry of a previous charge: https://dashboard.stripe.com/payments/ch_3KcxNxG3lu1xZIdb1I1kLgos

Decline code: transaction_not_allowed

Your card does not support this type of purchase.

I've seen that another virtual card worked, but it is marked with "three_d_secure": null instead of "optional"

pi_3KeaJ6G3lu1xZIdb0AcRrTby

I don't understand the relevance. That field just notes whether 3DS was attempted or not: https://stripe.com/docs/payments/3d-secure#controlling-when-to-present-the-3d-secure-flow

But again, this is all just determined by the bank/issuer on a per transaction basis. You really need to adapt your integration flow if this is problematic otherwise you'll continue to see these issues

and what does "optional" mean? It seems that we can change the rules from the dashboard "Use Radar rules in the Dashboard"

maybe we can uncheck the first check

Configuring Radar rules won't change things as they only relate to payment/charge attempts

ok thanks, we'll try to contact again expedia

but what does "optional" mean on the three_d_secure attribute?

I believe that means the bank hasn't required 3DS but we will defer to your Radar rules and request it if necessary

so the radar rules could change that behaviour

Unlikely as 3DS is being requested by the issuer

Radar is not really playing any part here

I've outlined the steps you need to take to adapt your integration to work, I'm not sure what else we can suggest

This may apply, worth a read: https://stripe.com/docs/strong-customer-authentication/previous-authorization-agreements

That would only apply to any cards you've 'saved' prior to the exemption date. Any new cards going forward would (likely) need to be auth'd, so you'll need to update your integration anyway

ok thanks

we'll try to contact the card issuer. We even noticed that this problem happens on a specific stripe connected account. Other accounts do not have the problem.

this for example pi_3KdUxnL2DI6wht390ksoO507

What's the issue? That payment succeeded

Like, as I noted SCA/3DS is not a blanket rule for all transactions. There are many exemptions: https://stripe.com/en-gb-us/guides/strong-customer-authentication#exemptions-to-strong-customer-authentication

exactly, same issuer (mastercard "Expeida virtual card") but the transactions work (0 transactions as well as real tx)

Looking at the json I notice that all the cards that succeeds have the null "three_d_secure", while those that fail have "three_d_secure": optional. Other than that I don't see any difference.

Hi 👋 jumping in as my teammate needed to step away.

We don't have any insight on why a card issuer declines authorizations other than what they return. The issuer will be better positioned to explain why they declined one but not the other.

Ok thanks, we'll try to ask them!