#bennyvdhoogen-sca
Hey! Whilst SCA is now enforced, it is evaluated on a per-transaction basis with many factors influencing whether or not an auth flow is required. It's not a blanket requirement for every payment (and there are exemptions).
In the case of off-session (recurring) payments, you can take steps to reduce friction/auth requests for those kinds of payments using our APIs: https://stripe.com/docs/payments/save-and-reuse
SCA and our related products/APIs are documented extensively here: https://stripe.com/docs/strong-customer-authentication
I should stress that it's ultimately the bank/issuer that determines whether the payment requires authentication, not us. We just provide the APIs to facilitate it.
Thanks a lot! I'll look into the exemptions, wasn't aware of those. But am I correct in saying that as long as we use PaymentIntents we shouldn't have to worry about being SCA compliant?
PaymentIntents are a state machine for being able to process a payment and handle any additional steps like 3D Secure authentication that are required during that process, so using them is what makes you SCA compliant (being able to handle payments that require authentication), yes
Great!
Reading into those exemptions now. Regarding recurring payments: we're solely using Subscriptions (using the setup_future_usage param) to charge our customers. From what I understand there are SCA exemption rules for recurring payments so a customer wouldn't have to re-authorize a payment after already authorising the initial payment. However, I read that we should not rely on those exemptions always being there. Do I understand correctly that it could be possible that 3DS kicks in for a certain customer even after a couple of successful charges initiated by a Subscription?
And if so, how could we test such a situation?
yes, all correct
use your integration with a test card that always requires 3D Secure like 4000000000003063 and observe that the off-session payments will decline
Ah alright, so that works for following off-session payments as well?
conversely, test with the 4000002500003155 card (https://stripe.com/docs/testing#authentication-and-setup) that simulates exemptions and see that they don't decline