# SCA migration guide for Connect platforms Learn how to update your Connect platform for Strong Customer Authentication (SCA). *Strong Customer Authentication* (Strong Customer Authentication (SCA) is a regulatory requirement in effect as of September 14, 2019, that impacts many European online payments. It requires customers to use two-factor authentication like 3D Secure to verify their purchase) applies to businesses based in the *European Economic Area* (The European Economic Area is a regional single market with free movement of labor, goods, and capital. It encompasses the European Union member states and three additional states that are part of the European Free Trade Association) (EEA) that accept online payments from customers located in the EEA. Many card payments require additional authentication through *3D Secure* (3D Secure (3DS) provides an additional layer of authentication for credit card transactions that protects businesses from liability for fraudulent card payments). As of September 14, 2019, transactions that don’t follow the new authentication guidelines might be declined by a customer’s bank. You need to update your platform if you create any of the following charges: - [Direct charges](https://docs.stripe.com/connect/direct-charges.md) on a connected account based in the EEA. - [Destination charges](https://docs.stripe.com/connect/destination-charges.md) if the `on_behalf_of` parameter is set and specifies a connected account based in the EEA. - [Separate charges and transfers](https://docs.stripe.com/connect/separate-charges-and-transfers.md) if your platform is based in the EEA or if the `on_behalf_of` parameter is set and specifies a connected account based in the EEA. ## Choose an SCA-ready integration You need to update your Stripe integration to meet SCA requirements. For example, SCA requires *off-session payments* (A payment is described as off-session if it occurs without the direct involvement of the customer, using previously-collected payment information) to be authenticated when customers enter payment details, and subsequent off-session payments might require notifying the customer to return to the application to re-authenticate. Choose [Stripe Checkout](https://docs.stripe.com/payments/checkout.md) if it supports the features your integration requires. Checkout is a hosted payment page that can be branded by businesses, supports recurring *subscriptions* (A Subscription represents the product details associated with the plan that your customer subscribes to. Allows you to charge the customer on a recurring basis), and supports SCA for your connected accounts. It supports creating [direct charges](https://docs.stripe.com/connect/direct-charges.md) and [destination charges](https://docs.stripe.com/connect/destination-charges.md) for *Connect* (Connect is Stripe's solution for multi-party businesses, such as marketplace or software platforms, to route payments between sellers, customers, and other recipients). If you want to build custom payments, use the [Payment Intents API](https://docs.stripe.com/payments/payment-intents.md) as the legacy Charges API isn’t SCA-ready. The Payment Intents API supports the same set of Connect features as the Charges API. ## Examine Connect-specific changes ### Destination charge changes If you’re using the `destination`, `destination[account]`, or `destination[amount]` parameters with the Charges API, note that these parameters have been replaced with `transfer_data[destination]` and `transfer_data[amount]` in both the Charges and the Payment Intents APIs. See the following table for more information. | Use case | Charges API | Payment Intents API | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Your platform is the *merchant of record* (The legal entity responsible for facilitating the sale of products to a customer that handles any applicable regulations and liabilities, including sales taxes. In a Connect integration, it can be the platform or a connected account), but you want to create a transfer to a connected account after the payment completes | Not possible | Set [transfer_data[destination]](https://docs.stripe.com/api/payment_intents/object.md#payment_intent_object-transfer_data-destination) to the connected account’s ID | | You want your connected account to be the settlement merchant *without* creating a separate transfer after the payment completes | Set `on_behalf_of` to the connected account’s ID | No change | | You want your connected account to be the settlement merchant *and* you wish to create a transfer to that account after the payment completes | Set `destination` or `destination[account]` to the connected account’s ID | Set [transfer_data[destination]](https://docs.stripe.com/api/payment_intents/object.md#payment_intent_object-transfer_data-destination) and [on_behalf_of](https://docs.stripe.com/api/payment_intents/object.md#payment_intent_object-on_behalf_of) to the connected account’s ID | | You wish to collect an application fee | Set `application_fee` to the amount desired | Set [application_fee_amount](https://docs.stripe.com/api/payment_intents/object.md#payment_intent_object-application_fee_amount) to the amount desired | | You wish to transfer a partial amount to your connected account after the payment completes | Set `destination[amount]` to the amount to transfer | Set [transfer_data[amount]](https://docs.stripe.com/api/payment_intents/object.md#payment_intent_object-transfer_data) to the amount to transfer | ### 3D Secure and Radar rules Stripe Checkout and the Payment Intents API triggers [dynamic 3D Secure authentication](https://docs.stripe.com/payments/3d-secure/authentication-flow.md#three-ds-radar) based on [Radar rules](https://docs.stripe.com/radar/rules.md). With Connect, the rules you create only apply to payments created on the platform account. Payments [created directly on the connected account](https://docs.stripe.com/connect/direct-charges.md) are subject to the connected account’s rules. Configure your default rules and test your integration with [3D Secure test cards](https://docs.stripe.com/payments/3d-secure/authentication-flow.md#three-ds-cards). ### SCA impact on saving payment methods Under SCA, authentication is required when saving a card to collect customer permission and qualify for [off-session exemptions](https://stripe.com/guides/strong-customer-authentication#merchant-initiated-transactions-including-variable-subscriptions) for subsequent off-session payments. To reduce the rate of customers having to authenticate their payment method, update your integration to use off-session payments with the Payment Intents API [in a checkout flow](https://docs.stripe.com/payments/save-during-payment.md) or [outside the checkout flow](https://docs.stripe.com/payments/save-and-reuse.md?platform=checkout). If you [clone saved payment methods](https://docs.stripe.com/connect/cloning-customers-across-accounts.md) to reuse across multiple connected accounts, sharing a payment method with a connected account automatically shares customer permission as well. This allows the platform to make off-session payments on any of their connected accounts without requiring the customer to authenticate their payment method again. ## Determine whether connected accounts need to make changes In most cases, after you update your payments integration for SCA, your connected accounts don’t have to do any additional work. If you provide your own payments API to your connected accounts in addition to or on top of Stripe’s API, your connected accounts might need to make changes to continue accepting payments on your platform. For example, if you run a subscriptions platform on Stripe in which your connected accounts pass payment information to you using your own API, and then you pass those payment details to Stripe’s API, both APIs must be SCA-ready. If this is the case for your platform, provide guidance to your connected accounts on any changes they need to make. ## Implement and test the new integration path After you’ve identified your integration path and determined if your connected accounts need to make changes, follow the relevant migration guides for [Stripe Checkout](https://docs.stripe.com/payments/checkout/migration.md) or the [Payment Intents API](https://docs.stripe.com/payments/payment-intents/migration.md). Once implementation is complete, configure your [Dynamic 3D Secure rules](https://docs.stripe.com/payments/3d-secure/authentication-flow.md#three-ds-radar) to test your integration using [3D Secure test cards](https://docs.stripe.com/payments/3d-secure/authentication-flow.md#three-ds-cards). Make sure to test both cases when the authentication is successful and unsuccessful. ## Educate your connected accounts Finally, inform your connected accounts about how SCA can affect them and when your platform will be SCA-ready, regardless of whether they need to [make any changes](https://docs.stripe.com/strong-customer-authentication/connect-platforms.md#implement-changes). In particular, provide them with the following information, tailored for your business: Strong *Customer* (Customer objects represent customers of your business. They let you reuse payment methods and give you the ability to track multiple payments) Authentication (SCA) is a new European regulatory requirement to reduce fraud and make online payments more secure. Since SCA took effect September 14, 2019, online payments require additional customer authentication. Transactions that don’t adhere to the new guidelines may be declined by your customers’ banks. This regulation applies to transactions where both the business and the cardholder’s bank are located in the European Economic Area (EEA). If you’d like, you can also send along the [SCA video](https://stripe.com/payments/strong-customer-authentication) and [guide](https://stripe.com/guides/strong-customer-authentication). ### How your platform should support SCA If you’re not migrating to an SCA-ready solution, reach out to any of your connected accounts with significant business from European customers so they can move to a new solution before experiencing declines due to SCA. ### Any actions your connected accounts need to take If no action is required on their end, let your connected accounts know. Similarly, if action is required, provide them with instructions on the necessary changes. ### How SCA can affect their business SCA changes the checkout flow for card payments. Payments that require authentication ask for [3D Secure](https://docs.stripe.com/payments/3d-secure.md) (often known by its brand names, “Verified by Visa” or “Mastercard SecureCode”), which typically adds an extra step in which the cardholder must provide additional information, such as a one-time passcode or biometric ID.