Strong Customer Authentication readiness

Strong Customer Authentication (SCA), a rule in effect as of September 14, 2019, as part of PSD2 regulation in Europe, requires changes to how your European customers authenticate online payments. Card payments require you to use 3D Secure to meet SCA requirements. Your customers’ banks might decline transactions that don’t follow the new authentication guidelines.

To support SCA:

1. Determine if SCA impacts your business.
2. Decide which SCA-ready product is right for your business.
3. Make changes now to avoid declined payments.

If you use a third-party plugin, platform, or extension partner, contact your Stripe partner to see if changes are required to support SCA. Contact support if you have any questions.

Impacted businesses and payments

Update your Stripe integration to support SCA, if all of the following apply:

• Your business is based in the European Economic Area or you create payments on behalf of connected accounts based in the EEA.
• You serve customers in the EEA.
• You accept cards (credit or debit).

While some low-risk transactions (based on the volume of fraud rates associated with the payment provider or bank) don’t require authentication, banks can still request that the customer complete authentication. Even if you’re primarily processing low-risk transactions, update your integration so your customers can complete authentication when requested by the bank. Learn about SCA exemptions.

SCA-ready products and APIs

Whether you collect one-time payments or save cards for later reuse, Stripe provides prebuilt and customizable products to help you meet SCA requirements.

Integrations that aren’t SCA-ready, like those using the legacy Charges API, might see high rates of declines from banks that enforce SCA.

One-time payments

Accept card payments with the Payment Intents API and Checkout, a prebuilt, Stripe-hosted checkout flow that automatically handles SCA requirements for you. Checkout is customizable and lets you accept payments for one-time purchases and subscriptions on your website.

• Migrate to the Payment Intents API
• Use a prebuilt checkout page
• Build a custom payment flow

Re-using cards

Save a card for later reuse with the Payment Intents API and the Setup Intents API. You can also use Checkout to automatically handle SCA requirements, or use Billing to handle SCA for subscriptions.

• Use a prebuilt checkout page
• Build a custom flow to save card details

SCA migration

You might need to update your integration to support SCA. For details about the changes to make, including for specific product recommendations based on use case, see the following guides:

• Migrate to the Payment Intents API
• SCA payment flows

Update plugins and developer libraries

You might need to update your Stripe plugin or developer library to support SCA. If you’re looking for an SCA-ready plugin, visit Stripe Partners.

Identify your plugin on our platform

Include identifying information in your plugins and third-party libraries so we can contact you about future changes or critical updates to the API. Use the setAppInfo function to provide those details in your Stripe integration.

We encourage you to join the Stripe Partner Program, which includes free registration and more resources for developers building plugins. Learn more about suggested best practices.

Determine your integration path

Consider the following:

• Use Stripe Checkout to collect payments using a customizable form. You can embed the payment form on your website or host it on Stripe.
• For more control over your checkout flow, use the Payment Intents API and Setup Intents API with Elements, PaymentMethods, Customers, and Connect. These APIs display authentication flows like 3DS 2, save cards to use later, and support SCA.
• For recurring payments, use Stripe Billing to manage subscriptions and invoicing.
• Register a webhook endpoint for your account or connected accounts, and manage them with the Webhooks API.

If none of these options work for your integration, let us know.

Test dynamic authentication

After you implement your integration path, configure your Dynamic 3D Secure Radar rules to test your integration using 3D Secure test cards. Make sure to test both successful and unsuccessful authentication cases.

Notify your customers and Stripe

As soon as you finish updating, provide an SCA-ready update to your customers. You can share the Strong Customer Authentication guide with your customers to help them understand these regulatory changes. When you release an SCA-ready update, notify Stripe as well. We direct users to SCA-ready solutions on the Stripe Partners page.

Use previous authorization agreements

If you collect payments when your customer isn’t actively using your application, SCA might require your customer to re-authenticate, even if they authenticated in the past. For these off-session payments, you can use the Stripe APIs to authenticate your customer once while on-session, and then reuse the card repeatedly while off-session.

Alternatively, you can use previous authorization agreements (sometimes referred to as grandfathering) for off-session payments that meet the following eligibility period, regardless of payment amount and frequency:

• Cards from EU customers saved before December 31, 2020
• Cards from UK customers saved before September 14, 2021

Stripe automatically looks for transactions made with cards prior to the dates listed above. If found, Stripe uses the previous authorization agreement for the current transaction. If the bank accepts the previous authorization agreement, the transaction is categorized as out-of-scope for SCA and can proceed without additional authentication.

If the bank declines the previous authorization agreement, the PaymentIntent status changes to requires_payment_method, and you must notify your customer to complete the payment.

Save cards after the eligibility period

After SCA takes effect, you can use the Payment Intents API to save and reuse cards, and the Setup Intents API to qualify for off-session exemptions. You can also save cards using Stripe Checkout.

Prepare your saved cards for SCA

For Stripe to reuse previous authorization agreements, you must use the Payment Intents API and tell Stripe the payment is off-session.

SCA enforcement

Prepare your payment flows for SCA-readiness as soon as possible, if SCA regulations impact you. This can help prevent an increase in declines from European cards, and prepare you in case of early enforcement by banks. Learn how enforcement varies by country.

Make sure your integration is SCA-ready

Your integration is SCA-ready when you process all of your payments using SCA-ready products, such as Checkout, Billing, the Payment Intents API, or an SCA-ready partner solution.

Additionally, do the following:

• Test 3DS authentication with our regulatory test cards to make sure your integration can handle 3DS.
• For off-session payments, set up and authenticate the card when saving the payment method, and use the API to flag off-session payments.
• If you use the Billing API for subscriptions or invoices, make sure your integration can handle incomplete statuses.

Understand incomplete, declined, or failed payments

Payments might not succeed for reasons including incomplete, declined, or failed payments. For payments stuck in an incomplete (Dashboard) or requires_action (API) status, do the following:

• Make sure your customer isn’t actively authenticating an on-session payment. Your customer might also have abandoned the checkout flow.
• Verify that you’re handling next actions, such as authentication.
• Set off_session to true when creating an off-session payment.

Banks can decline payments that require 3DS authentication but don’t have 3DS enabled.

If an off-session payment fails, but you think it’s exempt from SCA requirements, do the following:

• Make sure you authenticate the card when saving payment method details, either during a payment or without a payment.
• When saving cards during a payment, set setup_future_usage to off_session.
• When saving cards without a payment, use the Setup Intents API and set usage to off_session.

Exemptions aren’t guaranteed, and off-session payments might still require authentication by the bank.

View declined payments

1. In the Dashboard, go to Transactions > Payments.

2. From the Filter by: status dropdown, do one of the following:

   • Select Failed to view declined off-session payments.
   • Select Incomplete to view declined on-session payments.

3. Click Apply.

4. Hover over the status badge for the reason.

Monitor disputes

When monitoring disputes, be aware that payments successfully authenticated through 3DS fall under the liability shift rule. If a cardholder disputes a 3DS payment as fraudulent, the liability typically shifts from you to the card issuer. If the card issuer applies exemptions, the payment isn’t authenticated through 3D Secure, and liability shift doesn’t apply.

Collect permission to reuse cards

When you set up your payment flow to save a card using the Payment Intents API or Setup Intents API, Stripe marks subsequent off-session payments as a merchant-initiated transaction (MIT). These transactions require an agreement (also known as a mandate) between you and your customer.

On your website or application, minimally cover the following:

• The customer’s permission for you to initiate a payment or a series of payments on their behalf
• The anticipated frequency of payments (one-time or recurring)
• How you determine the payment amount

In your checkout flow, reference the terms of the payment: