Designing card payment flows for SCA

Strong Customer Authentication, or SCA, has changed online payments in Europe. See the impact it may have on your payment flows, and learn how Stripe can help.

Payments
Payments

Accept payments online, in person, and around the world with a payments solution built for any business—from scaling startups to global enterprises.

Learn more 
  1. Introduction
  2. How online card payments have changed
  3. Understanding exemptions
  4. Business scenarios
    1. Ecommerce
    2. Ridesharing
    3. Crowdfunding
    4. Car rental
    5. Gym membership
    6. Utility bill

Strong Customer Authentication (SCA) requirements are fully enforced in all eligible European countries, causing a massive shift in the European payment landscape.

To meet SCA requirements, a form of two-factor authentication is required for electronic payments and access to payment accounts. Without authentication, many payments may be declined by your customers’ banks. We designed foundational payments APIs to help businesses handle this change and take full advantage of any SCA exemptions. Stripe’s authentication engine automatically selects the optimal authentication flow for each transaction to maximize conversion while minimizing fraud.

We recommend using this guide to understand how different types of payment flows have changed due to SCA and to reference it as you design your payment flows.

STAY INFORMED ABOUT SCA

We’re working closely with regulators and the broader payments industry. If you’re interested in knowing more about the regulation and our products, please check our recent guide on PSD3 or reach out.

How online card payments have changed

Traditional card payments usually involve two steps: authorization and capture. A payment is authorized when a customer's bank or card issuer decides to approve a payment, and the payment is captured when the card is charged.

With SCA, there is an additional and mandatory step before authorization and capture: authentication. This step is aimed at protecting customers by preventing fraud. To authenticate a payment, a customer responds to a prompt from their bank and provides additional information. This may be something they know, like a password, something they use, like their phone, or something that's part of who they are, like their fingerprint.

The most common way to authenticate an online card payment is a method called 3D Secure. You may recognize 3D Secure by its branded names, such as “Visa Secure” or “Mastercard Identity Check.” A newer version called 3D Secure 2 has become the standard method to authenticate payments. You can learn about the differences between these methods in our 3D Secure 2 guide. Our SCA-ready products all support 3D Secure 2.

No matter what method you use, customers need to be using your website or app to authenticate. Adding this step can be simpler for businesses that charge customers right away, and more complex for businesses that charge customers after they’ve left the checkout flow. (This is sometimes called off-session.)

The scenarios in this guide offer examples of how these three steps (authentication, authorization, and capture) can vary depending on how and when you charge your customers.

AUTHENTICATE

A customer authenticates an online payment by responding to a 3D Secure prompt from their bank and providing additional information. See 3D Secure from your customer’s perspective.

Multifactor authentication is required when a payment isn’t eligible for an exemption or when the customer’s bank denies an exemption request. Our new payments APIs automatically request any eligible exemptions before adding the authentication step. This simplifies checkout flows and protects conversion rates.

Did you know: Authentication has to happen while the customer is on-session, or using your website or app, so this step typically happens when the customer completes the checkout form.

AUTHORIZE

Your business asks the customer’s bank to approve the payment: The customer’s bank decides whether to approve or decline a payment. If approved, the funds are put on hold for seven days. If an authorization request is declined, your business needs a way to bring the customer back on-session to re-authenticate the payment and then attempt to authorize again.

Did you know: An authorization request can still be declined by the customer’s bank after it’s been authenticated. This can, for example, happen if the customer doesn’t have enough funds or the card has expired.

Up to 7 days

The standard time period between authorization and capture can be up to seven days, but most businesses capture a payment immediately after authorization.

CAPTURE

The business charges the customer’s card, completing the payment.

Did you know: A customer’s bank may show that a payment is “pending” if it has been authorized but not captured.

Understanding exemptions

There are certain types of payments—such as low-risk transactions, fixed-amount subscriptions, phone sales, and merchant-initiated transactions—that may be exempt from SCA. Merchant-initiated transactions are payments made with a saved card when the customer is off-session. Common examples include a gym membership payment or utility bill. To use this exemption, your business must have an agreement with your customer and have them authenticate their card when it’s being saved or authenticate the first payment. Our Strong Customer Authentication guide goes into greater detail about these exemptions and others.

Stripe’s SCA-ready payment APIs and products help businesses take full advantage of these opportunities by automatically requesting exemptions. When exemptions are accepted by your customers’ banks, your customers won’t have to authenticate, minimizing the impact on conversion.

However, businesses must design their payment flows to authenticate customers if the exemption is declined. This is especially important because the rules around exemptions depend on your customers’ banks. The banks evaluate each payment and decide whether an exemption applies—and individual banks will apply exemptions differently.

Business scenarios

To illustrate the impact and application of SCA, we’ve outlined how an authentication step can fit into payment flows for different business models.

Ecommerce

One-time payment. Card not saved.

Ecommerce businesses typically charge customers while they’re on-session, without saving card details for future payments. If your business has a similar payment flow, adding authentication should be simple: you can authenticate with 3D Secure right after the customer enters their card details and places their order.

Stripe automatically requests any eligible exemptions, so your customers may not need to authenticate. But because individual banks apply exemptions differently, your business still needs to design payment flows to authenticate customers when necessary.

Order placed: Elisa enters her card details and shipping information. The total comes to €29 including tax.

AUTHENTICATE

€29 authenticated using 3D Secure: Elisa completes 3D Secure authentication.

Note: Stripe requests exemptions automatically. If Elisa’s bank accepts the exemption, she won’t have to complete the 3D Secure authentication challenge.

AUTHORIZE

€29 authorized

CAPTURE

€29 captured

Order shipped

Recommendations

Choose an option:

STRIPE CHECKOUT

Get prebuilt, conversion-optimized checkout flows with minimal code.

PAYMENTS API

Build dynamic payment flows and maximize exemptions.

Ridesharing

Payment captured within seven days of authorization. Final payment amount may change.

Ridesharing businesses and other on-demand marketplaces typically capture payments within seven days of authorization, and the final amount may increase or decrease. If your business has a similar payment flow, you can authenticate with 3D Secure right after the customer requests a ride, because they’ll still be on-session. If the final amount ends up being more than originally authenticated, the customer would need to authenticate again for the increased amount, unless a tolerance is permitted by the regional policies allowing the amount to differ. If the final amount is less than originally authenticated, there would be no need to authenticate again.

Another way to approach this payment flow would be to authenticate and authorize for a larger amount when the customer first requests a ride. If the customer wants to add a tip later, and the total is below the authenticated amount, the customer won’t need to authenticate again. The downside to this approach is that authenticating for a larger amount up front might deter price-sensitive customers.

Ride requested: Sami opens the app and requests a ride for €20.

AUTHENTICATE

€20 authenticated using 3D Secure: Sami completes 3D Secure authentication.

Note: Stripe requests exemptions automatically. If Sami’s bank accepts the exemption, he won’t have to complete the 3D Secure authentication challenge.

AUTHORIZE

€20 authorized

Rider picked up and dropped off: A driver picks up Sami and takes him to his destination.

Tip added: He opens the app, rates the driver, and adds a €3 tip.

AUTHENTICATE

€23 (€20 ride + €3 tip) authenticated using 3D Secure: Sami completes 3D Secure authentication.

Note: Stripe requests exemptions automatically. If Sami’s bank accepts an exemption, he won’t have to complete the 3D Secure authentication challenge.

CAPTURE

€23 captured

Note: Capturing €23 cancels the previous authorization for €20.

Recommendation

PAYMENTS API

Build dynamic payment flows and maximize exemptions.

Crowdfunding

Payment captured more than seven days after authorization.

Crowdfunding platforms typically capture payments more than seven days after authorization. Each campaign lasts for a set length of time, and payments are captured when a campaign is successful. If your business has a similar payment flow, you can authenticate with 3D Secure when customers pledge to support a campaign, and then authorize and capture when the campaign ends successfully. If authorization fails, your business will need to bring the customer back on-session to re-authenticate.

Successful payment

Campaign launched

Pledge made:
Luka supports the campaign and pledges €40.

AUTHENTICATE

Card authenticated using 3D Secure:
Luka completes 3D Secure authentication after entering his card details.

30 DAYS PASS

Campaign completed:
Luka’s card is charged when the campaign ends successfully.

AUTHORIZE

€40 authorization attempted

AUTHENTICATE

€40 authenticated using 3D Secure:
Luka completes 3D Secure authentication.

AUTHORIZE

€40 authorized

CAPTURE

€40 captured

Failed payment

Campaign launched

Pledge made:
Luka supports the campaign and pledges €40.

AUTHENTICATE

Card authenticated using 3D Secure:
Luka completes 3D Secure authentication after entering his card details.

30 DAYS PASS

Campaign completed:
Luka’s card is charged when the campaign ends successfully.

AUTHORIZE

€40 authorization attempted

DECLINE

Authorization failed because of an expired card, and re-authentication is required.

Email sent:
Luka opens an email from the crowdfunding website and clicks a link.

Information updated:
He returns to the crowdfunding website and enters new card details.

AUTHENTICATE

€40 authenticated using 3D Secure:
Luka completes 3D Secure authentication.

AUTHORIZE

€40 authorized

CAPTURE

€40 captured

Recommendation

PAYMENTS API

Build dynamic payment flows and maximize exemptions.

Car rental

Payment captured more than seven days after authorization. Final payment amount may change.

Car rental companies typically capture payments more than seven days after authorization, and the final payment amount is likely to increase or decrease because of discounts, upgrades, or add-on services at pickup or dropoff. If your business has a similar payment flow, you can split the payment into separate charges—authenticating the card with 3D Secure when it’s being saved, and authorizing and capturing the cost of the rental and any incidentals later on.

Car reserved: Emma rents a car for an upcoming vacation.

AUTHENTICATE

Card authenticated using 3D Secure: Emma completes 3D Secure authentication after entering her card details.

Car picked up

More than 7 days pass

Car returned: She returns the car without filling up the tank, incurring a €50 fee.

AUTHORIZE

€350 authorized (reservation)

€50 authorized (fuel fee)

CAPTURE

€350 captured (reservation)

€50 captured (fuel fee)

Recommendation

PAYMENTS API

Build dynamic payment flows and maximize exemptions.

Gym membership

Recurring payments. Fixed amount.

Gym memberships are typically recurring payments with a fixed amount, and the membership may begin with a free trial period.

Merchant-initiated transactions are payments made with a saved card when the customer is off-session. To qualify, your business must have an agreement with the customer and have them authenticate their card, either when it’s being saved or on the first payment.

It’s important to note that exemptions aren’t guaranteed, and subsequent payments may require authentication. Individual banks may apply exemptions differently, so your business needs to design payment flows to bring customers back on-session to re-authenticate.

Successful payment

Membership begins:
Imani enters her email and card details to join her local gym for €50 per month.

AUTHENTICATE

€50 authenticated using 3D Secure:
Imani completes 3D Secure authentication.

AUTHORIZE

€50 authorized

CAPTURE

€50 captured

30 DAYS PASS

Membership continues:
Imani takes workout classes and goes to the gym often.

AUTHORIZE

€50 authorized:
This payment didn’t need to be authenticated because Imani’s bank accepted the fixed-rate subscription and merchant-initiated transaction exemptions.

CAPTURE

€50 captured

Failed payment

Trial starts:
Imani joins her local gym for €50 per month. She enters her email and credit card details so her membership will start immediately after the seven-day trial.

AUTHENTICATE

€50 authenticated using 3D Secure:
Imani completes 3D Secure authentication.

7 DAYS PASS

Trial ends and membership begins:
Imani’s card is charged automatically when the trial ends.

AUTHORIZE

€50 authorized

CAPTURE

€50 captured

30 DAYS PASS

Membership continues:
Imani takes workout classes and goes to the gym often.

AUTHORIZE

€50 authorization attempted

DECLINE

Authorization failed and re-authentication is required

Email sent:
Imani opens an email and clicks a link.

Information updated:
She returns to the gym’s website and enters new card details.

AUTHENTICATE

€50 authenticated using 3D Secure:
Imani completes 3D Secure authentication.

AUTHORIZE

€50 authorized

CAPTURE

€50 captured

Recommendations

Choose an option:

STRIPE BILLING

Manage your subscriptions and take advantage of automated tools to be SCA-ready.

PAYMENTS API

Build dynamic payment flows and maximize exemptions.

Utility bill

Metered billing. Recurring payments.

Utility bills are recurring payments with amounts likely to vary from month to month due to metered billing. If your business has a similar payment flow, 3D Secure authentication is required when a customer saves their card to set up automatic payments. To do this, the customer would complete 3D Secure authentication outside of a transaction.

It’s important to note that exemptions aren’t guaranteed, and subsequent payments may require authentication. Individual banks may apply exemptions differently, so your business needs to design payment flows to bring customers back on-session to re-authenticate when necessary.

Payment with an exemption

Account set up:
Salim moves into a new apartment and signs up to pay his monthly utility bill automatically.

Card saved:
Salim adds a card to his account.

AUTHENTICATE

Automatic billing confirmed using 3D Secure:
Salim completes 3D Secure authentication.

30 DAYS PASS

Bill received:
Salim gets an email from the utility company informing him of a €63 scheduled payment.

AUTHORIZE

€63 authorized:
The utility company authorizes €63 and requests a merchant-initiated transaction exemption.

Salim’s bank accepts the exemption and authorization.

CAPTURE

€63 captured

30 DAYS PASS

Bill received:
Salim gets an email from the utility company informing him of a €91 scheduled payment.

AUTHORIZE

€91 authorization attempted:
The utility company attempts to authorize €91 and requests a merchant-initiated transaction exemption.

DECLINE

Authorization failed, and re-authentication is required

Email sent:
Salim gets an email from the utility company with a bill for €91 and clicks the link.

AUTHENTICATE

€91 authenticated using 3D Secure:
Salim completes 3D Secure authentication.

AUTHORIZE

€91 authorized

CAPTURE

€91 captured

Payment without an exemption

Bill received:
Salim gets an email from the utility company with a bill for €63 and clicks the link.

AUTHENTICATE

€63 authenticated using 3D Secure:
Salim completes 3D Secure authentication.

AUTHORIZE

€63 authorized

CAPTURE

€63 captured

30 DAYS PASS

Bill received:
Salim gets an email from the utility company with a bill for €91 and clicks the link.

AUTHENTICATE

€91 authenticated using 3D Secure:
Salim completes 3D Secure authentication.

AUTHORIZE

€91 authorized

CAPTURE

€91 captured

Recommendations

Choose an option:

STRIPE BILLING

Manage your subscriptions and take advantage of automated tools to be SCA-ready.

PAYMENTS API

Build dynamic payment flows and maximize exemptions.

Ready to get started?

Create an account and start accepting payments—no contracts or banking details required. Or, contact us to design a custom package for your business.
Payments

Payments

Accept payments online, in person, and around the world with a payments solution built for any business.

Payments docs

Find a guide to integrate Stripe's payments APIs.