SCA Enforcement FAQs

    Get answers to common questions about when Strong Customer Authentication (SCA) requirements are enforced.

    I read that enforcement of SCA will be delayed. When should I update my integration?

    Although we anticipate a phased and fragmented enforcement of SCA across Europe, SCA-impacted Stripe users should prepare their payment flows to be SCA-ready as soon as possible. This will help prevent an increase in declines from European cards, or in case of an early enforcement by select banks. Read more about how enforcement varies by country.

    How can I be sure that my integration is SCA-ready?

    Your integration is SCA-ready when all of your payments volume is processed using SCA-ready products.

    • Your business must use an SCA-ready product, such as the new version of Stripe Checkout, Billing, the Payment Intents API, or an SCA-ready partner solution.
    • Test 3D Secure authentication thoroughly. Use our regulatory test cards to ensure that your integration can handle 3D Secure.
    • For off-session payments, make sure you set up and authenticate the card when saving the payment method, and off-session payments are flagged as off-session via the API.
    • If your business uses Stripe Billing’s Subscriptions or Invoice APIs, ensure your integration can handle incomplete statuses.
    What should I do if my payments are stuck at incomplete (requires_action)?

    If you notice in the Dashboard that your payments are not advancing past the incomplete status (requires_action in the API), consider:

    • If this is an on-session payment, this may be expected. Your customer might be in the process of authenticating or they may have abandoned the checkout flow.
    • Make sure you are handling required actions on the client side.
    • If this is an off-session payment, this is not expected. You should be setting off_session to true when creating the payment.
    Where do I see which payments were declined because they required 3D Secure authentication?

    For off-session payments, visit your Dashboard and filter by failed payments. Hovering over the status badge will highlight the decline reason (e.g. authentication required). On-session payments can be viewed by applying the incomplete payments filter and seeing if the payment is incomplete since authentication is required.

    Why are my off-session payments failing when I expect them to be exempt from SCA requirements?

    For off-session payments, make sure that you are authenticating the card when saving card details, either without a payment or after a payment. When saving cards without a payment, use the Setup Intents API and set usage to off_session. When saving cards after a payment, set setup_future_usage to off_session. Finally, note that exemptions are not guaranteed and off-session payments may still require authentication by the bank.

    Is the Stripe plugin I use SCA-ready?

    You can view a list of common SCA-ready Stripe plugins here. If you don’t see the plugin your business uses here, visit the SCA Updates section of the Dashboard for more detailed guidance.

    What happens to disputes when covered by banks?

    Payments that have been successfully authenticated using 3D Secure are covered by a liability shift. Should a 3D Secure payment be disputed as fraudulent by the cardholder, the liability shifts from you to the card issuer. If exemptions are applied, the payment is not authenticated through 3D Secure, and is therefore not covered by a liability shift.

    How do I collect permission to reuse cards?

    When you set up your payment flow to properly save a card with the Payment Intents or Setup Intents API, Stripe marks any subsequent off-session payment as a merchant-initiated transaction (MIT) to reduce the need to authenticate. Merchant-initiated transactions require an agreement (also known as a “mandate”) between you and your customer. Add terms to your website or application on how you plan to process payments that your customer can opt into.

    At a minimum, ensure that your terms cover the following:

    • The customer’s permission to you initiating a payment or a series of payments on their behalf
    • The anticipated frequency of payments (i.e., one-time or recurring)
    • How the payment amount will be determined

    Add text in your checkout flow that references the terms of the payment, for example:

    I authorise [your business name] to send instructions to the financial institution that issued my card to take payments from my card account in accordance with the terms of my agreement with you.

    Was this page helpful?

    Thank you for helping improve Stripe's documentation. If you need help or have any questions, please consider contacting support.

    On this page