Strong Customer Authentication (SCA) requires an additional step of customer authentication, but sometimes you collect payments when your customer isn’t actively using your application. Even if they authenticated in the past, SCA may require your customer to come back online and re-authenticate. To reduce friction in these off-sessionA payment is described as off-session if it occurs without the direct involvement of the customer, using previously-collected payment information. payments, Stripe built APIs that enable upfront authentication—so you can authenticate your customer on-sessionA payment is described as on-session if it occurs while the customer is actively in your checkout flow and able to authenticate the payment method. once and reuse the card off-session repeatedly. Since September 14, 2019, you need to use these APIs to reduce the chance of failed payments when reusing cards or creating subscriptions and invoices.
However, off-session payments made with cards saved before September 14, 2019, are eligible for SCA grandfathering. Grandfathering means you don’t have to use Stripe’s new APIs to set up saved cards again, and your off-session payments can proceed normally—without re-authentication from customers.
How SCA grandfathering works
All off-session payments that meet both of these conditions are eligible for grandfathering, regardless of payment amount and frequency:
- You saved the card details before September 14, 2019
- You explicitly tell Stripe the transaction is off-session
Stripe automatically looks for a transaction made with the card before September 14. If found, Stripe uses the previous authorization agreement to grandfather the current transaction. If the bank accepts Stripe’s grandfathering claim, the transaction is categorized as out of scope for SCA and can proceed without additional authentication.
If the bank declines Stripe’s grandfathering claim, it’s like any other PaymentIntent failing the confirmation step. The PaymentIntent’s status changes to requires_payment_methodThis status appears as “requires_source” in API versions before 2019-02-11., and you have to notify your customer to complete the payment.
Saving cards after September 14, 2019
Preparing your saved cards for SCA
The following off-session payments are eligible for grandfathering. Regardless of how you saved the card, use PaymentIntents and tell Stripe the payment is off-session.
|How you saved the card pre–September 14||Grandfathered after September 14|
|By passing a token, source, or payment method to the
||Create a PaymentIntent with off-session flag|
|By creating a SetupIntent or using save_payment_method in a PaymentIntent||Create a PaymentIntent with off-session flag|
To grandfather subscriptions and invoices managed with Stripe Billing, refer to the Billing SCA guide.
Was this page helpful?