Planning Your SCA Migration

    Learn how to update your integration in order to prepare for Strong Customer Authentication (SCA).

    Preparing your integration for the upcoming Strong Customer Authentication regulation in Europe consists of the following steps:

    1. Identify your payment flow
    2. Determine your integration path
    3. Implement the new integration path
    4. Test dynamic authentication

    Start updating your integration today to be ready for SCA. Once your integration is live, 3D Secure authentication is displayed when required by SCA beginning on September 14, 2019. Updating your integration prior to this deadline has no negative impact on your customers’ experience or your conversion rate.

    Step 1: Identify your payment flow

    First, identify the payment flow that most closely matches your business. The Designing payment flow for SCA Guide goes into further detail about each flow.

    Payment flow Description Example Business Scenario
    One-time payments You charge the customer’s cards immediately after they confirm payment. E-commerce
    Recurring payments You charge the customer on a recurring basis. Gym membership for fixed-amount recurring charges, or utility bill for metered billing
    Payments with separate authorize and capture within 7 days. You separately authorize and capture card payments within 7 days after the customer confirms payment. Ridesharing
    Payment captured more than seven days after authorization. You charge the customer's card more than 7 days after they submit payment details. Crowdfunding, or car rental if final amount may change.
    Other off-session payments You save the customer’s cards and charge some time later when the customer is not available to complete authentication. N/A

    Step 2: Determine your integration path

    Choose an integration option based on your payment flow below:

    One-time payments

    For one-time payments, you can complete the full integration today.

    The new version of Stripe Checkout

    Get pre-built, conversion-optimized checkout flows with minimal code. Choose this option if you prefer a low-maintenance integration.

    For this payment flow, you can complete the full integration today, and no additional work will be needed to handle exemptions.

    Payment Intents API

    Build dynamic payment flows and custom checkout pages by migrating to the Payment Intents API with one of our client libraries:

    For this payment flow, you can complete the full integration today, and no additional work will be needed to handle exemptions.

    Recurring payments

    SCA requires customers to complete 3D Secure for some payments. When this step is required by the bank, the customer must be online to complete authentication. ​​This introduces complexity for businesses that save cards and charge them later when the customer is no longer on the website or application and can’t complete authentication. This is also known as off-session payments. Examples of this include fixed-amount subscriptions, metered-billing subscriptions, crowdfunding campaigns, and car rentals.

    Stripe products and APIs now allow merchants to meet SCA requirements for off-session payments:

    1. Mandate collection. A mandate represents the agreement you have with the customer on how you plan to use their card in the future. In your checkout flow, add some consent text. State that by completing checkout, the customer consents to your initiation of payment on their behalf. State the anticipated frequency of payments. Explain how the amount of the payments will be determined.

    2. Strong authentication of the first transaction. Merchants are required to authenticate the customer when the mandate is set up. This can either be done by the first payment with the card or when saving the card to a customer without making an initial payment.

    3. Flagging subsequent transactions. Any payment made with a saved card when a user is off-session must be marked accordingly, with reference to the first authenticated transaction. Stripe handles this for you.

    By updating your payments integration to use these new APIs and flows, Stripe can request exemptions such as fixed-amount subscriptions and merchant-initiated transactions to process later payments made with a saved card. However, banks can decide to reject a request for exemption. Build a way to notify customers that they need to return to your application and complete authentication if required.

    Stripe Billing with the new version of Checkout

    Checkout is a pre-built checkout page that lets you collect payments and manage simple subscriptions with a single integration.

    Stripe Billing

    Take advantage of automated tools to protect your revenue and scale your business. Build your own custom checkout experience.

    1. Update your client-side integration to save cards to charge later.
    2. Then, implement SCA-changes for Stripe Billing.

    Off-Session Payments with the Payment Intents API

    Build your own off-session payments logic and handle getting users back on-session to complete re-authentication as needed. While this approach takes more work than using Stripe Billing, it provides more flexibility.

    There are three parts to building an off-session payment flow:

    1. Save a card to a customer. You can save a card either in a checkout flow (as the customer is making a payment) or outside of the checkout flow.
    2. Use a saved card to make a payment. Once you have cards saved to a customer, you can make both on-session or off-session payments.
    3. Build a recovery flow. While Stripe requests exemptions to reduce the need for customer reauthentication, there is always a risk that the cardholder’s bank will reject the exemption request. You should always build a recovery flow to bring a customer back on-session in case they need to authenticate again.

    Payments with separate authorize and capture within 7 days

    For payments with separate authorize and capture, you can complete the full integration today.

    The new version of Stripe Checkout Server

    Get pre-built, conversion-optimized checkout flows with minimal code. Choose this option if you prefer a low-maintenance integration.

    1. Integrate with Checkout Server.
    2. Handle the separate auth and capture flow.

    For this payment flow, you can complete the full integration today, and no additional work will be needed to handle exemptions.

    Payment Intents API

    Build dynamic payment flows and custom checkout pages by migrating to the Payment Intents API with one of our client libraries:

    For this payment flow, you can complete the full integration today, and no additional work will be needed to handle exemptions.

    Payment captured more than seven days after authorization

    SCA requires customers to complete 3D Secure for some payments. When this step is required by the bank, the customer must be online to complete authentication. ​​This introduces complexity for businesses that save cards and charge them later when the customer is no longer on the website or application and can’t complete authentication. This is also known as off-session payments. Examples of this include fixed-amount subscriptions, metered-billing subscriptions, crowdfunding campaigns, and car rentals.

    Stripe products and APIs now allow merchants to meet SCA requirements for off-session payments:

    1. Mandate collection. A mandate represents the agreement you have with the customer on how you plan to use their card in the future. In your checkout flow, add some consent text. State that by completing checkout, the customer consents to your initiation of payment on their behalf. State the anticipated frequency of payments. Explain how the amount of the payments will be determined.

    2. Strong authentication of the first transaction. Merchants are required to authenticate the customer when the mandate is set up. This can either be done by the first payment with the card or when saving the card to a customer without making an initial payment.

    3. Flagging subsequent transactions. Any payment made with a saved card when a user is off-session must be marked accordingly, with reference to the first authenticated transaction. Stripe handles this for you.

    By updating your payments integration to use these new APIs and flows, Stripe can request exemptions such as fixed-amount subscriptions and merchant-initiated transactions to process later payments made with a saved card. However, banks can decide to reject a request for exemption. Build a way to notify customers that they need to return to your application and complete authentication if required.

    Off-Session Payments with the Payment Intents API

    Build your own off-session payments logic and handle getting users back on-session to complete re-authentication as needed. While this approach takes more work than using Stripe Billing, it provides more flexibility.

    There are three parts to building an off-session payment flow:

    1. Save a card to a customer. You can save a card either in a checkout flow (as the customer is making a payment) or outside of the checkout flow.
    2. Use a saved card to make a payment. Once you have cards saved to a customer, you can make both on-session or off-session payments.
    3. Build a recovery flow. While Stripe requests exemptions to reduce the need for customer reauthentication, there is always a risk that the cardholder’s bank will reject the exemption request. You should always build a recovery flow to bring a customer back on-session in case they need to authenticate again.

    Other off-session payments

    SCA requires customers to complete 3D Secure for some payments. When this step is required by the bank, the customer must be online to complete authentication. ​​This introduces complexity for businesses that save cards and charge them later when the customer is no longer on the website or application and can’t complete authentication. This is also known as off-session payments. Examples of this include fixed-amount subscriptions, metered-billing subscriptions, crowdfunding campaigns, and car rentals.

    Stripe products and APIs now allow merchants to meet SCA requirements for off-session payments:

    1. Mandate collection. A mandate represents the agreement you have with the customer on how you plan to use their card in the future. In your checkout flow, add some consent text. State that by completing checkout, the customer consents to your initiation of payment on their behalf. State the anticipated frequency of payments. Explain how the amount of the payments will be determined.

    2. Strong authentication of the first transaction. Merchants are required to authenticate the customer when the mandate is set up. This can either be done by the first payment with the card or when saving the card to a customer without making an initial payment.

    3. Flagging subsequent transactions. Any payment made with a saved card when a user is off-session must be marked accordingly, with reference to the first authenticated transaction. Stripe handles this for you.

    By updating your payments integration to use these new APIs and flows, Stripe can request exemptions such as fixed-amount subscriptions and merchant-initiated transactions to process later payments made with a saved card. However, banks can decide to reject a request for exemption. Build a way to notify customers that they need to return to your application and complete authentication if required.

    Off-Session Payments with the Payment Intents API

    Build your own off-session payments logic and handle getting users back on-session to complete re-authentication as needed. While this approach takes more work than using Stripe Billing, it provides more flexibility.

    There are three parts to building an off-session payment flow:

    1. Save a card to a customer. You can save a card either in a checkout flow (as the customer is making a payment) or outside of the checkout flow.
    2. Use a saved card to make a payment. Once you have cards saved to a customer, you can make both on-session or off-session payments.
    3. Build a recovery flow. While Stripe requests exemptions to reduce the need for customer reauthentication, there is always a risk that the cardholder’s bank will reject the exemption request. You should always build a recovery flow to bring a customer back on-session in case they need to authenticate again.

    Step 3: Implement the new integration path

    You will need to make server-side and client-side changes.

    Server-side

    Creating a charge directly through the Charges API is not SCA-ready. Instead, use the Payment Intents API to create a payment. A PaymentIntent tracks the lifecycle of a customer checkout flow and triggers additional authentication steps when required by SCA.

    Follow the migration guide to learn how to migrate from the Charges API to the Payment Intents API.

    Client-side

    In order to dynamically display 3D Secure authentication for card payments, client-side changes are also required alongside server-side changes for the Payment Intents API.

    Follow our guides to learn how to use the Payment Intents API with Stripe.js & Elements, iOS, and Android.

    Step 4: Test dynamic authentication

    To verify that your updated integration handles 3D Secure correctly, be sure to test both cases when authentication is successful and unsuccessful using the regulatory test cards.

    By default, 3D Secure authentication will only be shown when the customer’s bank requires it, so your checkout conversion will not be negatively affected. You can disable the default Dynamic 3D Secure Radar rules if you do not wish to apply them. Starting on September 14, 2019, your updated integration displays the 3D secure authentication flow automatically when required by SCA.

    Next steps

    Was this page helpful? Yes No

    Send

    Thank you for helping improve Stripe's documentation. If you need help or have any questions, please consider contacting support.

    Questions?

    We're always happy to help with code or other questions you might have. Search our documentation, contact support, or connect with our sales team. You can also chat live with other developers in #stripe on freenode.

    On this page