SCA Migration Guide
Learn how to update your integration in order to prepare for Strong Customer Authentication (SCA).
Step 1: Identify your payment flow
First, identify the payment flow that most closely matches your business. The Designing payment flow for SCA Guide goes into further detail about each flow.
| Payment flow | Description | Example Business Scenario |
|---|---|---|
| One-time payments | You charge the customer’s cards immediately after they confirm payment. | E-commerce |
| Recurring payments | You charge the customer on a recurring basis. | Gym membership for fixed-amount recurring charges, or utility bill for metered billing |
| Payments with separate authorize and capture within 7 days. | You separately authorize and capture card payments within 7 days after the customer confirms payment. | Ridesharing |
| Payment captured more than seven days after authorization. | You charge the customer's card more than 7 days after they submit payment details. | Crowdfunding, or car rental if final amount may change. |
| Other off-session payments | You save the customer’s cards and charge some time later when the customer is not available to complete authentication. | N/A |
Step 2: Determine your integration path
Choose an integration option based on your payment flow below:
-
One-time payments
-
For one-time payments, you can complete the full integration today.
The new version of Stripe Checkout
Get pre-built, conversion-optimized checkout flows with minimal code. Choose this option if you prefer a low-maintenance integration.
For this payment flow, you can complete the full integration today, and no additional work will be needed to handle exemptions.
Payment Intents API
Build dynamic payment flows and custom checkout pages by migrating to the Payment Intents API with one of our client libraries:
For this payment flow, you can complete the full integration today, and no additional work will be needed to handle exemptions.
-
Recurring payments
-
SCAStrong Customer Authentication (SCA) is a new regulatory requirement coming into effect on September 14, 2019 which will impact many European online payments. It requires customers to use two-factor authentication like 3D Secure to verify their purchase. requires customers to complete 3D Secure3D Secure provides an additional layer of authentication for credit card transactions that protects merchants from liability for fraudulent card payments. During a transaction that incorporates the 3D Secure authorization process, the customer is prompted to supply a separate password or code to validate their purchase. for some payments. When this step is required by the bank, the customer must be online to complete authentication. This introduces complexity for businesses that save cards and charge them later when the customer is no longer on the website or application and can’t complete authentication. This is also known as off-session paymentsA payment is described as off-session if it occurs without the direct involvement of the customer, using previously-collected payment information.. Examples of this include fixed-amount subscriptions, metered-billing subscriptions, crowdfunding campaigns, and car rentals.
While some of these off-session payments are exempt as fixed-amount subscriptions and merchant-initiated transactions, the exemptions require you to authenticate the customer at the time of payment detail collection or require you to pass additional information. In addition, banks can decide to reject a request for exemption. As such, you should build a way to notify customers that they need to return to your application and complete authentication if required.
Requirements for claiming exemptions on off-session card payments are still being finalized by the card networks and banks. By July 1, 2019, we will update our products and APIs to help you claim exemptions for recurring and off-session payments.
For this payment flow, whether you need to do incremental work to handle all exemptions will vary by which integration path you choose. In all cases, we strongly suggest starting your overall integration update now.
Stripe Billing with the new version of Checkout
Take advantage of automated tools and a pre-built checkout UI to protect your revenue and scale your business. This is the easiest way to manage subscriptions on Stripe.
For this payment flow, you can complete the full integration today, and no additional work will be needed to handle exemptions.
Stripe Billing
Take advantage of automated tools to protect your revenue and scale your business. Build your own custom checkout experience.
- Update your client-side integration to save a payment method for later use.
- Then, implement SCA-changes for Stripe Billing.
- If you offer free trials for subscriptions, you will need to make incremental changes in order to claim exemptions and decrease the rate of authentication challenges required by your customers—this will be ready by July 1, 2019. This step is waiting on regulatory clarity. Sign up for updates when this step is ready.
You can also wait until July 1, 2019 to make these changes altogether. However, we strongly suggest against this approach as you’ll only have two months before the deadline to make all of the required changes.
Off-Session Payments with the Payment Intents API
Build your own off-session payments logic and handle getting users back on-session to complete re-authentication as needed. While this appraoch takes more work than using Stripe Billing, it provides more flexibility.
- Update your client-side integration to save a payment method for later use.
- Then, integrate with the Payment Intents API to handle the off-session payments. We strongly recommend that you integrate now, as this is the bulk of the work and is ready now.
- You will need to make incremental changes in order to claim exemptions and decrease the rate of authentication challenges required by your customers—this will be ready by July 1, 2019. This step is waiting on regulatory clarity. Sign up for updates when this step is ready.
You can also wait until July 1, 2019 to make these changes altogether. However, we strongly advise against this approach as you’ll only have two months before the September deadline to make all of the required changes.
-
Payments with separate authorize and capture within 7 days
-
For payments with separate authorize and capture, you can complete the full integration today.
The new version of Stripe Checkout Server
Get pre-built, conversion-optimized checkout flows with minimal code. Choose this option if you prefer a low-maintenance integration.
- Integrate with Checkout Server.
- Handle the separate auth and capture flow.
For this payment flow, you can complete the full integration today, and no additional work will be needed to handle exemptions.
Payment Intents API
Build dynamic payment flows and custom checkout pages by migrating to the Payment Intents API with one of our client libraries:
For this payment flow, you can complete the full integration today, and no additional work will be needed to handle exemptions.
-
Payment captured more than seven days after authorization
-
SCAStrong Customer Authentication (SCA) is a new regulatory requirement coming into effect on September 14, 2019 which will impact many European online payments. It requires customers to use two-factor authentication like 3D Secure to verify their purchase. requires customers to complete 3D Secure3D Secure provides an additional layer of authentication for credit card transactions that protects merchants from liability for fraudulent card payments. During a transaction that incorporates the 3D Secure authorization process, the customer is prompted to supply a separate password or code to validate their purchase. for some payments. When this step is required by the bank, the customer must be online to complete authentication. This introduces complexity for businesses that save cards and charge them later when the customer is no longer on the website or application and can’t complete authentication. This is also known as off-session paymentsA payment is described as off-session if it occurs without the direct involvement of the customer, using previously-collected payment information.. Examples of this include fixed-amount subscriptions, metered-billing subscriptions, crowdfunding campaigns, and car rentals.
While some of these off-session payments are exempt as fixed-amount subscriptions and merchant-initiated transactions, the exemptions require you to authenticate the customer at the time of payment detail collection or require you to pass additional information. In addition, banks can decide to reject a request for exemption. As such, you should build a way to notify customers that they need to return to your application and complete authentication if required.
Requirements for claiming exemptions on off-session card payments are still being finalized by the card networks and banks. By July 1, 2019, we will update our products and APIs to help you claim exemptions for recurring and off-session payments.
Off-Session Payments with the Payment Intents API
Build your own off-session payments logic and handle getting users back on-session to complete re-authentication as needed. While this appraoch takes more work than using Stripe Billing, it provides more flexibility.
- Update your client-side integration to save a payment method for later use.
- Then, integrate with the Payment Intents API to handle the off-session payments. We strongly recommend that you integrate now, as this is the bulk of the work and is ready now.
- You will need to make incremental changes in order to claim exemptions and decrease the rate of authentication challenges required by your customers—this will be ready by July 1, 2019. This step is waiting on regulatory clarity. Sign up for updates when this step is ready.
You can also wait until July 1, 2019 to make these changes altogether. However, we strongly advise against this approach as you’ll only have two months before the September deadline to make all of the required changes.
-
Other off-session payments
-
SCAStrong Customer Authentication (SCA) is a new regulatory requirement coming into effect on September 14, 2019 which will impact many European online payments. It requires customers to use two-factor authentication like 3D Secure to verify their purchase. requires customers to complete 3D Secure3D Secure provides an additional layer of authentication for credit card transactions that protects merchants from liability for fraudulent card payments. During a transaction that incorporates the 3D Secure authorization process, the customer is prompted to supply a separate password or code to validate their purchase. for some payments. When this step is required by the bank, the customer must be online to complete authentication. This introduces complexity for businesses that save cards and charge them later when the customer is no longer on the website or application and can’t complete authentication. This is also known as off-session paymentsA payment is described as off-session if it occurs without the direct involvement of the customer, using previously-collected payment information.. Examples of this include fixed-amount subscriptions, metered-billing subscriptions, crowdfunding campaigns, and car rentals.
While some of these off-session payments are exempt as fixed-amount subscriptions and merchant-initiated transactions, the exemptions require you to authenticate the customer at the time of payment detail collection or require you to pass additional information. In addition, banks can decide to reject a request for exemption. As such, you should build a way to notify customers that they need to return to your application and complete authentication if required.
Requirements for claiming exemptions on off-session card payments are still being finalized by the card networks and banks. By July 1, 2019, we will update our products and APIs to help you claim exemptions for recurring and off-session payments.
Off-Session Payments with the Payment Intents API
Build your own off-session payments logic and handle getting users back on-session to complete re-authentication as needed. While this appraoch takes more work than using Stripe Billing, it provides more flexibility.
- Update your client-side integration to save a payment method for later use.
- Then, integrate with the Payment Intents API to handle the off-session payments. We strongly recommend that you integrate now, as this is the bulk of the work and is ready now.
- You will need to make incremental changes in order to claim exemptions and decrease the rate of authentication challenges required by your customers—this will be ready by July 1, 2019. This step is waiting on regulatory clarity. Sign up for updates when this step is ready.
You can also wait until July 1, 2019 to make these changes altogether. However, we strongly advise against this approach as you’ll only have two months before the September deadline to make all of the required changes.
Step 3: Implement the new integration path
You will need to make server-side and client-side changes.
Server-side
Creating a charge directly through the Charges API is not SCA-ready. Instead, use the Payment Intents API to create a payment. A PaymentIntent tracks the lifecycle of a customer checkout flow and triggers additional authentication steps when required by SCA.
Follow the migration guide to learn how to migrate from the Charges API to the Payment Intents API.
Client-side
In order to dynamically display 3D Secure authentication for card payments, client-side changes are also required alongside server-side changes for the Payment Intents API.
Follow our guides to learn how to use the Payment Intents API with Stripe.js & Elements, iOS, and Android.
Step 4: Test dynamic authentication
After you have finished implementing the new integration path, configure your Dynamic 3D Secure Radar rules and test your integration using 3D Secure test cards. Make sure to test both cases when the authentication is successful and unsuccessful.
Sign up for SCA updates
We’ll email you when we have updates about Strong Customer Authentication.
Thank you!
We’ll let you know when we publish new guides or updates.