Step 1: Determining your integration path
SCA requires customers to complete 3D Secure authentication for some payments. When the bank requires this step, the customer must be online to complete authentication. This introduces complexity for businesses that save cards and charge them when the customer is no longer on the website or application and can’t complete authentication. Such charges are known as off-session payments. Examples include subscriptions, crowdfunding campaigns, and car rentals.
While some of these off-session payments are exempt, these exemptions require you to authenticate the customer at the time of payment detail collection or require you to pass additional information. In addition, banks can decide to reject an exemption. As such, you should build a way to notify customers that they need to return to your application and complete authentication if required.
Requirements for claiming exemptions on off-session card payments are still being finalized by the card networks and banks. In the coming months, we will update our products and APIs to help you claim exemptions for recurring and off-session payments. Sign up for updates if you have the following payment flows:
- Recurring payments: You charge the customer on a recurring basis.
- Other off-session payments: You save the customer’s cards and charge some time later when the customer is not available to complete authentication.
For the following payment flows, you can update your integration today to become SCA-ready:
- One-time payments: You charge the customer’s cards immediately after they confirm payment.
- Payments with separate authorize and capture: You separately authorize and capture card payments within 7 days after the customer confirms payment.
Determine your integration path with this table:
|One-time payments or payments with separate authorize and capture|
|Other off-session payments||N/A|
Step 2: Implementing the new integration path
If you decide to use the PaymentIntents API (instead of Checkout or Billing), you will need to make server-side and client-side changes.
Creating a charge directly through the Charges API is not SCA-ready. Instead, use the PaymentIntents API to create a payment. A PaymentIntent tracks the lifecycle of a customer checkout flow and triggers additional authentication steps when required by SCA.
Follow the migration guide to learn how to migrate from the Charges API to the PaymentIntents API.
In order to dynamically display 3D Secure authentication for card payments, client-side changes are also required alongside server-side changes for PaymentIntents.
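The server-side half of that change is deciding what to do with each PaymentIntent status, including the off-session case from Step 1 where the customer must be notified to return and authenticate. The sketch below is an added example, not code from this guide or from Stripe's libraries: the status strings and the `authentication_required` error code are taken from Stripe's PaymentIntent object, while `nextStep`, the action names and the sample objects are hypothetical and constructed for illustration.

```javascript
// Added example. Status strings are PaymentIntent `status` values from Stripe's API;
// nextStep, the action names and SAMPLE_INTENTS are hypothetical.
function nextStep(intent, customerPresent) {
  switch (intent.status) {
    case 'succeeded':
      return { action: 'fulfill' }; // the only state in which goods are released
    case 'requires_capture':
      return { action: 'capture_later' }; // separate authorize and capture
    case 'processing':
      return { action: 'wait_for_webhook' };
    case 'requires_confirmation':
      return { action: 'confirm_on_server' };
    case 'canceled':
      return { action: 'stop' };
    case 'requires_action':
      // The bank requires 3D Secure. Only a customer who is online can complete it.
      return customerPresent
        ? { action: 'authenticate_on_client', clientSecret: intent.client_secret }
        : { action: 'notify_customer_to_return', intentId: intent.id };
    case 'requires_payment_method': {
      const err = intent.last_payment_error;
      const code = err ? err.code : null;
      if (!customerPresent && code === 'authentication_required') {
        return { action: 'notify_customer_to_return', intentId: intent.id };
      }
      return { action: 'collect_new_payment_method', reason: code || 'none_attached' };
    }
    default:
      // Fail closed: an unknown status must never fall through to fulfilment.
      throw new Error(`Unhandled PaymentIntent status: ${intent.status}`);
  }
}

// Constructed sample objects (not real Stripe responses).
const SAMPLE_INTENTS = [
  { id: 'pi_example_1', status: 'succeeded' },
  { id: 'pi_example_2', status: 'requires_action', client_secret: 'pi_example_2_secret_x' },
  { id: 'pi_example_3', status: 'requires_payment_method',
    last_payment_error: { code: 'authentication_required' } },
  { id: 'pi_example_4', status: 'requires_capture' },
];

for (const intent of SAMPLE_INTENTS) {
  console.log(intent.id, 'on-session:', nextStep(intent, true).action,
    '| off-session:', nextStep(intent, false).action);
}
```

Fulfilment is tied to `succeeded` alone, and an unrecognised status raises an error instead of being treated as paid.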
Step 3: Testing dynamic authentication
After you have finished implementing the new integration path, configure your Dynamic 3D Secure Radar rules and test your integration using 3D Secure test cards. Make sure to test both the case where authentication succeeds and the case where it fails.