Designing card payment flows for SCA

Strong Customer Authentication, or SCA, has changed online payments in Europe. See the impact it may have on your payment flows and learn how Stripe can help.

  1. Introduction
  2. How online card payments have changed
  3. Understanding exemptions
  4. Business scenarios
    1. E-commerce
    2. Ridesharing
    3. Crowdfunding
    4. Car hire
    5. Gym membership
    6. Utility bill

Strong Customer Authentication (SCA) requirements are fully enforced in all eligible European countries, causing a massive shift in the European payment landscape.

To meet SCA requirements, a form of two-factor authentication is required for electronic payments and access to payment accounts. Without authentication, many payments may be declined by your customers' banks. We designed foundational payments APIs to help businesses handle this change and take full advantage of any SCA exemptions. Stripe's authentication engine automatically selects the optimal authentication flow for each transaction to maximise conversion while minimising fraud.

We recommend using this guide to understand how different types of payment flows have changed due to SCA and referring to it as you design your payment flows.

STAY INFORMED ABOUT SCA

We're working closely with regulators and the broader payments industry. If you're interested in knowing more about the regulation and our products, please check our recent guide on PSD3 or reach out.

How online card payments have changed

Traditional card payments usually involve two steps: authorisation and capture. A payment is authorised when a customer's bank or card issuer decides to approve a payment, and the payment is captured when the card is charged.

With SCA, there is an additional and mandatory step before authorisation and capture: authentication. This step is aimed at protecting customers by preventing fraud. To authenticate a payment, a customer responds to a prompt from their bank and provides additional information. This may be something they know, such as a password; something they use, such as their phone; or something that's part of who they are, such as their fingerprint.

The most common way to authenticate an online card payment is a method called 3D Secure. You may recognise 3D Secure by its branded names, such as "Visa Secure" or "Mastercard Identity Check". A newer version called 3D Secure 2 has become the standard method to authenticate payments. You can learn about the differences between these methods in our 3D Secure 2 guide. Our SCA-ready products all support 3D Secure 2.

No matter what method you use, customers need to be using your website or app to authenticate. Adding this step can be simpler for businesses that charge customers straight away and more complex for businesses that charge customers after they've left the checkout flow. (This is sometimes referred to as off-session.)

The scenarios in this guide offer examples of how these three steps (authentication, authorisation and capture) can vary depending on how and when you charge your customers.

AUTHENTICATE

A customer authenticates an online payment by responding to a 3D Secure prompt from their bank and providing additional information. See 3D Secure from your customer's perspective.

Multi-factor authentication is required when a payment isn't eligible for an exemption or when the customer's bank denies an exemption request. Our new payments APIs automatically request any eligible exemptions before adding the authentication step. This simplifies checkout flows and protects conversion rates.

Did you know: Authentication has to happen while the customer is on-session, or using your website or app, so this step typically happens when the customer completes the checkout form.

AUTHORISE

Your business asks the customer's bank to approve the payment, and the bank decides whether to approve or decline it. If approved, the funds are put on hold for up to seven days. If an authorisation request is declined, your business needs a way to bring the customer back on-session to re-authenticate the payment and then attempt to authorise again.

Did you know: An authorisation request can still be declined by the customer's bank after it's been authenticated. This can, for example, happen if the customer doesn't have enough funds or the card has expired.

Up to 7 days

The standard time period between authorisation and capture can be up to seven days, but most businesses capture a payment immediately after authorisation.

CAPTURE

The business charges the customer's card, completing the payment.

Did you know: A customer's bank may show that a payment is "pending" if it has been authorised but not captured.

Understanding exemptions

There are certain types of payments – such as low-risk transactions, fixed-amount subscriptions, phone sales and merchant-initiated transactions – that may be exempt from SCA. Merchant-initiated transactions are payments made with a saved card when the customer is off-session. Common examples include a gym membership payment or utility bill. To use this exemption, your business must have an agreement with your customer and have them authenticate their card when it's being saved or authenticate the first payment. Our Strong Customer Authentication guide goes into greater detail about these exemptions and others.

Stripe's SCA-ready payment APIs and products help businesses take full advantage of these opportunities by requesting exemptions automatically. When exemptions are accepted by your customers' banks, your customers won't have to authenticate, minimising the impact on conversion.

However, businesses must design their payment flows to authenticate customers if the exemption is declined. This is especially important because the rules around exemptions depend on your customers' banks. The banks evaluate each payment and decide whether an exemption applies – and individual banks will apply exemptions differently.
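The three steps above, together with the exemption and decline handling this section calls for, as an added simulation that is not Stripe's code or API. `Bank`, `Payment`, `run_flow`, `recover` and the status names are constructed for the example; bank decisions are injected as callables so the "exemption refused while off-session" and "declined after authentication" paths can be exercised offline.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed model of the authenticate -> authorise -> capture flow this guide
# describes (not Stripe's implementation). Bank decisions are injected so the
# exemption-refused and authorisation-declined paths can be exercised offline.

@dataclass
class Bank:
    grants_exemption: Callable[[str, int], bool]  # (exemption name, amount) -> accepted?
    approves: Callable[[int], bool]               # amount -> authorisation approved?

@dataclass
class Payment:
    amount: int                      # minor units, e.g. 2900 == EUR 29.00
    on_session: bool                 # True while the customer is in your checkout
    exemption: Optional[str] = None  # e.g. "merchant_initiated" for a saved card
    authenticated: bool = False
    authorised: bool = False
    captured: bool = False
    log: list = field(default_factory=list)

def run_flow(p: Payment, bank: Bank) -> str:
    """Return 'captured', or 'requires_action' when the customer must be
    brought back on-session to (re-)authenticate before trying again."""
    # Step 1: authentication, skipped only if the bank grants the requested exemption.
    if p.exemption and bank.grants_exemption(p.exemption, p.amount):
        p.log.append(f"exemption {p.exemption!r} accepted, no 3DS challenge")
    elif p.on_session:
        p.authenticated = True       # customer completes the 3D Secure challenge
        p.log.append("3DS challenge completed")
    else:
        # Off-session and no exemption: nobody is present to answer a challenge.
        p.log.append("exemption refused while off-session")
        return "requires_action"
    # Step 2: authorisation. The bank can still decline (expired card, no funds).
    if not bank.approves(p.amount):
        p.log.append("authorisation declined")
        return "requires_action"
    p.authorised = True
    # Step 3: capture within the authorisation window (up to seven days).
    p.captured = True
    p.log.append(f"captured {p.amount}")
    return "captured"

def recover(p: Payment, bank: Bank) -> str:
    """Resume a paused payment once the customer is back on-session (e.g. via
    an emailed link): authenticate this time instead of requesting an exemption."""
    p.on_session, p.exemption = True, None
    return run_flow(p, bank)
```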

Business scenarios

To illustrate the impact and application of SCA, we’ve outlined how an authentication step can fit into payment flows for different business models.

E-commerce

One-off payment. Card not saved.

E-commerce businesses typically charge customers while they're on-session, without saving card details for future payments. If your business has a similar payment flow, adding authentication should be simple: you can authenticate with 3D Secure straight after the customer enters their card details and places their order.

Stripe automatically requests any eligible exemptions, so your customers may not need to authenticate. But because individual banks apply exemptions differently, your business still needs to design payment flows to authenticate customers when necessary.

Order placed: Elisa enters her card details and shipping information. The total comes to €29 including tax.

AUTHENTICATE

€29 authenticated using 3D Secure: Elisa completes 3D Secure authentication.

Note: Stripe requests exemptions automatically. If Elisa's bank accepts the exemption, she won't have to complete the 3D Secure authentication challenge.

AUTHORISE

€29 authorised

CAPTURE

€29 captured

Order shipped

Recommendations

Choose an option:

STRIPE CHECKOUT

Get prebuilt, conversion-optimised checkout flows with minimal code.

PAYMENTS API

Build dynamic payment flows and maximise exemptions.

Ridesharing

Payment captured within seven days of authorisation. Final payment amount may change.

Ridesharing businesses and other on-demand marketplaces typically capture payments within seven days of authorisation, and the final amount may increase or decrease. If your business has a similar payment flow, you can authenticate with 3D Secure straight after the customer requests a journey, because they'll still be on-session. If the final amount ends up being more than originally authenticated, the customer would need to authenticate again for the increased amount, unless regional policies permit a tolerance that allows the amount to differ. If the final amount is less than originally authenticated, there would be no need to authenticate again.

Another way to approach this payment flow would be to authenticate and authorise for a larger amount when the customer first requests a journey. If the customer wants to add a tip later, and the total is below the authenticated amount, the customer won't need to authenticate again. The downside to this approach is that authenticating for a larger amount upfront might deter price-sensitive customers.
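The two ridesharing approaches above (authenticate the requested fare and re-authenticate only if the final amount exceeds it, or authenticate a larger amount up front) as an added example, not code from this guide or from Stripe. `Ride`, `settle` and the tolerance parameter are constructed for the example; the guide does not fix a tolerance value, so it is an input here.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed example (not Stripe's code): decide whether a changed final fare
# needs a fresh 3D Secure authentication, and how the earlier authorisation is
# replaced when a larger amount is captured.

@dataclass
class Ride:
    authenticated: int        # amount the customer authenticated, minor units
    authorised: int           # amount currently on hold at the bank
    tolerance_bps: int = 0    # permitted overrun in basis points (assumed input)
    steps: List[str] = field(default_factory=list)

def settle(ride: Ride, final: int) -> bool:
    """Settle the journey for `final`. Returns True if the customer had to
    authenticate again (i.e. the fare exceeded the authenticated amount plus
    any regional tolerance)."""
    limit = ride.authenticated + ride.authenticated * ride.tolerance_bps // 10_000
    reauth = final > limit
    if reauth:
        # Customer is still in the app (rating screen, tip prompt), so on-session.
        ride.steps.append(f"authenticate {final} via 3DS")
        ride.authenticated = final
    else:
        ride.steps.append(f"{final} within authenticated {ride.authenticated}; no 3DS")
    if final > ride.authorised:
        # A new authorisation is needed; the earlier hold is cancelled on capture.
        ride.steps.append(f"authorise {final}; cancel hold of {ride.authorised}")
        ride.authorised = final
    # A final amount at or below the hold is captured against it directly.
    ride.steps.append(f"capture {final}")
    return reauth
```

With a 20% tolerance (`tolerance_bps=2000`) the €3 tip on a €20 journey is captured without a second challenge; with no tolerance it triggers one, matching the timeline below.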

Journey requested: Sami opens the app and requests a journey for €20.

AUTHENTICATE

€20 authenticated using 3D Secure: Sami completes 3D Secure authentication.

Note: Stripe requests exemptions automatically. If Sami's bank accepts the exemption, he won't have to complete the 3D Secure authentication challenge.

AUTHORISE

€20 authorised

Customer picked up and dropped off: A driver picks up Sami and takes him to his destination.

Tip added: He opens the app, rates the driver and adds a €3 tip.

AUTHENTICATE

€23 (€20 journey + €3 tip) authenticated using 3D Secure: Sami completes 3D Secure authentication.

Note: Stripe requests exemptions automatically. If Sami's bank accepts an exemption, he won't have to complete the 3D Secure authentication challenge.

CAPTURE

€23 captured

Note: Capturing €23 cancels the previous authorisation for €20.

Recommendation

PAYMENTS API

Build dynamic payment flows and maximise exemptions.

Crowdfunding

Payment captured more than seven days after authorisation.

Crowdfunding platforms typically capture payments more than seven days after authorisation. Each campaign lasts for a set length of time, and payments are captured when a campaign is successful. If your business has a similar payment flow, you can authenticate with 3D Secure when customers pledge to support a campaign, and then authorise and capture when the campaign ends successfully. If authorisation fails, your business will need to bring the customer back on-session to re-authenticate.

Successful payment

Campaign launched

Pledge made:
Luka supports the campaign and pledges €40.

AUTHENTICATE

Card authenticated using 3D Secure:
Luka completes 3D Secure authentication after entering his card details.

30 DAYS PASS

Campaign completed:
Luka's card is charged when the campaign ends successfully.

AUTHORISE

€40 authorisation attempted

AUTHENTICATE

€40 authenticated using 3D Secure:
Luka completes 3D Secure authentication.

AUTHORISE

€40 authorised

CAPTURE

€40 captured

Failed payment

Campaign launched

Pledge made:
Luka supports the campaign and pledges €40.

AUTHENTICATE

Card authenticated using 3D Secure:
Luka completes 3D Secure authentication after entering his card details.

30 DAYS PASS

Campaign completed:
Luka's card is charged when the campaign ends successfully.

AUTHORISE

€40 authorisation attempted

DECLINE

Authorisation failed because of an expired card, and re-authentication is required.

Email sent:
Luka opens an email from the crowdfunding website and clicks a link.

Information updated:
He returns to the crowdfunding website and enters new card details.

AUTHENTICATE

€40 authenticated using 3D Secure:
Luka completes 3D Secure authentication.

AUTHORISE

€40 authorised

CAPTURE

€40 captured

Recommendation

PAYMENTS API

Build dynamic payment flows and maximise exemptions.

Car hire

Payment captured more than seven days after authorisation. Final payment amount may change.

Car hire companies typically capture payments more than seven days after authorisation, and the final payment amount is likely to increase or decrease because of discounts, upgrades or add-on services at pick-up or drop-off. If your business has a similar payment flow, you can split the payment into separate charges – authenticating the card with 3D Secure when it's being saved, and authorising and capturing the cost of the hire and any incidentals later on.

Car booked: Emma hires a car for an upcoming holiday.

AUTHENTICATE

Card authenticated using 3D Secure: Emma completes 3D Secure authentication after entering her card details.

Car picked up

More than 7 days pass

Car returned: She returns the car without filling up the tank, incurring a €50 fee.

AUTHORISE

€350 authorised (booking)

€50 authorised (fuel fee)

CAPTURE

€350 captured (booking)

€50 captured (fuel fee)

Recommendation

PAYMENTS API

Build dynamic payment flows and maximise exemptions.

Gym membership

Recurring payments. Fixed amount.

Gym memberships are typically recurring payments with a fixed amount and the membership may begin with a free trial period.

Merchant-initiated transactions are payments made with a saved card when the customer is off-session. To qualify, your business must have an agreement with the customer and have them authenticate their card, either when it's being saved or on the first payment.

It's important to note that exemptions aren't guaranteed and subsequent payments may require authentication. Individual banks may apply exemptions differently, so your business needs to design payment flows to bring customers back on-session to re-authenticate.

Successful payment

Membership begins:
Imani enters her email and card details to join her local gym for €50 per month.

AUTHENTICATE

€50 authenticated using 3D Secure:
Imani completes 3D Secure authentication.

AUTHORISE

€50 authorised

CAPTURE

€50 captured

30 DAYS PASS

Membership continues:
Imani takes workout classes and goes to the gym often.

AUTHORISE

€50 authorised:
This payment didn't need to be authenticated because Imani's bank accepted the fixed-rate subscription and merchant-initiated transaction exemptions.

CAPTURE

€50 captured

Failed payment

Trial starts:
Imani joins her local gym for €50 per month. She enters her email and credit card details so her membership will start immediately after the seven-day trial.

AUTHENTICATE

€50 authenticated using 3D Secure:
Imani completes 3D Secure authentication.

7 DAYS PASS

Trial ends and membership begins:
Imani's card is charged automatically when the trial ends.

AUTHORISE

€50 authorised

CAPTURE

€50 captured

30 DAYS PASS

Membership continues:
Imani takes workout classes and goes to the gym often.

AUTHORISE

€50 authorisation attempted

DECLINE

Authorisation failed and re-authentication is required

Email sent:
Imani opens an email and clicks a link.

Information updated:
She returns to the gym's website and enters new card details.

AUTHENTICATE

€50 authenticated using 3D Secure:
Imani completes 3D Secure authentication.

AUTHORISE

€50 authorised

CAPTURE

€50 captured

Recommendations

Choose an option:

STRIPE BILLING

Manage your subscriptions and take advantage of automated tools to be SCA-ready.

PAYMENTS API

Build dynamic payment flows and maximise exemptions.

Utility bill

Metered billing. Recurring payments.

Utility bills are recurring payments with amounts likely to vary from month to month due to metered billing. If your business has a similar payment flow, 3D Secure authentication is required when a customer saves their card to set up automatic payments. To do this, the customer completes 3D Secure authentication separately from any transaction, at the time the card is saved.

It's important to note that exemptions aren't guaranteed and subsequent payments may require authentication. Individual banks may apply exemptions differently, so your business needs to design payment flows to bring customers back on-session to re-authenticate when necessary.

Payment with an exemption

Account set up:
Salim moves into a new flat and signs up to pay his monthly utility bill automatically.

Card saved:
Salim adds a card to his account.

AUTHENTICATE

Automatic billing confirmed using 3D Secure:
Salim completes 3D Secure authentication.

30 DAYS PASS

Bill received:
Salim gets an email from the utility company informing him of a €63 scheduled payment.

AUTHORISE

€63 authorised:
The utility company authorises €63 and requests a merchant-initiated transaction exemption.

Salim's bank accepts the exemption and authorisation.

CAPTURE

€63 captured

30 DAYS PASS

Bill received:
Salim gets an email from the utility company informing him of a €91 scheduled payment.

AUTHORISE

€91 authorisation attempted:
The utility company attempts to authorise €91 and requests a merchant-initiated transaction exemption.

DECLINE

Authorisation failed and re-authentication is required

Email sent:
Salim gets an email from the utility company with a bill for €91 and clicks the link.

AUTHENTICATE

€91 authenticated using 3D Secure:
Salim completes 3D Secure authentication.

AUTHORISE

€91 authorised

CAPTURE

€91 captured

Payment without an exemption

Bill received:
Salim gets an email from the utility company with a bill for €63 and clicks the link.

AUTHENTICATE

€63 authenticated using 3D Secure:
Salim completes 3D Secure authentication.

AUTHORISE

€63 authorised

CAPTURE

€63 captured

30 DAYS PASS

Bill received:
Salim gets an email from the utility company with a bill for €91 and clicks the link.

AUTHENTICATE

€91 authenticated using 3D Secure:
Salim completes 3D Secure authentication.

AUTHORISE

€91 authorised

CAPTURE

€91 captured

Recommendations

Choose an option:

STRIPE BILLING

Manage your subscriptions and take advantage of automated tools to be SCA-ready.

PAYMENTS API

Build dynamic payment flows and maximise exemptions.
