Designing payment flows for SCA

Strong Customer Authentication, or SCA, has changed online payments in Europe. See the impact it may have on your payment flows and learn how Stripe can help.

  1. Introduction
  2. How online payments have changed
  3. Understanding exemptions
  4. Business scenarios
    1. E-commerce
    2. Ridesharing
    3. Crowdfunding
    4. Car rental
    5. Gym membership
    6. Utility bill

Strong Customer Authentication (SCA) requirements are fully enforced in almost all eligible European countries, signalling a massive shift in the European payment landscape.

To meet SCA requirements, a form of two-factor authentication is required for many online card payments in Europe. Without authentication, many payments may be declined by your customers’ banks. We designed foundational payments APIs to help businesses handle this change and take full advantage of any SCA exemptions.

We recommend using this guide to understand how different types of payment flows have to change due to SCA, and to reference it as you redesign your payment flows.

STAY INFORMED ABOUT SCA

We’re working closely with regulators and the broader payments industry. If you’re interested in updates about SCA regulation and our products, please contact.

How online payments have changed

Traditional card payments usually involve two steps: authorisation and capture. A payment is authorised when a customer's bank or card issuer decides to approve a payment, and the payment is captured when the card is charged.

With SCA, there is an additional and mandatory step before authorisation and capture: authentication. This step helps protect customers by preventing fraud. To authenticate a payment, a customer responds to a prompt from their bank and provides additional information. This may be something they know, such as a password; something they use, such as their phone; or something that's part of who they are, such as their fingerprint.

The most common way to authenticate a payment is a method called 3D Secure. You may recognise 3D Secure by its branded names, such as "Visa Secure" or "Mastercard Identity Check". A newer version called 3D Secure 2 has become the standard method to authenticate payments. You can learn about the differences between these methods in our 3D Secure 2 guide. Our payments APIsStripe Billing, and Stripe Checkout all support 3D Secure 2.

No matter which method you use, customers must be on-session to authenticate which means they need to be using your website or app. Adding this step can be simpler for businesses that charge customers straight away, and more complex for businesses that charge customers after they’ve left the checkout flow (this is sometimes called off-session).

The scenarios in this guide offer examples of how these three steps (authentication, authorisation and capture) can vary depending on how and when you charge your customers.

AUTHENTICATE

A customer authenticates an online payment: A customer responds to a 3D Secure prompt from their bank and provides additional information to authenticate the payment. See 3D Secure from the customer’s perspective.

Authentication is required when a payment isn’t eligible for an exemption or when the customer’s bank denies an exemption request. Our new payments APIs automatically request any eligible exemptions before adding the authentication step. This simplifies checkout flows and protects conversion rates.

Did you know: Authentication has to happen while the customer is on-session, or using your website or app, so this step typically happens when the customer completes the checkout form.

AUTHORISE

Your business asks the customer’s bank to approve the payment: The customer’s bank decides whether to approve or decline a payment. If approved, the funds are put on hold and guaranteed for seven days. If an authorisation request is declined, your business needs a way to bring the customer back on-session to re-authenticate the payment and then attempt to authorise again.

Did you know: An authorisation request can still be declined by the customer’s bank after it’s been authenticated. This can happen if the customer doesn’t have enough funds or the card has expired.

Up to 7 days

The time period between authorisation and capture can be up to seven days, but most businesses capture a payment immediately after authorisation.

Did you know: A customer’s bank may show that a payment is "pending" if it has been authorised but not captured.

CAPTURE

The business charges the customer’s card, completing the payment.

Understanding exemptions

There are certain types of payments – such as low-risk transactions, fixed-amount subscriptions, phone sales and merchant-initiated transactions – that may be exempt from SCA. Merchant-initiated transactions are payments made with a saved card when the customer is off-session. Common examples include a gym membership payment or utility bill. To qualify for this exemption, your business must have an agreement with your customer and have them authenticate their card when it’s being saved or authenticate the first payment. Our Strong Customer Authentication guide goes into greater detail about these exemptions and others.

Stripe’s SCA-ready payment APIs and products help businesses take full advantage of these opportunities by automatically requesting exemptions. When exemptions are accepted by your customers’ banks, your customers won’t have to authenticate, minimising the impact on conversion.

However, businesses can’t rely on exemptions and must design their payment flows to authenticate customers when necessary. This is because the rules around exemptions depend on your customers’ banks. The banks evaluate each payment and decide whether an exemption applies – and individual banks will apply exemptions differently.

Business scenarios

To illustrate the impact and application of SCA, we’ve outlined how an authentication step can fit into payment flows for different business models.

E-commerce

One-off payment. Card not saved.

E-commerce businesses typically charge customers while they’re on-session, without saving card details for future payments. If your business has a similar payment flow, adding authentication should be simple: you can authenticate with 3D Secure right after the customer enters their card details and places their order.

Stripe automatically requests any eligible exemptions, so your customers may not need to authenticate at all. But because individual banks apply exemptions differently, your business still needs to design payment flows to authenticate customers when necessary.

Order placed: Elisa enters her card details and shipping information. The total comes to US$29 including tax.

AUTHENTICATE

US$29 authenticated using 3D Secure: Elisa completes 3D Secure authentication.

Note: Stripe requests exemptions automatically. If Elisa’s bank accepts an exemption, she won’t have to complete 3D Secure authentication.

AUTHORISE

US$29 authorised

CAPTURE

US$29 captured

Order shipped

Recommendations

Choose an option:

STRIPE CHECKOUT

Get prebuilt, conversion-optimised checkout flows with minimal code.

PAYMENTS API

Build dynamic payment flows and maximise exemptions.

Ridesharing

Payment captured within seven days of authorisation. Final payment amount may change.

Ridesharing businesses and other on-demand marketplaces typically capture payments within seven days of authorisation, and the final amount may increase or decrease. If your business has a similar payment flow, you can authenticate with 3D Secure right after the customer requests a ride because they’ll still be on-session. If the final amount ends up being more than originally authenticated, the customer would need to authenticate again for the increased amount. If the final amount is less than originally authenticated, there would be no need to authenticate again.

Another way to approach this payment flow would be to authenticate and authorise for a larger amount when the customer first requests a ride. If the customer wants to add a tip later, and the total is below the authenticated amount, the customer won’t need to authenticate again. The downside to this approach is that authenticating for a larger amount upfront might deter price-sensitive customers.

Stripe will automatically request any eligible exemptions, so your customers may not need to authenticate at all. But because individual banks will apply exemptions differently, your business still needs to design payment flows to authenticate customers and bring them back on-session to re-authenticate.

Ride requested: Sami opens the app and requests a ride for US$20.

AUTHENTICATE

US$20 authenticated using 3D Secure: Sami completes 3D Secure authentication.

Note: Stripe requests exemptions automatically. If Sami’s bank accepts an exemption, he won’t have to complete 3D Secure authentication.

AUTHORISE

US$20 authorised

Rider picked up and dropped off: A driver picks up Sami and takes him to his destination.

Tip added: He opens the app, rates the driver and adds a US$3 tip.

Authenticate

US$23 (US$20 ride + US$3 tip) authenticated using 3D Secure: Sami completes 3D Secure authentication.

Note: Stripe requests exemptions automatically. If Sami’s bank accepts an exemption, he won’t have to complete 3D Secure authentication.

CAPTURE

US$23 captured

Note: Capturing US$23 cancels the previous authorisation for US$20.

Recommendation

PAYMENTS API

Build dynamic payment flows and maximise exemptions.

Crowdfunding

Payment captured more than seven days after authorisation.

Crowdfunding platforms typically capture payments more than seven days after authorisation. Each campaign lasts for a set length of time, and payments are captured when a campaign is successful. If your business has a similar payment flow, you can authenticate with 3D Secure when customers pledge to support a campaign, and then authorise and capture when the campaign ends successfully. If authorisation fails, your business will need to bring the customer back on-session to re-authenticate.

Stripe will automatically request any eligible exemptions, but because individual banks will apply exemptions differently, your business still needs to design payment flows to authenticate customers and bring them back on-session to re-authenticate.

Successful payment

Campaign launched

Pledge made: Luka supports the campaign and pledges US$40.

AUTHENTICATE

Card authenticated using 3D Secure: Luka completes 3D Secure authentication after entering his card details.

30 DAYS PASS

Campaign completed: Luka’s card is charged when the campaign ends successfully.

AUTHORISE

US$40 authorisation attempted

DECLINE

Authorisation failed because of an expired card, and re-authentication is required.

Email sent: Luka opens an email from the crowdfunding website and clicks a link.

Information updated: He returns to the crowdfunding website and enters new card details.

AUTHENTICATE

US$40 authenticated using 3D Secure: Luka completes 3D Secure authentication.

AUTHORISE

US$40 authorised

CAPTURE

US$40 captured

Failed payment

Campaign launched

Pledge made: Luka supports the campaign and pledges US$40.

AUTHENTICATE

Card authenticated using 3D Secure: Luka completes 3D Secure authentication after entering his card details.

30 DAYS PASS

Campaign completed: Luka’s card is charged when the campaign ends successfully.

AUTHORISE

US$40 authorisation attempted

DECLINE

Authorisation failed because of an expired card, and re-authentication is required.

Email sent: Luka opens an email from the crowdfunding website and clicks a link.

Information updated: He returns to the crowdfunding website and enters new card details.

AUTHENTICATE

US$40 authenticated using 3D Secure: Luka completes 3D Secure authentication.

AUTHORISE

US$40 authorised

CAPTURE

US$40 captured

Recommendation

PAYMENTS API

Build dynamic payment flows and maximise exemptions.

Car rental

Payment captured more than seven days after authorisation. Final payment amount may change.

Car rental companies typically capture payments more than seven days after authorisation, and the final payment amount is likely to increase or decrease because of discounts, upgrades or add-on services at pickup or drop off. If your business has a similar payment flow, you can split the payment into separate charges –authenticating the card with 3D Secure when it’s being saved, and authorising and capturing the cost of the rental and any incidentals later on.

Stripe will automatically request any eligible exemptions, so your customers may not need to authenticate. But because individual banks will apply exemptions differently, your business still needs to design payment flows to authenticate customers and bring them back on-session to re-authenticate.

Car reserved: Emma rents a car for an upcoming holiday.

AUTHENTICATE

Card authenticated using 3D Secure: Emma completes 3D Secure authentication after entering her card details.

Car picked up

More than 7 days pass

Car returned: She returns the car without filling up the tank, incurring a US$50 fee.

AUTHORISE

US$350 authorised (reservation)

US$50 authorised (fuel fee)

CAPTURE

US$350 captured (reservation)

US$50 captured (fuel fee)

Recommendation

PAYMENTS API

Build dynamic payment flows and maximise exemptions.

Gym membership

Recurring payments. Fixed amount.

Gym memberships are typically recurring payments with a fixed amount, and the membership may begin with a free trial period. If your business has a similar payment flow, 3D Secure authentication is required for the payment that starts the subscription, and Stripe will automatically request exemptions for subsequent payments. In this scenario, the payment may be eligible for fixed-rate subscription and merchant-initiated transaction exemptions. If the customer’s bank accepts the exemption, your customer won't have to authenticate each monthly payment.

Merchant-initiated transactions are payments made with a saved card when the customer is off-session. To qualify, your business must have an agreement with the customer and have them authenticate their card, either when it’s being saved or on the first payment.

It’s important to note that exemptions aren’t guaranteed, and subsequent payments may require authentication. Individual banks may apply exemptions differently, so your business needs to design payment flows to bring customers back on-session to re-authenticate.

Successful payment

Membership begins: Imani enters her email and card details to join her local gym for US$50 per month.

AUTHENTICATE

US$50 authenticated using 3D Secure: Imani completes 3D Secure authentication.

AUTHORISE

US$50 authorised

CAPTURE

US$50 captured

30 DAYS PASS

Membership continues: Imani takes workout classes and often goes to the gym often.

AUTHORISE

US$50 authorised: This payment didn’t need to be authenticated because Imani’s bank accepted the fixed-rate subscription and merchant-initiated transaction exemptions.

CAPTURE

US$50 captured

Failed payment

Trial starts: Imani joins her local gym for US$50 per month. She enters her email and credit card details so her membership will start immediately after the seven-day trial.

AUTHENTICATE

US$50 authenticated using 3D Secure: Imani completes 3D Secure authentication.

7 DAYS PASS

Trial ends and membership begins: Imani’s card is charged automatically when the trial ends.

AUTHORISE

US$50 authorised

CAPTURE

US$50 captured

30 DAYS PASS

Membership continues: Imani takes workout classes and goes to the gym often.

AUTHORISE

US$50 authorisation attempted

DECLINE

Authorisation failed and re-authentication is required

Email sent: Imani opens an email and clicks a link.

Information updated: She returns to the gym’s website and enters new card details.

AUTHENTICATE

US$50 authenticated using 3D Secure: Imani completes 3D Secure authentication.

AUTHORISE

US$50 authorised

CAPTURE

US$50 captured

Recommendations

Choose an option:

STRIPE BILLING

Manage your subscriptions and take advantage of automated tools to comply with SCA.

PAYMENTS API

Build dynamic payment flows and maximise exemptions.

Utility bill

Metered billing. Recurring payments.

Utility bills are recurring payments with amounts likely to vary from month to month due to metered billing. If your business has a similar payment flow, 3D Secure authentication is required when a customer saves their card to set up automatic payments. To do this, the customer would complete 3D Secure authentication separately to a transaction.

Stripe will automatically request exemptions for subsequent payments. In this scenario, the payment may be eligible for a merchant-initiated transaction exemption. If the customer’s bank accepts the exemption, your customer won’t have to authenticate each monthly payment.

It’s important to note that exemptions aren’t guaranteed, and subsequent payments may require authentication. Individual banks may apply exemptions differently, so your business needs to design payment flows to bring customers back on-session to re-authenticate when necessary.

Payment with an exemption

Account set up: Salim moves into a new apartment and signs up to pay his monthly utility bill automatically.

Card saved: Salim adds a card to his account.

AUTHENTICATE

Automatic billing confirmed using 3D Secure: Salim completes 3D Secure authentication.

30 DAYS PASS

Bill received: Salim gets an email from the utility company informing him of a US$63 scheduled payment.

AUTHORISE

US$63 authorised: The utility company authorises US$63 and requests a merchant-initiated transaction exemption.

Salim’s bank accepts the exemption and authorisation.

CAPTURE

US$63 captured

30 DAYS PASS

Bill received: Salim gets an email from the utility company informing him of a US$91 scheduled payment.

AUTHORISE

US$91 authorisation attempted: The utility company attempts to authorise US$91 and requests a merchant-initiated transaction exemption.

DECLINE

Authorisation failed, and re-authentication is required

Email sent: Salim gets an email from the utility company with a bill for US$91 and clicks the link.

AUTHENTICATE

US$91 authenticated using 3D Secure: Salim completes 3D Secure authentication.

AUTHORISE

US$91 authorised

CAPTURE

US$91 captured

Payment without an exemption

Bill received: Salim gets an email from the utility company with a bill for US$63 and clicks the link.

AUTHENTICATE

US$63 authenticated using 3D Secure: Salim completes 3D Secure authentication.

AUTHORISE

US$63 authorised

CAPTURE

US$63 captured

30 DAYS PASS

Bill received: Salim gets an email from the utility company with a bill for US$91 and clicks the link.

AUTHENTICATE

US$91 authenticated using 3D Secure: Salim completes 3D Secure authentication.

AUTHORISE

US$91 authorised

CAPTURE

US$91 captured

Recommendations

Choose an option:

STRIPE BILLING

Manage your subscriptions and take advantage of automated tools to comply with SCA.

PAYMENTS API

Build dynamic payment flows and maximise exemptions.

Ready to get started? Get in touch or create an account.

Create an account and start accepting payments – no contracts or banking details required. Or, contact us to design a custom package for your business.