Introduction
Last updated on April 15, 2019
On September 14, 2019, new regulation will mandate Strong Customer Authentication (SCA) for many online payments in the European Economic Area (EEA), including the UK. SCA is part of the second Payment Services Directive (PSD2).
When SCA goes into effect, a form of two-factor authentication will be required for many online card payments in Europe. Without authentication, many payments will be declined by your customers’ banks. We designed Payment Intents, a new foundational API, to help businesses handle this change and take full advantage of any SCA exemptions.
You will need to update your payment flows and your Stripe integration to prepare for SCA, and the process will depend on your current payment flows and integration. We recommend using this guide to understand how different types of payment flows will have to change due to SCA, and to reference it as you redesign your payment flows.
How payments are changing
Traditional card payments usually involve two steps: authorization and capture. A payment is authorized when a customer’s bank or card issuer decides to approve a payment, and the payment is captured when the card is charged.
When SCA goes into effect in September, there will be an additional and mandatory step before authorization and capture: authentication. This step helps protect customers by preventing fraud. To authenticate a payment, a customer responds to a prompt from their bank and provides additional information. This may be something they know, like a password, something they use, like their phone, or something that’s part of who they are, like their fingerprint.
The most common way to authenticate a payment is a method called 3D Secure. You may recognize 3D Secure by its branded names, such as “Visa Secure” or “Mastercard Identity Check.” There’s a new version, called 3D Secure 2, that will be out later this year. It’s expected to become the standard method to authenticate payments, but 3D Secure 2 is not yet available. You can learn about the differences between these methods in our 3D Secure 2 guide. If your business uses 3D Secure on our Payment Intents API, Stripe Billing, or the new version of Stripe Checkout, you’ll automatically transition to 3D Secure 2 when it’s supported—without any work from you.
No matter what method you use, customers must be on-session to authenticate, which means they need to be using your website or app. Adding this step will be simpler for businesses that charge customers right away, and more complex for businesses that charge customers after they’ve left the checkout flow. (This is sometimes called off-session.)
The scenarios in this guide offer examples of how these three steps (authentication, authorization, and capture) can vary depending on how and when you charge your customers.
-
AuthenticateA customer authenticates an online payment.
A customer responds to a 3D Secure prompt from their bank and provides additional information to authenticate the payment. See 3D Secure from the customer’s perspective.
Authentication is required when a payment isn’t eligible for an exemption or when the customer’s bank denies an exemption request. Our Payment Intents API automatically requests any eligible exemptions before adding the authentication step. This simplifies checkout flows and protects conversion rates.
Did you know: Authentication has to happen while the customer is on-session, or using your website or app, so this step typically happens when the customer completes the checkout form.
-
Up to 7 days
The time period between authorization and capture can be up to seven days, but most businesses capture a payment immediately after authorization.
Did you know: A customer’s bank may show that a payment is “pending” if it has been authorized but not captured.
-
CaptureThe business charges the customer’s card, completing the payment.
Understanding exemptions
There are certain types of payments—such as low-risk transactions, fixed-amount subscriptions, phone sales, and merchant-initiated transactions—that may be exempt from SCA. Merchant-initiated transactions are payments made with a saved card when the customer is off-session. Common examples include a gym membership payment or utility bill. To qualify for this exemption, your business must have an agreement with your customer and have them authenticate their card when it’s being saved or authenticate the first payment. Our Strong Customer Authentication guide goes into greater detail about these exemptions and others.
Stripe’s SCA-ready payment APIs and products will help businesses take full advantage of these opportunities by automatically requesting exemptions. When exemptions are accepted by your customers’ banks, your customers won’t have to authenticate, minimizing the impact on conversion.
However, businesses can’t rely on exemptions and must design their payment flows to authenticate customers when necessary. This is because the rules around exemptions depend on your customers’ banks. The banks evaluate each payment and decide whether an exemption applies—and individual banks will apply exemptions differently.
Business scenarios
To illustrate the impact and application of SCA, we’ve outlined how an authentication step can fit into payment flows for different business models.
E-commerce businesses typically charge customers while they’re on-session, without saving card details for future payments. If your business has a similar payment flow, adding authentication should be simple: you can authenticate with 3D Secure right after the customer enters their card details and places their order.
Stripe will automatically request any eligible exemptions, so your customers may not need to authenticate at all. But because individual banks will apply exemptions differently, your business still needs to design payment flows to authenticate customers when necessary.
-
Order placed
Elisa enters her card details and shipping information. The total comes to R$29 including VAT.
-
AuthenticateR$29 authenticated using 3D Secure
Elisa completes 3D Secure authentication.
-
CaptureR$29 captured
-
Order shipped
Recommendations
Elige una opción:
Obtén flujos de compra prediseñados y optimizados para conversión con un mínimo de programación.
Leer la documentaciónDiseña flujos de pago dinámicos y maximiza las exenciones.
Leer la documentaciónRidesharing businesses and other on-demand marketplaces typically capture payments within seven days of authorization, and the final amount may increase or decrease. If your business has a similar payment flow, you can authenticate with 3D Secure right after the customer requests a ride, because they’ll still be on-session. If the final amount ends up being more than originally authenticated, the customer would need to authenticate again for the increased amount. If the final amount is less than originally authenticated, there would be no need to authenticate again.
Another way to approach this payment flow would be to authenticate and authorize for a larger amount when the customer first requests a ride. If the customer wants to add a tip later, and the total is below the authenticated amount, the customer won’t need to authenticate again. The downside to this approach is that authenticating for a larger amount upfront might deter price sensitive customers.
Stripe will automatically request any eligible exemptions, so your customers may not need to authenticate at all. But because individual banks will apply exemptions differently, your business still needs to design payment flows to authenticate customers and bring them back on-session to re-authenticate.
-
Ride requested
Sami opens the app and requests a ride for R$20.
-
AuthenticateR$20 authenticated using 3D Secure
Sami completes 3D Secure authentication.
-
Rider picked up and dropped off
A driver picks up Sami and takes him to his destination.
-
Tip added
He opens the app, rates the driver, and adds a R$3 tip.
-
AuthenticateR$23 (R$20 ride + R$3 tip) authenticated using 3D Secure
Sami completes 3D Secure authentication.
-
CaptureR$23 captured
Recommendation
Diseña flujos de pago dinámicos y maximiza las exenciones.
Para actualizar tu integración:
-
Antes que nada, haz la actualización a la API Payment Intents.
-
Luego, añade nuevas funciones después del 1 de julio.
Entonces, admitirá todas las exenciones.
Crowdfunding platforms typically capture payments more than seven days after authorization. Each campaign lasts for a set length of time, and payments are captured when a campaign is successful. If your business has a similar payment flow, you can authenticate with 3D Secure when customers pledge to support a campaign, and then authorize and capture when the campaign ends successfully. If authorization fails, your business will need to bring the customer back on-session to re-authenticate.
Stripe will automatically request any eligible exemptions, but because individual banks will apply exemptions differently, your business still needs to design payment flows to authenticate customers and bring them back on-session to re-authenticate.
-
Campaign launched
-
Pledge made
Luka supports the campaign and pledges R$40.
-
AuthenticateR$40 authenticated using 3D Secure
Luka completes 3D Secure authentication.
-
30 days pass
-
Campaign completed
Luka’s card is charged when the campaign ends successfully.
-
CaptureR$40 captured
-
Pledge made
Luka supports a crowdfunding campaign and pledges R$40.
-
AuthenticateR$40 authenticated using 3D Secure
Luka completes 3D Secure authentication.
-
30 days pass
-
Campaign completed
Luka’s card is charged when the campaign ends successfully.
-
DeclineAuthorization failed because of an expired card, and re-authentication is required
-
Email sent
Luka opens an email from the crowdfunding website and clicks a link.
-
Information updated
He returns to the crowdfunding website and enters new card details.
-
AuthenticateR$40 authenticated using 3D Secure
Luka completes 3D Secure authentication.
-
CaptureR$40 captured
Recommendation
Diseña flujos de pago dinámicos y maximiza las exenciones.
Para actualizar tu integración:
-
Antes que nada, haz la actualización a la API Payment Intents.
-
Luego, añade nuevas funciones después del 1 de julio.
Entonces, admitirá todas las exenciones.
Car rental companies typically capture payments more than seven days after authorization, and the final payment amount is likely to increase or decrease because of discounts, upgrades, or add-on services at pickup or dropoff. If your business has a similar payment flow, you can split the payment into separate charges, authenticating with 3D Secure first for the estimated cost of the rental and later to cover any incidentals.
When a payment is authorized, the hold on a customer’s card lasts for up to seven days. If your business tries to capture a payment more than seven days later, you may need the customer to re-authenticate the payment.
Stripe will automatically request any eligible exemptions, so your customers may not need to authenticate or re-authenticate. But because individual banks will apply exemptions differently, your business still needs to design payment flows to authenticate customers and bring them back on-session to re-authenticate.
-
Car reserved
Emma rents a car for an upcoming vacation.
-
AuthenticateR$350 authenticated using 3D Secure
Emma completes 3D Secure authentication.
-
Car rented
When she picks up her rental car, the company puts a R$250 hold on Emma’s card as a deposit for incidentals.
-
AuthenticateR$250 authenticated using 3D Secure
Emma completes 3D Secure authentication.
-
More than 7 days pass
-
Car returned
She returns the car without filling up the tank, incurring a R$50 fee.
-
CaptureR$350 captured (reservation)R$50 captured (fuel fee)
Recommendation
Diseña flujos de pago dinámicos y maximiza las exenciones.
Para actualizar tu integración:
-
Antes que nada, haz la actualización a la API Payment Intents.
-
Luego, añade nuevas funciones después del 1 de julio.
Entonces, admitirá todas las exenciones.
Gym memberships are typically recurring payments with a fixed amount, and the membership may begin with a free trial period. If your business has a similar payment flow, 3D Secure authentication is required for the payment that starts the subscription, and Stripe will automatically request exemptions for subsequent payments. In this scenario, the payment may be eligible for fixed-rate subscription and merchant-initiated transactions exemptions. If the customer’s bank accepts an exemption, your customer won’t have to authenticate each monthly payment.
Merchant-initiated transactions are payments made with a saved card when the customer is off-session. To qualify, your business must have an agreement with the customer and have them authenticate their card, either when it’s being saved or on the first payment.
It’s important to note that exemptions aren’t guaranteed, and subsequent payments may require authentication. Individual banks will apply exemptions differently, so your business needs to design payment flows to bring customers back on-session to re-authenticate.
If your business wants to transition a potential customer directly from a free trial to a membership, your customer will have to complete 3D Secure authentication for the monthly subscription amount when they sign up for their free trial. Note that any recurring payments started before September 14 are exempt from SCA.
-
Membership begins
Imani enters her email and card details to join her local gym for R$50 per month.
-
AuthenticateR$50 authenticated using 3D Secure
Imani completes 3D Secure authentication.
-
CaptureR$50 captured
-
30 days pass
-
Membership continues
Imani takes workout classes and goes to the gym often.
-
CaptureR$50 captured
-
Trial starts
Imani joins her local gym for R$50 per month. She enters her email and credit card details, so her membership will start immediately after the 7-day trial.
-
AuthenticateR$50 authenticated using 3D Secure
Imani completes 3D Secure authentication.
-
7 days pass
-
Trial ends and membership begins
Imani’s card is charged automatically when the trial ends.
-
CaptureR$50 captured
-
30 days pass
-
Membership continues
Imani takes workout classes and goes to the gym often.
-
DeclineAuthorization failed and re-authentication is required
-
Email sent
Imani opens an email and clicks a link.
-
Information updated
She returns to the gym’s website and enters new card details.
-
AuthenticateR$50 authenticated using 3D Secure
Imani completes 3D Secure authentication.
-
CaptureR$50 captured
Recommendations
Elige una opción:
Administra tus suscripciones y saca provecho de las herramientas automáticas para cumplir con la SCA.
-
Antes que nada, implementa Stripe Billing.
-
Luego, añade nuevas funciones después del 1 de julio.
Diseña flujos de pago dinámicos y maximiza las exenciones.
Para actualizar tu integración:
-
Antes que nada, haz la actualización a la API Payment Intents.
-
Luego, añade nuevas funciones después del 1 de julio.
Entonces, admitirá todas las exenciones.
Utility bills are recurring payments with amounts likely to vary from month to month due to metered billing. If your business has a similar payment flow, 3D Secure authentication is required when a customer saves their card to set up automatic payments. To do this, the customer would complete 3D Secure authentication outside of a transaction.
Stripe will automatically request exemptions for subsequent payments. In this scenario, the payment may be eligible for a merchant-initiated transactions exemption. If the customer’s bank accepts the exemptions, your customer won’t have to authenticate each monthly payment.
It’s important to note that exemptions aren’t guaranteed, and subsequent payments may require authentication. Individual banks will apply exemptions differently, so your business needs to design payment flows to bring customers back on-session to re-authenticate when necessary.
-
Account set up
Salim moves into a new flat and signs up to pay his monthly utility bill automatically.
-
Card saved
Salim adds a card to his account.
-
AuthenticateAutomatic billing confirmed using 3D Secure
Salim completes 3D Secure authentication.
-
30 days pass
-
Bill received
Salim gets an email from the utility company informing him of a R$63 scheduled payment.
-
CaptureR$63 captured
-
30 days pass
-
Bill received
Salim gets an email from the utility company informing him of a R$91 scheduled payment.
-
DeclineAuthorization failed, and re-authentication is required
-
Email sent
Salim gets an email from the utility company with a bill for R$91 and clicks the link.
-
AuthenticateR$91 authenticated using 3D Secure
Salim completes 3D Secure authentication.
-
CaptureR$91 captured
-
Bill received
Salim gets an email from the utility company with a bill for R$63 and clicks the link.
-
AuthenticateR$63 authenticated using 3D Secure
Salim completes 3D Secure authentication.
-
CaptureR$63 captured
-
30 days pass
-
Bill received
Salim gets an email from the utility company with a bill for R$91 and clicks the link.
-
AuthenticateR$91 authenticated using 3D Secure
Salim completes 3D Secure authentication.
-
CaptureR$91 captured
Recommendations
Elige una opción:
Administra tus suscripciones y saca provecho de las herramientas automáticas para cumplir con la SCA.
-
Antes que nada, implementa Stripe Billing.
-
Luego, añade nuevas funciones después del 1 de julio.
Diseña flujos de pago dinámicos y maximiza las exenciones.
Para actualizar tu integración:
-
Antes que nada, haz la actualización a la API Payment Intents.
-
Luego, añade nuevas funciones después del 1 de julio.
Entonces, admitirá todas las exenciones.