3D secure authentication and Stripe - stripe-payments

I am creating subscriptions upon completing the Stripe Checkout session and from what I have read, Stripe supports 3D Secure authentication payments on its Checkout session. However, if this is true for the first time the client pays for the subscription (Stripe will ask him to enter a code on the Checkout session page), how will that be applicable for the remaining payments in the following months? Where will the user enter the code?

Assuming you are using Stripe Billing, your user will be automatically charged in recurring months. So they usually only have to complete 3DS for the initial payment. But if the card issuer requires 3DS to be fulfilled on every invoice, you can configure your Stripe settings to automatically email your user to complete 3DS on a Stripe-hosted page. However, if you want to write custom failure handling, you will need to add a webhook for customer.subscription.updated and check if the status is past_due.
https://stripe.com/docs/billing/subscriptions/overview#recurring-charges

In my case, I just added off_session when creating the charge for the user.
$user->charge($price, $paymentMethod, ['off_session' => true]);
Hopefully it will work for you.

Related

Stripe Payment Intents API: How to confirm the payment on the server side?

Before migrating to the Payment Intents API the user's credit card payment was confirmed and charged on the server side using the token (received from stripe.createToken) after the purchase had been completed. This gave us the possibility not to confirm the payment in case any errors happened.
Now, with the Payment Intents API the payment confirmation already happens on the client side (stripe.confirmCardPayment), which is a problem in case an error happens on the server side while completing the purchase, as the credit card has already been charged. A refund is not a valid solution, as your Stripe fees won't be refunded.
How can we implement card payments with the Payment Intents API but confirm the payment at the final end of the purchase (as in the legacy workflow)? Or how can we prevent the credit card from being charged in case an error occurs during the checkout workflow?
Unfortunately, we couldn't find a solution to this problem in the documentation.
Help appreciated!
Here are the docs: https://stripe.com/docs/payments/payment-intents/migration
What you are looking for is modeled via "manual confirmation" of a PaymentIntent: https://stripe.com/docs/payments/accept-a-payment-synchronously.
It isn't Stripe's recommended integration. The recommended approach is to confirm client-side and listen to webhooks for payment confirmation.
This is because with manual confirmation, there is a higher chance of customer "drop off", where they authenticate your PaymentIntent on your webpage but close it out, meaning you lose your client->server roundtrip, leaving your payment unconfirmed (even though the customer thinks they authenticated and hence paid).
Additionally, manual confirmation only works for card type payments, it is not supported for other payment methods based in other regions like iDEAL or SEPA Debit etc.
In our case, we wanted to authenticate the card payment at the end directly after making the charge. The Stripe support was able to help us with the following answer:
As I understand you would like to authenticate the payment at the end directly after making the charge. There is a solution to this, with the capture_method being set to Manual - https://stripe.com/docs/api/payment_intents/create#create_payment_intent-capture_method. What this would mean is, that the charge will be made and the user / client would be able to confirm the payment afterwards in the Dashboard directly.
This method is called Auth and Capture. Place a hold on a card to reserve funds now but only capture them after your business completes the service. When a payment is authorized, the bank guarantees the amount and holds it on the customer’s card for up to seven days, or two days for in-person payments using Terminal. You can find more information along with the APIs under this link: https://stripe.com/docs/payments/capture-later#authorize-only

How can I confirm a card which requires 3D Auth after a card update?

When I create a subscription with Stripe and the customer already has a default payment method set, I know how to confirm a card when it requires 3D Auth because I can look at the failure reason, but what if a customer updates their card within the month...
How do I check if a new payment method requires 3D Auth when a customer already has an active subscription? And can I perform 3D Auth before the next subscription billing so it will work automatically without interaction?
You should use a SetupIntent to attach a card to a Customer (and also perform any authentication if required), when changing a Customer's card mid-cycle.
SetupIntents will try to claim authentication exemptions for any future off_session payments (e.g. a recurring Subscription payment). There is still a chance issuing banks might request authentication on the recurring payment; SetupIntents just try to reduce that chance. To address your point here:
And can I perform 3D Auth before the next subscription billing so it will work automatically without interaction?
In the case that the next recurring payment fails, you would have to bring your Customer back on session (to your payment page) and then authenticate the subscription.latest_invoice.payment_intent.client_secret with confirmCardPayment()

How to add Google Pay and Apple Pay options to Stripe Checkout when session mode is "setup"?

How can I enable options for Google Pay and Apple Pay to appear in Stripe Checkout page when using Checkout Session with mode setup?
I'm trying to add a new payment method for a customer so I can later use it to charge for a subscription upgrade.
The issue is that I cannot figure out how to add these payment options to show on the checkout page and create a payment method for it.
If I change my Checkout Session to mode subscription the options show correctly and the payment method is created correctly, but this mode creates and charges a subscription, which I don't want. I only want to add the payment method without charging anything.
Using Google and Apple Pay for Checkout setup mode isn't possible. The point of "setup" mode is to collect payment details and perform a 3DS check on them so you can charge "off-session" later without having to get your user back "on-session" in case 3DS is required.
Apple and Google's wallets are considered exempt from 3DS since they already require a 2FA activation.
If you want to use a digital wallet to create a subscription but not charge till later, you should look into using trial periods.

Migrating stripe subscription to be SCA compliant

I have a subscription, I collect card details on signup with a 7 day trial, after which the subscription bills monthly.
From what I understand the subscription API is not SCA compliant. Instead
An off_session payment Intent must first be setup when collecting card details.
At the end of each month a scheduler must be triggered to attempt to charge the registered card.
Is this the case? Am I now responsible for scheduling payments?
Update
For those who want some starter code, I created a working playground here with subscriptions, frontend (react) and backend (express) on glitch.
It's not true that Stripe's Subscription API is not SCA-ready; it is, and you don't have to set up your own scheduling like that. The docs you linked to are generally aimed at processing one-off payments (like saving a customer's details and then allowing them to use them again when they re-visit your site to purchase something new, for example) as opposed to recurring ones.
https://stripe.com/docs/billing/subscriptions/payment describes how to set up a subscription in a way that is SCA-ready. While the customer is on-session on your payment page, you collect card details and create a subscription for the customer, which will generally attempt a payment for the first billing period. You then check the status of the subscription after it's created, and handle the outcomes:
the subscription is active and the payment was successful, so you can proceed with provisioning your service to the customer.
the subscription is incomplete — for SCA purposes, let's say this is because 3D Secure authentication was required for that first payment. In this case, the latest_invoice of the subscription exposes a PaymentIntent property, and you use that PaymentIntent in conjunction with your frontend code using stripe.js to walk the customer through authenticating the payment, and that activates the subscription.
the subscription is trialing — if the subscription doesn't involve an initial payment, like when using a trial period for example, you can also check if the subscription has a pending_setup_intent. You can use this on your frontend to have the customer complete a 3D Secure authentication, so that future payments (like the first one after the trial) are more likely to successfully claim an exemption and not require having the user authenticate at that point.
You can also instead use Stripe Checkout to easily collect payment details and set up a customer and subscription for you, while also handling any initial authentication that's needed: https://stripe.com/docs/payments/checkout/server#create-subscriptions
As for the recurring payments, Billing can handle that for you. You can configure your settings to automatically email the customer to complete 3D Secure if it's encountered on a recurring payment. So you can absolutely build an SCA-ready solution with the subscriptions API on Stripe.
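The status check after creating the subscription, as an added example that is not part of the original answer: it maps the three outcomes listed above (active, incomplete with a PaymentIntent on the latest_invoice, trialing with a pending_setup_intent) to the next step, and also covers a declined first payment. The subscription objects are constructed samples, and the action names and the assumption that latest_invoice.payment_intent and pending_setup_intent were expanded on creation are mine.

```javascript
// Added example (not from the original answer): map the status of a freshly
// created Subscription to the next step the three outcomes above describe. The
// subscription objects are constructed samples; latest_invoice.payment_intent
// and pending_setup_intent are assumed to have been expanded on creation.
function nextStepForSubscription(sub) {
  switch (sub.status) {
    case 'active':
      // Payment succeeded (or no SCA was needed): provision the service.
      return { action: 'provision' };
    case 'incomplete': {
      const pi = sub.latest_invoice && sub.latest_invoice.payment_intent;
      if (pi && pi.status === 'requires_action') {
        // 3DS needed on the first payment: hand the client_secret to stripe.js
        // (confirmCardPayment); the subscription activates once that completes.
        return { action: 'confirm_card_payment', clientSecret: pi.client_secret };
      }
      if (pi && pi.status === 'requires_payment_method') {
        // First payment was declined: collect a new card and retry the invoice.
        return { action: 'collect_new_card', invoiceId: sub.latest_invoice.id };
      }
      // Anything else (e.g. still processing): poll or wait for the webhook.
      return { action: 'retry_later', paymentIntentStatus: pi ? pi.status : null };
    }
    case 'trialing': {
      const si = sub.pending_setup_intent;
      if (si && si.status === 'requires_action') {
        // No charge yet, but authenticate the saved card now (confirmCardSetup)
        // so the first post-trial charge is more likely to get an SCA exemption.
        return { action: 'confirm_card_setup', clientSecret: si.client_secret };
      }
      return { action: 'provision' };
    }
    default:
      return { action: 'unsupported_status', status: sub.status };
  }
}

// Constructed sample subscriptions, one per outcome (only the fields read above).
const SAMPLES = {
  active: { status: 'active' },
  needsSca: { status: 'incomplete', latest_invoice: { id: 'in_example1',
    payment_intent: { status: 'requires_action', client_secret: 'pi_example1_secret_x' } } },
  declined: { status: 'incomplete', latest_invoice: { id: 'in_example2',
    payment_intent: { status: 'requires_payment_method', client_secret: 'pi_example2_secret_x' } } },
  trialSca: { status: 'trialing',
    pending_setup_intent: { status: 'requires_action', client_secret: 'seti_example_secret_x' } },
};
```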

Implementing SCA into Stripe implementation

I'm making a SaaS that allows customers to subscribe to a plan, and use coupons at the checkout stage. The coupons give the customers X% off for X months, and by default, everyone gets a 7 day trial when they subscribe.
What is confusing me is the documentation. In one section it says that you should create SetupIntents to take a payment and elsewhere it says to use tokens.
I'm in the middle of coding the payment flow, but I just wanted to check to see if my logic and understanding is correct. Could anyone validate the below?
Customer enters card number and coupon
Call Stripe, get token for card
Send token and coupon to server
Create Stripe customer with token
Create Subscription with discount and pass customer ID
What has now happened is an authorisation attempt was made. If SCA is required, then the subscription status is incomplete and the latest invoice payment intent status requires action.
At this point, I can redirect my user to the SCA Flow using handleCardPayment() to prompt 3DS, and once complete the subscription status is then active.
If the invoice payment fails for any reason, then the subscription state is incomplete and the payment intent has a payment action required status. At this point, I should present my customer with the React Elements form again, and call the stripe.invoices.pay endpoint with the new card token.
Going forwards, all subscription charges should not need further SCA approval, however if the customer changes plan or the bank requests it, then I can point my user back through the SCA Flow process
A diagram of the flow is here: Green is UI, Orange is Server, Blue is Stripe
Is there anything I have missed or misunderstood here? I've been reading about creating SetupIntents and PaymentIntents, but I'm not sure I need this?
If you are creating subscriptions using the Stripe Billing product they handle creating the PaymentIntent (if you are taking a payment immediately) or a SetupIntent (if you are setting up a trial or metered billing). All that you really have to do differently is handleCardPayment (for payments) or handleCardSetup (for setting up trials and metered billing). This section in the docs is pretty good.
If you are not using billing they have a video on their Stripe Developers Youtube channel which may help clear up any confusion.
Hope this helps :)
Welcome fellow sufferer, cards and tokens are implemented in the Stripe Charges API which is not SCA compliant. If you want to use Stripe for payments inside the EU you should use payment intents.
Card tokens are also allowed for creating payment intents.
But if you want to reduce the number of necessary authentications you should use setup intents (with usage = "off-session") for creating payment methods and not card tokens.
I have a lot of old customers who have still registered with the Charges API. I use the following strategy:
New customers always register via Setup Intents and Payment Methods.
Old customers use the Charges API until their tokens become invalid. Then they must also use setup intents and payment methods.
Of course, the customers do not notice much of it.
In summary, I would always use payment methods and setup intents for new customers and card updates. Only with the setup intents can you ensure that your customers have to authenticate themselves as rarely as possible.
EDIT: The crucial point is off-session payments that occur with subscriptions. The Stripe procedure is described here: https://stripe.com/docs/payments/cards/saving-cards#saving-card-without-payment