Stripe on-session payments require always authentication - stripe-payments

I am working with the Stripe API and I cannot find enough documentation regarding the on_session scenario.
I am saving the card after the first payment and setting the 'setup_future_usage' to 'on_session' because the customer is going to be always present in the checkout flow. However, this triggers authentication every time I try to pay something with the credit card number (4000002500003155). This type of credit card is intended to show only once the authentication process and to use the saved card for the subsequent off-session payment.

It's still totally possible that the issuing bank will require that you authenticate the future on-session payments. I don't think there's a test card to test the specific case you're trying to test though: https://stripe.com/docs/testing#regulatory-cards

Related

Setting up recurring payments with Apple Pay and Stripe - but not using Stripe subscriptions

We have our own payment processing system. This takes a customer token from Stripe's response after initially checking out, and uses it each month to charge the customers card.
We want to do similar for mobile wallets, like Apple Pay.
However, Stripe docs indicate that it only returns a token which is 'single use', so the customer would have to authenticate the payment each month:
We aren't able to integrate with Stripe's 'subscriptions' service, as we'd have to migrate across entirely to Stripe - which we can't do.
So as a result, is it possible to get a reusable token - or does the 'subscription' it's referring to mean that we can get a reusable token in the same way as a standard card payment?
And by reusable token - I mean, the customer doesn't need to authenticate the payment each month.
Hope that makes sense!
When you accept an Apple Pay payment, you can still save the underlying card for future payments. This will then work whether you use Billing (their recurring payments product) or just create one-time payments yourself.
The call out from Stripe in their docs is more around the rules coming from Apple. If your customer is checking out in your application or website, you are expected to show them the Apple Pay UI to confirm the payment again instead of using a previously saved card. On the other hand, if you are doing recurring payments, you can use the previously saved card for future payments.
The integration itself is fairly straightforward. You would create a PaymentIntent server-side and collect the card details client-side whether via Apple Pay or not. Since you want to save card details for future payments you would also pass setup_future_usage: 'off_session' on the PaymentIntent creation. After a successful payment, a PaymentMethod of type card would be attached to the customer with the id pm_123 and you could use this in future recurring payments.
This flow is covered in Stripe docs here and also applies to Apple Pay and this section covers how to make the future payments.

Stripe Payment Intents API: How to confirm the payment on the server side?

Before migrating to the Payment Intents API the user's credit card payment was confirmed and charged on the server side using the token (received from stripe.createToken) after the purchase has been completed. This gave us the possibility not to confirm the payment in case any errors happens.
Now, with the Payment Intents API the payment confirmation happens already on the client side (stripe.confirmCardPayment) which is a problem in case an error happens on the server side while completing the purchase as the credit card has already been charged. A refund is not valid solution your Stripe fees won't be refunded.
How can we implement card payments with the Payment Intents API but confirm the payment at the final end of the purchase (as in the legacy workflow)? Or how can we prevent the credit card from being charged in case an error occurs during the checkout workflow?
Unfortunately, we couldn't find a solution to this problem in the documentation.
Help appreciated!
Here are the docs: https://stripe.com/docs/payments/payment-intents/migration
What you are looking for is modeled via "manual confirmation" of a PaymentIntent: https://stripe.com/docs/payments/accept-a-payment-synchronously.
It isn't Stripe's recommended integration. The recommended approach is to confirm client-side and listen to webhooks for payment confirmation.
This is because with manual confirmation, there is a higher chance of customer "drop off" where they authenticate your PaymentIntent on your webpage but close it out, meaning you lose your client->server roundtrip, leaving your payment unconfirmed (eventhough the customer thinks they authenticated hence paid).
Additionally, manual confirmation only works for card type payments, it is not supported for other payment methods based in other regions like iDEAL or SEPA Debit etc.
In our case, we wanted to authenticate the card payment at the end directly after making the charge. The Stripe support was able to help us with the following answer:
As I understand you would like to authenticate the payment at the end directly after making the charge. There is a solution to this, with the capture_method being set to Manual - https://stripe.com/docs/api/payment_intents/create#create_payment_intent-capture_method. What this would mean is, that the charge will be made and the user / client would be able to confirm the payment afterwards in the Dashboard directly.
This method is called Auth and Capture. Place a hold on a card to reserve funds now but only capture them after your business completes the service. When a payment is authorized, the bank guarantees the amount and holds it on the customer’s card for up to seven days, or two days for in-person payments using Terminal. You can find more information along with the API's under this Link: https://stripe.com/docs/payments/capture-later#authorize-only

Implementing SCA into Stripe implementation

I've making a SaaS that allows customers to subscribe to a plan, and use coupons at the checkout stage. The coupons give the customers X% off for X months, and by default, everyone gets a 7 day trial when they subscribe.
What is confusing me is the documentation. In one section it says that you should create SetupIntents to take a payment and elsewhere it says to use tokens.
I'm in the middle of coding the payment flow, but I just wanted to check to see if my logic and understanding is correct. Could anyone validate the below?
Customer enters card number and coupon
Call Stripe, get token for card
Send token and coupon to server
Create Stripe customer with token
Create Subscription with discount and pass customer ID
What has now happened is an authorisation attempt was made. If SCA is required, then the subscription status is incomplete and the latest invoice payment intent status requires action.
At this point, I can redirect my user to the SCA Flow using handleCardPayment() to prompt 3DS, and once complete the subscription status is then active.
If the invoice payment fails for any reason, then the subscription state is incomplete and the payment intent requires has a payment action required status. At this point, I should present my customer with the React Elements form again, and call the stripe.invoices.pay endpoint with the new card token
Going forwards, all subscription charges should not need further SCA approval, however if the customer changes plan or the bank requests it, then I can point my user back through the SCA Flow process
A diagram of the flow is here: Green is UI, Orange is Server, Blue is Stripe
Is there anything I have missed or misunderstood here? I've been reading about creating SetupIntents and PaymentIntents, but I'm not sure I need this?
If you are creating subscriptions using the Stripe Billing product they handle creating the PaymentIntent(if you are taking a payment immediately) or a SetupIntent (if you are setting up a trial or metered billing). All that you really have to do different is handleCardPayment (for payments) or handleCardSetup (for setting up trials and metered billing). This section in the docs is pretty good.
If you are not using billing they have a video on their Stripe Developers Youtube channel which may help clear up any confusion.
Hope this helps :)
Welcome fellow sufferer, cards and tokens are implemented in Stripe Charges API which is not SCA compilant. If you want use Stripe for payments inside the EU you should use payment intents.
Card tokens are also allowed for creating payment intents.
But if you want reduce the number of necessary authentications you should use setup intents (with usage = "off-session") for creating payment methods and not card tokens.
I have a lot of old customers who have still registered with the Charges API. I use the following strategy:
New customers always register via Setup Intents and Payment Methods.
Old customers use the Charges API until their tokens become invalid. Then they must also use setup intents and payment methods.
Of course, the customers do not notice much of it.
In summary, I would always use payment methods and setup intents for new customers and card updates. Only with the setup intents can you ensure that your customers have to authenticate themselves as rarely as possible.
EDIT: The crucial point is off-session payments that occur with subscriptions. The Stripe procedure is described here: https://stripe.com/docs/payments/cards/saving-cards#saving-card-without-payment

Check if existing stripe customer's cards are still valid

I have an application which uses Stripe. Stripe stores credit card information for every customer. Some of these cards are already expired and not valid anymore.
How can I go through all customers and validate their credit cards (if they are still valid or not)?
In many cases, Stripe will automatically update the cards: https://stripe.com/blog/smarter-saved-cards.
Otherwise, there is no way of checking that a saved card is still valid short of trying to charge it. But you should not try to create charges just to test if a card is still valid -- the credit card networks rules and Stripe's own ToS forbid from creating charges that are not for the actual selling of a good or service.
From Stripe documentation
In many cases, Stripe will automatically update the cards: https://stripe.com/blog/smarter-saved-cards.
Otherwise, there is no way of checking that a saved card is still valid short of trying to charge it. But you should not try to create charges just to test if a card is still valid -- the credit card networks rules and Stripe's own ToS forbid from creating charges that are not for the actual selling of a good or service.
Although you can always test the card without charging using the "save card" function
More here - https://support.stripe.com/questions/check-if-a-card-is-valid-without-a-charge

save card to customer with Stripe.js

How do I save a card to a customer with Stripe.js?
I don't want to change them at this point. I just want to save the credit card info to their stripe account so I can use it later.
It seems like I'd need to use createToken from Stipe.js. But my understanding is that this is a one time use token. I want to save the credit card info for later use.
This seems to be a similar question: Stripe Payment: Save token and customer and make payment later from token
but the solution isn't clear. I'm not sure if it means for the customer I need to save card=token and everything will work fine.
Though the question is an old one and solution of this problem is now pretty straightforward in the current Stripe API, I'm just answering for those who accidentally reached or will reach here without reading the Official Stripe Doc properly(like me) searching for this question.
To make a stripe payment You first need to make a call to the Stripe API(Using Stripe's Checkout widget, Elements or Mobile SDKs) with the User's card information. As a response, you will get a token. Then you can charge your customer immediately using Stripe's Charge API. This is for just one-time payment. You will find an example here.
If you want to save customer's information for later payment, you need to create a 'Customer' first using Stripe's API and then using that customer's ID (returned as a response from the previous API call) you can charge this customer. Example here.
I just described the process briefly to show the idea at a glance. But you should really need to read this quickstart guide in Stripe's documentation. This explains the process very well.
I just want to save the credit card info to their stripe account so I
can use it later.
Then that's exactly what you can do!
If you're already passing the token back into your server-side code, you just need to update that server-side code to retrieve the customer and create the card on that customer record using the token.
Not knowing what language you're using I can't provide relevant sample code, but the Stripe API reference has functional examples for Ruby, Python, PHP, Java, and Node.js.
Note that if the customer has any outstanding invoices, this card will be used the next time they attempt to settle—so while simply adding the card won't create a charge by itself, it's possible the card may still be billed.
A key point that the prior answers seems to dance around but do not explicitly state is that you can't simply save the credit card (token) in Stripe. Stripe's API's don't save credit cards per se, however, they can save a customer and attached to the customer you can save one more credit cards (or payment sources). So a credit card (or payment source) is not a stand alone entity in the Stripe storage system, it's a child entity of a Customer.

Resources