Strong Customer Authentication
Strong Customer Authentication, or SCA, is part of the the Revised Payment Services Directive (PSD2). The SCA is a new requirement for authenticating online payments and will be mandatory in Europe from the 14 September 2019. The goal is to reduce the risk of fraud and make transactions more secure.
If you want to learn more about SCA, please read this excellent article from Stripe: Strong Customer Authentication​
SCA will ONLY apply to transactions where both the business and the cardholder’s bank are located in the European Economic Area.
For example purposes we are showing the code snippets in javascript
Create a Payment Method , setting just the payment_method attribute to stripe. This will return an empty payment method with a Stripe setup intent.
fetch('/payment_methods', {method: 'POST',body: {payment_method: 'stripe'}}).then(function(emptyPaymentMethod) {// emptyPaymentMethod containing the setupIntent});
Example below is using the Stripe.js SDK
// https://stripe.com/docs/stripe-js/reference#stripe-handle-card-actionstripe.handleCardSetup(emptyPaymentMethod.setup_intent.client_secret).then(function(stripeResponse) {// Handle stripeResponse.error or stripeResponse.paymentIntent});
Update the empty payment method in our API with the returned Stripe payment method id
fetch(`/payment_methods/${paymentIntent._id.$oid}`, {method: 'PUT',body: {payment_method_id: stripeResponse.setupIntent.payment_method}}).then(function(fullPaymentMethod) {// Contains the fully populated payment method (retrieved from Stripe in the backend)});
Implementing proper flows to handle SCA related errors is crucial! We explain the two possible SCA related errors below
Case: While trying to pay for an order on a client, we get an error notifying us
Solution: We will return an error with the status code 422 if a payment requires further authentication from the bank. The API response will include the 3 following parameters needed to re-authentication:
payment_id- The ID of the Payment​payment_intent_id- The Stripe PaymentIntent IDintent_client_secret- The Stripe PaymentIntent secret for re-authentication
Using the payment_intent_id and intent_client_secret, you need to confirm the payment using the Stripe SDK
stripe.confirmPaymentIntent(PAYMENT_INTENT_CLIENT_SECRET).then(function(result) {// Handle result.error or result.paymentIntent});
Case: While trying to charge a customer for a recurring subscription, the bank notifies us that the payment needs to be re-authenticated.
Solution: BuiltOn API will trigger a specific Webhook,payment.requires_auth , every time the subscription charge needs to be re-authenticated. You will need to handle the flow to ensure that your customer's card is re-authenticated. This could be handled by sending an email or a push notification to your customer notifying them on that a payment needs to be re-authenticated. Have a look at our SCA confirm payment page example to get a better understanding of the flow required to re-authenticate a payment (or just clone and copy our example!).
Make sure you created a Webhook listening to the event: payment.requires_auth. The event will contain all the parameters you need to re-authenticate.
Once the customer has re-authenticated the payment, you will be able to effectively charge them by calling our API route: POST /payments/<payment_id>/confirm with thepayment_intent_idand the payment_client_secretproperties in the body.
POST /payments/<payment_id>/confirm HTTP/1.1Content-Type: application/jsonX-Builton-Api-Key: <builton-api-key>Host: api.builton.dev​{"payment_intent_id": "seti_payment_intent_id","payment_client_secret": "set_payment_client_secret"}
