Strong Customer Authentication

What is SCA?

Strong Customer Authentication, or SCA, is part of the Revised Payment Services Directive (PSD2). SCA is a new requirement for authenticating online payments and will be mandatory in Europe from 14 September 2019. The goal is to reduce the risk of fraud and make transactions more secure.

If you want to learn more about SCA, please read this excellent article from Stripe: Strong Customer Authentication.

SCA will ONLY apply to transactions where both the business and the cardholder’s bank are located in the European Economic Area.

How to use our Payment Methods API and Stripe with SCA

For example purposes, the code snippets are shown in JavaScript.

1. Create and save a payment method

Create a payment method, setting just the payment_method attribute to stripe. This returns an empty payment method with a Stripe setup intent.

fetch('/payment_methods', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-Builton-Api-Key': '<builton-api-key>'
  },
  // fetch needs a serialised body, not a plain object
  body: JSON.stringify({ payment_method: 'stripe' })
}).then(function(response) {
  return response.json();
}).then(function(emptyPaymentMethod) {
  // emptyPaymentMethod contains the Stripe setup intent (setup_intent)
});

2. Use setup intent with your Stripe SDK

The example below uses the Stripe.js SDK.

// https://stripe.com/docs/stripe-js/reference#stripe-handle-card-setup
stripe.handleCardSetup(emptyPaymentMethod.setup_intent.client_secret)
  .then(function(stripeResponse) {
    // Handle stripeResponse.error or stripeResponse.setupIntent
  });

3. Update payment method

Update the empty payment method in our API with the payment method id returned by Stripe.

// emptyPaymentMethod is the payment method created in step 1;
// stripeResponse is the result of handleCardSetup in step 2
fetch(`/payment_methods/${emptyPaymentMethod._id.$oid}`, {
  method: 'PUT',
  headers: {
    'Content-Type': 'application/json',
    'X-Builton-Api-Key': '<builton-api-key>'
  },
  body: JSON.stringify({
    payment_method_id: stripeResponse.setupIntent.payment_method
  })
}).then(function(response) {
  return response.json();
}).then(function(fullPaymentMethod) {
  // Contains the fully populated payment method (retrieved from Stripe in the backend)
});

Handling SCA related errors

Implementing proper flows to handle SCA-related errors is crucial! We explain the two possible SCA-related errors below.

In-session order payment requires re-authentication

Case: While trying to pay for an order on a client, we get an error notifying us

Solution: We return an error with status code 422 if a payment requires further authentication from the bank. The API response includes the following three parameters needed for re-authentication:

Using the payment_intent_id and intent_client_secret, confirm the payment with the Stripe SDK:

// PAYMENT_INTENT_CLIENT_SECRET is the intent_client_secret from the 422 response
stripe.confirmPaymentIntent(PAYMENT_INTENT_CLIENT_SECRET).then(function(result) {
  // Handle result.error or result.paymentIntent
});

Off-session subscription payment requires re-authentication

Case: While trying to charge a customer for a recurring subscription, the bank notifies us that the payment needs to be re-authenticated.

Solution: The BuiltOn API triggers a specific webhook, payment.requires_auth, every time a subscription charge needs to be re-authenticated. You need to handle the flow to ensure that your customer's card is re-authenticated, for example by sending an email or a push notification notifying the customer that a payment needs to be re-authenticated. Have a look at our SCA confirm payment page example to get a better understanding of the flow required to re-authenticate a payment (or just clone and copy our example!).

Make sure you have created a webhook listening to the event payment.requires_auth. The event contains all the parameters you need to re-authenticate.

Confirm Payment after successful re-authentication

Once the customer has re-authenticated the payment, you can charge them by calling our API route POST /payments/<payment_id>/confirm with the payment_intent_id and payment_client_secret properties in the body.

POST /payments/<payment_id>/confirm HTTP/1.1
Content-Type: application/json
X-Builton-Api-Key: <builton-api-key>
Host: api.builton.dev

{
  "payment_intent_id": "seti_payment_intent_id",
  "payment_client_secret": "set_payment_client_secret"
}
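The in-session path described above (a 422 on payment, confirmation with Stripe.js, then POST /payments/<payment_id>/confirm), put together as an added JavaScript example; this is not BuiltOn's or Stripe's code and it runs against constructed fakes. It assumes an order payment endpoint `/orders/<order_id>/pay` and that the 422 body carries the payment's own id as `_id.$oid`; the page specifies neither.

```javascript
// Added example, not BuiltOn's or Stripe's code. Drives the in-session SCA path: pay the
// order, on 422 confirm the PaymentIntent with Stripe.js, then POST /payments/<id>/confirm.
// `stripe` and `fetchImpl` are injected so the flow can be exercised offline against fakes.
async function payWithSca(orderId, stripe, fetchImpl, apiKey) {
  const headers = { 'Content-Type': 'application/json', 'X-Builton-Api-Key': apiKey };
  // Assumed endpoint for paying an order; the page documents only the 422 contract.
  const first = await fetchImpl('/orders/' + orderId + '/pay', { method: 'POST', headers });
  if (first.status !== 422) return { status: first.ok ? 'paid' : 'failed', step: 'initial' };
  // A 422 means the bank wants re-authentication. The body carries payment_intent_id and
  // intent_client_secret (documented above); the payment id field `_id.$oid` is assumed.
  const err = await first.json();
  if (!err.payment_intent_id || !err.intent_client_secret || !err._id) {
    throw new Error('422 response is missing the re-authentication parameters');
  }
  const result = await stripe.confirmPaymentIntent(err.intent_client_secret);
  if (result.error) return { status: 'auth_failed', step: 'stripe', reason: result.error.message };
  // Only hand the backend a secret that belongs to the intent it asked us to authenticate.
  if (result.paymentIntent.id !== err.payment_intent_id) {
    throw new Error('PaymentIntent id mismatch between API and Stripe');
  }
  const confirm = await fetchImpl('/payments/' + err._id.$oid + '/confirm', {
    method: 'POST',
    headers,
    body: JSON.stringify({ payment_intent_id: err.payment_intent_id,
                           payment_client_secret: err.intent_client_secret }),
  });
  return { status: confirm.ok ? 'paid' : 'failed', step: 'confirm' };
}

// Constructed stand-ins for the BuiltOn API and Stripe.js (test doubles, not real endpoints).
function fakeBackend() {
  const calls = [];
  const fetchImpl = async (url, opts) => {
    calls.push({ url, method: opts.method, body: opts.body ? JSON.parse(opts.body) : null });
    if (url.endsWith('/pay')) {           // first attempt: bank demands SCA
      const body = { _id: { $oid: 'pay_123' }, payment_intent_id: 'pi_123', intent_client_secret: 'pi_123_secret_x' };
      return { status: 422, ok: false, json: async () => body };
    }
    return { status: 200, ok: true, json: async () => ({ status: 'succeeded' }) };  // confirm succeeded
  };
  return { calls, fetchImpl };
}
const fakeStripe = {
  confirmPaymentIntent: async (secret) => secret === 'pi_123_secret_x'
    ? { paymentIntent: { id: 'pi_123', status: 'succeeded' } }
    : { error: { message: 'authentication_failed' } },
};
```

Calling `payWithSca('ord_1', fakeStripe, fakeBackend().fetchImpl, 'test-key')` walks the whole path and resolves to `{ status: 'paid', step: 'confirm' }`.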