Stripe Changes

[JimJ]

Email from Stripe today:

Quote

Hello,

On 14 September 2019, a new European regulatory requirement called Strong Customer Authentication (SCA) will introduce two-factor authentication requirements for many online payments in Europe. We expect this regulation to be enforced in the UK regardless of the outcome of Brexit. Payments that aren’t authenticated will be declined by your customers’ banks.

We’ve released a new payments API and SCA-ready products to help you prepare for this change. To get ready for these new rules and avoid having many European payments declined, you’ll need to make changes to your payment flows and Stripe integration by 14 September 2019. Read our docs to learn more about SCA and the required changes.

Read the docs

 

[redit]

I've had the same eMail.

As WHMCS now have the Strip module built into the product I would expect that they would already know of this and be working on it for the next release which now also gives us a deadline for when we can expect a release by.

 

[brian!]

9 minutes ago, redit said:

As WHMCS now have the Strip module built into the product I would expect that they would already know of this and be working on it for the next release which now also gives us a deadline for when we can expect a release by. 

it's rumoured to be in v7.8....

even if it's not in v7.8, there will be at least one other release after that (e.g v7.8.1 a fortnight after the v7.8.0 release!) before that September deadline. 🙂

[redit]

Well we can at least hope to have a release by September, two would just be spoiling us.

[brian!]

Just now, redit said:

Well we can at least hope to have a release by September, two would just be spoiling us.

I was just working on the safe assumption that v7.8 will be buggy, require a handful of hotfixes within a week and a maintenance release a week or two later... it seems to be what's happened with every major release for the last few years.

if the next release is v7.8 next month (or the month after), then I can't see v8 being launched before that September deadline... and I would hope there would be a long thorough beta period for v8 if there are any significant changes to it (and if there aren't, then there's little point in calling it v8)

[steven99]

From what I have read on Stripe's 3D secure docs is that any automated payments done to a 3D secure required card must be authenticated again by the client.  They call this off-session transactions.  According to Stripe's migration docs for subscriptions and SCA, this includes subscriptions.  Basically, the client has to go in their client area and authenticate the payment by paying the invoice manually.  So no more automated payments for these types of cards and I hope most will have the "supported" card types instead of required.  Also, existing customer tokens may not work for automated payments unless they use both the charges API and paymentintents API and decide which to use based on token.  This is because the paymentintents API requires both the customer ID and the payment method ID and only the Stripe customer ID is stored with the current module.  The PaymentIntents API is used for 3DS so they will need to provide both and store both.  (hope this info helps the dev responsible for updating their module )

[inteldigital]

As an aside to this, and being at risk of hijacking a topic I came in search of (thank you, by the way, I also got the same email) – how do you guys handle compliance within WHMCS using Stripe? Stripe have recently asked us to confirm our PCI compliance, but of course, WHMCS isn't compliant. How do you handle this?

[steven99]

At this point it may be to late for you, but what you need to do is use use Stripe with Elements so that Stripe uses the pre-filled SAQ-A form .  The current Stripe module in WHMCS uses the old Stripe.js v2 and they require the full SAQ-A-EP. with that usage.  According to this request it is in progress for the built-in module.

[Jafar Muhammed]

On 16/04/2019 at 8:33 PM, steven99 said:

any automated payments done to a 3D secure required card must be authenticated again by the client

Means, when a client placed an order for a monthly package; they would go through the 3DS and finish the transaction. And in next month, the client should log in to Client Area and initiate the renewal process and complete it in the 3DS page.

Is that what you are saying?

[steven99]

From my understand, yes that is correct.  Basically any time you want to charge a card that is "3DS required", it needs to go through the 3DS process.  There cards that are 3DS "supported", which means they support 3DS but wont block if 3DS isn't provided.  Though for those countries requiring merchants to do 3DS, I would imagine there is a regulation for cards to be 3DS required also.  

[Jafar Muhammed]

Ah, then I must wake up and stop dreaming about automatic renewal and fewer missed-payments.

I was knocking at every door with a hope that Stripe will make the recurring payment hassle-free for both my customers and me. 😆

Edited April 18, 2019 by Jafar Muhammed

[steven99]

It would be an issue for any other gateway also as long as 3DS is involved.

[Jafar Muhammed]

@steven99, I am using Razorpay, an Indian Payment Gateway provider.

They have a WHMCS module, and they offer Subscriptions. Though, their WHMCS module doesn't support the subscription feature yet.

In India, 3DS is mandatory.

See Razorpay's subscriptions page. Scroll down to Multiple Payment Modes available section.

Under Credit Cards or Debit Cards, it says that 

Quote

can be added to a subscription for automated recurring transactions requiring no customer intervention after a one-time authentication

I will try to confirm this with Stripe ASAP.

[steven99]

Their documentation page also says this for subscriptions.  Do update on Stripe's answer.

[Jafar Muhammed]

Stripe's response.

Quote

Yes, for recurring domestic charges 3Ds is mandatory for the first successful payment of your subscription, but for the succeeding payments it depends on you if you'd like to capture 3Ds or not. However it's also worth noting to consider whether the card issuing bank will allow payments without the 3DS as local banks in India usually impose 3Ds for processing every transaction.

 

[steven99]

Uh, why would you want to not capture a payment? There are authorizations and capture.  Authorization just hits the card with a pending transaction that then expires after a time. With just authorization, funds never reach you and funds go back to the client after the authorization expires.  Capture means to you have done the authorization and also want to collect / capture the funds. 

So it does still seem for at least Stripe they require 3DS to actually get the funds.   I wonder how Razorpay is doing this without that bit then.  And how they / if they are getting around the last bit Stripe mentioned of local banks requiring 3DS .

[Jafar Muhammed]

[Update] Stripe rolls-out its subscription billing service in Europe.

This is a new EU regulation that comes into effect in September that is forecast to radically change the way European customers buy online.

The legislation, which forms part of the PSD2 “open banking” regulations, requires businesses to build an extra layer of authentication into online card payments.

And read, Why did Stripe acquire Dublin-based Touchtech Payments?

WHMCS should be ready with 3DS and other SCA features before September. 

[Jafar Muhammed]

On 23/04/2019 at 1:43 AM, steven99 said:

I wonder how Razorpay is doing this without that bit then.  And how they / if they are getting around the last bit Stripe mentioned of local banks requiring 3DS .

I have asked this question and shared Razorpay's doc with Stripe Support.

Stripe Support from Non-India said that they need to get this confirmed with the Stripe India team. I am along with Stripe Support team waiting for Stripe India's response to this.

I like the payment flow of Razorpay, but I guess that Razorpay seems a bit lied to its customers.

See this Github issue.

I have attended https://razorpay.com/ftx/, and the Razorpay team at the booth assured me that their WHMCS module has their Subscription support.

Later when I came back to my office, I chatted with Razorpay team, and they said Subscription isn't available for their WHMCS module.

 

Can anyone tell me what is the current 3DS flow in your country for a recurring payment?

[steven99]

From looking at the code on that github page, I would say no it doesn't support subscriptions for the simple fact that no subscription parameters are passed during the checkout phase and the callback file is capturing payments  and again no mention of subscriptions.  Also, their PHP code related to WHMCS, specifically mysql queries, is outdated . 

[Jafar Muhammed]

16 minutes ago, steven99 said:

Also, their PHP code related to WHMCS, specifically mysql queries, is outdated . 

Ah, that's another reason to stop using them once Stripe 3D Secure is live.

[WHMCS John]

Hi all,

In version 7.8 we intend to include an update to the Stripe module which will have support for Stripe's Payment Intents API. This is currently being advertised by Stripe as being "SCA Ready".

Please stay tuned to our blog and the community in the coming weeks for news on the 7.8 beta. Your help in testing these Stripe module updates will be appreciated.

[Jafar Muhammed]

Thanks for the update @WHMCS John, I am super excited to try it out.

[inteldigital]

6 hours ago, WHMCS John said:

Hi all,

In version 7.8 we intend to include an update to the Stripe module which will have support for Stripe's Payment Intents API. This is currently being advertised by Stripe as being "SCA Ready".

Please stay tuned to our blog and the community in the coming weeks for news on the 7.8 beta. Your help in testing these Stripe module updates will be appreciated.

Hi John,

You've taken a lot of headaches and worry away from me. Looking forward to the release, and being compliant!

[Jafar Muhammed]

19 hours ago, Jafar Muhammed said:

Stripe Support from Non-India said that they need to get this confirmed with the Stripe India team. I am along with Stripe Support team waiting for Stripe India's response to this.

@steven99, I got another confirmation from Stripe.

Quote

Our team has confirmed that 3DS is only required on the first payment and 3Ds on succeeding payments is optional depending on you integration.
So basically, as long as the 1st payment has been authenticated via 3DS and as flagged as a recurring payment then succeeding payments should without 3DS should go through.

Since they mentioned depending on you integration, I am tagging @WHMCS John here

[brian!]

11 hours ago, inteldigital said:

You've taken a lot of headaches and worry away from me.

at this stage, it's merely a gentle rub on the temples rather than a guaranteed cure for those headaches... 🤕

11 hours ago, inteldigital said:

Looking forward to the release, and being compliant!

if it arrives a) before the deadline, b) is compliant and c) relatively bug free, then the headaches will disappear... but don't count your chickens until that point arrives as we've been here plenty of times in the past with deadlines approaching. 🐔