Jump to content

Stripe Changes


JimJ

Recommended Posts

Email from Stripe today:

Quote

Hello,

On 14 September 2019, a new European regulatory requirement called Strong Customer Authentication (SCA) will introduce two-factor authentication requirements for many online payments in Europe. We expect this regulation to be enforced in the UK regardless of the outcome of Brexit. Payments that aren’t authenticated will be declined by your customers’ banks.

We’ve released a new payments API and SCA-ready products to help you prepare for this change. To get ready for these new rules and avoid having many European payments declined, you’ll need to make changes to your payment flows and Stripe integration by 14 September 2019. Read our docs to learn more about SCA and the required changes.

 

Link to comment
Share on other sites

I've had the same eMail.

As WHMCS now have the Strip module built into the product I would expect that they would already know of this and be working on it for the next release which now also gives us a deadline for when we can expect a release by.

 

Link to comment
Share on other sites

9 minutes ago, redit said:

As WHMCS now have the Strip module built into the product I would expect that they would already know of this and be working on it for the next release which now also gives us a deadline for when we can expect a release by. 

it's rumoured to be in v7.8....

even if it's not in v7.8, there will be at least one other release after that (e.g v7.8.1 a fortnight after the v7.8.0 release!) before that September deadline. 🙂

Link to comment
Share on other sites

Just now, redit said:

Well we can at least hope to have a release by September, two would just be spoiling us.

I was just working on the safe assumption that v7.8 will be buggy, require a handful of hotfixes within a week and a maintenance release a week or two later... it seems to be what's happened with every major release for the last few years.

if the next release is v7.8 next month (or the month after), then I can't see v8 being launched before that September deadline... and I would hope there would be a long thorough beta period for v8 if there are any significant changes to it (and if there aren't, then there's little point in calling it v8)

Link to comment
Share on other sites

From what I have read on Stripe's 3D secure docs is that any automated payments done to a 3D secure required card must be authenticated again by the client.  They call this off-session transactions.  According to Stripe's migration docs for subscriptions and SCA, this includes subscriptions.  Basically, the client has to go in their client area and authenticate the payment by paying the invoice manually.  So no more automated payments for these types of cards and I hope most will have the "supported" card types instead of required.  Also, existing customer tokens may not work for automated payments unless they use both the charges API and paymentintents API and decide which to use based on token.  This is because the paymentintents API requires both the customer ID and the payment method ID and only the Stripe customer ID is stored with the current module.  The PaymentIntents API is used for 3DS so they will need to provide both and store both.  (hope this info helps the dev responsible for updating their module )

Link to comment
Share on other sites

As an aside to this, and being at risk of hijacking a topic I came in search of (thank you, by the way, I also got the same email) – how do you guys handle compliance within WHMCS using Stripe? Stripe have recently asked us to confirm our PCI compliance, but of course, WHMCS isn't compliant. How do you handle this?

Link to comment
Share on other sites

At this point it may be to late for you, but what you need to do is use use Stripe with Elements so that Stripe uses the pre-filled SAQ-A form .  The current Stripe module in WHMCS uses the old Stripe.js v2 and they require the full SAQ-A-EP. with that usage.  According to this request it is in progress for the built-in module.

Link to comment
Share on other sites

On 16/04/2019 at 8:33 PM, steven99 said:

any automated payments done to a 3D secure required card must be authenticated again by the client

Means, when a client placed an order for a monthly package; they would go through the 3DS and finish the transaction. And in next month, the client should log in to Client Area and initiate the renewal process and complete it in the 3DS page.

Is that what you are saying?

Link to comment
Share on other sites

From my understand, yes that is correct.  Basically any time you want to charge a card that is "3DS required", it needs to go through the 3DS process.  There cards that are 3DS "supported", which means they support 3DS but wont block if 3DS isn't provided.  Though for those countries requiring merchants to do 3DS, I would imagine there is a regulation for cards to be 3DS required also.  

Link to comment
Share on other sites

@steven99, I am using Razorpay, an Indian Payment Gateway provider.

They have a WHMCS module, and they offer Subscriptions. Though, their WHMCS module doesn't support the subscription feature yet.

In India, 3DS is mandatory.

See Razorpay's subscriptions page. Scroll down to Multiple Payment Modes available section.

Under Credit Cards or Debit Cards, it says that 

Quote

can be added to a subscription for automated recurring transactions requiring no customer intervention after a one-time authentication

I will try to confirm this with Stripe ASAP.

Link to comment
Share on other sites

Stripe's response.

Quote

Yes, for recurring domestic charges 3Ds is mandatory for the first successful payment of your subscription, but for the succeeding payments it depends on you if you'd like to capture 3Ds or not. However it's also worth noting to consider whether the card issuing bank will allow payments without the 3DS as local banks in India usually impose 3Ds for processing every transaction.

 

Link to comment
Share on other sites

Uh, why would you want to not capture a payment? There are authorizations and capture.  Authorization just hits the card with a pending transaction that then expires after a time. With just authorization, funds never reach you and funds go back to the client after the authorization expires.  Capture means to you have done the authorization and also want to collect / capture the funds. 

So it does still seem for at least Stripe they require 3DS to actually get the funds.   I wonder how Razorpay is doing this without that bit then.  And how they / if they are getting around the last bit Stripe mentioned of local banks requiring 3DS .

Link to comment
Share on other sites

[Update] Stripe rolls-out its subscription billing service in Europe.

This is a new EU regulation that comes into effect in September that is forecast to radically change the way European customers buy online.

The legislation, which forms part of the PSD2 “open banking” regulations, requires businesses to build an extra layer of authentication into online card payments.

And read, Why did Stripe acquire Dublin-based Touchtech Payments?

WHMCS should be ready with 3DS and other SCA features before September. 

Link to comment
Share on other sites

On 23/04/2019 at 1:43 AM, steven99 said:

I wonder how Razorpay is doing this without that bit then.  And how they / if they are getting around the last bit Stripe mentioned of local banks requiring 3DS .

I have asked this question and shared Razorpay's doc with Stripe Support.

Stripe Support from Non-India said that they need to get this confirmed with the Stripe India team. I am along with Stripe Support team waiting for Stripe India's response to this.

I like the payment flow of Razorpay, but I guess that Razorpay seems a bit lied to its customers.

See this Github issue.

I have attended https://razorpay.com/ftx/, and the Razorpay team at the booth assured me that their WHMCS module has their Subscription support.

Later when I came back to my office, I chatted with Razorpay team, and they said Subscription isn't available for their WHMCS module.

 

Can anyone tell me what is the current 3DS flow in your country for a recurring payment?

Link to comment
Share on other sites

From looking at the code on that github page, I would say no it doesn't support subscriptions for the simple fact that no subscription parameters are passed during the checkout phase and the callback file is capturing payments  and again no mention of subscriptions.  Also, their PHP code related to WHMCS, specifically mysql queries, is outdated . 

Link to comment
Share on other sites

  • WHMCS Support Manager

Hi all,

In version 7.8 we intend to include an update to the Stripe module which will have support for Stripe's Payment Intents API. This is currently being advertised by Stripe as being "SCA Ready".

Please stay tuned to our blog and the community in the coming weeks for news on the 7.8 beta. Your help in testing these Stripe module updates will be appreciated.

Link to comment
Share on other sites

6 hours ago, WHMCS John said:

Hi all,

In version 7.8 we intend to include an update to the Stripe module which will have support for Stripe's Payment Intents API. This is currently being advertised by Stripe as being "SCA Ready".

Please stay tuned to our blog and the community in the coming weeks for news on the 7.8 beta. Your help in testing these Stripe module updates will be appreciated.

Hi John,

You've taken a lot of headaches and worry away from me. Looking forward to the release, and being compliant!

Link to comment
Share on other sites

19 hours ago, Jafar Muhammed said:

Stripe Support from Non-India said that they need to get this confirmed with the Stripe India team. I am along with Stripe Support team waiting for Stripe India's response to this.


@steven99, I got another confirmation from Stripe.

Quote

Our team has confirmed that 3DS is only required on the first payment and 3Ds on succeeding payments is optional depending on you integration.
So basically, as long as the 1st payment has been authenticated via 3DS and as flagged as a recurring payment then succeeding payments should without 3DS should go through.

Since they mentioned depending on you integration, I am tagging @WHMCS John here

Link to comment
Share on other sites

11 hours ago, inteldigital said:

You've taken a lot of headaches and worry away from me.

at this stage, it's merely a gentle rub on the temples rather than a guaranteed cure for those headaches... 🤕

11 hours ago, inteldigital said:

Looking forward to the release, and being compliant!

if it arrives a) before the deadline, b) is compliant and c) relatively bug free, then the headaches will disappear... but don't count your chickens until that point arrives as we've been here plenty of times in the past with deadlines approaching. 🐔

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated