Stripe
We use Stripe's Payment Intents API to handle our complex payment workflow. It tracks a payment from creation through checkout and triggers additional authentication steps when required.
Some of the advantages of using the Payment Intents API include:
Support for Strong Customer Authentication (SCA) and similar regulatory changes
Automatic authentication handling
No double charges
No idempotency key issues (safely retrying requests without accidentally performing the same operation twice)
When both the business and the card issuer bank are located in the European Economic Area (EEA), these requirements apply to online transactions with cards.
NOTE: SCA regulatory requirements may be enforced in the UK, regardless of the outcome of Brexit.
There are some exemptions, such as:
Payments below 30€ are considered "low value." They may be exempted from SCA if the exemption has been used less than five times since the last successful authentication or if the sum of previously exempted payments exceeds 100€.
When you use Stripe Radar, they perform a real-time risk analysis to determine whether to apply SCA to a transaction with the condition that the payment provider or card issuer's overall fraud rates are low. Otherwise, either Stripe or the bank may require authentication.
Recurring payments to the same business for the same amount require SCA only for the customer's first payment; subsequent charges, however, may be exempted from SCA.
Renewals, technically known as "off-session" payments, are marked as a "merchant-initiated transaction," which will be similar to requesting an exemption.
NOTE: The bank has the final word on whether the transaction requires authentication, regardless of the exemption.
PayPal
PayPal is SCA compliant and handles the authentication requests and processing for you.