Yes, but I am still not sure how much of my business is impacted. Will it only affect European customers? Or also my US customers?
Spark, Cashier and Stripe SCA considerations
Starting September 14, 2019, European regulation requires Strong Customer Authentication (SCA) for many online payments. We use Spark (with Cashier) and Stripe for a SaaS service with monthly subscriptions, both fixed fees and metered billing. With the upcoming EU regulations change we are considering our options on how to move forward with our billing.
As Stripe seems to be particularly popular with Laravel and Spark based apps thanks to Cashier, I'm looking forward to exchanging thoughts with others that are to adhere to the SCA update.
The main choice we're facing is if we stick to Spark/Cashier for billing and invoicing, or bypass it (as much as possible) and fully switch to the Stripe API, Stripe Checkout (or Elements) and Stripe Invoicing.
We are considering moving away from Cashier as it might require such a huge update to our Spark 5 (Laravel 5.5) app, that it might be easier to go native on Stripe API and tools. Also, as we prefer an architecture using "Separation of Concerns", it makes more sense to keep all user billing data just in Stripe and not in Spark as well. The only (?) reason to keep it in Spark is for invoicing, but with the updated Stripe invoicing options and tax rules, we can let Stripe handle that, it seems.
Others here that are struggling with the same? I'm happy to share ideas and considerations and update this thread with challenges and pitfalls we face while moving forward.
It should only affect EU customers, but I'm far from certain on that. For example, Stripe has a page "Update your integration to prepare for SCA" showing what part Payments at risk we have. Though most of our customers are based in the USA, Stripe tells us here that close to 100% of our payments are at risk. 🤔
As there are many may's and may-not's, it's best to check out https://stripe.com/en-nl/guides/sca-payment-flows#understanding-exemptions:
There are certain types of payments—such as low-risk transactions, fixed-amount subscriptions, phone sales, and merchant-initiated transactions—that may be exempt from SCA. [...] However, businesses can’t rely on exemptions and must design their payment flows to authenticate customers when necessary. This is because the rules around exemptions depend on your customers’ banks.
Hmm ... hope for the best, but prepare for the worst?
We're still digging into the docs and see how big the impact would be to replace Cashier by native Stripe ... Will update later on this.
@DR-BOB - Yes, I also was first under the impression only my EU customers were affected but then indeed the "Payments at risk" showed a much larger number than I would expect based on their revenue.
I am also worried about existing monthly subscriptions, I think I am running Spark 4? And probably 5.6. Going to the newest Spark environment already would require lots of development and do I then have the guarantee my existing subscriptions keep on being functional?
You should follow this https://github.com/laravel/cashier/pull/667
@hazzazimi if we want to be able to upgrade to Cashier v10, we're also required to upgrade Spark, as we're on Spark 5. Upgrading is not advised by the Spark team:
While the back-end changes from Spark 5.0 to Spark 6.0 are relatively minor, the front-end changes are extensive. [...] For this reason, you may wish to reserve usage of Spark 6.0 to new Spark projects only. https://spark.laravel.com/docs/6.0/upgrade
I'm starting to regret we've decided to use Spark in the first place ... so now we have (more or less) decided to drop Cashier and implement "native" Stripe stuff (Elements, Stripe.js, Stripe API) ...
@DR-BOB - I started using Spark from version 6 and now I've upgraded everything the way I wanted, mostly front end to the version 8.
Cashier will provide an update for the back end, but it is usually expected of us as developers to be able to use our own assets for the front end, depending on whether you are using Checkout, which is easier, or Stripe.js and Elements. I agree it's a huge deal and upgrade to do. I have to update at least 5 Laravel websites myself. Still, there are so many little things to be done by Stripe for completing SCA by 3 months, I guess their backlog is full.
Here is what I am aiming for, please feel free to correct me or suggest improvements.
- wait for 1st July and Cashier 10 is finished
- wait for Cashier 10 implementation in Spark 8 (or 9?)
- acquire Spark 8 (or 9), migrate codebase of Spark 5 to 8. Most of my stuff is in Laravel Blade, I barely touched the Vue code, only the subscriptions part.
Pray for the best. I probably still have to migrate my existing users/subscriptions and that is what worries me the most. However, I did read some that existing recurring payments (so before somewhere in September) are free from SCA so I guess they will keep on being functional.
How does this look, are there things I overlooked or misinterpreted?
@hellomars Sounds like a good plan. The thing that would worry me most if I were you is the Spark (from 5 to 8) migration, as for the Bootstrap changes. But that's just a gut feeling - maybe if you have most templates untouched the impact of the change is minimal. If you want to be sure ASAP, you wouldn't have to wait for the release of Cashier 10.
We've decided to wait making plans till Aug 1st and see what the latest Stripe info is by then. Though not all info seems to be final just yet - like: how would we need to embed PSD2 validation in our current credit card form? - I expect Stripe will do most of the heavy lifting. But it's too early to tell just yet 😅
I am affected by this too. Thank you for the PR link @hazzazimi
I'm following your plan @hellomars , although a 45 day window to implement all the changes in that Cashier PR then migrating over into Spark (including all the front-end changes) isn't as comfortable as I would've liked.
I haven't heard anything about this on Twitter, which is surprising because this is a change that will affect all EU Stripe integrations from September 14th! A PSA from Taylor that someone is working on this would be appreciated.
@AAKARIM - No worries, keep in mind that Spark is getting fewer updates. I am a Spark contributor myself, but most of the stuff I recently am trying to do (upgrade ES5 to ES6, laravel-mix v4, sweetalert new version and more) on Vue files is getting rejected for no reason. I believe Spark can be much better and faster than what it currently is. To upgrade to Cashier 10 there will be a guide, and if I manage to upgrade everything on Spark on my end, I'll update you here.
Here is the Cashier 10 milestone:
Looks like we've missed that 1st July Cashier deadline!
Per the docs it seems internal to EU / EEA countries.
But I wouldn't be surprised if this quickly becomes an industry thing. The deadline and push now is just due to the regulation, is my guess. Basically, this is the two-factor equivalent for financial stuff going everywhere eventually. We've had Visa Secure, BankID and a handful of similar things in Norway for quite a while, and I'd presume I'll be needing my BankID on more and more purchases going forward.
https://stripe.com/docs/strong-customer-authentication
Prepare for SCA and update your Stripe integration if all of the following apply:
- Your business is based in the European Economic Area (EEA) or you create payments on behalf of connected accounts based in the EEA
- You serve customers in the EEA
- You accept cards (credit or debit)
I'm a little confused, if Stripe is handling the payment then isn't it the case that it is their responsibility to handle this second level of authentication?
What is the status of the latest version of Spark in regards to this?
Thank you!
If Stripe is handling the payment then isn't it the case that it is their responsibility to handle this second level of authentication?
Yes, they are and they will. But it also means that you need to use their latest API and/or be compatible with their latest workflow and tooling.
Though it hasn't been officially confirmed, I expect that Stripe will email customers automatically to get a confirmation on the strong customer authentication anyway.
What is the status of the latest version of Spark in regards to this?
No word about it in the latest (v8.0) docs ...
That's really helpful - thank you @dr-bob :)
Hopefully something good will come in Spark v9!
mmm the clock is still ticking. I did get an email from Stripe in which they use a more realistic percentage of affected customers. Is there some info available for release of Spark 9?
Received the same email today:
Our information shows that 29% of your yearly payments volume could be impacted by upcoming SCA requirements. Although we anticipate a gradual enforcement of SCA, we expect the first banks to start declining payments without two-factor authentication on 14 September. As a result, we still recommend updating your integration before 14 September to help avoid increases in declined payments.
This percentage seems more realistic than the ~100% they say is affected on my dashboard. I might be wrong, but at the moment I don't expect we'll have a huge problem if we do nothing. Though the email says 29% in our case, I have no idea what they based this number on. And even if a certain percentage will be rejected at first, Stripe will email the customer for the additional authentication if required.
Still I'm leaning towards dropping Cashier from our Spark 5, as in creating a native Stripe workaround based on Billing or Checkout.
The milestone is now complete on the GitHub repo. Now I guess we await a v10 full release of Cashier and integration into Spark.
Cashier 10 is out! https://twitter.com/laravelphp/status/1161292728237547520 https://github.com/laravel/cashier/blob/10.0/UPGRADE.md
I'll be waiting until September 1st for a Spark upgrade, if we don't hear anything then I'll be frantically working to upgrade it myself.
Email update from Stripe:
Earlier this week, the UK regulator granted an 18 month phase-in period to give banks and businesses more time to prepare for these new requirements. As a result, we don’t expect banks to fully require SCA for payments from UK cards until March 2021.
Stripe updates will be posted here: https://support.stripe.com/questions/strong-customer-authentication-sca-enforcement-date
Stripe made a useful change to https://dashboard.stripe.com/sca-update as it now shows real data from your own transactions:

So I'll be keeping an eye on this page closely in the next few weeks 🙄😅
Although it's a nice idea it doesn't work so well for us Spark users, it only tells you whether you're using the correct API, not whether 3D Secure is implemented correctly in your app, which is the issue with Spark.
So .... SCA-Day was 3 days ago ... anyone experiencing issues yet? We are currently testing with the Regulatory test card numbers that Stripe now provides.
We do need to make adjustments in our Spark 5 app when testing with the card that "requires authentication on all transactions, regardless of how the card is set up" and are currently trying out some options. If successful, I will share details here later.