Stripe 3DS Verification

Understand how Stripe's 3D Secure (3DS) verification works in OfficeRnD Flex and when members or admins must authorize card payments.

Written by Yasen Marinov
Updated this week

Card payment security rules in the European Union require stronger authentication for online transactions. This is known as Strong Customer Authentication (SCA) and, in many cases, involves 3D Secure (3DS) verification. With OfficeRnD Flex's Stripe integration, payments are SCA-compliant, but you need to understand how 3DS works to manage member payments effectively.

This article will help you learn when 3DS verification is triggered, how on-session and off-session payments differ, what "Setup Intents" and "Payment Intents" mean, and what actions you and your members need to take when a payment requires authorization.


Summary

  • 3DS verification is mandatory for card payments under Strong Customer Authentication (SCA) regulations in the EU.

  • On-session payments are verified directly by the member on the Member Portal.

  • Off-session payments send an email with a bank-issued authorization link.

  • Authorization links can expire at any time, up to a maximum of 72 hours.

  • A "Setup Intent" can reduce, but not remove, future authorization requests.

  • Banks may invalidate setup intents without notice, requiring card re-authorization.


What is Stripe 3DS verification?

3DS verification is an extra security step required by banks to confirm that the person making a card payment is the legitimate cardholder. It is part of the Strong Customer Authentication (SCA) regulations in the EU.

You may encounter 3DS verification if:

  • A member pays through the Member Portal (on-session).

  • An admin processes a payment on behalf of a member, or an automated payment is scheduled (off-session).

  • A card is added to a member's account for the first time.

  • The bank's fraud detection system flags the transaction.

Admins might deal with 3DS in scenarios where:

  • Members fail to authorize an off-session payment.

  • The email link for payment authorization expires.

  • A bank changes its rules, causing previously authorized cards to require reauthorization.

How 3DS verification works

3DS verification is a security requirement for card payments under EU SCA regulations. It applies to all members and cannot be disabled. Understanding how it works will help you manage payments effectively and avoid unnecessary failures.

In practice, understanding 3DS verification helps you:

  • Ensure all card payments comply with EU SCA requirements.

  • Manage on-session and off-session payments effectively.

  • Prompt members to authorize payments securely via email or portal actions.

  • Reduce failed payments by encouraging members to set up and maintain a valid "Setup Intent".

  • Understand why some payments still require authorization even after a card is authorized.

When a member pays on-session through the Member Portal, they only need to click a confirmation button to complete 3DS. Off-session payments trigger an email with an authorization link. If that link is not used before it expires (up to a maximum of 72 hours), the payment will fail and may need to be retried.

Managing payments with 3DS verification

Read the following points to understand how to handle authorization in different scenarios.

Handle on-session payments

When members pay while logged into the Member Portal, they authorize the payment in real time.

  • They complete 3DS verification by clicking the bank's authorization button.

  • No admin action is required unless the payment fails for another reason.

Handle off-session payments

Off-session payments require extra steps, as the member is not present to approve the payment directly.

  • Off-session payments are processed by an admin or scheduled automatically (for example, during a Bill Run).

  • The member receives an email from Stripe with a bank-issued authorization link.

  • Link expiration time is set by the member's bank and can range from a few minutes to several hours.

  • OfficeRnD automatically fails pending card payments after 72 hours. If no action is taken, the bank may fail them after about a week.

Add a new card

Adding a card always requires member authorization to approve its future use for payments.

  • This authorization is called a Setup Intent.

  • If the member adds the card, they complete authorization directly in the Member Portal.

  • If an admin adds the card, the member receives an email with a link to authorize it.

Understand Setup Intents and Payment Intents

Knowing the difference between these two terms helps you manage payment flows and authorization prompts effectively.

  • Setup Intent: Authorizes a card for future use. Improves the chance that payments will not require 3DS, but does not guarantee it.

  • Payment Intent: Created whenever a payment is attempted. Without a valid Setup Intent, authorization will always be required.

Changes in bank policies

Be aware that changes in bank security rules can affect whether payments require reauthorization.

  • Banks may change security rules at any time, which may invalidate existing Setup Intents.

  • Stripe and OfficeRnD are not notified when this happens.

  • Members may need to re-add and reauthorize their card to reduce future 3DS prompts.


FAQ: Stripe 3DS verification

Why do some payments still require 3DS even after a card is authorized?

Even if a card has a valid Setup Intent, the member's bank can still require 3DS verification based on its internal risk and security checks. For example, if a member suddenly makes a much larger payment than usual or pays from a new location or to a new vendor, the bank may trigger 3DS as an extra layer of security.

How long does a payment authorization link last?

The expiration time for the link is determined by the member's bank and can vary from minutes to several hours. OfficeRnD automatically fails pending payments after 72 hours if they remain unauthorized.

What happens if a payment fails due to an expired 3DS link?

If a member does not authorize the payment before the link expires, the payment will fail. The admin can retry the payment after confirming the member is ready to complete 3DS authorization.

What is the difference between Setup Intent and Payment Intent?

A Setup Intent authorizes a card for future use and can reduce the frequency of 3DS prompts. A Payment Intent is created for every attempted payment, and without a valid Setup Intent, the payment will always require 3DS.

Why do members sometimes have to re-add their card?

Bank policy changes can invalidate existing Setup Intents without notice to OfficeRnD or Stripe. For example, a bank might tighten security rules after a data breach, which could cause all previously authorized cards to require reauthorization. Re-adding and reauthorizing the card helps reduce the chances of repeated 3DS prompts.

Can admins bypass 3DS for members?

No, 3DS is a bank-mandated security process. Admins cannot bypass it. The member must authorize the payment through their bank's verification process. For example, if a member calls in asking an admin to “approve the payment for them,” the admin must explain that only the bank’s verification process can complete the authorization.
