From Stripe:
Last month, we wrote to tell you about Strong Customer Authentication (SCA), a new European regulatory requirement that will require two-factor authentication on many online payments beginning 14 September 2019. You'll need to make updates to your Stripe integration to prepare for these changes.
We've created tools in the Stripe Dashboard to help you understand how SCA will impact your business and what integration changes will be required. We recommend that you review this information and start planning for these changes soon to be ready for SCA.
https://stripe.com/gb/payments/strong-customer-authentication
My understanding of this is that it will affect all checkout using saved cards. It will also break our subscriptions functionality.
Please can we understand:
1) Spec and T-shirt size for continued function of shop checkout for users using a new card. (Is there any change required?)
2) Spec and T-shirt size for continued function of shop checkout for users using an existing card. Here there is a change required.
3) Spec and T-shirt size for continued function of subscriptions. It looks like this will be where we see the biggest implications.
https://stripe.com/gb/guides/sca-payment-flows#utility-bill
Lots of exemptions will apply to us. Which is great and should minimise the impact of this on us. However we need to be able to handle the cases in which the SCA applies as well:
https://stripe.com/gb/guides/strong-customer-authentication#exemptions-to-strong-customer-authentication
Interesting.
I think I disagree with the S2 tag. This is very important and needs to be addressed before September 2019 but should not block the closing and release of the subs epic/feature. I think we should release the feature, close the epic, and iterate from there with things like this.
A new regulatory requirement is not really a bug, is it?
Yes, I agree with you @luisramos0
@luisramos0 I am not attached in any way to how this is prioritised. Now it is reported. Change as you will.
We discussed in Slack, this is an improvement under "All the things", could go to "Bug backlog" where there are other improvements like this.
We don't really have a process for these yet but looks like the most sensible thing to do is to get it on the agenda for the next delivery train catch up meeting and decide where this fits in "Dev Ready".
Removing from subs v1 epic as this is extra scope.
We missed this topic in the delivery train catch up July 2nd, didn't we?
I am not attending the del train catch up on the Aug 6th, how do we add this to the agenda?
@luisramos0 the item is on the agenda for Aug 6th, so I guess we will assess priority at that point. Do you want to be in that conversation? If yes we might need to schedule a special call then.
ok. no, I don't need to be on this call.
I think this investigation is closely related to Bancontact spike #3901 because I think Bancontact will require 2 step auth just like PSD2.
One important thing to check is, can we be exempt? https://stripe.com/gb/guides/strong-customer-authentication#exemptions-to-strong-customer-authentication
I started having a look at this, but I'm not sure I'll have time to get very far with it this week.
Notes:
- stripe gem, and it's updated by Stripe really often.
- Stripe.js library, which integrates with most Stripe API functionality.
- The new systems Stripe has created seem to be designed to make it as easy as possible to continue taking payments, like automatically applying whatever exemptions can be applied at all times. To use the new systems we need to use the Payment Intents and Setup Intents APIs.
Setup Intents is available in version 4.21.0 of the stripe gem: https://github.com/stripe/stripe-ruby/pull/803/files and applies more to subscriptions.
Using stripe Elements we should be able to have Stripe show a modal during payments that handles any extra authentication requirements for the SCA.
For subs we'll need to use SetupIntents when creating a new sub, and it may require a new authentication step at the point the sub is first made. In some cases if we're processing a payment asynchronously (like a sub) and it fails due to triggering an SCA rule (seems like this could be totally unpredictable), we may need to capture that response and send a notification to the user and ask them to log in and authorise the payment.
We might need a new non-checkout payment-handling/card-authorising page for these cases?
Thanks for starting on this @Matt-Yorkley
Question for whoever is next picking up the baton....
Will there be any change to the flow when customers are saving a card for the first time now - do we need to manage any additional authentication?
Will there be any change for customers that saved a card previously? Will this be solved by asking them to reenter their card details or do we need an additional step to the payment flow to handle this?
It looks like Subs will be most affected. Again, will existing saved cards be affected? Or only new subs?
I agree that triggering SCA rules will be totally unpredictable. Banks will be pulling out different stops to abide by the rules. So we need to make sure we can handle the cases of triggering with minimal disruption to users.
Would be good to get to a t-shirt size on the required changes.
And unless someone can irrevocably and demonstrably prove otherwise my instinct is that we need to be able to handle triggering an SCA rule in each of our payment flows.
I think regular payments will be affected by this, yes. We'll need to put them through the PaymentIntents API, and it may trigger an additional verification step, but it looks like the idea is that Stripe will basically handle this step for us, by showing a modal to the user via Stripe's Elements module, which I think we already use. I think code-wise this part will be pretty easy, but we'll need a lot of testing and speccing. Size: M.
Payments are now basically categorised as "on-session" (user is at the computer) and "off-session" (user is AFK). The latter will be more complicated.
No idea about existing cards or subs.
I'm reluctant to give a t-shirt size for subs just yet, but it won't be small. I think we need to start immediately, and given that we have ~4 weeks and multiple devs will be on holiday for some of that time, I think we should get everyone on this until it's done.
Stripe has some really handy test credit cards that respond in different ways, to simulate different bank requirements or requests for authentication in development: https://stripe.com/docs/payments/payment-intents/quickstart#testing
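The two comments above describe the same decision: after a PaymentIntent is confirmed, the integration has to look at the result and either fulfil the order, hand control to Stripe.js/Elements so the bank's authentication modal can be shown (on-session), or, for an off-session subscription payment, record that the customer must be brought back on-session and notified. The Ruby below is an added example written for this thread, not OFN code and not code from the stripe gem. It works on plain hashes shaped like a PaymentIntent response so it runs without the gem; the field names `status`, `next_action`, `last_payment_error` and `client_secret` exist in the real API, but the status values it branches on are taken from my reading of the Stripe docs and should be checked against them, and every `pi_example_*` value is constructed for the example.

```ruby
# Added example: routing a confirmed PaymentIntent to the right follow-up action.
# "on_session" follows the thread's meaning: true when the customer is at the
# keyboard (checkout), false for background payments such as subscription renewals.

# Constructed sample responses shaped like Stripe PaymentIntent objects.
# Ids, secrets and error messages are made up for this example.
SAMPLE_INTENTS = [
  { 'id' => 'pi_example_1', 'status' => 'succeeded' },
  { 'id' => 'pi_example_2', 'status' => 'requires_action',
    'client_secret' => 'pi_example_2_secret_constructed',
    'next_action' => { 'type' => 'use_stripe_sdk' } },
  { 'id' => 'pi_example_3', 'status' => 'requires_payment_method',
    'client_secret' => 'pi_example_3_secret_constructed',
    'last_payment_error' => { 'code' => 'authentication_required',
                              'message' => 'constructed: bank asked for SCA' } },
  { 'id' => 'pi_example_4', 'status' => 'requires_payment_method',
    'last_payment_error' => { 'code' => 'card_declined',
                              'message' => 'constructed: insufficient funds' } },
  { 'id' => 'pi_example_5', 'status' => 'processing' }
].freeze

# Returns one of:
#   :fulfil            money captured, complete the order
#   :authenticate_now  on-session: give client_secret to Stripe.js so Elements can
#                      show the bank's authentication step
#   :notify_customer   off-session: store the intent and ask the customer to log in
#                      and authorise the payment (the page the thread suggests)
#   :new_card          a plain decline, not an SCA challenge; ask for another card
#   :wait              still processing; wait for the webhook
def next_step_for(intent, on_session:)
  case intent['status']
  when 'succeeded'
    :fulfil
  when 'requires_action', 'requires_confirmation'
    on_session ? :authenticate_now : :notify_customer
  when 'requires_payment_method'
    # An off-session attempt that hit an SCA rule is reported as an error with
    # code authentication_required rather than as a normal decline, so it is
    # distinguished here from a genuinely unusable card.
    error_code = (intent['last_payment_error'] || {})['code']
    if error_code == 'authentication_required'
      on_session ? :authenticate_now : :notify_customer
    else
      :new_card
    end
  when 'processing'
    :wait
  else
    raise ArgumentError, "unexpected PaymentIntent status: #{intent['status'].inspect}"
  end
end

# Builds the record an app would persist for a :notify_customer outcome: just
# enough to send an email and later drive confirmCardPayment from the page the
# customer lands on. Nothing secret beyond the client_secret, which is what
# Stripe.js needs on that page anyway.
def authentication_request_for(intent)
  {
    payment_intent_id: intent['id'],
    client_secret: intent['client_secret'],
    reason: (intent['last_payment_error'] || {})['message'] || 'authentication required'
  }
end

# Summarises a batch of intents, e.g. the results of a subscription billing run.
def triage(intents, on_session:)
  intents.each_with_object(Hash.new { |h, k| h[k] = [] }) do |intent, groups|
    groups[next_step_for(intent, on_session: on_session)] << intent['id']
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "off-session run: #{triage(SAMPLE_INTENTS, on_session: false)}"
  puts "on-session run:  #{triage(SAMPLE_INTENTS, on_session: true)}"
end
```

The point of separating `authentication_required` from other `requires_payment_method` failures is that the two need different user journeys: an SCA challenge can be completed with the card already on file, while a real decline needs a new card. Treating both as "card failed" would push every challenged subscriber into re-entering card details.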
Thanks @Matt-Yorkley
Ok I'll dedicate my next test time (after release testing) to this
Hi all,
Today UK received this email:
_Earlier this week, the UK regulator granted an 18 month phase-in period to give banks and businesses more time to prepare for these new requirements. As a result, we don't expect banks to fully require SCA for payments from UK cards until March 2021._
For the UK this means we'd be happy downgrading the issue.
Of course these changes are EU wide and not just UK so it would be good to hear from other instances.
@RachL @myriamboure @sauloperez @luisramos0 @theo @sigmundpetersen @kirstenalarsen (for Germany) ....
Have you had any similar updates?
hurray for the FCA!
but that doesn't mean Stripe will not enforce it in September, does it?
The email was from Stripe. It is exactly what it means.
They also said:
_Our information shows that 99% of your yearly payments volume is from UK cardholders. We still recommend updating your payments flow as early as possible to help avoid an increase in declines from other European cards, or in case of an early enforcement by select banks._
Other EU countries may well be subject to SCA rules earlier... and some UK banks might implement earlier.
No problem for Germany at this point, not using Stripe that I know of. With @myriamboure @RachL and @sauloperez on leave, and @luisramos0 from tomorrow, I'd be inclined to apply the precautionary principle here i.e. assume this is still a problem until we have evidence otherwise. We're going to have to do it anyway, so might as well do it now?
I've started creating issues for this epic. The tentative general requirements are already here: #4170. Do let me know your thoughts.
@lin-d-hop maybe you could "code review" this and close if you are happy with the scope of #4170 👍 Great work btw @kristinalim 🎉
Awesome work @kristinalim !!
@lin-d-hop Stripe hasn't sent us this email. I will try to search a bit on it.
I think I'll close this one now, as the outcome of the spike is now covered very thoroughly in epic: #4170