How to configure API Keys

Support for API 2020-03-02

The API keys are necessary for the plugin to process payment requests with Stripe. There are two pairs of keys, each made up of a Secret Key and a Publishable Key: one pair for test mode and one for real mode.

API Keys

If you don’t have them yet, go to dashboard.stripe.com, register your account and click on “Account settings”.

Account settings

Go to the “API Keys” field to obtain the credentials requested by the plugin settings dashboard.

API Keys

Testing & Debug

Enable testing mode in the plugin panel to debug the payment system before going into production. You can also activate logging, so that all the actions the plugin performs on test orders are recorded. The path of the log file is shown under the Enable Logging option, as shown here. Administrators can consult the recorded logs even from their account, without Enable Logging being activated.

Enable test mode

Through an automatic check on the site URL, Test Mode is activated automatically when the plugin is enabled on a staging installation.

test mode

In normal usage you should never see the warning, but if you do something like creating a staging installation or cloning your production site, Test Mode will be activated and a warning will be shown. This protects both you and your customers.
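A cloned site keeps whatever keys were saved in production, so it is worth checking that the stored pair matches the selected mode. The check below is an added example, not the plugin's own code; the function name and the sample keys are hypothetical, and it relies only on the prefixes Stripe gives its keys (`sk_`, `rk_`, `pk_`, followed by `test_` or `live_`).

```php
<?php
// Added example, not the plugin's code: the function name and keys are hypothetical.
// Stripe keys carry role and mode in their prefix: sk_/rk_ (secret, restricted)
// or pk_ (publishable), followed by test_ or live_.
function example_check_stripe_keys(string $secretKey, string $publishableKey, bool $testMode): array
{
    $wanted = $testMode ? 'test' : 'live';
    $parse = static function (string $key): ?array {
        return preg_match('/^(sk|rk|pk)_(test|live)_\S+$/', trim($key), $m)
            ? ['role' => $m[1], 'mode' => $m[2]]
            : null;
    };
    $problems = [];

    $sk = $parse($secretKey);
    if ($sk === null) {
        $problems[] = 'Secret Key field does not hold a recognisable Stripe key';
    } elseif ($sk['role'] === 'pk') {
        $problems[] = 'Secret Key field holds a publishable key';
    } elseif ($sk['mode'] !== $wanted) {
        $problems[] = "Secret Key is a {$sk['mode']} key but the plugin is in {$wanted} mode";
    }

    $pk = $parse($publishableKey);
    if ($pk === null) {
        $problems[] = 'Publishable Key field does not hold a recognisable Stripe key';
    } elseif ($pk['role'] !== 'pk') {
        // The publishable key is sent to browsers, so a secret key here is exposed.
        $problems[] = 'Publishable Key field holds a secret key';
    } elseif ($pk['mode'] !== $wanted) {
        $problems[] = "Publishable Key is a {$pk['mode']} key but the plugin is in {$wanted} mode";
    }

    return $problems;
}

// Constructed keys: a cloned staging site still carrying the production secret key.
print_r(example_check_stripe_keys('sk_live_CONSTRUCTED', 'pk_test_CONSTRUCTED', true));
// Constructed keys: the two fields were swapped during copy and paste.
print_r(example_check_stripe_keys('pk_test_CONSTRUCTED', 'sk_test_CONSTRUCTED', true));
// Constructed keys: a consistent test pair.
print_r(example_check_stripe_keys('sk_test_CONSTRUCTED', 'pk_test_CONSTRUCTED', true));
```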

Payment methods that can be used

YITH WooCommerce Stripe offers four different payment options:

  1. Standard Checkout: the card payment form is embedded on the checkout page of your website (SSL required)
  2. Stripe Checkout: this opens Stripe checkout on a separate page after clicking on the Place order button.
  3. Elements Checkout: shows an embedded, certified form hosted by Stripe.

A quick note about PCI Compliance.

Whichever form is selected, the transaction is always handled by Stripe and never by your own server.
Yet some users require PCI compliance to certify that all sensitive card data is handled safely, especially when it’s your site that receives (even if it does not store) the card details. In this case we recommend using Elements Checkout, although an official institution is always required to certify the site’s PCI compliance.

So, what’s the real difference between Stripe Checkout and Elements Checkout?

With Stripe checkout, the form is printed out by your server (so it leaves room for collecting and handling data), whereas with Elements checkout, the form is entirely handled and printed out by Stripe, so there’s no way for the sensitive data to even go through your server.

Please note: the plugin never stores sensitive data. Nonetheless, if you want to state this in your Terms and Conditions, a third-party institution must certify it, even if you use Elements.

You can refer to Stripe official documentation to learn more about this at https://stripe.com/docs/security

Decide when to collect the payment

The administrator of the shop can decide to collect the payment right after the user’s request, or postpone it until the order is set as “Completed”. If the order is not set as “Completed” within seven days, it will be automatically cancelled.

Capture payment

Save card options

If you enable “Save Cards” in the plugin options dashboard, users can pay with one of their cards that they have used for previous orders (and saved). This will spare them the trouble of inserting their data once again.

Save cards

Users can find the complete list of credit cards they have used in the “Payment Cards” section of the “My Account” page.

Save cards in My Account page

Clicking on “Add new”, users will also be able to add the details of a new card, and the card will be available for future purchases as well.

New card

You can also choose whether to automatically register all the cards that users enter or to let them decide every time if they want to save the card or not.
You can set this option from the plugin settings in the Card registration mode section:

Save cards automatically

If you select Let user choose, the system will register cards only when the customer ticks the “Save card” checkbox during the payment.

Add billing fields

If you have installed any WooCommerce extension to edit checkout fields, this option allows you to require some necessary information associated with the credit card, in order to further reduce the risk of fraudulent transactions.

Billing fields

Blacklist options

The “blacklist” lets you hide the credit card payment option if the request comes from a user or an IP address with a previously rejected payment. When a payment request is rejected, the user is added to the blacklist, which you can check in YIT Plugins -> Stripe.

Blacklist

Refund options with Stripe

The plugin lets you partially or totally refund an order directly from the order detail page. You only need to click the “Refund via Stripe” button.

Refund

Manage payment operations directly with webhooks

Webhooks configuration lets administrators manage the payment operations directly from the account linked to Stripe.
Let us give you an example. We want to make a refund: once logged in to the Stripe account, you have two Refund options, partial or complete. In the first case, in the “Order” section of WooCommerce, the corresponding order will be set as “Completed”; in the second case, if the refund is “Total”, the order will be set as “Refunded”. In both cases, a line with the refunded amount will be added in the “Refund” section of the order.

The plugin is already configured for webhooks; you just have to add the URL you can find in the option panel to your account, as shown below.

webhook URL

Webhook endpoint

If you have correctly configured the API keys for your account, you can just click on the following button to configure the webhooks automatically.

Config webhooks

For further information about webhooks, please read the documentation.
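Stripe signs each webhook delivery with a `Stripe-Signature` header, and an endpoint that changes order status on a refund event should verify it before acting. The following is an added example, not the plugin's own code: it verifies the header and applies the partial/total refund rule described above to a Stripe `charge.refunded` event. Function names, the signing secret and the sample event are constructed.

```php
<?php
// Added example, not the plugin's code: function names, secret and event are constructed.
// Verify a Stripe-Signature header ("t=<unix time>,v1=<hex HMAC>") against the raw body.
function example_verify_stripe_signature(string $body, string $header, string $secret, int $now, int $tolerance = 300): bool
{
    $timestamp = null;
    $signatures = [];
    foreach (explode(',', $header) as $part) {
        $kv = explode('=', trim($part), 2);
        if (count($kv) !== 2) {
            continue;
        }
        if ($kv[0] === 't' && ctype_digit($kv[1])) {
            $timestamp = (int) $kv[1];
        } elseif ($kv[0] === 'v1') {
            $signatures[] = $kv[1];
        }
    }
    if ($timestamp === null || abs($now - $timestamp) > $tolerance) {
        return false; // no timestamp, or a stale (possibly replayed) delivery
    }
    // Stripe signs "<timestamp>.<raw body>" with the endpoint's signing secret.
    $expected = hash_hmac('sha256', $timestamp . '.' . $body, $secret);
    foreach ($signatures as $signature) {
        if (hash_equals($expected, $signature)) { // constant-time comparison
            return true;
        }
    }
    return false;
}
// Order status for a verified charge.refunded event, following the rule above.
function example_status_for_refund(array $event): ?string
{
    $charge = $event['data']['object'] ?? [];
    $amount = (int) ($charge['amount'] ?? 0);
    $refunded = (int) ($charge['amount_refunded'] ?? 0);
    if (($event['type'] ?? '') !== 'charge.refunded' || $amount <= 0 || $refunded <= 0) {
        return null;
    }
    return $refunded >= $amount ? 'refunded' : 'completed';
}

$secret = 'whsec_CONSTRUCTED'; // constructed signing secret
$body = '{"type":"charge.refunded","data":{"object":{"amount":5000,"amount_refunded":2000}}}';
$now = 1700000000; // fixed clock so the sample is reproducible
$header = 't=' . $now . ',v1=' . hash_hmac('sha256', $now . '.' . $body, $secret);
if (example_verify_stripe_signature($body, $header, $secret, $now)) {
    echo example_status_for_refund(json_decode($body, true)), PHP_EOL;
}
```

The HMAC must be computed over the raw request body exactly as received; re-encoding the decoded JSON changes the bytes and the comparison fails.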

SCA compliance

Since version 2.0.0, the plugin is fully compliant with SCA (Strong Customer Authentication), but what changes for the user?

On 14 September 2019, new requirements for authenticating online payments were introduced in Europe as part of the second Payment Services Directive (PSD2). So, based on specific conditions in the checkout, European customers might be asked to authenticate their payment with a second factor, an additional control that depends on the bank’s preferred system (e.g., a one-time code sent to their phone or fingerprint authentication through their mobile banking app).

This applies to all payments that are customer-initiated but does not apply to payments that are considered merchant-initiated, like recurring direct debits.

Recurring payments with YITH Subscriptions (v. 1.6.1 or greater)

Under this new regulation, specific types of low-risk payments may be exempted from Strong Customer Authentication. Payment providers like Stripe can request these exemptions when processing the payment. The cardholder’s bank will then receive the request, assess the risk level of the transaction, and ultimately decide whether to approve the exemption or whether authentication is still necessary.

The most relevant exemptions for internet businesses are:

  • Low-risk transactions
  • Payments below €30
  • Fixed-amount subscriptions
  • Merchant-initiated transactions (including variable subscriptions)
  • Trusted beneficiaries
  • Phone sales
  • Corporate payments

Please, refer to this section of Stripe documentation for more information about each of these exemptions.

Two additional exemptions apply regardless of payment amount and frequency:

  • You saved the card details before September 14, 2019
  • You explicitly tell Stripe the transaction is off-session (all recurring payments initiated by our YITH Stripe plugin are marked as off-session)

To learn more about SCA grandfathering, please, refer to this page.

Non-authenticated saved cards

For customers who saved their card details on Stripe earlier, the bank may require them to authenticate renewal orders paid with the same card as well, because the payment was not originally authenticated through this system. Our plugin lets users authenticate the payment from My Account > Payment Methods by simply clicking on the Confirm button, as shown below.

Non-authenticated renewal orders – Email

You can set up an email that will be sent whenever a recurring payment is stopped by the bank because it requires strong customer authentication. Thanks to it, you can make sure your customers get the right explanation about why the order requires these additional controls and guidance about how to go on with the authentication and payment.

The email will look like this and will include a Confirm Payment button that lets your customers authenticate the payment. You can customize it from WooCommerce > Settings > Emails > YITH WooCommerce Stripe – Payment confirmation email.

This is a preview of the email that you can send:

Email preview

Please, refer to Stripe official documentation about SCA for further details.

To read the full text of the European Directive about it, please, refer to this page.