• Resolved eddypiv

    (@eddypiv)


    Hi,

    What I like about your plugin is that one can configure EU payment methods per country. Very good, it makes it nice and to-the-point.

    I’m starting using it now together with WooCommerce Subscriptions. For subscriptions I see no local EU payment methods, they don’t appear for subscriptions. I can understand that, as they are actually the implementation of the SEPA credit transfer.

    If I activate SEPA, then it does show up on the checkout of subscriptions, but also of the single/one off payments.
    I don’t think SEPA in itself is a payment method. SEPA contains 2 “cashless payment instructions”: credit transfers and direct debits. (https://www.ecb.europa.eu/paym/integration/retail/sepa/html/index.en.html)
    The credit transfer is nicely available in the various local payment methods. But where is the direct debit?

    My observations:
    When I pay with the plugin for a subscription using the SEPA payment method, I just have to fill in my IBAN number, and that’s it. I don’t need to sign/authenticate that I am the accountholder?? And the status of the order is Completed.
I would expect that the local payment methods (iDEAL, Bancontact, Sofort etc) would be used to sign the direct debit. But it’s not. No signature at all, and the order is marked as Completed.
    Pls explain.

But it gets worse, I’m afraid. Now SEPA is activated, also for the one off / single payments the client can pay without signing, by choosing SEPA instead of iDEAL etc.

    Am I missing something / not understanding it correctly? I hope so. Pls explain.

If my observation is correct, then I guess the correct things to do are:
    – Change SEPA to SEPA Direct Debit, and make it only available to subscriptions
    – Have SEPA Direct Debit signed with one of the local payment methods.

Looking forward to your advice.

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author Clayton R

    (@mrclayton)

    Hi @eddypiv

    I’m starting using it now together with WooCommerce Subscriptions. For subscriptions I see no local EU payment methods, they don’t appear for subscriptions. I can understand that, as they are actually the implementation of the SEPA credit transfer.

    Most of the local payment methods do not currently support automatic renewal of subscription payments. You can use the manual renewal option that WooCommerce Subscriptions offers for those payment methods.

    If I activate SEPA, then it does show up on the checkout of subscriptions, but also of the single/one off payments.

    That’s because SEPA supports subscriptions and one-time payments. You can read more about Stripe’s integration with SEPA here.

    Am I missing something / not understanding it correctly? I hope so. Pls explain.

If you believe this integration is not secure, I’d recommend you express your concerns to the Stripe team. We have integrated SEPA per the documentation that Stripe provides. There is no additional step or security that our plugin is bypassing. Any change would have to come from Stripe’s end since we have used the tools and functionality they provide.

    Kind Regards

    Thread Starter eddypiv

    (@eddypiv)

    Well, I spoke with the Stripe team before. They are speaking about SEPA Direct Debit – you actually refer to that page yourself -, but I simply cannot find that in your plugin. Pls correct me if I’m wrong.

    So pls tell me how I can add SEPA Direct Debit with your plugin.

    I did a SEPA Payment through your plugin. The only thing I was asked was the IBAN number and my name. There was not any authentication that I was the accountholder.
Instead of immediately pointing to the Stripe team: it’s your plugin, not from Stripe. You may be a partner, but it’s your plugin so I am asking you to think along with me and explain to me how this can be a secure debit, if there is no other checking than IBAN number and name.

    I don’t want to be negative or critical, I actually would prefer your plugin over the one from the WooCommerce team. But I need to understand how to configure it correctly. So expecting your help.

    Thanks, kind regards,
    Eddy

    Plugin Author Clayton R

    (@mrclayton)

    Well, I spoke with the Stripe team before. They are speaking about SEPA Direct Debit – you actually refer to that page yourself -, but I simply cannot find that in your plugin. Pls correct me if I’m wrong.

    I am not understanding what it is that you’re asking exactly. SEPA is a direct debit payment method because the customer provides their account info and the payment amount is debited from their account. If you read the documentation that I linked to, it refers to the process by which a payment can be collected and that’s the process we have implemented in this plugin.

    So pls tell me how I can add SEPA Direct Debit with your plugin.

What is your definition of SEPA direct debit? Do you have some link to Stripe that defines it differently than the link I provided to you in my previous response? If so please share it so we can review.

    I did a SEPA Payment through your plugin. The only thing I was asked was the IBAN number and my name. There was not any authentication that I was the accountholder.

That is how Stripe coded their integration. We as the plugin developers must adhere to the APIs that Stripe provides us and that is what we have done. There is no additional authentication required, unless you test in production mode and observe something different. It could be a slightly different process in test mode compared to live mode.

Instead of immediately pointing to the Stripe team: it’s your plugin, not from Stripe. You may be a partner, but it’s your plugin so I am asking you to think along with me and explain to me how this can be a secure debit, if there is no other checking than IBAN number and name.

What I hope you understand is that we can’t force Stripe to create APIs or payment flows that don’t exist. We must follow the payment flow that Stripe has created for their payment methods. The payment flow that exists is the one that Stripe has created and we code the plugin to that specification. If you believe there is some additional authentication step that’s missing, you need to express that to Stripe so they can implement that in their SEPA payment flow.

    Kind Regards,

    Thread Starter eddypiv

    (@eddypiv)

    In SEPA there is a fundamental difference between a credit transfer and a direct debit.
A credit transfer is initiated by the accountholder and cannot be revoked by him, as he himself initiated and signed the payment. The credit transfer is a guaranteed payment: when the beneficiary (shop owner) is advised of the credit, he can be sure he is paid.

A direct debit is initiated by the beneficiary. For collecting the money, he needs a SIGNED mandate from the accountholder. Every time he collects the funds, he needs to advise the accountholder, the funds take 2-3 days to arrive (if there is sufficient balance on the account) and the accountholder can revoke the collection (I believe within 8 weeks).
    So with a direct debit, the beneficiary is uncertain about the credit for at least the initial 2-3 days.

    If I sell products in a webshop (not subscriptions!), my client’s payment through the local EU payment methods like iDEAL, Sofort and Bancontact are credit transfers, and are guaranteed payments. I can release the products upon payment.
    I sell downloadable products, my client expects he can download immediately after the payment. With iDEAL and others this can be done.

    If I sell a membership (subscription) with renewal option, that’s a direct debit. One may argue that the 1st payment should be considered a sort of credit transfer with a check of sufficient balance, but definitely the renewals are initiated by the shop owner and he’s unsure for 2-3 days if funds will arrive.
    As I said: for the collection I need a signed mandate.

    Both credit transfer and direct debit are SEPA payments.
    Stripe Documentation handles STRIPE Direct Debit, your plugin does not make this difference, it’s just SEPA.
    So there is a difference between the Stripe documentation and your plugin!!

    SEPA direct debits are to be used for collections, SEPA credit transfers for payment products, not being renewable subscriptions/memberships.

    With your plugin, how can I activate SEPA direct debits for subscriptions only, and not for (downloadable) products??

    I activated SEPA in your plugin in LIVE environment. It opened the option for the client to pay for (my downloadable) products that I only want to deliver when I have received the funds. I was able to pay for a product by just filling out the IBAN number, the name and the email address, and the order was marked as complete and I had access to the product. Not in test, in LIVE!
    There was no authentication whatsoever.

If I use your plugin for SEPA direct debit, then how do I get a SIGNED mandate without any authentication? The only solution I can think of is by making the client authenticate it through iDEAL, Sofort or Bancontact. I.e. the same payment methods used for the credit transfer.
    But that’s not what’s happening.

    That’s why I am trying to understand how I can safely use your plugin for SEPA direct debits as well.

    I hope I made my concerns clear.
    Again: I’m not criticizing your plugin, don’t get me wrong. Just trying to understand that I as shop owner am not opening risks.

    Thanks, regards.

    I did a payment in live environment, and I was not asked to authenticate anything

    Thread Starter eddypiv

    (@eddypiv)

    Just ignore the last line pls…

    Thread Starter eddypiv

    (@eddypiv)

    Pointing to the Stripe documentation:
    “In order to debit an account, businesses must collect their customer’s name and bank account number in IBAN format. During the payment flow, customers must accept a mandate that gives the business an authorization to debit the account. Stripe is able to generate this mandate for businesses to present to their customers.”

    Customer must accept… That’s not by just entering an IBAN number and a name, one needs a signature!

And pls, pls, pls, mind the difference: Stripe talks about SEPA Direct Debit, your plugin opens SEPA for both direct debits and credit transfers.

    Plugin Author Clayton R

    (@mrclayton)

    There was no authentication whatsoever.

    Again, if there is any authentication, that’s going to be handled by Stripe during the stripe.confirmSepaDebitPayment client side function call that Stripe’s SDK provides. We cannot force some authentication mechanism that doesn’t exist.

    That’s not by just entering an IBAN number and a name, one needs a signature!

    Our plugin provides a mandate on the checkout page which acts as the customer’s acknowledgement and authorization. You should see that mandate when you select the SEPA payment method. It is an implicit signature.

    I was able to pay for a product by just filling out the IBAN number, the name and the email address, and the order was marked as complete and I had access to the product. 

    That’s not how it’s coded so it sounds like there might be something affecting the order status, most likely a 3rd party plugin. When a product is purchased using SEPA, the Stripe plugin sets the order’s status to on-hold. Not until the payment_intent.succeeded event is triggered will the order’s status be marked as processing/completed. That can take several days in live mode since SEPA is an asynchronous payment method. In test mode, that will happen within seconds since Stripe triggers the payment_intent.succeeded event rapidly.

    Kind Regards,
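The two points raised in this exchange, restricting SEPA to subscription carts (the thread starter’s question above) and never forcing an order to Completed before payment settles (the on-hold until payment_intent.succeeded flow described in this reply), as an added example for a site’s functions.php. This is not code from the plugin or from either participant; the gateway id `stripe_sepa` is an assumption (check the id shown under WooCommerce > Settings > Payments) and WooCommerce Subscriptions is assumed active.

```php
<?php
// Added example, not the plugin's own code.
// Assumption: the SEPA gateway is registered under this id (verify in
// WooCommerce > Settings > Payments and adjust if your install differs).
define( 'EXAMPLE_SEPA_GATEWAY_ID', 'stripe_sepa' );

/**
 * Offer the SEPA gateway only when the cart contains a subscription.
 * One-off (e.g. downloadable) products then stay on synchronous methods
 * such as iDEAL, Bancontact or Sofort, whose credit is confirmed at once.
 */
add_filter( 'woocommerce_available_payment_gateways', function ( $gateways ) {
    if ( is_admin() || ! isset( $gateways[ EXAMPLE_SEPA_GATEWAY_ID ] ) ) {
        return $gateways;
    }
    $cart_has_subscription = class_exists( 'WC_Subscriptions_Cart' )
        && WC_Subscriptions_Cart::cart_contains_subscription();
    if ( ! $cart_has_subscription ) {
        unset( $gateways[ EXAMPLE_SEPA_GATEWAY_ID ] );
    }
    return $gateways;
} );

/**
 * Auto-complete only orders whose payment is already confirmed.
 * A snippet that sets every new order to 'completed' would release
 * downloads while a SEPA debit is still pending; here an on-hold SEPA
 * order is left alone until the plugin moves it to 'processing' on
 * payment_intent.succeeded.
 */
add_action( 'woocommerce_thankyou', function ( $order_id ) {
    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        return;
    }
    $is_pending_sepa = $order->get_payment_method() === EXAMPLE_SEPA_GATEWAY_ID
        && $order->has_status( 'on-hold' );
    if ( $is_pending_sepa ) {
        return; // funds not yet confirmed: keep downloads locked
    }
    if ( $order->has_status( 'processing' ) ) {
        $order->update_status( 'completed', 'Auto-completed after confirmed payment.' );
    }
}, 10, 1 );
```

WooCommerce grants download permissions on the transition to processing/completed, so leaving a pending SEPA order on-hold is what keeps the file inaccessible until the webhook arrives.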

    Thread Starter eddypiv

    (@eddypiv)

    To start with the last part: you’re right, the marking as Completed is forced by my functions.php. My mistake.

    The mandate that I see is a line on screen, and a statement “that I accept the mandate by proceeding”. That’s in no way a legal signature, not any proof that I’m the owner of the account.

    If I happen to know your account number I can enter it and get instant access – on your expenses. It may be wrong from me as shop owner to grant immediate access, but if the product is a virtual product, then the client expects instant access, not after x days when funds are confirmed.

    Instead of immediately pointing to the Stripe docs and function calls, I would like to get your view whether or not my observation is valid. Just think along with me.
    If my observation is not valid, pls tell me so – and explain, so I’ll understand and can rest in peace.
    If my observation is valid, I expect you as partner of Stripe to be in a position to get a legal acceptable response here.

    I hope you understand.

    Thanks, kind regards

    Plugin Author Clayton R

    (@mrclayton)

    If I happen to know your account number I can enter it and get instant access – on your expenses. 

    How is knowing someone’s credit card number or social security number for identity theft much different than that?

    but if the product is a virtual product, then the client expects instant access, not after x days when funds are confirmed.

    Then you as the merchant must make a decision on whether you want to offer SEPA for digital products or not. SEPA is an asynchronous payment method, meaning it can take days for Stripe to complete the payment. If you want to offer instant access to a product, then perhaps SEPA isn’t the correct payment method to offer for your given scenario.

    Instead of immediately pointing to the Stripe docs and function calls, I would like to get your view whether or not my observation is valid. 

    I keep pointing to the docs because they act as a citation for the information I am providing you. Stripe’s documentation is the definitive guide on how to execute the payment flows.

    If my observation is valid, I expect you as partner of Stripe to be in a position to get a legal acceptable response here.

    Yes, it’s possible that someone could use a compromised IBAN to perform a SEPA payment fraudulently. That can happen with pretty much any payment method though, including a credit card. While 3DS does mitigate that possibility with cards, it’s still possible. It’s up to you as the merchant to determine if that risk is acceptable.

    Stripe does not offer an authentication mechanism like 3DS for SEPA. If they did, we would implement it.

    Thanks

    Thread Starter eddypiv

    (@eddypiv)

    So you implemented an insecure SEPA Direct Debit solution, because Stripe doesn’t offer the authentication mechanism? Did you discuss it with them? Or you didn’t see the legal gap?

To me it seems you don’t understand the SEPA payment instruments. I’ve tried to explain, but it looks like I didn’t succeed.
    You still say “SEPA is an asynchronous payment method, meaning it can take days for Stripe to complete the payment.” No, it’s not. SEPA DIRECT DEBIT is that. But SEPA is also a credit transfer, a guaranteed payment instrument that merchants can act on instantly. Because you are continuously mixing them together, you’ve opened a gap for paying for products in WooCommerce. SEPA Direct Debit is an instrument for subscriptions, not for products.
For products there are iDEAL, Bancontact, Sofort a.o. as implementations of the credit transfers.

    “How is knowing someone’s credit card number or social security number for identity theft much different than that?” It’s totally different. As merchant I publish my IBAN, as I want to get paid. It’s on all my invoices. When I see my bank statement, I see the IBANs of those who paid me. IBAN bank account numbers are not secret.
    Even if it would be secret, that doesn’t mean you don’t have to obtain a signature. But you don’t, you’ve left the door open.
    What do you think the police will say when you tell them that things are stolen out of your house, and you left the door open?

    Authentication can be done by the payment instruments that are implemented for the SEPA credit transfer: iDEAL, Bancontact etc. It’s all there. A matter of using it.
    Perhaps you need Stripe to help implementing it? Go talk to them.

    I am expecting from a Stripe partner that he’s open to discuss issues with Stripe, but I don’t see that in your responses. Disappointing.

I’ve tried to get this sorted out with you, but I didn’t succeed. A pity, because – as I said a couple of times – I like your solution for the credit transfer more than the one from the WooCommerce team. But they are more open and understanding, so I’ll proceed with them.

    Thanks for your time, all the best.


The topic ‘Subscriptions within EU’ is closed to new replies.