Stripe SCA Compliance

As full SCA compliance was enforced at the beginning of this week in the UK, we’ve been supporting various users through the issues that have cropped up.

One to note concerns Stripe and the API version that you may be using within the Stripe portal. If, like many of our clients, you set up Stripe some time ago and enabled the API version that was current at the time, you may never have needed to go into Stripe and update to the latest, or, if you’re using multiple accounts, you may have the default set to an older one.

If that is the case, you may now experience a high volume of rejections. Depending on the way that CiviCRM is configured, this can lead to further problems as customers retry and funds are held on their card for up to an hour.

To cure this, you probably need to update the API version being used within Stripe.

  • Log in to your Stripe account
  • Click the ‘Developer’ link (top right of the page)
  • In the ‘API version’ section, check whether the ‘latest’ API version 2020-08-27 is set as ‘default’; if not, upgrade the API version to the latest version 2020-08-27 (the upgrade link should be on the right side of the ‘API version’ section)

If you are finding Stripe and CiviCRM challenging, feel free to reach out to us.

We’ve Launched CiviCRM.TV!

Last Friday, Team Veda streamed our first episode of a brand new bi-weekly YouTube Live Stream called CiviCRM.Tea{with}Veda ☕ – CiviCRM.TV for short!

Every other Friday, we will choose a different CiviCRM topic to discuss, build and demo live on air to help you on your own CiviCRM journey. It’s an informal, interactive session with something for all CiviCRM skill levels including end-users, administrators and developers. 

Bar a few initial technical difficulties, we successfully streamed EP01 ‘Installing CiviCRM in WordPress’ last Friday. We’ve previously hosted webinars and online meetups but this was our first time ever doing a YouTube Live Stream and we thought it would be useful to share some lessons learned from the experience.

We used Open Broadcaster Software (OBS) to stream directly to YouTube and control the scenes. It’s an incredibly powerful piece of open source software that can be used to control your stream scenes, layout, thumbnails, video and audio sources, integrate chat windows etc and we’d highly recommend it.


  • STREAM KEYS: Ensure you have the correct stream key from your YouTube Live Stream. We scheduled the episode on YouTube first, took the stream key and added it to OBS. It appears there are some inconsistencies with OBS if you don’t consistently stick to either the new YouTube stream interface or the classic. Get your stream keys with ample time before you go live.
  • MULTITASKING: I worked from two screens. One was my main screen-sharing monitor with the browser, terminal etc to be shown on the stream. The other had my episode notes and OBS. It’s easy to miss the incoming YouTube Live chat and interaction from viewers; a third monitor/tablet of some kind would solve the need to keep alt-tabbing and breaking the flow.
  • NOTIFICATIONS: Turn incoming notifications off. I usually use Muzzleapp to block notifications when screen sharing. It was buggy with OBS and live streaming and we had a few instances of internal IM chat pop up on screen.
  • FEEDBACK: I’m sure I’m not the first to acknowledge that presenting to a virtual audience can be challenging! In face to face presentations you can see faces, reactions, engagement and read the room to adjust accordingly. Presenting to an invisible audience where the only feedback loop available is the live chat box can initially feel disconcerting. Keep calm, keep checking in for questions and carry on!


Go to the official Veda Consulting Company YouTube channel and SUBSCRIBE and CLICK THE BELL icon to be notified when we go live. The next episode will be on Friday the 24th of July at 2PM BST and will continue bi-weekly after.

If you miss a CiviCRM.TV episode, don’t worry, it will be available to watch on our YouTube channel after the broadcast has ended.


Is there an area of CiviCRM you’d like to learn about? Some specific functionality or an extension you’d like us to deploy and configure live on-air? 

If you have an idea for a Tea{with}Veda episode, we’d love to hear it! Please post your suggestion to our ideas hub, and/or upvote an existing suggestion for a topic you’d most like to see us talk about!

Look forward to seeing you at our future episodes! 



If you’re a Stripe or PayPal customer you may have received communications around the Strong Customer Authentication (SCA) requirements.

Although the changes are pertinent, the SCA requirement has been delayed in the UK until 2021.

Stripe, among other payment processors, has continued to indicate that its clients must update their systems to comply with the SCA regulations, stating that failure to do so could result in declined payments. However, when we contacted Stripe, they confirmed that the enforcement is not going to take effect for British cards. If there are European card payments from outside the UK, where there is no enforcement delay, then this may lead to declines.

Veda NFP Consulting is working with the CiviCRM community to update payment processors to comply with this regulation, with the aim of having an update to the payment extensions within a few weeks. An updated CiviCRM Stripe extension was released on the 13th of September 2019 and we are in the process of evaluating the new version.

More information from the FCA here


CiviCRM online registrations / signups in WordPress are generally hit by session / qfKey errors, which are more common in WordPress than Drupal. There is a list of incompatible plugins on the CiviCRM docs site –

We experienced this issue and now would like to share our findings with you in this post.


Open a CiviCRM event registration page in one browser, complete no details and hit submit – this throws an error, which is expected.

Open the same event registration page in another browser, again don’t complete any details, and hit submit => it does not throw any errors and just refreshes the page, OR throws an invalid session key error, OR, if used with a shortcode, gives an id not found error.


If we look at the source code of the page in the second browser, the hidden qfKey element is populated with the qfKey from the first browser. This is wrong, because each browser has its own session key, producing separate qfKeys for Civi. When we looked at the code, the code was correctly producing the new qfKeys, but the HTML contained a different (stale) qfKey, causing invalid session key errors. We concluded that the page was getting cached somewhere.

We tried disabling all the cache plugins, and / or setting up cache plugins and adding exceptions for Civi pages, which didn’t seem to work for our case.

There were some PHP save-path errors as well (PHP v5.6 on Plesk), but resolving them didn’t solve our issue.

We started looking at the theme, and found that the custom theme was using Timber, which was caching the pages. (Timber helps you create fully-customized WordPress themes faster with more sustainable code. With Timber, you write your HTML using the Twig Template Engine separate from your PHP files.)

Specifying a small cache timeout with Timber solved the problem.

Conclusion / findings:

Disabling caching for Civi front-end forms would resolve most of the session key errors with WordPress. It looks as though, if we can automate comparing the qfKey in the HTML against the one generated by the code, this problem can be resolved quickly.

So, what causes a page to cache? If it’s not WordPress, then it looks like a plugin or theme.
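One way to automate that comparison, as an added example (not code from this post or from CiviCRM): it extracts the hidden qfKey from pages fetched by independent, cookie-less sessions and reports any key that was served to more than one of them. The session labels, sample pages and key values are constructed for illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser


class QfKeyParser(HTMLParser):
    """Collects the value of every <input name="qfKey"> on a page."""

    def __init__(self):
        super().__init__()
        self.keys = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "qfKey" and a.get("value"):
            self.keys.append(a["value"])


def extract_qfkeys(html):
    parser = QfKeyParser()
    parser.feed(html)
    return parser.keys


def find_shared_qfkeys(pages):
    """pages maps a session label (one per cookie-less fetch) to its HTML.

    Returns {qfKey: [labels]} for every key served to more than one
    session, which means the HTML came from a cache and not from a
    fresh render for that session.
    """
    seen = defaultdict(list)
    for label, html in pages.items():
        for key in set(extract_qfkeys(html)):
            seen[key].append(label)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


# Constructed sample pages: browser B received browser A's cached form.
FORM = '<form><input type="hidden" name="qfKey" value="{}"><input name="email"></form>'
SAMPLE_PAGES = {
    "browser-a": FORM.format("constructed_key_aaaa1111"),
    "browser-b": FORM.format("constructed_key_aaaa1111"),  # stale cached copy
    "browser-c": FORM.format("constructed_key_cccc3333"),  # fresh render
}

if __name__ == "__main__":
    for key, labels in find_shared_qfkeys(SAMPLE_PAGES).items():
        print(f"qfKey {key} served to {labels}: page is being cached")
```

To run it against a live site, fill `pages` with the HTML of the same form fetched by separate HTTP clients that share no cookies.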

We hope you find this blog useful and that it will save you some time to troubleshoot this issue. Do leave us a comment below if you have any feedback!

GDPR and CiviCRM

Our new extension aims to enable charities/organisations to manage their supporters in a GDPR compliant manner. GDPR in itself does not introduce many new requirements; however, it does introduce a number of new obligations on organisations that hold and use data about individuals.

It’s important to understand that simply moving to an opt in process and regarding all existing contacts as being opted out overnight is probably not what is best for your organisation. There are many factors to consider before determining whether to base your marketing contacts on an opt in. For example, a membership organisation is likely to be well within its rights to base member communications on the organisation’s ‘legitimate interests’ unless the member explicitly opts out. You may also be able to import contacts from third party fundraising systems, where they have already stated that they are happy to be contacted by the charity they are fundraising for. The overall aim of this extension is to help organisations navigate the journey to GDPR compliance without compromising their presence with and income from their existing supporters.

Under GDPR, therefore, you need to be able to record whether your contacts have given consent to receive marketing.  If so, you must be able to show who consented, when they consented, how the consent was given, and exactly what the consent is for (including for which communications channel – post, email or phone, for example).

If you have not asked them to provide consent, your marketing would be based on ‘legitimate interests’.  In this case you must record any contact from them asking not to receive marketing, or specifying which marketing they do not want to receive.  You should also be able to show that your legitimate interests are not outweighed by their interests.  If people don’t respond to your communications over a period of time, the longer this goes on, the harder it might be to argue that you still have a legitimate interest in contacting them.

More details about GDPR and CiviCRM can be found at

The current version of this extension does the following:

  • Allow you to record the data protection officer for your organisation
  • A new tab ‘GDPR’ in contact summary will display group subscription log for the contact
  • Custom search ‘Search Group Subscription by Date Range’ which can be accessed from GDPR Dashboard
  • Access list of contacts who have not had any activity for a set period of days from GDPR Dashboard
  • Ability to force acceptance of data policy/terms and conditions when a contact logs in and recording this as an activity against the contact with a copy of the terms and conditions agreed to. This is currently Drupal specific.
  • The right to be forgotten, allowing users of CiviCRM to easily anonymise a contact record, hiding any personal details but keeping the financial and other history. The action also exists as an API and therefore can be bolted into other processes.

Future releases will include

  • User friendly communication preferences, moving to explicitly worded opt in mechanisms.
  • Communication preference to include medium per group. Currently CiviCRM supports include or exclude from a group, but it does not allow for the selection of the communication medium that should be used, for example: happy to receive email newsletters but please don’t send me any other emails.
  • Recording audit information when a contact is exported
  • Allowing all exports to be produced with passwords if produced with the MS Excel Extension.