Stripe.js CVC and Zipcode checks can be bypassed easily!

Posted 3 years ago by cristian9509

From Stripe dashboard settings: We will not decline charges if you do not pass us a CVC or postal code, nor cards with an "unavailable" check result from the bank.

I am using Stripe.js, meaning that my server never touches credit card sensitive data. However I am required to make sure the CVC and Zipcode are checked. I have set 'Decline cards if both zipcode and CVC checks fail' on my dashboard, but as the above quote states, those settings have very little meaning. I have found out that you can easily bypass both and the card would still be validated.

Scenario:

  • user lands on my credit card details page. They enter their credit card data.
  • before they click on submit which would activate Stripe.js and send data to the Stripe servers, they manually remove the data-stripe attributes from zipcode and cvc input fields and place whatever zipcode and cvc they want. Stripe.js would never send them since the inputs don't have a data-stripe anymore.
  • Stripe validates number and expiration date, sends back a token, my server adds the card to the user
  • the card gets attached to my Stripe customer and I can go ahead and charge it

With this scenario, someone with a stolen credit card would be able to just enter a credit card number and expiration date and bypass CVC and zipcode. Zipcode, and even CVC, could make a difference. I say this from experience: my card was "read" at a gas station, they tried to buy stuff but the charges failed due to wrong zipcode and CVC.

How can I do the checks on my server somehow (without touching sensitive data) for both zipcode and CVC? I cannot do much with Stripe.js since everything happens on the client side, which I have no control over.
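One way to do the check the post asks for, as an added example that is not code from the original post or from Stripe: the token Stripe.js hands back can be fetched server-side and its card object inspected before the card is attached to a customer. The field names `card.cvc_check` and `card.address_zip_check` are those of Stripe's Card object, and Stripe leaves them null when the client never submitted the value, which is exactly what the stripped `data-stripe` attributes cause. The acceptance policy (require `"pass"`, optionally tolerate `"unavailable"`), the function names, and the sample tokens below are assumptions constructed for illustration.

```javascript
// Added example, not code from the original post or from Stripe. It shows a
// server-side decision on a Stripe Token object before the card is attached.
// card.cvc_check and card.address_zip_check are Stripe's Card object fields;
// the acceptance policy and helper names here are assumptions.

// Stripe reports each check as "pass", "fail", "unavailable" or "unchecked",
// and the field is null when the client never sent the value (the case where
// the data-stripe attribute was removed from the input). Returns a reason
// string when the check does not satisfy the policy, or null when it does.
function evaluateCheck(name, result, allowUnavailable) {
  if (result === "pass") return null;
  if (result === "unavailable" && allowUnavailable) return null;
  if (result === null || result === undefined) {
    return `${name}: value was never submitted to Stripe`;
  }
  return `${name}: check result was "${result}"`;
}

// Decide whether the card behind a token may be attached to a customer.
// Returns { ok: boolean, reasons: string[] }; reasons is empty when ok.
function verifyCardChecks(token, { allowUnavailable = false } = {}) {
  const card = token && token.card;
  if (!card) return { ok: false, reasons: ["token carries no card object"] };
  const reasons = [
    evaluateCheck("cvc_check", card.cvc_check, allowUnavailable),
    evaluateCheck("address_zip_check", card.address_zip_check, allowUnavailable),
  ].filter((r) => r !== null);
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample tokens shaped like Stripe's Token object; ids are fake.
const TOKEN_OK = {
  id: "tok_example_ok",
  object: "token",
  card: { id: "card_example_ok", cvc_check: "pass", address_zip_check: "pass" },
};
// Client removed both data-stripe attributes: Stripe never saw CVC or zip.
const TOKEN_STRIPPED = {
  id: "tok_example_stripped",
  object: "token",
  card: { id: "card_example_stripped", cvc_check: null, address_zip_check: null },
};
// Both values were submitted, but the issuer rejected the postal code.
const TOKEN_BAD_ZIP = {
  id: "tok_example_badzip",
  object: "token",
  card: { id: "card_example_badzip", cvc_check: "pass", address_zip_check: "fail" },
};

// Where this sits in a real handler: fetch the token with the Stripe SDK
// (stripe.tokens.retrieve(tokenId)), run verifyCardChecks on the result, and
// only then attach the card to the customer. Returns true when attaching.
function handleCardSubmission(token, options) {
  const verdict = verifyCardChecks(token, options);
  if (!verdict.ok) {
    console.log(`reject ${token.id}: ${verdict.reasons.join("; ")}`);
    return false;
  }
  console.log(`attach ${token.id}`);
  return true;
}

handleCardSubmission(TOKEN_OK);
handleCardSubmission(TOKEN_STRIPPED);
handleCardSubmission(TOKEN_BAD_ZIP);
```

The point of treating a null result as a rejection, rather than only `"fail"`, is that the dashboard setting quoted above only declines when both checks fail; a field Stripe never received cannot fail, so the server has to refuse it explicitly. Whether `"unavailable"` (the issuer does not support the check) is tolerated is a business decision, which is why it is an option rather than hard-coded.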
