From Stripe dashboard settings: We will not decline charges if you do not pass us a CVC or postal code, nor cards with an "unavailable" check result from the bank.
I am using Stripe.js meaning that my server never touches credit card sensitive data. However I am required to make sure the CVC and Zipcode are checked. I have added to 'Declline cards if both zipcode and cvc checks fail` on my dashboard but as the above quote states, those settings have very little meaning. I have found out the you can easily bypass both and the card would still be validated.
data-stripeattributes from zipcode and cvc input fields and place whatever zipcode and cvc they want. Stripe.js would never send them since the inputs don't have a
With this scenario, someone with a stolen credit card would be able to just enter a credit card number and expiration date and bypass cvc and zipcode. Zipcode and even CVC, could make a difference. I say this from experience, my card was "read" at a gas station, they tried to buy stuff but charges failed due to wrong zipcode and cvc.
How can I do the checks on my server somehow (without touching sensitive data) for both zipcode and cvc? I cannot do much with Stripe.js since everything happens on the client side which I have no control of.