From Stripe dashboard settings: We will not decline charges if you do not pass us a CVC or postal code, nor cards with an "unavailable" check result from the bank.
I am using Stripe.js, meaning that my server never touches sensitive credit card data. However, I am required to make sure the CVC and zipcode are checked. I have added to 'Decline cards if both zipcode and cvc checks fail' on my dashboard, but as the above quote states, those settings have very little meaning. I have found out that you can easily bypass both and the card would still be validated.
`data-stripe` attributes from zipcode and cvc input fields and place whatever zipcode and cvc they want. Stripe.js would never send them since the inputs don't have a
With this scenario, someone with a stolen credit card would be able to just enter a credit card number and expiration date and bypass cvc and zipcode. Zipcode, and even CVC, could make a difference. I say this from experience: my card was "read" at a gas station, and they tried to buy stuff, but the charges failed due to wrong zipcode and cvc.
How can I do the checks on my server somehow (without touching sensitive data) for both zipcode and cvc? I cannot do much with Stripe.js since everything happens on the client side which I have no control of.
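One way to enforce the checks on the server without handling card data, as an added example that is not part of the original post: the card object Stripe returns in its API responses reports `cvc_check` and `address_zip_check` results, so the server can reject anything that is not an explicit `pass`. The helper name `requireCardChecks`, the `allowUnavailable` option and the sample objects are assumptions made for illustration.

```javascript
// Added example. `card` is the card object from a Stripe API response (token or
// charge source) parsed from JSON; the samples below are constructed.
const REQUIRED_CHECKS = ['cvc_check', 'address_zip_check'];

// Hypothetical helper: returns { ok, problems } for one card object.
function requireCardChecks(card, { allowUnavailable = false } = {}) {
  const problems = [];
  for (const field of REQUIRED_CHECKS) {
    const result = card == null ? undefined : card[field];
    if (result === 'pass') continue;
    if (result === 'unavailable' && allowUnavailable) continue;
    if (result === null || result === undefined) {
      // The value never reached Stripe, e.g. the input was not submitted.
      problems.push({ field, reason: 'not_provided' });
    } else if (result === 'unchecked') {
      // Provided, but not verified with the bank yet.
      problems.push({ field, reason: 'not_checked_yet' });
    } else {
      // 'fail', a disallowed 'unavailable', or an unexpected value.
      problems.push({ field, reason: String(result) });
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed samples covering the cases described in the post.
const SAMPLES = {
  complete: { cvc_check: 'pass', address_zip_check: 'pass' },
  fieldsStripped: { cvc_check: null, address_zip_check: null },
  wrongZip: { cvc_check: 'pass', address_zip_check: 'fail' },
  bankSilent: { cvc_check: 'unavailable', address_zip_check: 'pass' },
};

for (const [name, card] of Object.entries(SAMPLES)) {
  const { ok, problems } = requireCardChecks(card);
  console.log(name, ok ? 'accept' : 'reject', JSON.stringify(problems));
}
```

Because the decision is made from Stripe's response rather than from the form, removing inputs in the browser only turns a `pass` into a missing result, which this policy rejects.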