Stripe.js CVC and Zipcode checks can be bypassed easily!

Published 2 years ago by cristian9509

From Stripe dashboard settings: We will not decline charges if you do not pass us a CVC or postal code, nor cards with an "unavailable" check result from the bank.

I am using Stripe.js meaning that my server never touches credit card sensitive data. However I am required to make sure the CVC and Zipcode are checked. I have added to 'Declline cards if both zipcode and cvc checks fail` on my dashboard but as the above quote states, those settings have very little meaning. I have found out the you can easily bypass both and the card would still be validated.


  • user lands on my credit card details page. They enter their credit card data.
  • before they click on submit which would activate Stripe.js and send data to the Stripe servers, they manually remove the data-stripe attributes from zipcode and cvc input fields and place whatever zipcode and cvc they want. Stripe.js would never send them since the inputs don't have a data-stripe anymore.
  • Stripe validates number and expiration date, sends back a token, my server adds the card to the user
  • the card gets attached to my Stripe customer and I can go ahead and charge it

With this scenario, someone with a stolen credit card would be able to just enter a credit card number and expiration date and bypass cvc and zipcode. Zipcode and even CVC, could make a difference. I say this from experience, my card was "read" at a gas station, they tried to buy stuff but charges failed due to wrong zipcode and cvc.

How can I do the checks on my server somehow (without touching sensitive data) for both zipcode and cvc? I cannot do much with Stripe.js since everything happens on the client side which I have no control of.

2 years ago (61,410 XP)
you can enable a setting to automatically refuse all payments where the zip check fails. You can enable this setting by heading to your account settings and choosing to “Decline charges that fail zip code verification.“



@mehany i have mentioned already that those settings are checked. And i can still bypass those checks.

2 years ago (215,385 XP)

Ideally you charge the card before returning back. But if you offer a free trial but a card upfront, nothing you can do until the payment time.

Generally I use stripes API instead of cashier as I can set up plans and coupons from my backend vs going to stripes site. So I can say for sure what cashier does exactly. But I know the API allows you to charge the card immediately and sends appropriate successful charge response along with the invoice.



So you should just look at the cvc_check returned on the token object. Assuming a CVC was provided, it should return as "unchecked". If it's null, that means that someone has deliberately not provided a CVC. You can add that as a check in your form-handler (after your Javascript has executed, but before your code has actually created a customer) to help prevent fraud.

Cheers, Korben

PS; Sorry for my necromancy! I didn't mean to resurrect a dead thread. :)

Please sign in or create an account to participate in this conversation.