Published 2 years ago by cristian9509
From Stripe dashboard settings: We will not decline charges if you do not pass us a CVC or postal code, nor cards with an "unavailable" check result from the bank.
I am using Stripe.js, meaning that my server never touches credit card sensitive data. However, I am required to make sure the CVC and zipcode are checked. I have added 'Decline cards if both zipcode and cvc checks fail' on my dashboard but, as the above quote states, those settings have very little meaning. I have found out that you can easily bypass both and the card would still be validated.
data-stripe attributes from zipcode and cvc input fields and place whatever zipcode and cvc they want. Stripe.js would never send them since the inputs don't have a
With this scenario, someone with a stolen credit card would be able to just enter a credit card number and expiration date and bypass cvc and zipcode. Zipcode, and even CVC, could make a difference. I say this from experience: my card was "read" at a gas station, they tried to buy stuff but charges failed due to wrong zipcode and cvc.
How can I do the checks on my server somehow (without touching sensitive data) for both zipcode and cvc? I cannot do much with Stripe.js since everything happens on the client side which I have no control of.
Ideally you charge the card before returning back. But if you offer a free trial but a card upfront, nothing you can do until the payment time.
Generally I use Stripe's API instead of Cashier as I can set up plans and coupons from my backend vs going to Stripe's site. So I can say for sure what Cashier does exactly. But I know the API allows you to charge the card immediately and sends appropriate successful charge response along with the invoice.
So you should just look at the cvc_check returned on the token object. Assuming a CVC was provided, it should return as "unchecked". If it's
PS: Sorry for my necromancy! I didn't mean to resurrect a dead thread. :)
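
The server-side check the last reply points to, as an added example that is not part of the thread or of Stripe's code: it inspects the `cvc_check` and `address_zip_check` fields of a card object, first on the token and then after the bank has answered. The function names and sample objects are hypothetical, and it assumes a null check field means the value was never submitted and that the card object returned after charging carries the same two fields.

```javascript
// Added example. cvc_check / address_zip_check are Stripe's field names;
// function names and sample objects below are constructed for illustration.
const REQUIRED_CHECKS = ["cvc_check", "address_zip_check"];

// Token stage: a check field that is null/absent means the browser never
// sent that value (for example, the form inputs were altered), so stop here.
function missingFields(card) {
  return REQUIRED_CHECKS.filter((f) => card[f] === null || card[f] === undefined);
}

// Charge stage: the bank has answered. Only "pass" is accepted unless the
// caller explicitly tolerates "unavailable".
function failedChecks(card, { allowUnavailable = false } = {}) {
  return REQUIRED_CHECKS.filter((f) => {
    const result = card[f];
    if (result === "pass") return false;
    if (result === "unavailable" && allowUnavailable) return false;
    return true; // "fail", "unchecked", null, or anything unexpected
  });
}

// stage is "token" (before charging) or "charge" (after the bank responded).
function reviewCard(card, stage, options) {
  const problems = stage === "token" ? missingFields(card) : failedChecks(card, options);
  return { accept: problems.length === 0, problems };
}

// Constructed samples shaped like the card sub-object in a Stripe response.
const tokenWithBoth = { cvc_check: "unchecked", address_zip_check: "unchecked" };
const tokenStripped = { cvc_check: null, address_zip_check: null };
const chargedWrongZip = { cvc_check: "pass", address_zip_check: "fail" };
const chargedNoAnswer = { cvc_check: "pass", address_zip_check: "unavailable" };

console.log("token, both fields sent:", reviewCard(tokenWithBoth, "token"));
console.log("token, fields stripped: ", reviewCard(tokenStripped, "token"));
console.log("charged, wrong zip:     ", reviewCard(chargedWrongZip, "charge"));
console.log("charged, bank silent:   ", reviewCard(chargedNoAnswer, "charge"));
```

Run the token stage on a token your server fetched from Stripe by its ID, never on JSON posted by the browser, since the client can alter anything it sends.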