#Sam Gralla - Saving Cards

Hello! Stripe will validate cards at certain points in various flows, such as when a Setup Intent is used. The CVC may or may not be checked depending on the specifics of a given scenario. Can you provide more details about the exact operations you're performing?

Hi Rubeus! Thanks for the super-quick response. Let me check my code - it was a while since I implemented this

Okay. It looks like I create a setup intent associated with my customer using the stripe python api. This is sent to client-side javascript which then uses stripe elemends and stripe.confirmCardSetup. So the user sees a form with card #, exp data, cvc, and zip, which are passed to stripe. Stripe passes back a success or error message. Sometimes stripe performs a cvc check at this stage, and sometimes it doesn't.

That sounds like expected behavior. Sometimes Stripe will perform a heuristic validation, meaning we have reason to believe the card is valid without requiring us to talk to the card issuer. In those cases the CVC will remain unchecked, as we only mark the CVC as passed or failed when we talk to the card issuer. This is no way to force different behavior.

Can you provide more details about the reason to believe the card is valid? This came up because I had a card fail a zip check, and ultimately the charge was disputed as fraudulent. It all could have been avoided if the zip check were performed at the time of saving the card, but apparently Stripe had reason to believe the card was valid?

You can enable Radar rules to block charges when the CVC or ZIP check fails, as described here: https://support.stripe.com/questions/charge-succeeded-despite-cvc-or-zip-check-mismatch

I am aware of that, but it is too late at the time of charging. In my business, the customer leaves a card on file, and is charged after receiving the service (online tutoring). The check needs to be performed at the time of leaving the card on file - which sometimes it is!

Beyond that I can't go into more detail about how validations work here, as it's outside the scope of this chat, but Stripe support should be able to help you further: https://support.stripe.com/contact/email

Yeah I appreciate you are dev support, but perhaps you can help me craft my question

Because the stripe support people tell me to talk to dev...

Not sure I understand. Who exactly did Stripe Support tell you to talk to?

Well they said they needed to hear back from their backend people or something

Oh, meaning they're asking internally inside Stripe?

And then they converted it to an email ticket

yes, internally

That makes sense, they're probably gathering the details you asked for and will respond once they have them.

yes, but I don't know the right question. I think I am closer thanks to your help. Basically I am upset that stripe only performed a "heuristic validation", because it turned out later the card was invalid. Is that what I should complain about? Is there a clearer way to put it?

I think the best thing to do would be to clearly explain how your Stripe integration works, specifically this part is a critical detail:

In my business, the customer leaves a card on file, and is charged after receiving the service (online tutoring). The check needs to be performed at the time of leaving the card on file - which sometimes it is!

That will help them understand why the validation piece is so important to you.

That said, I will say that relying on validations like that is not recommended.

How much time passes between when the card info is collected/validated and when you actually charge people?

Thank you for the advice on how to contact them. Usually only a few days passes - from the time they book the lesson, to the time after it happens. I cannot think of a better way to run this business. I believe other online tutoring businesses do the payment flow the same way.

I would recommend placing a hold on the funds: https://stripe.com/docs/payments/place-a-hold-on-a-payment-method

You can place a hold, which will confirm not just that the card is valid, but also confirm that they have enough funds to cover the charge. Then, after services are rendered, you can capture the funds. If services are not rendered you can release the hold.

The hold can last up to seven days for card payments.

And placing a hold will always confirm the card and funds availability with the card issuer.

All this just to convince stripe not to rely on "heuristic checks"?

It's more about making sure the funds are available for your business. Validations, even when the card issuer is contacted, can't tell you if there are enough funds available to cover a future transaction, or if the card will work tomorrow.

Placing a hold doesn't have those limitations.

yes, but then the customer will have to re-authorize a hold for every lesson...

Maybe I can treat it as a subscription or something, and they wouldn't have to?

The customer doesn't need to be present for you to place a hold on their card if you've saved it to a Customer object previously.

oh, ok... is it visible on their statement?

Yes, the hold will be visible to the cardholder

ok, so when they book a lesson, I place a hold for the lesson amount, and that will force stripe to do the cvc and zip checks? (Actually just the zip check, right? Because you are not alloewd to store cvcs, right?)

Correct. It will also confirm the card has enough money to cover the charge, and will place a hold on those funds until you capture it, cancel it, or the hold expires.

OK thank you for that advice. Is there a greater than 0% chance of success that I can convince stripe to instead just check the cvc and zip when my customer enters them? (Can I pay for this service?)

I don't know, that's something you would need to talk to support about. However, even if they do allow for something like what you're describing I recommend against relying on just validations. If a card has $1 in the available balance, or even 1¢, it will still pass a validation check. Relying on validations also opens you up to scenarios where a card validated on Monday then gets canceled/lost/stolen/expired on Tuesday and then you can't charge it on Friday.

yeah, I get it, thanks. This was super helpful. Is there somewhere I can tell stripe how helpful you were?

You just did. 🙂 I'll note your feedback internally, thank you!

Glad I could help!

great 🙂 have a nice day!