# Andrew Samir


azure hatch
#

Hello, can you explain your question a bit more? The bank decides when to request 3DS, so it is always possible that any payment on a supported card will require 3DS.

chrome wedge
#

I am making a user subscription with payment intents with a renewal date, and I am making a cronjob to check this renewal date; according to it, I want to pay and confirm the payment intent.

#

So I need payment authentication to happen only the first time I pay.

azure hatch
#

With subscriptions, Stripe will tell the bank that the recurring payments are offline, which makes the bank much less likely to request 3DS. They still might request 3DS, though; there is no way to prevent that. So the options there are supporting 3DS on those payments (you can even just turn on a Stripe option so that Stripe emails the user to do 3DS), or you can fail all payments that do that: https://stripe.com/docs/billing/subscriptions/overview#requires-action

#

I can look to see if there is a setting to auto-fail the payments once they require 3DS, if that is what you are looking to do.

chrome wedge
#

Yes, I need something like that.

#

May I ask you another question?

#

Does every client_secret consist of a first part, the payment_intent_id, and a second part, the customer_id? If yes, is that secure?

azure hatch
#

Yes, they are always in that format, and yes, that is secure. The client secret can only be used to confirm payments; it can't be used to modify them in any other way unless the user has your Stripe API secret key.

#

I will look into whether there is a setting for that and will get back to you.

chrome wedge
#

Okay.

chrome wedge
azure hatch
#

Yes, in that way the secret can be vulnerable. There is a practice called card testing, where someone tries to find valid cards by trying to confirm card payments over and over. We have some guidelines on mitigating this now and are working to prevent this issue in future: https://stripe.com/docs/disputes/prevention/card-testing

#

But otherwise that doc lays out best practices. You can try to limit how, and how often, a user can get a client secret from your site, and you can limit how many times they can try to confirm a card with that secret.