#Nars

hi! Elements doesn't do that really. What you would do is call https://stripe.com/docs/api/payment_methods/customer_list and build your own UI that displays the details like brand/last etc in a custom component on your page.

Okay how can I confirm the payment

With the payment token?

yeah if you have created the PaymentIntent using the customer ID of the customer, then on the frontend you can call https://stripe.com/docs/js/payment_intents/confirm_card_payment#stripe_confirm_card_payment-existing with the ID of a selected PaymentMethod to pay it with that card

Okay is there any risk to approach? the frontend now has the publishable key, client secret and the payment method ID which means someone could tamper the app and make a payment without the card owner's authorization

there's no added risk really beyond a normal payment. Having the publishable key and client secret lets anyone attempt an API call to make a payment

the main thing is you should only be providing a client_secret to the frontend when you have authenticated the user(i.e. they've logged into their customer account in your system or so on)

Yes but in case of not displaying saved cards, the customer has to enter card details on their own

So they would be aware they are making a payment

Slightly concerned about user's consent in case of saved cards

Is there any way by which when I display the last 4 digits in the UI I can also ask for their CVC which can later be authenticated?

I mean if someone is running code on the user's browser without their consent they're already compromised

Lol okay

yes, trying to finding the docs

https://stripe.com/docs/js/tokens_sources/create_token?type=cvc_update
https://www.youtube.com/watch?v=MM3ezC89178
the docs are not great unfortunately but the idea is to add a CardCvcElement to the page as well and use a token from it

Got it will check this out

One more thing

Do other apps also follow this approach (without cvc auth) I mean is this the conventional approach to display saved cards?

yes