#benflynn
Sounds like you are implementing the most common ways to address this at the moment. This doc has a couple more suggestions if you haven't seen it https://stripe.com/docs/disputes/prevention/card-testing
Thanks @obtuse hound. Yeah, we've been using that document, just wanted to make sure we weren't missing some security recommendations serving up that token. I appreciate it!
Yeah, those are the most actionable and easy things to add to an existing integration now. One other thing you can do, that can often be too cumbersome, is tracking how many times they have tried to confirm each payment intent and cancelling the intent after too many attempts. Even a high limit like 100 would almost never be reached by a legitimate customer but is way less than what a bad actor could try without that limit.
In terms of larger changes, we do have this beta which allows you to disable payment intents from being confirmed with public keys at all. But it is a different flow from the current one, so switching to it is also not trivial
https://stripe.com/docs/payments/run-custom-actions-before-confirmation
Trying to think of more actionable things for now. Will get back to you