#boundaryboys04
Hello! We'll be with you shortly. Below are links to other discussions we've had with you in the past week in case you want to review that information. If your question is related to one of these previous discussions, please provide a comprehensive summary of the current state and what you need help with now. We help many users simultaneously, so a summary allows us to resolve your issue as soon as possible.
- boundaryboys-cardelement-cvcpostalcheck, 2 days ago, 84 messages
hi
I had a conversation with one of your team members
on SetupIntent
For some reason, when we do that, card validation is not happening, i.e. no CVV, exp and zip validation is happening
i was told to perform completeintent call from client side
Can you share a sample setupintent id where this happened?
public async Task<(string customerId, string ClientSecret, string errorMessage)> CreateCustomerWithSetupIntent(string paymentInfoToken, string email, string name)
{
    try
    {
        // Exchange the client-side card token for a PaymentMethod
        var paymentMethodService = new PaymentMethodService();
        var paymentMethodOptions = new PaymentMethodCreateOptions
        {
            Type = "card",
            Card = new PaymentMethodCardOptions
            {
                Token = paymentInfoToken
            }
        };
        var paymentMethod = await paymentMethodService.CreateAsync(paymentMethodOptions);

        // Create the customer with that PaymentMethod attached as the invoice default
        var customerService = new CustomerService();
        var customerOptions = new CustomerCreateOptions
        {
            Email = email,
            Description = name,
            PaymentMethod = paymentMethod.Id,
            InvoiceSettings = new CustomerInvoiceSettingsOptions
            {
                DefaultPaymentMethod = paymentMethod.Id
            }
        };
        var customer = await customerService.CreateAsync(customerOptions);
        return await this.PerformSetupIntentCreateAndConfirm(customer.Id, paymentMethod.Id);
    }
    catch (Exception ex)
    {
        return (null, null, ex.Message);
    }
}

public async Task<(string customerId, string ClientSecret, string errorMessage)> PerformSetupIntentCreateAndConfirm(string customerId, string paymentMethodId)
{
    try
    {
        var setupIntentService = new SetupIntentService();
        // Create Setup Intent (it is only created here, not confirmed;
        // the client secret is returned to the caller)
        var setupIntentOptions = new SetupIntentCreateOptions
        {
            Customer = customerId,
            PaymentMethod = paymentMethodId,
            PaymentMethodTypes = new List<string> { "card" },
            Usage = "off_session",
            Description = "Setup intent for customer: " + customerId
        };
        var setupIntent = await setupIntentService.CreateAsync(setupIntentOptions);
        return (customerId, setupIntent.ClientSecret, null);
    }
    catch (StripeException ex)
    {
        return (null, null, ex.Message);
    }
    catch (Exception ex)
    {
        return (null, null, ex.Message);
    }
}
The reality is that a SetupIntent won't always trigger an authorization. This is a counter for card testing. See: https://support.stripe.com/questions/check-if-a-card-is-valid-without-a-charge
If you want, I can look at a specific SetupIntent ID to ensure you are saving cards correctly
But there won't always be a CVC/AVS check
this is my front end
const { token, error } = await stripe.createToken(cardElement, { name: cardHolderName });
if (error || !token) {
    props.handleRedeemFailed((error && error.message) || 'Failed to connect credit card');
    return;
}
// Send the token to the back end, which returns the SetupIntent client secret
const setupIntentSecret = await props.performSetupIntent(token.id);
if (!setupIntentSecret) {
    props.handleRedeemFailed('Failed to Valide Credit Card Details');
    return;
}
if (setupIntentSecret) {
    // perform stripe confirm setup intent
    const confirmResult = await stripe.confirmCardSetup(setupIntentSecret, {
        payment_method: {
            card: cardElement,
            billing_details: { name: cardHolderName }
        }
    });
    if (confirmResult.error) {
        props.handleRedeemFailed(confirmResult.error.message || 'Failed to Valide Credit Card Details');
        return;
    }
}
Yeah you can stop dropping code in here at this point
Basically we are creating the customer, creating the setup intent on the back end, sending the intent client secret to the front end, and performing the complete setup on the front end
ya, saw that
What can we do to enforce card validation? It's taking any card expiry, CVV and zip code and letting the details save on Stripe
no authentication is happening
When you say "authentication", do you mean a CVC/AVS check being performed?
Okay so see my answer above
This doesn't happen every time
Because then card testers can use your account to check cards. So when we detect card testing or other reasons to not run this card validation, it is skipped.
This is all expected
When we set up a customer and accept card details we don't charge the customer; we only charge them when they have to pay. How can we guarantee that card details provided by them are valid
when we need to actually perform transaction
You can never guarantee that. Even if a CVC/AVS check happened initially, the issuing bank could always decline the transaction later on.
You are already doing the optimal/correct thing.
we were told to use setup intent for the purpose
There isn't anything more you should be doing.
Yes, a SetupIntent is indeed the correct route.
It will optimize your conversion as much as possible.
There is no guarantee, but at least we want to do some level of validation like exp date, CVV and zip code
also they were able to just add a gift card and go to next step
no validation happening as part of customer and setup intent create and confirm flow
that is our issue
we bought a gift card and tried with that
also took my card and put in CVV as 123 and zip as 23432; it's all taken as valid card info
So when you test like this, we oftentimes know that you aren't a real customer
And it looks like card testing
So we don't run the authorization
ok
I really can't help you any further. I understand you want a card authorization to run on every SetupIntent confirmation but that just isn't how the product works.
It would open you and us up to a ton of fraud if that were the case
As well as network penalties
There are lots of reasons that we have to use fraud models to determine whether to actually run a card authorization when saving a card
So what you are doing now is the correct and most optimized route, even if it isn't what you would want in your ideal world.
ok thanks for confirming
You are always going to need to handle declines, they are a natural part of payment processing
So you need to invest in a strong mechanism to bring your customers back on-session and collect a new PaymentMethod if that is necessary
You could block prepaid cards if you so desire
is that done at setting level or through code?
You can either do that via Radar (https://stripe.com/docs/radar/rules/supported-attributes#card-info) or you can do it through your integration (code)
Doing it via code is cleaner as you can show a specific error to your customers when this is the case
But it also depends a little on your integration
As you need to create the PaymentMethod first in this flow
Radar is an additional product or it's part of the basic?
yes, we do the PaymentMethod first and then create the customer and then perform the SetupIntent and confirm the SetupIntent on the UI side
You need Radar for Fraud Teams to create customer rules like this.
Yeah you would need to write a custom block rule
Not if you want to block by card funding (like prepaid)
You need Radar for Fraud Teams enabled so you would write a custom rule (use that grayed out "Add rule" button)
I don't actually know much about the Dashboard as we just focus on the API here so if you don't see an obvious place to enable Radar for Fraud Teams then you will want to talk to our Support team about how to get that enabled via https://support.stripe.com/contact/login
ok
another quick Q
Do we need to perform complete intent on the front end, or can we also do it on the back end after the setup intent is done?
I see a method for complete on the backend but we were told earlier by one of your support to perform this in the front end
You would confirm on your backend since you already created/setup the PaymentMethod previously and your customer is no longer on-session
We recommend you confirm on your frontend for initial collection or if you are taking payment from a customer that is present in your flow.
ok thanks
Sure