#wallybanger_unexpected

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1288222755996700885

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

adding the full user response here since it did not fit in the form "Yes once I entered my card details I hit submit and I received a prompt from my bank to enter the second factor code that was sent to my phone. I didn't have my phone in hand so I hit cancel and was redirected back to you the merchant with the transaction cancelled or expired error message. I tried again hoping it would go through without my phone nearby and this time it was successful."

but both transactions were approved, even the first

Hello
Do you have any example payments?

i can give you the two that just happened earlier

one moment

sure

pi_3Q2c74FCgD0OjU1x0jB4mIis is the first, asked for 2 factor code, user backed out, returned to site, shown as canceled

pi_3Q2cAHFCgD0OjU1x0A3FGUzg is second that was successful which then made the first one above also go through as procesed (i have refunded that one

i believe from what he has said, neither one then needed the 2 factor code

The first payment did require an action to be completed as you can see from this confirm request triggering requires_source_action status: https://dashboard.stripe.com/logs/req_LiaQ1d6zk5beeP

The second payment confirmation request did not trigger that..

Does your code check for existing PaymentIntent when user backs out of the checkout?
Because it seems like there was another confirmation request that came in from your integration at 2024-09-24 17:04:23 UTC for the first payment: https://dashboard.stripe.com/logs/req_qQsVoN4X0EGxTo which succeeded without any actions required.

After which the second PaymentIntent was created https://dashboard.stripe.com/logs/req_rnazc44KLKpZCc at 2024-09-24 17:04:41 UTC

"Does your code check for existing PaymentIntent when user backs out of the checkout? "......it is possible it does not, this is using a shopping cart system that just started using the Stripe Element option over the summer

i guess i assumed that the canceled / expired error was coming from stripe and the first payment was essentially null and void at that point

is it common for a bank to simply ignore asking for 2FA if a user restarts a second payment? seems like an easy way around the security of it

It is upto the bank to trigger the auth flow unfortunately.. All banks behave differently and have different parameters to ask for authentication

looking at the logs, did the first one go to approved because of some user action or did it happen because the 2nd transaction triggered no 2FA needed?

both payments were approved with different user action as both timestamps are different

the difference between the two success messages is about 45 seconds or so

yes

possible something was cached?

sounds like the solution is "check for existing PaymentIntent when user backs out of the checkout" ?

Correct, you could retry the same PaymentIntent without creating a new one or cancel the previous one

okay i will mention to the shopping cart developers. While I have you, does the Stripe Element option give the same protections as say using the checkout option that redirects to the Stripe website to complete the charge (cant remember the formal name of it).

I had a problem with bad actors card testing my site last year so i changed checkout method to send the user to the stripe website to process the charge (and redirect back to my site after success) and that stopped the issue since obviously Stripe has a better way to handle this since they will see user info and what not and can throttle requests directly. Does the Element box being embedded in my site afford the same protections?

Do you mean Stripe Radar?

https://docs.stripe.com/radar/integration#integration-types

no, i swapped to this to stop the brute force card testing: https://stripe.com/payments/checkout

i think the URL wa salways checkout.stripe.com or something to that effect

and then user was redirected back to me after succesful charge

That's Stripe Checkout (which is a different product)..

sorry "Stripe Hosted Checkout"

I'm confused by the part "protection"

what do you mean by that exactly

well, it stopped the card testing. i can only assume bcause stripe had more details and could throttle the user back completely. before i switched checkout method, the user entered there card #, expiration and CVC directly on my website at checkout (it was a small embedded box) and they really went to town trying hundreds of card details. swapping it to Stripe Hosted Checkout stopped that in some way (i dont know specifics)

maybe it was the "Payment Links" hosted directly on stripe. they have some many names for different products lol

Gotcha. Here: https://docs.stripe.com/disputes/prevention/card-testing#optimize-integration
It outlines the protections Elements offer 🙂

okay cool thanks.

PaymentLinks use Stripe Hosted Checkout page for payments

okay that looks like it answers my question thanks

Awesome

thanks for the help have a great day