#Gary4091-cvc

@bright dirge honestly this is the wrong question to ask, you shouldn't need to know this and you should never based your logic on this information

just collect the CVC for every payment if that's what you need/care about

@bright dirge did that make sense?

Gary4091-cvc

No

Does not make any sense to me

I asked a valid question

And I don't quite understand why I can't have the asnwer

Hello @bright dirge , I will take over and catching up. Could you describe what you want to achieve? Maybe we can find a better approach for you

Sure

Thank you

Currently we process CC payments manually:

We collect Credit Card data on site and run each order via our own Risk management system (takes 1-3 minutes).

If the order is approved we enter credit card data manually to our Intuit Payment system

We are moving to Stripe now (integrating our checkout with stripe)

We are planning to do the same logic - collect the card info, run the risk security application on each order (1-3 minutes) and if approved - create PaymentIntent - charge the card

The reason I asked about CVC time on stripe server

is to understand if we need to collect CVC, specifically: will CVC will be still available at the time of charge (1-3 minutes after created)

You mean, 1-3 minutes from collecting the card info, to creating PaymentIntent?

Yes correct

Which API are you using to collect the card info?

We will be using Stripe Elements and SetupIntent

we just started integrating to our existing checkout

Is this the guide you are following? https://stripe.com/docs/payments/save-and-reuse

Yes

Our specifics is that time between save and re-use is really small

1-3 min

Customer still can use the same card in next orders

Let me clarify a bit more. Following this guide you would create a SetupIntent first, then collet the Card Info, then Confirm it later. We don't create PaymentIntent here

Is that 1-3 min is between collect the Card Info, and Confirm it?

Yes, we are planning tol use SetupIntent

1-3 minutes between setting up SetupIntent and Charging the card using PaymentIntent

So, 1-3 minutes to submit PaymentIntent after SetupIntent is created with Customer/PaymentMethod

Once again, we are new to Stripe, but this is how we understand is the best case for our current business logic

Sure, I am just trying to grasp the scenario

Sorry for questions, it's helping me to assist you the best I can

No, I appreciate your quiestions - it helps us also to better understand

One thing I consider is, will you run that risk security application on your server? meaning you will have credit card information in your server?

No, We only will have non-sensitive data:

Billing Address, Shipping Address, Items ordered, (Total amount etc)

Okie that's great. It clears the most critical part of using Stripe 🙂

For example: if we have multiple returns from this particular shipping address

we will consider total amount and billing address to mitigate the risk

also, few background checks on billing address

and shipping address

so after creating SetupIntent on server, collect card info on client, you will send those information to your server, run the risk application, return ok to client, and client continue to confirm the SetupIntent?

Our understanding was this:

We create SetupIntent while saving non-sensetive data on our server

After we completed scenario "Save Card for Future Use"

with Setup Intent

We immediately run risk management task on our site and if approved

we will manually send PaymentIntent via our custom Dashboard or via Stripe's DashBoard

to charge credit card

okie

I think 1-3 minutes is not a problem in that case

The same person, who currently enter credit card information manually to current Intuit payment processing system will do the same by clicking "Process Payment" on some dashboard

The flow is designed to work in much more later scenario

The thing to consider is 3D secure

hmm

Yes, I understand this, we will use much more later scemario if customer save the card and place another order later

but for the first order - this is correct

3D Secure is not very popular in USA, right?

Worst case scenario the card will be declined

In this case we were planning to send a Stripe payment link to customer via email

Will this work?

Currently we enter cards manually and don't see much declined cards

I think at the time of confirming SetupIntent, our SDK already asked the customer to verify 3D Secure

so after it's confirmed, you wouldn't need to worry about it

Ahh, I see. That is good

But is this mandatory step in SDK?

If the Card require 3DS, yes the SDK will handle it for you

it will display a 3DS popup to the customer, and they will need to process it

We were planning to implement https://stripe.com/docs/payments/save-card-without-authentication

Understood

We will consider this implementation then:

https://stripe.com/docs/payments/payment-intents/upgrade-to-handle-actions

Yeah that 2 guide should work also. But TBH I think SetupIntent flow is better as it will do all the handling of requries_action for you. In this flow you inspect the requires_action status on your server, sending back to the client and let the client handle it

Understood

Thank you so much for your detailed explanation.

Yeah, np. If you encounter issues feel free to ping us later

Back to my original question 🙂 Do you think the CVC will be still available in 3 mins

or it is just unusable data we will collect because it expires very soon?

not expiring, but rather, not saved

We were planning to use CVC in Radar (if CVC does not match - we don't want to charge the card)

Um the answer is, we collect CVC, but we won't provide it to merchant. Stripe integration is designed that merchant shouldn't worry about CVC, as my colleague said in the first place.

I understand. We don't need CVC

CVC is PII, dealing with it means you will need to deal with a bunch of compliance

Stripe do it all for you

It is misunderstanding, sorry, we don't need CVC

We need STRIPE to charge the card using PaymentIntent which will include Credit Card Data

Stripe collected from our site using Elements (Card Number, CVC, Exp Date)

yes

So I wanted to understand, at want time Stripe will not submit CVC. By reading PCI requirement

CVC must be held for short period of time and only in Volatile Memory

I couldn't find answer - what exact time

Lets say time is 1 min

In this case we don't need to setup rule in Radar - deny payment if CVC does not match

because all our payments will be denied since PaymentIntent will be sent in 1-3 minites

So I was wondering during what time frame CVC will be submited. But if this information is not available it is ok with us

will just experiment with Radar rules

to see what works for us

I am not too familiar with Radar. I think it only inspect when the Payment be made, that after you already run your own application.

Technically when you collect the Card detail on client, all information including CVC will be sent and saved by Stripe

Stripe will use that information later, when a Payment is made, to score the risk

Understood. Excellent. Once again thank you for your time and help and have an excellent evening!

Yeah np! Feel free to come back anytime