#justinkennedy10 - Setup Intents

Hello! If you're not using Stripe.js you should confirm Setup Intents server-side and handle 3D Secure manually if needed as outlined here: https://stripe.com/docs/payments/3d-secure#when-to-use-3d-secure

Also, I strongly recommend you use Stripe.js and Elements. If there's a specific reason they're not working for you I may be able to provide a workaround?

gotcha - so basically call https://stripe.com/docs/js/payment_methods/create_payment_method from Stripe.js publishable key (we only want to avoid Elements), and send the Payment Method ID to the server to do a createSetupIntent call with confirm=true as a param, and take into account 3DS as well

let me ask my frontend engineer why he doesn't want to use elements and get back to you (5mins)

sis the above correct though (assuming he is right)?

Well, it's highly unusual to use Stripe.js but not use Elements. Usually people don't want to use Stripe.js at all, but if using it is an option there are other approaches you can take. Can you tell me more about the flow? Specifically, how are you creating the Payment Methods you're using and attaching them to the Payment Intents?

Sure! We have users of our app that can configure one payment method each for now. We were planning on just calling createSetupIntent server side for the customer + pass the secret to the client where confirmation would occur but my frontend engineer doesn't want to use Elements (he is still afk). Then for Payment Intents we would simply include the Customer ID + Payment Method ID when calling CreatePaymentIntent, and doing the same client-side confirmation with the payment intent secret key

You can confirm a Setup Intent client-side without using Elements if you associate an existing Payment Method with it ahead of time: https://stripe.com/docs/js/payment_intents/confirm_card_payment#stripe_confirm_card_payment-token

So are you fully PCI compliant?

I ask because if you're not using Elements and you're handling raw card info you will need to be: https://stripe.com/docs/security/guide#validating-pci-compliance

Hmm maybe he is misunderstanding the confirmSetupIntent Stripe.js API

https://stripe.com/docs/js/setup_intents/confirm_card_setup#stripe_confirm_card_setup-data-payment_method

Do you know if in the "data" parameter here he needs to provide anything related to Elements? Or just a JSON object with the card info he gets from our UI?

Ah I think we need an actual cardElement in there

That's the wrong API.

That's the one that works with Elements, which you're not using.

Have a look at the link I provided above.

It links to a different version of that method.

I think the one you linked is for confirming a payment

not a setup

Or you can use this one if you're attaching the Payment Method server-side: https://stripe.com/docs/js/payment_intents/confirm_card_payment#stripe_confirm_card_payment-attached

Oh, sorry.

(correct me if I'm wrong)

No prob at all - I appreciate you helping me out here

This should be the right one: https://stripe.com/docs/js/setup_intents/confirm_card_setup#stripe_confirm_card_setup-attached

Sorry about that!

Let me know if that looks right or not.

yes perfect!

and I think I can. use this: https://stripe.com/docs/js/setup_intents/confirm_card_setup#stripe_confirm_card_setup-existing

If I create a payment method first

Yep, you can use that if you have the Payment Method ID client-side.

And do you know of anyway to create a payment method client side without Elements (haha sorry)

I assume you can do so with the publishable key

You really should use Elements unless you're fully PCI compliant and know all the risks involved.

Can you confirm you're fully PCI compliant?

I convinced him to go with Elements

not trying F around with PCI stuff hahahaha

thank you so much for your help though

we can just follow the normal SetupIntents guide now