#stripe-connect-platform-fraud

Hi there, sure thing go ahead and share the invoice ID.

in_1LFShOHZhKpqBVFyNoadBRVJ

This customer is unforunately using legacy Checkout.

If the card is a bad number, Stripe Checkout is blocking it, but the problem we are seeing I think is people with a list of real credit card numbers who make multiple purchases with different cards. Radar is blocking the payment, but we are still creating the Customer and also now handling the webhook well.

So yeah that looks like it was blocked by Radar for high risk

I am checking the code now, but I think we
1.) Create Customer
2.) Create Subscription
But we are left with the Customer.
Do you recommend we delete the Customer?

Gotcha

What is the best way to handle a payment blocked by Radar?

Yeah so this is mostly up to you for how you want to do clean up here. Or if you want to ask the Customer to try again with another card

And where in the flow?

You would handle it the same as a bank decline really

Hm.. Since we are a Connect platform, we are a little bit limited.

OK, right now we ask for a thank-you page URL and I think they are being redirected to that without seeing a good message of failure.

When does the message come from Stripe? On Subscription.create?

Let me check the code and make sure how we are doing this.....

Is there a good testing card number for "block by Radar but a valid cc #"

?

Well that invoice is a one-off invoice

So no Subscription at all

But the failure comes on whatever is triggering the pay endpoint: https://dashboard.stripe.com/logs/req_J1gCls5jil23wT

To reproduce that in test mode you would use 4100000000000019

https://stripe.com/docs/testing#fraud-prevention

That has the different Fraud test cards that you can block via Radar.

OK, it still produces invoice.payment_succeeded? or no?

Nope should be invoice.payment_failed

Yep: evt_1LFShRHZhKpqBVFykexAykIN is your invoice.payment_failed for your example above

give me one min. mocking this

👍

OK, we are doing a more complex version of:
customer = Stripe::Customer.create({
:email => stripe_email,
:source => stripe_source,
}, {:stripe_account => stripe_user_id})

Is there any way to get back an error here if the stripe_source would result in a blocked Radar? Or no?

When testing?

right now i am testing

Like when you attach the card to the customer you want Radar to block

but when i am done, i want to fix this in production

The first step is we are creating a Customer.

Yep okay so you want to allow it to attach but then block on payment attempt?

But then if the payment is blocked, our connected account sees a customer who is a fraudulent buyer. If they try this 100 times, they get 100 fake customers. 😦

Yeah no way around that really

Other than deleting Customers

I'm trying to catch the fraud as early in the flow as possible and clean up whatever was created

Yep so there are two points then.

Ok, let me look at the next step in the flow

First, it is possible that it declines on attachment

"Attachment" here is when you create your Customer

Second then is that it declines on the actual invoice payment

After creating the customer, we get the customer ID and then create the subscription passing in the customer ID.

Is there something to look for so if we get that specific reponse, we maybe delete the Customer.
I don't love deleting customers in a connected account though

The response that it was blocked by radar for high risk?

right now i am seeing a clear error message so maybe we are not responding well to a webhook. Hmmm.

Yeah you should be seeing a fraudulent decline code in your handler

does it throw a Stripe error, or just end up with an incomplete status invoice? Checking this now.

Yeah, no error, just a status of incomplete.

There is a last_payment_error yes

On the PaymentIntent

OK let me look at that

subscription.status == "incomplete" does not necessarily mean fraud though right? Like OXXO or SEPA or other "delayed payment notificaiton" payment methods have an incomplete on creation correct and it is normal right?

Is there anything on the Subcription?

I don't believe it is incomplete here but I don't remember 100%. Let me double check

This case is a legacy button so not sure - is there even a PaymentIntent on legacy?

Yes all Invoices use PaymentIntents

sub_1LGVtBDGwdV8H45OiRS4g9x1

I just made that test sub

So now that I have the sub object, the next step is to?

I don't see a pi_ on the sub obj

subscription.latest_invoice
"in_1LGVtBDGwdV8H45Oz08naXfk"

PaymentIntents are assoicated with Invoices

Invoices are associated with Subs

What are you trying to accomplish?

You lost me a bit in what you are testing exactly here.

Trying to catch the fraud early

There are only two places you can "catch it". When the card is attached to the Customer (if it declines on attachment). Or, when a payment attempt is made.

Looks like we
1.) Create Customer
2.) Try to create Subscription. Always just also get the Invoice, look up the PaymentIntent on the Invoice and look for last_payment_error yes?

Yep

OK I have the PI

so if stripe_payment_intent.last_payment_error
is ?

You could use decline_code: "fraudulent",

That will specifically catch these high risk payments that are blocked by Radar

OK, so best practice. Should we delete the Customer? Or just leave it in Stripe to have a record?

That's really up to you.

I'd leave it.

OK, super helpful. Thank you.

😉

👍