#davidfox-payment-nextjs
Hi there, can you tell me more about why react-stripe-js is not suitable here?
We strongly don't recommend handling raw card details yourself.
As it involves a heavy PCI burden
Because we are getting card tested and, from what I can tell, there is no way for us to prevent it while the payment is processed on the front end.
We need to send a captcha to an API route, verify it within the API route, then process the payment.
Unless I'm mistaken, there's no way to handle this on the front end and be sure that the captcha validation has not been tampered with
Presumably you have stripe payment flows for apps which have a front end that interfaces with a backend api, could we use something like that?
See this discussion I had earlier about the card testing if you need further information on what's going on - #dev-help message
So a few things here... reCAPTCHA should still be overall effective and I would recommend implementing that first and seeing if it does the trick in decreasing the card testing you are seeing before you change your entire integration. Most of these attacks are script based and will not get around reCAPTCHA.
That said, another option would be to collect card details securely on the frontend using Elements and create a PaymentMethod that way and then pass to your backend to create the payment via your backend if you so desire.
Mostly I would not recommend collecting the raw details yourself and passing them to the backend
Just to clarify about reCAPTCHA -
The Stripe employee I spoke with earlier said I should call the Google API and then only run the card payment process if the response I received from Google is a ‘pass’.
Even though we know that it’s easy to ‘spoof’ the response from Google as a pass (even when they’ve not actually passed the CAPTCHA test), you’re saying that you think that it should still be an effective enough deterrent against the typical card testing attack?
The implication here is that it’s easier for them to go and try on a different website, as opposed to having to dig into the code and work out how to circumvent any measures that have been put in place.
Is my understanding of what you’re saying correct?
Overall yes.
I'm saying I would implement that first and see how it affects things.
From my experience, implementing a CAPTCHA leads to a significant decrease in card testing. Definitely not saying it will stop, and maybe this won't be sufficient. But this is the low-hanging-fruit place to start.
Okay that’s great, thank you for clarifying that. I’ll definitely give the CAPTCHA a go in that case, I thought it wouldn’t be worth trying it but I’m happy to hear that it could work
You’re saying also that if this doesn’t work, I can still use Stripe Elements, but convert it to create the PaymentMethod and then process it on the back end. This would be fairly straightforward, PCI compliant and would allow me to retain handling of the 3D secure validation?
Yep
Assuming you are just using Card Element here?
As opposed to Payment Element?
We’re using the Card Elements, but using all of the different parts separately (CardCvcElement, CardExpiryElement, CardNumberElement)
Do you know where in the docs I can see an example of the PaymentMethod flow you mentioned?
Yes that works. You would use https://stripe.com/docs/js/payment_methods/create_payment_method
There isn't a full example of the flow. But basically you create the PaymentMethod using that method on your frontend. Then pass the PaymentMethod to your backend and confirm the PaymentIntent. If 3DS is required, you redirect your customer based on the PaymentIntent response of requires_action.
Okay that’s very helpful thank you 🙏 At least we have a plan now for dealing with this situation. I’m a bit unsure of how I’d handle the 3DS from the PaymentIntent response as currently there is no redirect, it’s handled as an iFrame. I’m sure I can get back in touch in the future for further clarity on this though
For the moment we’ll try the captcha and get back in touch if we need further support
Thanks again!