Create Token - CVV & Address Checks


Jonathan Parker

Apr 14, 2015, 4:40:47 PM
to api-d...@lists.stripe.com
Does the Stripe.card.createToken call return back values for address_line1_check, address_zip_check, or cvc_check other than "unchecked" or null?

The way my application is built, knowing if the card failed any of those checks on the client, rather than having to handle an error on the server, would make my life so much easier.

Also, once a card token is created does it ever expire? If something happens between the time that we create the token on the client and it's actually used in an API, does it ever become invalid?

Remi J.

Apr 14, 2015, 4:45:49 PM
to api-d...@lists.stripe.com
Hey Jonathan,

Stripe.js doesn't run an authorization on the card but only validates
the number itself and the associated values (expiration date and CVC)
before returning a token. This means that those fields would not be
checked until you use that token on your server to create a charge or
a customer.

As for the token validity, we only guarantee that it will work for up
to 5 minutes. If you want to delay the charge further you should
create a customer first with that token and then charge that customer.

All the best,
Remi
> --
> You received this message because you are subscribed to the Google Groups
> "Stripe API Discussion" group.
> To post to this group, send email to api-d...@lists.stripe.com.
> Visit this group at
> http://groups.google.com/a/lists.stripe.com/group/api-discuss/.
>
> To unsubscribe from this group and stop receiving emails from it, send an
> email to api-discuss...@lists.stripe.com.

Matthew Arkin

Apr 14, 2015, 4:47:38 PM
to api-d...@lists.stripe.com
Hey Jonathan,

Stripe.js doesn’t return these checks; Stripe Checkout does if you pass the amount parameter (it just does a quick authorization on the card).

I saw this hack on some random tutorial / sample code somewhere and it looks like if you pass an amount as the second parameter to createToken, testing with some test card numbers, it functions the same way Checkout does by doing that authorization.

For example: 

$("#customButton").on("click", function() {
    Stripe.card.createToken({
        number: $('#cardNumber').val(),
        cvc: $('#CVC').val(),
        exp_month: $('#expMonth').val(),
        exp_year: $('#expYear').val()
    }, 100, stripeResponseHandler);
});


Note this isn’t documented anywhere, and I suppose is subject to all the risks that come with using undocumented stuff, but it does save you from using Checkout.

Also note that the authorization is normally just for $0 or $1, so the charge you attempt to make can still be declined for insufficient funds or some other reason.

--
Matt Arkin
Kollective Solutions

Jonathan Parker

Apr 14, 2015, 5:21:16 PM
to api-d...@lists.stripe.com
Awesome...thanks. I've implemented a quick test case and verified that passing the amount as the second parameter does properly validate those fields. I will check with the powers that be to see if we want to implement another undocumented feature. Thanks for your help!
--
-Parker

Shawn Grunberger

Apr 15, 2015, 2:27:22 PM
to api-d...@lists.stripe.com
As a side note, any validation done in the browser can be easily bypassed and therefore shouldn't be relied upon if you really care about blocking cards which fail those checks.

In other words, it's great to be able to show immediate UI feedback without hitting your server, but anyone with some JavaScript knowledge is free to hack the call to Stripe.js, ignore the result of those checks, and then submit the charge to your server. So the best approach is to always enforce the checks on the server too.

Shawn
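
The server-side enforcement recommended above can be sketched as follows. This is an added example, not code from the thread or from Stripe: the policy, the `handlePayment` and `lookupCard` names, the `clientChecks` field and the sample card objects are all assumptions, and `lookupCard` stands in for whatever server-side API call consumes the token and returns the card with its check results.

```javascript
// Added example, not code from the thread. Card objects are constructed samples
// shaped like the card a server-side Stripe API call returns for a used token.
const CHECK_FIELDS = ['cvc_check', 'address_line1_check', 'address_zip_check'];

// Hypothetical policy: outcomes that block the payment, per field.
const DEFAULT_POLICY = {
  cvc_check: ['fail', 'unchecked'], // insist the CVC was actually verified
  address_line1_check: ['fail'],
  address_zip_check: ['fail'],
};

function evaluateCardChecks(card, policy = DEFAULT_POLICY) {
  const reasons = [];
  for (const field of CHECK_FIELDS) {
    // Assumption: a null/missing value is handled like "unchecked".
    const result = card[field] == null ? 'unchecked' : card[field];
    if ((policy[field] || []).includes(result)) reasons.push(`${field}=${result}`);
  }
  return { accept: reasons.length === 0, reasons };
}

// requestBody is browser-controlled; lookupCard stands in for the server-side
// Stripe call that consumes the token. Only its result is trusted.
function handlePayment(requestBody, lookupCard, policy = DEFAULT_POLICY) {
  const card = lookupCard(requestBody.stripeToken);
  const verdict = evaluateCardChecks(card, policy);
  // requestBody.clientChecks is deliberately ignored: it can be forged.
  return verdict.accept
    ? { status: 200, proceed: true, reasons: [] }
    : { status: 402, proceed: false, reasons: verdict.reasons };
}

// Constructed stand-in for Stripe's responses, keyed by placeholder token ids.
const SAMPLE_CARDS = {
  tok_sample_ok: { cvc_check: 'pass', address_line1_check: 'pass', address_zip_check: 'pass' },
  tok_sample_bad: { cvc_check: 'fail', address_line1_check: null, address_zip_check: 'fail' },
  tok_sample_nocvc: { cvc_check: 'unchecked', address_line1_check: 'unavailable', address_zip_check: 'pass' },
};
const lookupSample = (token) => SAMPLE_CARDS[token];

// A tampered client claims every check passed; the server verdict is unchanged.
const forged = { stripeToken: 'tok_sample_bad', clientChecks: { cvc_check: 'pass' } };
console.log(handlePayment(forged, lookupSample));
```
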

Jonathan Parker

Apr 15, 2015, 2:36:33 PM
to api-d...@lists.stripe.com
Shawn,
I completely agree. We are still doing the server-side validation via the account settings on our Stripe account. In this scenario, attempting to do the client-side validation first would help mitigate the chance of users seeing an error page.

Thanks for all the help.

--
-Parker

Shawn Grunberger

Apr 15, 2015, 6:00:53 PM
to api-d...@lists.stripe.com
Got it, makes sense.

Shawn