Checking for Duplicate Cards within a Stripe Customer

[Charles Zhang]

Hello,

Due a the decentralized nature of our app, the user / stripe customer may input the same credit card number multiple times.

When adding a card to a stripe customer, does stripe automatically checks if that card has already been saved to or will we have to check it ourselves?

Thanks!

Charles

https://donorbox.org/

https://www.linkedin.com/in/charlesxzhang

[Jim Danz]

We do not check, as many people have their own policies around when
duplicates are acceptable or aren't.
However, you can look at the "fingerprint" property on cards that you
have saved in order to dedup.

Jim

> --
> You received this message because you are subscribed to the Google Groups
> "Stripe API Discussion" group.
> To post to this group, send email to api-d...@lists.stripe.com.
> Visit this group at
> http://groups.google.com/a/lists.stripe.com/group/api-discuss/.
>
> To unsubscribe from this group and stop receiving emails from it, send an
> email to api-discuss...@lists.stripe.com.

[Charles Zhang]

Thank you, the fingerprint attribute is helpful.

I have another related question. Let say I have a saved card is under a subscription plan, the card expiration date is 6/14. In 5/14 the credit card company sends me a new card with the CC number unchanged. Will the expiring saved card still work after 6/14? If it doesn't work, will the fingerprint attribute differentiate the cards with the same number but different expiration date?

[Matthew]

I have the exact same question as Charles. It seems the fingerprint is exactly the same, even when the expiration and/or CVVs change. It's a bit tricky to test for duplicate cards if you can't determine if the current card in question is exactly the same or not when you don't actually know the CVV. 

[Remi J.]

Hey Matthew,

The fingerprint only identifies the card's number. It does not take the CVC or expiration date into account. Whenever someone tries to update his card, you should compare both the fingerprint and the expiration date to see if it's a duplicate or not of an existing one.

Separately, PCI rules prevents us (and any processor) from storing the CVC on our end. This means that once you store the card on a customer or create a one-time charge, we automatically discard the CVC. There's no way to know if the CVC has changed and it shouldn't be important either if you're only updating a card's expiration date. Otherwise, you should collect the full details and tokenize it, and replace the card with the same fingerprint with the new card token that was just created.

I hope this helps!

Remi

Visit this group at https://groups.google.com/a/lists.stripe.com/group/api-discuss/.

[Aaron Christy]

Hey everyone,

Since we're having a discussion about CVC codes and fingerprinting, it might be a good time to remind you that some banks derive the expiration date from the CVC field during validation.  This is perhaps a bit off-topic, but I found it quite interesting.

This information comes from a Stripe engineer during an email conversation I had a few months back:

The CVC value of a card is derived from the card's expiration date. Normally, banks store the card's expiration date locally, and then generate the CVC from that stored value, and match this generated CVC to what the customer has input.

Some banks, however, generate the CVC value from the expiration date the customer inputs. This means if the customer inputs the wrong expiration date, the bank generates the wrong CVC. Then they try to match this number against what the customer inputs, and they see it's different, and return an incorrect CVC message.

In this particular case, the validation error returned from Stripe stated that they entered an incorrect CVC, when in reality they had entered an incorrect expiration date.

Thanks,

Aaron

[Matthew]

Hi Remy,

I can definitely appreciate the PCI rules as I've been dealing with them for years, and all of what you said makes sense.

However, if the expiration date stays the same, but the CVC changes, then there will most definitely be issues when duplication checks only check the number (fingerprint) and expiration. The card will never truly get updated because we'll think it's the same card and we will not attempt to update the card in Stripe, so when the card is attempted to be charged on Stripe, it will fail. Perhaps the CVC and expiration are always in sync (I don't know if this true or not, anyone have any insight?), and this won't be an issue, but if the CVC can change independently of the card's expiration changing, there will be big synchronization problems between the card saved on our side and the Stripe side.

- Matt

[Remi J.]

Hey Matthew

I don't think what you're saying is true here. When we charge a card, we send the card number and expiration date to the bank. Since we can't store the CVC, we don't send it along after the first attempt. This means that if a card is updated with the same card number, same expiration date and different CVC, the bank has no way to know if we have the latest CVC or not since we don't send it at all. It also seems fairly unlikely that you'd renew a card, get the exact same number and expiration date but a different CVC. Usually you get a new card or at least a new expiration date.

I understand where you're coming from but I think this wouldn't be an issue at all here and I've never seen this raised before by other users either. When someone gets a new card, you should collect their card details, and replace the old card if one matches the same fingerprint. The CVC shouldn't have any impact in that case.

All the best,

Remi

[Matthew]

That all sounds great to me, Remi! My mind is at ease, thanks for your responses.

- Matt