Token call returns "Your card's security code is incorrect."


Bob Cravens

Oct 3, 2014, 12:32:29 PM
to api-d...@lists.stripe.com
I have a client that has configured their system to not decline 'Charges that fail CVC verification'. However, the JS call that creates a token is receiving a response with the 'error' set to true and 'message' set to "Your card's security code is incorrect.".

Seems like the JS call should not treat this as an error in this case. Is that the intent?

Thanks for your help.

Bob

Matthew Arkin

Oct 3, 2014, 12:49:55 PM
to api-d...@lists.stripe.com
Hi Bob, 

The Stripe.js CreateToken API does not do any verifications of the card against the card networks; the AVS checks would happen when you attempt to add the card to the customer. At this point, the API will do a quick authorization check against the card, do all the AVS checks and potentially fail with an error if the account is set to fail charges that fail CVC / Zip code checks.

If you use Stripe Checkout, Checkout will do the AVS checks if you set the amount parameter.

Matt

Bob Cravens

Oct 3, 2014, 1:17:24 PM
to api-d...@lists.stripe.com
Since the js is returning info that the security code is incorrect there is some checking going on somewhere. Since the js doesn't have knowledge about the configuration how are we to handle this error?


Matthew Arkin

Oct 3, 2014, 1:21:22 PM
to api-d...@lists.stripe.com, api-d...@lists.stripe.com
Normally you would receive the token from Stripe, then send that to your server side code. In your server side code, if there was an error, re-render the card entry page and inform the user of the error and to try again. (You could also do this over ajax). 

It's a bit easier than doing some checks in JavaScript client side based on the token, and still having to handle some server side issues (like if the card is declined for insufficient funds).


Bob Cravens

Oct 3, 2014, 1:27:56 PM
to api-d...@lists.stripe.com
I think I am not being clear. We are doing the token workflow as you describe. However, the call to create the token is returning the error mentioned below. That seems to be related to a cvc/cvv check. But my client had their dashboard configured to ignore these errors. Seems like they are not being ignored on the token creation call.


Matthew Arkin

Oct 3, 2014, 3:27:06 PM
to api-d...@lists.stripe.com
Huh, that's interesting, I’m pretty sure Stripe didn’t use to do that. Gonna defer to Jim Danzz / one of the other Stripers.

Brian Krausz

Oct 3, 2014, 3:30:28 PM
to api-d...@lists.stripe.com
Hi Bob,

We do actually validate cards on token creation. Additionally, even if
you have "Decline on CVC failure" unchecked, banks will sometimes
force a decline based on a failed CVC check and other risk factors.
That setting states that *all* CVC check failures will be declined.

If you want to email me off-list with the particular transaction /
account you're referring to, I'm happy to dig into it further to see
if there are more details I can add.

Thanks,
Brian

Matthew Arkin

Oct 3, 2014, 3:33:56 PM
to api-d...@lists.stripe.com
Is this a new thing? Maybe it's a Friday and my mind is half asleep but I’m pretty sure I remember that Stripe.js didn’t result in any validation besides a Luhn check, and that Checkout would do the verification only if you set an amount. In fact that is how it's documented at https://support.stripe.com/questions/what-controls-for-fraud-prevention-does-stripe-offer

"Stripe.js and the Checkout don’t result in talking to your customer’s bank, so the check values for these fields will be null in the Stripe.js token. The actual results will be available in a charge object in the card hash, or in a customer object in the cards list."

Brian Krausz

Oct 3, 2014, 4:31:26 PM
to api-d...@lists.stripe.com
Sorry, I should have been a little clearer: our default behavior is to
not validate on token creation. However, there are a few other factors
in addition to specifying an amount that can cause accounts to have
tokens validated against banks. If you're curious if your account has
any of these settings enabled, I'm happy to check off-list.

I will look into updating that document: the vast majority of token
creations do not have validation, though there are exceptions.

Thanks,
Brian
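
Added example, not part of the thread: a Stripe.js `createToken` callback handler that treats a card error at token creation as a user-facing input error whatever the dashboard CVC setting, and does not read a successful token as proof that the CVC was verified. The `(status, response)` shape and the `error.code`, `error.param` and `card.cvc_check` fields follow Stripe's API objects; the function name, action names and sample responses are constructed for illustration.

```javascript
// Decide what the payment form should do with a createToken result.
// handleTokenResponse and its action names are hypothetical.
function handleTokenResponse(status, response) {
  if (response && response.error) {
    const err = response.error;
    // Card errors such as "incorrect_cvc" can surface here even when the
    // account does not decline charges that fail CVC verification.
    return {
      action: 'show_error',
      field: err.param || null,
      code: err.code || null,
      message: err.message || 'Card could not be processed.',
    };
  }
  if (!response || !response.id) {
    return {
      action: 'show_error',
      field: null,
      code: null,
      message: 'No token returned (HTTP ' + status + ').',
    };
  }
  // cvc_check is usually null on a fresh token: the bank was not consulted,
  // so the server must still handle declines when it uses the token.
  const cvcCheck = response.card ? response.card.cvc_check : null;
  return {
    action: 'submit_token',
    token: response.id,
    cvcVerified: cvcCheck === 'pass',
  };
}

// Constructed sample responses (not captured from a real account).
const SAMPLE_CVC_ERROR = {
  error: {
    type: 'card_error',
    code: 'incorrect_cvc',
    param: 'cvc',
    message: "Your card's security code is incorrect.",
  },
};
const SAMPLE_TOKEN_OK = {
  id: 'tok_constructed_example',
  card: { last4: '4242', cvc_check: null },
};

console.log(handleTokenResponse(402, SAMPLE_CVC_ERROR));
console.log(handleTokenResponse(200, SAMPLE_TOKEN_OK));
```

In the browser this function would be called from the callback passed to `Stripe.card.createToken(...)`, with the `submit_token` branch posting the token to the server, which handles any later decline.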