Wrong Expiration MM/YY returns "Your card's security code is incorrect." message


Charles Zhang (donorbox.org)

May 7, 2016, 7:30:18 PM
to Stripe API Discussion
Hello,


Our users and I have tested this several times and wanted to bring it to Stripe's attention.
When paying using a live card, if we put in the wrong expiration year but the right CVC code for the card, the transaction would decline. This is fine, but the error message from the Stripe API is "Your card's security code is incorrect." This is confusing to our users because they think the issue is with their CVC code and not the expiration date.

Let me know your thoughts.

Thanks a lot!

Remi J.

May 7, 2016, 7:31:24 PM
to api-d...@lists.stripe.com
Hey Charles,

The result of the CVC check is decided by the card's issuing bank and sometimes banks will conflate an expiration date error with a CVC error. There is unfortunately no way for us to know whether the problem lies with the CVC or the expiry date so that's why you sometimes end up with this error code instead of the more explicit error about the expiration date.

I hope this helps clarify the issue.
Remi


Peter Raboud

May 8, 2016, 10:15:56 AM
to Stripe API Discussion
To provide a bit of colour on this, the CVC is calculated as a function of the PAN (aka the card number), the expiration date, and the service code of the card, which are encrypted/MAC'd with secret keys belonging to the card issuer. [0] When the issuing bank processes an authorization request, it recomputes the CVC with this method, and compares it with the value supplied by the user. Interestingly, some issuing banks seem to use the *user-supplied* expiration date as an input to this computation - so, if the wrong expiration date is supplied, the CVC calculated by the bank will be wrong. When this incorrect value is compared against the (correct) user-supplied CVC, this causes the validation message that you described above. 

While there's a totally coherent argument to be made that this is a bug, this is a bug in the issuing bank's code. Moreover, Stripe has no way of distinguishing "real" CVC validation issues from expiration date validation failing, so there isn't really a viable downstream fix.

Hopefully this provides a bit more context about why this behaviour exists.

Cheers,
Peter
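
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Stripe's or any issuer's code: it contrasts an issuer that feeds the user-supplied expiration date into the CVC recomputation with one that checks the expiry against its own record first. HMAC-SHA256 stands in for the issuer's real keyed computation, and the key, card record, function names and result labels are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values: a made-up issuer key and a test card record.
ISSUER_KEY = b"constructed-demo-issuer-key"
CARD_ON_FILE = {"pan": "4242424242424242", "expiry": "0519", "service_code": "101"}


def derive_cvc(pan, expiry, service_code, key=ISSUER_KEY):
    """Stand-in for the issuer's keyed CVC function (assumption: HMAC-SHA256,
    truncated to three digits; real issuers use a different keyed scheme)."""
    msg = f"{pan}|{expiry}|{service_code}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


def authorize_conflating(pan, expiry, cvc):
    """Issuer that recomputes the CVC from the user-supplied expiry.
    A wrong expiry changes the recomputed value, so it surfaces as a CVC failure."""
    expected = derive_cvc(pan, expiry, CARD_ON_FILE["service_code"])
    if not hmac.compare_digest(expected, cvc):
        return "cvc_mismatch"  # hypothetical label; covers wrong CVC and wrong expiry
    return "approved"


def authorize_separating(pan, expiry, cvc):
    """Issuer that compares the expiry with its own record before the CVC check,
    so the two failures stay distinguishable."""
    if expiry != CARD_ON_FILE["expiry"]:
        return "expiry_mismatch"  # hypothetical label
    expected = derive_cvc(pan, CARD_ON_FILE["expiry"], CARD_ON_FILE["service_code"])
    if not hmac.compare_digest(expected, cvc):
        return "cvc_mismatch"
    return "approved"


def compare_issuers(expiry, cvc):
    """Return (conflating result, separating result) for one authorization attempt."""
    pan = CARD_ON_FILE["pan"]
    return authorize_conflating(pan, expiry, cvc), authorize_separating(pan, expiry, cvc)
```

Seen from the merchant side, the first issuer gives the same answer for a mistyped expiry and a mistyped CVC, which is why nothing downstream of the issuer can tell the two apart.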
