Stripe API - CVC Verification


Jaimil Prajapati

Nov 12, 2013, 2:25:12 PM11/12/13
to api-d...@lists.stripe.com
Hello,

I am in a situation where I have stored the Customer object in Stripe (which includes Stripe.js CC token).

Now, I am asking customer to re-enter only their CVC, which I want to verify against their saved token. How can I achieve this?

Thanks!

Michelle Bu

Nov 12, 2013, 2:26:39 PM11/12/13
to api-d...@lists.stripe.com
Hi Jaimil,

You can update the customer's card with the new CVC:
https://stripe.com/docs/api#update_card.
- Michelle

Jaimil Prajapati

Nov 12, 2013, 2:34:24 PM11/12/13
to api-d...@lists.stripe.com
Thanks Michelle for quick reply!

I initially had that idea, but then the CVC hits my server and I have to be PCI compliant. Can I not do this via Stripe.js?

Michelle Bu

Nov 12, 2013, 2:52:51 PM11/12/13
to api-d...@lists.stripe.com
Ah, apologies. You can't actually update CVC via the card update API.
Unfortunately, your customer will have to reenter both the card number
and the CVC details. Sorry if I'm misunderstanding, but are you just
trying to check something that your customer entered against the card
that you have stored?
- Michelle

Jaimil Prajapati

Nov 12, 2013, 2:56:53 PM11/12/13
to api-d...@lists.stripe.com
I see, Michelle. Yes, I am trying to verify CVC against stored CC. This additional CVC verification prevents usage of Credit Card, in case of account hijack. There should really be a way to verify this info, using Stripe.js, if possible...

John Obelenus

Nov 12, 2013, 3:04:01 PM11/12/13
to api-d...@lists.stripe.com
This isn't a very good method of security. There are only 720 possibilities for CVC. If they already have someone's password (a much higher amount of entropy), it won't take much effort to brute force a CVC match.

Patrick Collison

Nov 12, 2013, 3:12:06 PM11/12/13
to api-d...@lists.stripe.com
Right. On top of that, the point of the CVC is that it can't be
stored. (The idea is that even a breach of a database somewhere
shouldn't result in CVCs being leaked.) As a result, we definitely
can't provide a CVC matching API.

Jaimil Prajapati

Nov 12, 2013, 3:25:19 PM11/12/13
to api-d...@lists.stripe.com
Thank you John and Patrick for your replies.

I understand. Yes, if I access CVC via token, it will obviously open the path for others too. It is definitely better than no one gets to access this info.

Thanks for your help!

Michelle Bu

Nov 12, 2013, 3:33:13 PM11/12/13
to api-d...@lists.stripe.com
You could also consider using billing ZIP to verify a user if your
audience is mainly in Canada and the US; you can store billing address
information without running into issues.
- Michelle

Jaimil Prajapati

Nov 12, 2013, 4:18:27 PM11/12/13
to api-d...@lists.stripe.com
Hello Michelle,

Yeah, that's a great idea! Thanks! :)

Nathan LeMesurier

Nov 12, 2013, 8:32:54 PM11/12/13
to api-d...@lists.stripe.com
Actually, this use case has a place even given the limitation of not storing CVCs. For example, Apple and Amazon both occasionally ask for the CVC value when purchasing with a saved card.

- When creating or storing a new card, Stripe.js allows a CVC value to be passed along with card details and does a check on the CVC (presumably).
- Stripe.js could allow a stored card ID + CVC value to be sent and return a true/false result of the CVC check. This wouldn't necessitate storing the CVC, just merging the supplied CVC value with the stored card details referenced by the ID and re-running the CVC check.

Thus you could re-verify a stored card without the customer/user entering all of the card details again before using the API to create a charge against the card.

-Nathan

Andy Cohen

Nov 13, 2013, 12:47:39 AM11/13/13
to api-d...@lists.stripe.com
@Nathan +1. That is a great idea. Can anyone from Stripe give this a thought and comment on the logistics from your perspective? Thanks,

-Andy


Michelle Bu

Nov 13, 2013, 4:19:29 PM11/13/13
to api-d...@lists.stripe.com
Thanks for the suggestion, Nathan! It's possible from our end, so
we'll definitely look into adding this functionality.
- Michelle

Matt Button

Nov 13, 2013, 7:31:57 PM11/13/13
to api-d...@lists.stripe.com
Just out of interest, if you were to implement it, would there be some kind of rate limit per card? Just wondering if someone might be able to use it to brute force some CVCs.

Michelle Bu

Nov 13, 2013, 7:37:02 PM11/13/13
to api-d...@lists.stripe.com
Yes, if we were to implement this, there would be rate limiting in place.
- Michelle

Nathan LeMesurier

Nov 13, 2013, 7:40:38 PM11/13/13
to api-d...@lists.stripe.com
If the "attacker" already has the other card data, then you could already try and brute force the CVC using the existing store card API. And brute forcing the CVC only helps you if you have the other card data anyway.

So I would expect a CVC check method would have the same limits as storing a card.

-Nathan
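Nathan's earlier proposal (a "stored card ID + CVC" check that returns true/false without anyone storing the CVC) and the rate-limit exchange between Matt, Michelle and Nathan above describe a design rather than code. The block below is an added example, not Stripe's code and not from anyone in this thread: it simulates that proposed check with the issuer standing in as the only party that holds the CVC, a per-card failure window on the merchant/gateway side that never retains the code, and a helper that states the bound a limit of N tries per card puts on a guesser's chance of success (N/1000 for a three-digit code, which is the figure behind John's entropy objection). The class and function names (`CvcCheckService`, `max_success_probability`, `register_card`, `verify`) and the card ids are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field

# A three-digit CVC has 1000 possible values (000-999); four-digit codes have 10000.
CVC_SPACE = 1000


def max_success_probability(attempts_allowed: int, space: int = CVC_SPACE) -> float:
    """Upper bound on the chance that someone who gets `attempts_allowed` tries
    against one card hits the right code, assuming each try rules out one
    value of a uniformly distributed code. With no limit this reaches 1.0."""
    return min(1.0, attempts_allowed / space)


@dataclass
class CvcCheckService:
    """Constructed stand-in for the proposed 'stored card id + CVC -> true/false' check.

    `issuer_cvcs` plays the role of the card issuer, the only party allowed to
    know the CVC. The merchant/gateway side keeps only per-card timestamps of
    failed tries, never the code itself, so a database breach leaks no CVCs."""
    max_failures: int = 3            # failed tries allowed per card per window
    window_seconds: float = 3600.0   # window over which failures are counted
    issuer_cvcs: dict = field(default_factory=dict)   # card_id -> cvc (issuer side only)
    failures: dict = field(default_factory=dict)      # card_id -> [timestamps of failures]

    def register_card(self, card_id: str, cvc: str) -> None:
        """Simulates the issuer knowing the card's CVC (hypothetical)."""
        self.issuer_cvcs[card_id] = cvc

    def _recent_failures(self, card_id: str, now: float) -> list:
        """Drops failures older than the window and returns the live list."""
        cutoff = now - self.window_seconds
        kept = [t for t in self.failures.get(card_id, []) if t > cutoff]
        self.failures[card_id] = kept
        return kept

    def verify(self, card_id: str, cvc: str, now: float) -> str:
        """Returns 'locked', 'mismatch' or 'ok'. `now` is injected so the
        behaviour is deterministic; a real service would read the clock."""
        recent = self._recent_failures(card_id, now)
        if len(recent) >= self.max_failures:
            # Refuse even a correct code while locked, so the lock cannot be
            # used as an oracle and a hijacked session cannot slip through.
            return "locked"
        expected = self.issuer_cvcs.get(card_id)
        # An unknown card and a wrong code look the same to the caller, and the
        # comparison is constant-time so timing does not reveal matching digits.
        if expected is not None and hmac.compare_digest(expected, cvc):
            self.failures[card_id] = []   # a success clears the failure history
            return "ok"
        recent.append(now)
        return "mismatch"


if __name__ == "__main__":
    svc = CvcCheckService(max_failures=3, window_seconds=3600)
    svc.register_card("card_example_1", "123")   # constructed card id and code
    for t, guess in enumerate(["000", "001", "002", "123"]):
        print(t, guess, svc.verify("card_example_1", guess, now=t))
    print("success bound with 3 tries:", max_success_probability(3))
```

Two design points are worth noting. The lock refuses even the correct code until the window expires, otherwise the service would still answer "ok" on the right guess and the limit would only slow the search rather than cap it. And because the limit is keyed per card, someone who merely knows a card id can lock its owner out for a window; a deployment would pair this with per-requester limits and alerting on lockouts rather than rely on the per-card counter alone.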

Víctor Hernández

Oct 21, 2015, 2:41:18 PM10/21/15
to Stripe API Discussion
Hi everybody!

I have the same issue: I want to allow old users to select a previously used card only by the PAN (last4). As Nathan suggested, my idea was to only ask for the CVC and check it in Stripe with the customer id, or even creating a card object if needed. Michelle, is this feature already developed? If not, what is the proper way to do this? Because the problem is most of my users use FB or TW connect, or a quick register, so I prefer not to ask for the password.

Thanks in advance