Stripe card validation behaves differently in development vs. production

StackOverflow https://stackoverflow.com/questions/21165884

  •  28-09-2022
  •  | 
  •  

Question

I'm having a weird problem with Stripe (on Rails, but the Rails part is probably irrelevant).

When I fill out my sign-up form in production with a syntactically valid but non-working card number (e.g. 4242424242424242), I get this response when I try to create a token:

sjsonp1389885476573({
  "error": {
    "message": "Your card was declined.",
    "type": "card_error",
    "code": "card_declined"
  }
}
, 402)

When in development I use the "always returns card_declined" card number (4000000000000002), Stripe takes it as if it were perfectly good:

sjsonp1389885473743({
  "id": "tok_3JvncLYlEZ5NMF",
  "livemode": false,
  "created": 1389885584,
  "used": false,
  "object": "token",
  "type": "card",
  "card": {
    "id": "card_3Jvnr4MtIxzzd5",
    "object": "card",
    "last4": "0002",
    "type": "Visa",
    "exp_month": 2,
    "exp_year": 2020,
    "fingerprint": "dWQBpXrSXnyqoOxe",
    "customer": null,
    "country": "US",
    "name": null,
    "address_line1": null,
    "address_line2": null,
    "address_city": null,
    "address_state": null,
    "address_zip": null,
    "address_country": null,
    "address_line1_check": null,
    "address_zip_check": null,
    "cvc_check": null
  }
}
, 200)

So it seems that either this part of Stripe's API is not working as advertised or I myself am making some kind of stupid mistake or something.

I'm kind of at a loss. Any thoughts?

Was it helpful?

Solution

I can't attest to the accuracy of the following but it's the best of my understanding. Feel free to set me straight if you know better.

There are two steps that happen when a user creates an account:

  1. Tokenization. This happens via an XHR request.
  2. Account creation. This happens on the server side.

In Stripe test mode, I understand that all numbers that pass the Luhn check will get successfully tokenized, including, significantly, Stripe's special test numbers. Where the (correct) failure will happen is when the server-side account creation happens.

In Stripe live mode, I understand that all numbers that pass the Luhn check will get successfully tokenized EXCEPT Stripe's test numbers. Stripe will reject these numbers precisely because they're Stripe's test numbers.

So the best solution I can think of is to tell the client that Stripe's test numbers will always silently fail in production, and our options are to a) live with that or b) write code that will specifically catch the Stripe test numbers and present an error in production when those numbers are used.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top