Reputation: 19067
Possible to block payment through stripe-node + webhooks?
Scenario:
- I'm listening to Stripe webhook events via the Stripe Node.js library.
- My product is set up as a subscription.
- My checkout page is hosted through a payment link.
- Since payment link pages require no registration and have no CAPTCHA, they are a prime tool for card testers.
- All fraudulent transactions can be traced to a number of email domains.
- I'm not paying for Radar for Fraud Teams.
Question:
How can I leverage the webhook event listeners I'm already using to block a payment if the customer's email domain matches a domain in a block list that I maintain?
Solutions I've considered:
- Immediately delete the invoice after the
invoice.createdevent. Unfortunately, this won't work because you can't delete invoices created by subscriptions. - Cancel the PaymentIntent. I'm not sure if this is possible through payment links because I need to separate payment authorization and capture by setting
capture_method: 'manual'through the API, and I haven't found a way to configure payment links to manual capture. I need to research this more. - Expire the checkout session before it's completed. This is a promising solution, but I don't see a
checkout.session.startedwebhook event I can listen to in order to get the checkout session ID (cs_*) that is required to expire the checkout session.
Does anyone out there have a good solution to mitigate card testing headaches using Stripe payment links?
Upvotes: 0
Views: 314
Answers (1)
Reputation: 2960
Unfortunately I don't think there is a great answer for you if you are committed to using the current Stripe integration. Stripe Payment Links attempt to reduce as much friction as possible between the initial click and the processing of the payment. That being said, Stripe uses a large number of tools to monitor and prevent card testing by default so you may be better protected than you expect.
That being said, if you want to prevent payment based on email domain you may need to either pay for Radar and write your own custom rules or switch to collecting customer email as part of some authentication system in your own integration.
Fundamentally, to implement your own block/validation you need to either use the Stripe functionality (i.e. Radar) or collect the customer email at some point where you have control. For the initial subscription sign-up the first invoice is automatically generated and finalized and the payment attempted before you have a chance to intervene.
Upvotes: 0
Related Questions
- Is it possible to create a Stripe invoice for payment using previously created PaymentIntent with pre-authorization
- Pay using the customer's saved payment method in Stripe Elements
- How to emulate stripe requires capture event for webhooks?
- Stripe : No card attached to customer after a checkout session payment
- Stripe Checkout: Avoid creating new customer for every payment
- Stripe: handle multiple Webhooks
- STRIPE API Payment Intent incomplete payment
- Stripe payment incomplete - missing customer payment method