How to Block Prepaid Cards with Stripe.js Card Tokens

Posted by alex on May 26, 2019

When integrating an application payment flow with Stripe, the recommended method is to use Stripe.js to handle all of the frontend logic and limit your application's PCI scope. Stripe.js limits that scope by tokenizing the credit card; your application then uses the token for any server-side API calls to Stripe, so it never handles the full credit card data itself.

Stripe also has a great tool, Radar, that allows you to build your own custom rules for how to handle cards and help block fraudulent charges.

Upon further inspection and experience using Radar, I found that Radar rules are only applied when making a charge but are not applied when customers are managing the cards in their account. Thus, if you have a payment flow that is postpaid (i.e., a taxi ride), the customer could have a card in their account that has a high probability of declining, such as a prepaid card.

In my case, I needed to block prepaid credit cards from being added to customer accounts so that my application would not consider the customer as having a valid payment method, allowing them to consume services that would probably be uncollectable in the future when payment collection is attempted.

How to block prepaid cards when using Stripe.js Card Tokens

Stripe.js creates a card token that your application uses for server-side processing and integration with the Stripe API. To know whether the card is prepaid, we can query the Stripe API and check the funding type of the card before sending it to Stripe as a payment method on the customer's account.

Retrieve the token data from Stripe

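import stripe

stripe.api_key = "sk_test_..."  # placeholder: your Stripe secret key

# `token` is the card token ID (tok_...) that Stripe.js returned to the frontend
token_data = stripe.Token.retrieve(token)
print(token_data)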

Example Token Data

{
  "card": {
    "address_city": "Somewhere",
    "address_country": "US",
    "address_line1": "Test Pl W",
    "address_line1_check": null,
    "address_line2": null,
    "address_state": "CA",
    "address_zip": "90210",
    "address_zip_check": null,
    "brand": "MasterCard",
    "country": "US",
    "customer": null,
    "cvc_check": null,
    "dynamic_last4": null,
    "exp_month": 8,
    "exp_year": 2023,
    "fingerprint": "UUwe81ikWgLkbPpj",
    "funding": "prepaid",
    "id": "card_1Edv9DB45AjajgJfOqsxaq7w",
    "last4": "5100",
    "metadata": {},
    "name": "John Snow",
    "object": "card",
    "tokenization_method": null,
    "type": "MasterCard"
  },
  "client_ip": "171.101.36.48",
  "created": 1558772555,
  "id": "tok_1Edv9DB45AjajgJfLazHYXaj",
  "livemode": false,
  "object": "token",
  "type": "card",
  "used": false
}

Add Logic to Check for Card Funding Type

Now that we know we can retrieve the token data, we can create a function that accepts the Stripe.js token and tests whether the card is prepaid. This function can then easily be included in the application logic that creates payment methods in your Stripe account.

import stripe


def prepaid_card_funding(token):
    """Return True if the card behind the Stripe.js token is prepaid."""
    # Retrieve the token server-side so the funding type comes from Stripe
    token_data = stripe.Token.retrieve(token)
    # The token object supports dict-style access, so no JSON round trip is needed
    return token_data['card']['funding'] == 'prepaid'

With this, you can now block prepaid cards from being added as payment methods to customer accounts, which will prevent future payment collection issues due to prepaid cards not having any funds.
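A fail-closed variant of the check above, shown as an added example that is not part of the original post. It goes beyond the prepaid test by using an allow-list, so "unknown" funding, a missing funding value, and non-card tokens are rejected before anything is attached. Assumptions: the `ALLOWED_FUNDING` policy, the `CardRejected` exception, the `retrieve`/`attach` injection points, the customer ID `cus_example` and the sample tokens are all hypothetical or constructed.

```python
# Assumption: the policy accepts only these funding types. An allow-list also
# rejects "unknown" and missing values, which an `== "prepaid"` test lets through.
ALLOWED_FUNDING = {"credit", "debit"}


class CardRejected(Exception):
    """Raised when a token must not become a stored payment method."""


def check_token(token_data):
    """Return the funding type if the token passes policy, else raise."""
    card = token_data.get("card")
    if token_data.get("type") != "card" or not card:
        raise CardRejected("token does not describe a card")
    funding = card.get("funding")
    if funding not in ALLOWED_FUNDING:
        raise CardRejected(f"funding type {funding!r} is not accepted")
    return funding


def add_card(customer_id, token_id, retrieve, attach):
    """Check the token server-side, then attach it to the customer."""
    # `retrieve`/`attach` are hypothetical injection points; in production they
    # wrap stripe.Token.retrieve and your code that saves the card on the customer.
    funding = check_token(retrieve(token_id))
    attach(customer_id, token_id)  # reached only when the check passed
    return funding


# Constructed sample tokens, reduced to the fields the check reads.
SAMPLE_TOKENS = {
    "tok_prepaid": {"type": "card", "card": {"funding": "prepaid"}},
    "tok_credit": {"type": "card", "card": {"funding": "credit"}},
    "tok_unknown": {"type": "card", "card": {"funding": "unknown"}},
    "tok_bank": {"type": "bank_account"},
}


def demo():
    """Run each sample token through add_card; return results and attachments."""
    attached, results = [], {}
    for token_id in SAMPLE_TOKENS:
        try:
            results[token_id] = add_card(
                "cus_example", token_id, SAMPLE_TOKENS.__getitem__,
                lambda cust, tok: attached.append((cust, tok)))
        except CardRejected as exc:
            results[token_id] = f"rejected: {exc}"
    return results, attached
```

Catching `CardRejected` in the request handler lets the application tell the customer to use a different card without the rejected token ever becoming a stored payment method.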