I just had a customer who accidentally put in a valid credit card, but a wrong security code (or some other cc info) and pressed purchase though my Square checkout URL. My server then received a successful purchase order from Square via webhooks. I checked my Square account order history and there was no sign of a recent order. I just had to go through support and manually debug this. Please fix this issue with webhooks as it is a major exploit and can cause accounts to be generated in my application automatically without a valid order purchase.
What was the payload of the webhook? Failed payment will generate a payment.created webhook event and it will contain the details of the failed payment. 
Yes I am using payment.created. I did not realize this. Thank you for a quick response! I also changed the title of the post to not cause any panic for other forum users.
1 Like