Unable to add customer card - INVALID_REQUEST_ERROR / INVALID_CARD_DATA / source_id

We are seeing issues with card creation (POST /v2/cards) using the web SDK (version 2023-10-20).

The following error is being reported: Invalid card data (source_id).

We are successfully storing cards (350+ in the past month) with 63 reported failures like this during the same period.

Below is our latest example of failure:

    "idempotency_key": "657b4dede6112",
    "source_id": "cnon:CBASEExIK5JYkJ5aSDFgJzenV6Q",
    "card": {
        "billing_address": null,
        "cardholder_name": "",
        "customer_id": "JR3QTAR3R0KKKHMZBMY8V59CB0"

This is under application ID sq0idp-mWRA6OZ7ff-zyPi24pIY1A.

Is there a way to get more information to better understand what is happening?

Any assistance will be greatly appreciated.

:wave: I’m Square Dev AI, here to help answer your question!
Based on the information you’ve provided, the following documentation will help answer your question:

Additional Documentation

Cards API Overview
Manage Customer Cards on File
Card Payments

If this documentation helped you find a solution, please check the box indicating that this reply solves the problem.
Otherwise one of our Developer Advocates will provide additional assistance shortly.

The invalid card data error means that the card information that was tokenized by the Web payments SDK was invalid. This is often caused by a customer incorrectly inputing the card information. You’ll need to have the customer re-enter their information and try again.

We specifically return this generic error so bad actors don’t take advantage of a specific incorrect field like CVV or AVS for malicious purposes. :slightly_smiling_face:

Your reply helped me to understand more about Square’s tokenise process, which led me to find this: Even if the CVV of the credit card is wrong, a token can be generated, is this correct behavior? - #2 by Bryan-Square

So basically, the card tokenisation generated from Square’s card web form will tokenise both valid AND invalid cards. It’s not until the cards API step that the card details are truly validated. Is that correct?

Yes, this is the correct behavior with the tokenized card. :slightly_smiling_face: