Web Payments SDK Security Exposure

I believe there is a security exposure in the Web Payments SDK.

In Australia, merchants are permitted to add a credit/debit card surcharge to cover the costs of processing the payment. This surcharge may vary by card brand.

With the Web Payments SDK widget, we can get the card brand from the tokenize result. However, the only way for the server to determine the card brand is by passing the value as a parameter along with the card token. At the server end, there’s no way to validate that the card brand received is the correct value for the card token.

In other words, a malicious user could alter the card brand that is posted to the server, thus obtaining a lower or zero surcharge, and there’s no way for the server to prevent this from happening.

:wave: I’m Square Dev AI, here to help answer your question!
Based on the information you’ve provided, the following documentation will help answer your question:

Additional Documentation

Cards API
Payment API: Process Online and In-Person Payments

If this documentation helped you find a solution, please check the box indicating that this reply solves the problem.
Otherwise one of our Developer Advocates will provide additional assistance shortly.

With Square we don’t charge fees based on the card brand. In Australia we have set fees of 1.6% for card present payments and 2.2% for card not present payments. So there’s no need to look for the card brand when calculating the surcharge fees to pass to the customer. :slightly_smiling_face:
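Added example (not code from the thread, from Square’s SDK or from Square’s documentation): a minimal Node.js surcharge calculation in two versions. The first trusts the card brand posted by the browser alongside the token, which is the exposure described in the opening post; the second derives the surcharge only from facts the server already knows (the flat card-present / card-not-present rates quoted above, and the order amount from its own records), so the posted brand is never read. The brand-based rate table, order store, field names and `buildPaymentRequest` helper are all assumptions made for illustration; the request bodies are constructed inline.

```javascript
// Added example, not from the thread or from Square. Shows (1) a surcharge
// handler that trusts a client-posted card brand, and (2) a hardened handler
// that computes the surcharge from server-side data only. No network I/O.

// ---- (1) Vulnerable: rate chosen by whatever brand the browser posted ----
// Hypothetical brand-based surcharge table, in basis points (assumed values).
const BRAND_SURCHARGE_BP = { VISA: 100, MASTERCARD: 100, AMERICAN_EXPRESS: 250 };

function surchargeFromPostedBrand(body) {
  // body.cardBrand and body.amountCents both come straight from the client.
  // An attacker can post a cheaper brand, or an unknown one to get rate 0.
  const bp = BRAND_SURCHARGE_BP[body.cardBrand] ?? 0;
  return Math.round((body.amountCents * bp) / 10000);
}

// ---- (2) Hardened: rate keyed by channel, amount from the server's order ----
// Flat rates quoted by Square for Australia: 1.6% card-present, 2.2% card-not-present.
const CHANNEL_SURCHARGE_BP = { CARD_PRESENT: 160, CARD_NOT_PRESENT: 220 };

// Constructed sample order store; in a real service this is the merchant's
// own database, populated before the payment form is ever shown.
const ORDERS = new Map([["order-123", { amountCents: 10000 }]]);

function surchargeForChannel(amountCents, channel) {
  const bp = CHANNEL_SURCHARGE_BP[channel];
  if (bp === undefined) throw new Error(`unknown channel: ${channel}`);
  if (!Number.isInteger(amountCents) || amountCents < 0) throw new Error("bad amount");
  return Math.round((amountCents * bp) / 10000);
}

// Only two things are accepted from the client: the card token produced by
// the Web Payments SDK and an order id. The channel is fixed by the endpoint
// (a browser checkout is always card-not-present), so nothing in the body
// can move the rate. A cardBrand field, if present, is deliberately ignored.
function buildPaymentRequest(body, channel = "CARD_NOT_PRESENT") {
  if (typeof body.sourceId !== "string" || body.sourceId.length === 0) {
    throw new Error("missing card token");
  }
  const order = ORDERS.get(body.orderId);
  if (!order) throw new Error("unknown order");
  const surchargeCents = surchargeForChannel(order.amountCents, channel);
  return {
    sourceId: body.sourceId,
    surchargeCents,
    totalCents: order.amountCents + surchargeCents,
    currency: "AUD",
  };
}

// Side-by-side demonstration on constructed requests: an honest Amex payment,
// the same payment with the brand field rewritten, and one with a bogus brand.
function demonstrateTamper() {
  const honest = { orderId: "order-123", sourceId: "cnon-example", amountCents: 10000, cardBrand: "AMERICAN_EXPRESS" };
  const tampered = { ...honest, cardBrand: "VISA" };
  const bogus = { ...honest, cardBrand: "NOT_A_BRAND" };
  return {
    vulnerable: [honest, tampered, bogus].map(surchargeFromPostedBrand),   // [250, 100, 0]
    hardened: [honest, tampered, bogus].map((b) => buildPaymentRequest(b).surchargeCents), // [220, 220, 220]
  };
}
```

The hardened version does not try to validate the posted brand; it removes the brand from the server’s inputs altogether, which is the only reliable fix when the server cannot verify a client-supplied value. The same reasoning applies to the amount: it is taken from the server-side order record, not from the request body, so the posted `amountCents` is as irrelevant as the posted brand.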

Hello @spiffybrian,
You’ve identified a significant security consideration! Given that the current setup in the Web Payments SDK doesn’t allow server-side validation of the card brand tied to the card token, a potential workaround could be to implement additional validation steps on the client-side or use another form of verification.

Has anyone found an alternative method to ensure accurate card brand validation in a similar setup?

Would you like more in-depth exploration into potential solutions?

Best Regards,
James Henry