In order to maintain transaction security, Stripe requires that merchants collect card verification codes, or CVCs, from customers when collecting card details on a client-side surface using a Publishable Key. This requirement excludes cases where such collection isn’t possible, like digital wallets (Link, Apple Pay, Google Pay, etc.) and card details collected in person using Terminal. Cards collected client-side without a CVC will result in an API error if you attempt to charge them. In order to comply with this requirement, we recommend one of the following integration patterns to securely collect cards details:

1. Using one of our pre-built hosted surfaces for an optimized checkout experience that will automatically collect all required details from cardholders.
2. If you’re using Stripe.js, we recommend using the card Element to collect complete card details from buyers. If you need to use the cardNumber Element, however, you must use the cardCvc Element to collect CVC as well.
3. If you’ve built your own frontend which collects card details and then passes them to the Stripe API using your publishable key, you must collect the CVC on your frontend and pass it to the Stripe API along with other card details like the card number and expiry date.

If you have any questions about the above options or notice another use case where you cannot collect CVCs, please reach out to Stripe support.