What does the "Charge 403 PCI keys" error mean?

When you see a Charge 403 PCI keys error, it means your payment form is configured in an invalid state, and Charge is rejecting the request for your own safety and PCI compliance.

The full message shown to non-admin users is the following:

This request is invalid. Please contact the site admin, quoting the code - "Charge 403 PCI keys"

Alternatively, if the user is logged in as an admin at the time, they'll see this message:

Invalid Request, code "Charge 403 PCI keys". The request included a forbidden input. For PCI compliance card details must never be passed to the server directly, and must first be tokenized via javascript. Please consult the usage documentation for Charge. The invalid key was : ...

The possible error keys are cardNumber, cardCvc, and cardCvv.

This response is part of a safety and security mechanism within Charge that's designed to protect your account, and keep you within full PCI compliance requirements.


Cause

This error is thrown when a payment form with inputs named cardNumber, cardCvc, or cardCvv is submitted.

You must never submit those values to your server. Stripe is designed to take those values and create a tokenised version of them, which is what should be submitted instead.

The JavaScript in jquery.charge.js will handle the tokenisation for you, based on inputs with data-stripe=".." attributes.


Solution

Fixing the error is very simple.

Just make sure your card number and cvc inputs do not have a name attribute. Browsers only submit form inputs that have a name, so without one the values never reach your server.

Incorrect Setup

<input type="text" name="cardNumber" data-stripe="number" placeholder="•••• •••• •••• ••••"/>
<input type="text" name="cardCvc" data-stripe="cvc" placeholder="•••"/>

Correct Setup

To correct the setup, remove the name attributes on the card number and cvc inputs, like this:

<input type="text" data-stripe="number" placeholder="•••• •••• •••• ••••"/>
<input type="text" data-stripe="cvc" placeholder="•••"/>
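
To catch this before a form goes live, the check below scans template markup for the setup described above. It is an added example, not part of Charge or jquery.charge.js: the function names, rule labels and the extra sample inputs (cc, customerEmail) are hypothetical. It goes slightly beyond the three keys Charge rejects by also flagging any named input that carries data-stripe="number" or data-stripe="cvc".

```javascript
// Added example: lint form markup for the setup that triggers "Charge 403 PCI keys".
// Key names and data-stripe values are from the page; function names are hypothetical.
const FORBIDDEN_NAMES = ['cardNumber', 'cardCvc', 'cardCvv'];
const SENSITIVE_STRIPE_FIELDS = ['number', 'cvc'];

// Parse one <input ...> tag into { attributeName: value }.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\b/i, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per input that would send card data to the server.
function lintPaymentForm(html) {
  const findings = [];
  const tags = html.match(/<input\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi) || [];
  for (const tag of tags) {
    const attrs = parseAttributes(tag);
    const name = attrs.name || ''; // an input with an empty name is never submitted
    if (FORBIDDEN_NAMES.includes(name)) {
      findings.push({ rule: 'forbidden-key', name });
    } else if (name && SENSITIVE_STRIPE_FIELDS.includes(attrs['data-stripe'])) {
      findings.push({ rule: 'named-card-input', name });
    }
  }
  return findings;
}

// Constructed sample markup: the page's two setups plus two extra inputs.
const incorrectForm = `
  <input type="text" name="cardNumber" data-stripe="number" placeholder="•••• •••• •••• ••••"/>
  <input type="text" name="cardCvc" data-stripe="cvc" placeholder="•••"/>
  <input type="text" name="cc" data-stripe="number"/>
  <input type="email" name="customerEmail"/>`;
const correctForm = `
  <input type="text" data-stripe="number" placeholder="•••• •••• •••• ••••"/>
  <input type="text" data-stripe="cvc" placeholder="•••"/>
  <input type="email" name="customerEmail"/>`;

console.log(lintPaymentForm(incorrectForm));
console.log(lintPaymentForm(correctForm));
```

A forbidden-key finding corresponds to a request Charge would reject with the 403; a named-card-input finding would not trigger the 403 but would still send the card value to your server.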