DOCUMENTATION

Evidence Vault for Stripe

Complete setup and integration guide

Getting Started

1. Install the App

Install CertNode Evidence Vault from the Stripe App Marketplace. The app adds three views to your Stripe Dashboard:

  • Home Overview: Dashboard stats, billing preview, recent evidence
  • Payment Detail: Per-payment evidence checklist on each payment page
  • Settings: Enable/disable collection, setup status, pricing info

2. Enable Evidence Collection

Navigate to the Evidence Vault settings page in your Stripe Dashboard and toggle “Enable Evidence Collection” on. Evidence capture begins immediately on all new successful payments.

3. Add collect.js (Recommended)

For the full evidence stack, add the collect.js script to your checkout page. This captures device fingerprint and IP address, data that Stripe does not include in payment events. One line, no wiring — it passively associates the signal with the payment for you.

<script src="https://certnode.io/collect.js"></script>

Place this before your Stripe Elements or Checkout code. It runs silently with no visible UI.

collect.js Integration

What It Collects

  • Device fingerprint: canvas, WebGL, screen resolution, timezone, installed fonts, audio context
  • IP address: resolved server-side at collection time

How It Works (one line, no wiring)

Drop the single script tag on your checkout page and you're done. collect.js generates a device fingerprint hash, then passively watches your Stripe.js calls (it never modifies them), sees the PaymentIntent / PaymentMethod id, and securely sends the device + IP signal to CertNode. The Vault webhook joins it to the payment at capture time and stores it alongside 3DS/AVS/CVC data. No metadata wiring required.

<script src="https://certnode.io/collect.js"></script>

Place it on the page before your Stripe Elements or Checkout code. Works with Stripe Elements, Checkout (redirect), and server-created PaymentIntents alike.

Advanced: attach metadata yourself (classic fallback)

Optional. If you create PaymentIntents fully server-side and would rather attach the signal to the PaymentIntent directly, the classic API still works and takes precedence over the passive path:

<!-- collect.js is already on the page -->
<script>
  // Top-level await is a syntax error in a classic script, so wrap it in an async function
  (async () => {
    const md = await new Promise((r) => CertNode.onReady(r));
    // → { device_fingerprint, ip_address, certnode_collected_at }
    // Pass md to your server and set it as PaymentIntent metadata
  })();
</script>
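
A server-side check for the fallback above, as an added example (not CertNode's or Stripe's code): because `md` reaches your server from the browser, it allow-lists the three fields shown above and enforces Stripe's 500-character metadata value limit before anything is set on a PaymentIntent. The function names and sample values are assumptions; the page does not document the value formats, so only generic checks are applied.

```javascript
// Added example, not CertNode or Stripe code. Field names are from the page;
// value formats are not documented there, so only generic checks are applied.
const ALLOWED_KEYS = ['device_fingerprint', 'ip_address', 'certnode_collected_at'];
const MAX_VALUE_LEN = 500; // Stripe's limit for one metadata value, in characters

function isIpLiteral(s) {
  // IPv4: four decimal octets 0-255, no leading zeros.
  const octet = '(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
  if (new RegExp(`^${octet}(\\.${octet}){3}$`).test(s)) return true;
  // IPv6: restrict the alphabet first, then let the URL parser check the literal.
  if (!/^[0-9a-fA-F:.]{2,45}$/.test(s) || !s.includes(':')) return false;
  try { new URL(`http://[${s}]/`); return true; } catch { return false; }
}

function checkValue(key, raw) {
  // Returns an error string, or null when the value is acceptable.
  const isNum = typeof raw === 'number' && Number.isFinite(raw);
  if (typeof raw !== 'string' && !isNum) return `${key}: not a string or number`;
  const value = String(raw);
  if (value.length === 0 || value.length > MAX_VALUE_LEN) return `${key}: bad length`;
  if (/[\u0000-\u001f\u007f]/.test(value)) return `${key}: control characters`;
  if (key === 'ip_address' && !isIpLiteral(value)) return `${key}: not an IP literal`;
  return null;
}

// Hypothetical helper: call it on the JSON body your checkout page posts.
function sanitizeCertnodeMetadata(input) {
  const result = { ok: false, errors: [], dropped: [], metadata: {} };
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    result.errors.push('payload is not an object');
    return result;
  }
  for (const key of ALLOWED_KEYS) {
    const present = Object.prototype.hasOwnProperty.call(input, key);
    const error = present ? checkValue(key, input[key]) : `${key}: missing`;
    if (error) result.errors.push(error);
    else result.metadata[key] = String(input[key]);
  }
  // Anything outside the allow-list never reaches Stripe.
  result.dropped = Object.keys(input).filter((k) => !ALLOWED_KEYS.includes(k));
  result.ok = result.errors.length === 0;
  return result;
}
```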

Evidence Data Captured

Data Point | Source | Dispute Value
3D Secure | Stripe (automatic) | Proves cardholder authenticated. Near-automatic win for fraud disputes.
AVS | Stripe (automatic) | Billing address matched card records.
CVC | Stripe (automatic) | Card verification code correct, card was present.
Device Fingerprint | collect.js | Ties purchase to specific device. Matches prior legitimate purchases.
IP Address | collect.js | Geographic consistency with billing address.
RFC 3161 Timestamp | CertNode (automatic) | Independent proof that evidence existed at payment time, before any dispute.

Pricing

  • Monthly fee: $0
  • Per-transaction fee: $0.03 per captured transaction ($0.02 for Reflex users, 33% discount)
  • Monthly minimum: $5/month. Waived if zero transactions are captured in the billing period.
  • Billing cycle: Monthly invoices generated on the 1st for the previous month's usage.

Example: 1,000 payments captured × $0.03 = $30.00/month. With Reflex bundle: 1,000 × $0.02 = $20.00/month.

Data Retention

Our retention policy is 13 months from the date of capture. This covers the full chargeback window for all major card networks:

  • Visa: 120 days from transaction date
  • Mastercard: 120 days from transaction date
  • American Express: 120 days from transaction date
  • Discover: 120 days from transaction date

Beyond the 13-month policy window, evidence data is eligible for deletion on request. RFC 3161 timestamp tokens are retained indefinitely as they contain no PII. To request deletion of evidence for your account, contact support@certnode.io.

Privacy & Compliance

Evidence Vault collects only data necessary for payment fraud prevention, a legitimate interest under GDPR Article 6(1)(f) and similar regulations.

What we store: Authentication results (3DS, AVS, CVC), device fingerprint hash (not raw signals), IP address, card brand/last4/country, risk level.

What we do NOT store: Full card numbers, customer names, email addresses, billing addresses, or any data beyond what is needed for chargeback defense.

Device fingerprints are stored only as a non-reversible hash, used for matching purposes. The raw browser signals (canvas, WebGL, fonts) are never stored.

For full details, see our Privacy Policy.