ACME Security for Online Sales

In order to provide card fraud management for online/B2C (consumer) ticket sales, ACME requires that any checkout originating in a consumer browser integrate Google's reCAPTCHA library, which reads cookies, monitors the customer's behavior and returns a score from 0 to 1 indicating how likely it is that this is a real person. We are using Invisible reCAPTCHA v3.

ACME has two main checkout APIs: v3/b2c/checkout, which is called from the server with a private key; and our CORS (cross-origin) API, which is called from the browser with a public key. In the server integration scenario, the integrator must obtain the reCAPTCHA token via Google's JavaScript in the browser, pass it to their own server and then relay it into our API. In the CORS scenario, the browser calls our API directly with the token.

This is called "invisible" reCAPTCHA because no additional clicks or other steps are required of a valid visitor. By default, reCAPTCHA obstructs high-volume "scripted" order attempts placed to guess credit card credentials: it blocks traffic that attempts to bypass a hosted ticketing page while allowing orders placed through the hosted ticketing page.

reCAPTCHA Settings

We embed Google's JavaScript on our checkout page with a key that generates a token, which we pass as part of the checkout. The JavaScript that Google provides reads cookies and monitors behavior while a customer is on that page, and reports this back to Google, which associates it with the token. The user does not have to click pictures or enter text; the only UI is a small Google reCAPTCHA logo.

When someone completes an order, ACME calls Google with a private key and that token, and Google assigns a score indicating how likely it is that the session was a human rather than a bot. Currently we have set a very low threshold, and all sessions that pass are able to complete checkout. The vast majority of ACME sessions receive a passing score, though some guests may be blocked. We recommend the following troubleshooting steps; alternatively, staff can complete the order on the client's behalf in Backoffice or via the POS:

  1. Try purchasing on another browser, such as Google Chrome

  2. If that is not desired, try clearing cookies and website history from Safari

  3. Review any blockers that may be enabled on the browser and disable them if not needed.

You can use the following variable in your Backoffice Theme to customize the message guests see when reCAPTCHA fails. Standard wording is included below:

"checkout-process-recaptcha-message": "Your order cannot be completed at this time. Please call us for assistance."
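The server-side step described above (sending the token to Google, reading the score and deciding whether checkout proceeds) is shown below as an added example. It is not ACME's or Google's code. The request shape and the response fields (`success`, `score`, `action`, `challenge_ts`, `hostname`, `error-codes`) are those of Google's siteverify endpoint; the threshold value, the expected action name, the expected hostname, the token age limit and the sample responses are assumptions constructed for this example. Besides the score, it checks the action, the hostname and the token's age, which is what a reviewer would want to see in an integrator's own checkout page before it relays the token.

```javascript
// Added example, not ACME's or Google's code: server-side handling of a
// reCAPTCHA v3 verification result for a checkout. Response field names are
// those of Google's siteverify endpoint; threshold, expected action/hostname,
// token age limit and sample data are assumptions for this example.

const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";
const PASS_THRESHOLD = 0.3;                      // assumption: the page only says "very low"
const TOKEN_MAX_AGE_SEC = 120;                   // assumption: reject tokens older than this
const EXPECTED_ACTION = "checkout";              // assumption: action name given to grecaptcha.execute
const EXPECTED_HOSTNAME = "tickets.example.com"; // assumption: host serving the hosted ticketing page
const GUEST_MESSAGE = "Your order cannot be completed at this time. Please call us for assistance.";

// Build the form-encoded POST body siteverify expects. The secret stays on the
// server; only the token travels through the browser.
function buildSiteverifyRequest(secret, token, remoteIp) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  return { url: SITEVERIFY_URL, method: "POST", body: body.toString() };
}

// Decide whether a parsed siteverify response lets the checkout proceed.
// `reason` is for server logs; `guestMessage` is what the shopper sees.
// `now` is injected so the freshness check is deterministic.
function decideCheckout(result, now) {
  const deny = (reason) => ({ allow: false, reason, guestMessage: GUEST_MESSAGE });

  if (!result || result.success !== true) {
    const codes = (result && result["error-codes"]) || [];
    return deny(`verification failed: ${codes.join(",") || "unknown"}`);
  }
  // The token is bound to the action the page requested; a different action
  // means it was minted for another flow.
  if (result.action !== EXPECTED_ACTION) return deny(`action mismatch: ${result.action}`);
  // hostname is where Google saw the token generated, not where it was submitted.
  if (result.hostname !== EXPECTED_HOSTNAME) return deny(`hostname mismatch: ${result.hostname}`);
  // Reject stale tokens instead of relying only on Google's own expiry.
  const issued = Date.parse(result.challenge_ts);
  if (Number.isNaN(issued) || (now.getTime() - issued) / 1000 > TOKEN_MAX_AGE_SEC) {
    return deny("token timestamp missing or too old");
  }
  if (typeof result.score !== "number" || result.score < PASS_THRESHOLD) {
    return deny(`score ${result.score} below threshold ${PASS_THRESHOLD}`);
  }
  return { allow: true, reason: `score ${result.score}`, guestMessage: null };
}

// Constructed sample responses in the shape siteverify returns, evaluated
// against a fixed reference time.
const NOW = new Date("2024-01-01T12:00:00Z");
const fresh = { success: true, score: 0.9, action: "checkout",
                challenge_ts: "2024-01-01T11:59:30Z", hostname: "tickets.example.com" };
const SAMPLES = {
  human:       fresh,
  lowScore:    { ...fresh, score: 0.1 },
  wrongAction: { ...fresh, action: "login" },
  wrongHost:   { ...fresh, hostname: "other.example.net" },
  stale:       { ...fresh, challenge_ts: "2024-01-01T11:00:00Z" },
  invalid:     { success: false, "error-codes": ["invalid-input-response"] },
};

// Map each sample to the allow/deny decision it produces.
function summarizeSamples(now = NOW) {
  const out = {};
  for (const [name, sample] of Object.entries(SAMPLES)) {
    out[name] = decideCheckout(sample, now).allow;
  }
  return out;
}

console.log(summarizeSamples());
```

The guest-facing text is deliberately the same for every denial and matches the Backoffice Theme message above; the specific reason goes only to server logs, so a blocked session learns nothing about which check failed.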

Custom API Online Checkout

If you host your own Online Checkout page that communicates with ACME via API, please refer to the Preventing B2C Credit Card Phishing Attacks documentation.

ACME uses other security measures for Online Checkout traffic, including:

  •  Blocking a user who submits 5 checkout requests in 3 minutes. This block lasts no more than 10 minutes, and the user sees the error message "We are unable to complete your order. Please try again."
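The rate limit described in that bullet, written out as an added example rather than ACME's own implementation: a per-client sliding window that counts checkout requests over 3 minutes and, once the count reaches 5, blocks the client for 10 minutes with the stated message. The client key (a session id here), the in-memory store and the choice that the fifth request itself is the first one rejected are assumptions for this example; the page does not say which side of the limit is blocked, and a production deployment would keep the counters in a store shared across servers.

```javascript
// Added example, not ACME's code: sliding-window checkout throttle implementing
// "5 requests in 3 minutes trips a block of no more than 10 minutes".
// The client key, the in-memory maps and the fixed 10-minute block length are
// assumptions for this example.

const WINDOW_MS = 3 * 60 * 1000;   // 3 minutes (from the page)
const MAX_REQUESTS = 5;            // 5 checkout requests (from the page)
const BLOCK_MS = 10 * 60 * 1000;   // page says "no more than 10 minutes"; fixed at 10 here
const BLOCK_MESSAGE = "We are unable to complete your order. Please try again.";

class CheckoutThrottle {
  constructor() {
    this.history = new Map();      // clientKey -> timestamps (ms) of recent checkout requests
    this.blockedUntil = new Map(); // clientKey -> ms at which the block lifts
  }

  // Record one checkout request from clientKey at nowMs and say whether to process it.
  // nowMs is injected so the behaviour is deterministic and testable.
  checkout(clientKey, nowMs) {
    const until = this.blockedUntil.get(clientKey);
    if (until !== undefined) {
      if (nowMs < until) {
        return { allowed: false, message: BLOCK_MESSAGE, retryAfterMs: until - nowMs };
      }
      // Block has expired: clear it and start counting afresh.
      this.blockedUntil.delete(clientKey);
      this.history.delete(clientKey);
    }

    // Keep only requests inside the sliding window, then add this one.
    const recent = (this.history.get(clientKey) || []).filter((t) => nowMs - t < WINDOW_MS);
    recent.push(nowMs);
    this.history.set(clientKey, recent);

    if (recent.length >= MAX_REQUESTS) {
      // Fifth request inside the window: start the block and reject this request.
      this.blockedUntil.set(clientKey, nowMs + BLOCK_MS);
      return { allowed: false, message: BLOCK_MESSAGE, retryAfterMs: BLOCK_MS };
    }
    return { allowed: true };
  }
}

// Constructed scenario: one session submits checkout requests at the given
// offsets (in seconds); returns the allow/deny decision for each.
function runScenario(offsetsSec) {
  const throttle = new CheckoutThrottle();
  return offsetsSec.map((s) => throttle.checkout("session-constructed-1", s * 1000).allowed);
}

// Five rapid attempts: the fifth trips the block, the sixth is still blocked,
// and an attempt ten minutes after the block began is allowed again.
console.log(runScenario([0, 10, 20, 30, 40, 50, 640]));
// Five attempts spread a minute apart never have five inside one 3-minute window.
console.log(runScenario([0, 60, 120, 180, 240]));
```

Legitimate shoppers who mistype a card number a couple of times stay well under the limit, while a script cycling through card numbers hits it within seconds; the `retryAfterMs` value is there for operators and logging, not for the guest-facing message, which stays generic.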