ACME Security for Online Sales
To provide card fraud management for B2C (consumer) online ticket sales, ACME requires that any checkout originating in a consumer browser integrate Google’s reCaptcha library. The library reads cookies, monitors the customer’s behavior, and returns a score from 0 to 1 indicating how likely it is that the visitor is a real person. We are using Invisible reCaptcha V3.
Note that we have two main checkout APIs: our v3/b2c/checkout API, which is called from the server with a private key, and our CORS (cross-origin) API, which is called from the browser with a public key. In the server integration scenario, the integrator must originate the reCaptcha token via the Google JS in the browser, pass it to their server, and then relay it into our API. In the CORS scenario, the browser calls our API directly with the token.
This is called “invisible” reCaptcha because no additional clicks or other steps are required of any valid visitor. By default, reCaptcha obstructs high-volume “scripted” order attempts placed to guess credit card credentials. reCaptcha simply blocks traffic that attempts to bypass a hosted ticketing page, while allowing orders that are placed through the hosted ticketing page.
When someone completes an order, ACME sends the token to Google along with our private key, and Google tells us how likely it is that the visitor was a human rather than a bot. Currently the threshold is set to 0, so any checkout that has gone through reCaptcha will pass (every customer going through the browser should pass).
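The server-side verification step described above, as an added example that is not ACME’s or Google’s own code: the token relayed from the browser is posted to Google’s siteverify endpoint with the private key, and the response is evaluated against a score threshold (0 here, matching the current setting), plus optional action and hostname checks. The `fetchImpl` parameter and the threshold, action and hostname values are assumptions for illustration.

```javascript
// Added example (not ACME's or Google's own code). Google's siteverify endpoint
// and its response fields (success, score, action, hostname) are real; the
// injectable fetchImpl and the sample policy values are assumptions.
const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// Decide whether a siteverify result should let a checkout proceed.
// A threshold of 0 (the current setting) passes every token Google reports as
// valid; raising it rejects low-scoring, bot-like traffic. Tokens that fail
// `success` (expired, reused or forged) are rejected regardless of threshold.
function evaluateRecaptcha(result, { threshold = 0, expectedAction, expectedHostname } = {}) {
  if (!result || result.success !== true) {
    return { allow: false, reason: "token invalid or expired" };
  }
  if (expectedAction && result.action !== expectedAction) {
    return { allow: false, reason: "token issued for a different action" };
  }
  if (expectedHostname && result.hostname !== expectedHostname) {
    return { allow: false, reason: "token issued for a different site" };
  }
  if (typeof result.score !== "number" || result.score < threshold) {
    return { allow: false, reason: "score below threshold" };
  }
  return { allow: true, reason: "ok" };
}

// Relay a browser-originated token to Google using the private (secret) key.
// fetchImpl defaults to the global fetch (Node 18+) and can be stubbed offline.
async function verifyToken(token, secret, remoteIp, fetchImpl = fetch) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  const res = await fetchImpl(SITEVERIFY_URL, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  });
  return res.json();
}
```

In production the secret key stays on the server; only the public site key is ever embedded in the browser page.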
You can use the following variable in your Back Office Theme to customize the message guests see in the event of a reCaptcha failure. A standard language option is included below:
"checkout-process-recaptcha-message": "Your order cannot be completed at this time. Please call us for assistance."