ACME Security for Online Sales

To provide card fraud management for B2C (consumer) online ticket sales, ACME requires that any checkout originating in a consumer browser integrate Google’s reCaptcha library. The library reads cookies and monitors the behavior of the customer, and gives us a score from 0 to 1 indicating how likely it is that this is a real person. We are using Invisible reCaptcha V3.


Note that we have 2 main checkout APIs: our v3/b2c/checkout, which is used from the server with a private key, and our CORS (cross origin) API, which is used from the browser with a public key. In the server integration scenario, the integrator will need to originate the reCaptcha token via the Google JS, pass it to the server, and then relay it into our API. In the CORS scenario, the browser will call our API directly with the token.


This is called “invisible” reCaptcha, as there are no additional clicks or other steps required of any valid visitor. By default, reCaptcha will obstruct high volume “scripted” order attempts placed to guess credit card credentials. reCaptcha will simply block traffic which attempts to bypass a hosted ticketing page, while allowing orders that are placed using the hosted ticketing page.


reCaptcha Settings


We embed Google’s JavaScript on our checkout page with a key that will generate a token, which we pass as part of the checkout. The JavaScript that Google provides reads cookies and monitors the behavior while a customer is on that page, and reports this back to Google to associate it with the token. The user does not have to click pictures or enter text, and the only UI is a small logo for Google reCaptcha.


When someone completes an order, ACME makes a call to Google using a private key and that token, and Google will then tell us how likely it is that this was a human and not a bot. Currently we have set the threshold to 0, so any checkout that has gone through reCaptcha will pass (every customer going through the browser should pass).


You can use the following variable in your Back Office Theme to customize the message guests see in the event of a reCaptcha failure. A standard language option has been included below:


"checkout-process-recaptcha-message": "Your order cannot be completed at this time. Please call us for assistance."
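The server-side decision described in this section, as an added example (not ACME's or Google's code): it evaluates a parsed response from Google's siteverify endpoint against the threshold and returns the theme message on failure, showing that a threshold of 0 still rejects a checkout with a missing or reused token. The function names, the `checkout` action, the hostname and the sample responses are constructed assumptions, and the action and hostname checks go beyond what this page describes.

```javascript
// Added example: decision logic applied to a reCAPTCHA v3 siteverify response.
// All function names and sample values below are hypothetical.
const THRESHOLD = 0; // the setting this page describes
const FAILURE_MESSAGE =
  "Your order cannot be completed at this time. Please call us for assistance.";

// Form body a server would POST to https://www.google.com/recaptcha/api/siteverify.
// No network call is made in this example.
function buildVerifyBody(secret, token) {
  return new URLSearchParams({ secret, response: token }).toString();
}

// verification: parsed siteverify JSON; expected: action and hostname of the checkout page.
function evaluateVerification(verification, expected, threshold = THRESHOLD) {
  const reject = (reason) => ({ allow: false, reason, message: FAILURE_MESSAGE });
  if (!verification || verification.success !== true) {
    const codes = (verification && verification["error-codes"]) || [];
    return reject("token rejected: " + (codes.join(",") || "no token"));
  }
  // Assumed extra checks: the token was issued for this action on this site.
  if (verification.action !== expected.action) return reject("action mismatch");
  if (verification.hostname !== expected.hostname) return reject("hostname mismatch");
  if (typeof verification.score !== "number" || verification.score < threshold) {
    return reject("score below threshold");
  }
  return { allow: true, reason: "ok", score: verification.score };
}

// Constructed sample responses (not captured from a real system).
const expected = { action: "checkout", hostname: "tickets.example.com" };
const samples = {
  browserCheckout: { success: true, score: 0.9, action: "checkout", hostname: "tickets.example.com" },
  lowScore: { success: true, score: 0.1, action: "checkout", hostname: "tickets.example.com" },
  missingToken: { success: false, "error-codes": ["missing-input-response"] },
  replayedToken: { success: false, "error-codes": ["timeout-or-duplicate"] },
};

function decide(name, threshold) {
  return evaluateVerification(samples[name], expected, threshold);
}

for (const name of Object.keys(samples)) {
  const result = decide(name);
  console.log(name, result.allow, result.reason);
}
```

Raising the threshold (for example `decide("lowScore", 0.5)`) is the only change needed to start rejecting low-scoring browser checkouts.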


Custom API Online Checkout

If you host your own Online Checkout page that communicates with ACME via API, please refer to the Preventing B2C Credit Card Phishing Attacks documentation.