TIME SENSITIVE: For those utilizing B2C API endpoints
To strengthen our fraud and security requirements, we are asking for three integration changes to be completed by 02/28/2023 for any consumer-facing API integration. Please review the information below. The changes apply only to card-not-present integrations.
The first two changes keep integrations compliant with our fraud shield as fraud patterns evolve. Our compliance requirements are defined primarily by Visa's rules and regulations, so that our payment facilitator infrastructure remains robust and cost-effective for all customers. Trust and safety on our platform rest on following Visa's own rules for a healthy card processing ecosystem.
Change #1: Browser IP address required in checkout API
To better stop card testing attacks, we require every consumer-facing browser integration to pass the browser's IP address to the checkout API endpoint in a new request header, 'x-acme-browser-ip'. The header must contain a well-formed IPv4 or IPv6 address; a request with a missing or malformed value will fail checkout. We have added sample JS code here that obtains the address in the expected format so our IP block tools can be activated in the event of an attack. In the code sample, please use the Cloudflare trace URL: it reliably returns the address in a form our system accepts and avoids checkout validation issues. Two things to check when integrating: because this is a custom header, the browser sends a CORS preflight (OPTIONS) before the checkout request, so confirm in your browser's developer tools that the preflight succeeds and the header is actually sent; and because a header set by client-side JavaScript is under the client's control, a server-to-server integration should populate it from the address your server observed on the inbound connection (or from an X-Forwarded-For value set by your own trusted proxy), never from a value submitted by the client.
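The browser-side flow for Change #1, written as an added example rather than the vendor's own sample code: read the `ip=` line from the Cloudflare trace response, check that it is a well-formed IPv4 or IPv6 address before sending anything, and set the 'x-acme-browser-ip' header on the checkout call. The checkout URL and the name of the publishable-key header are placeholders, not values from the notice.

```javascript
// Added example (not the vendor's sample code): obtain the browser's public IP from the
// Cloudflare trace endpoint, check that it is a well-formed IPv4/IPv6 address, and attach
// it to the checkout request as the 'x-acme-browser-ip' header.
// Assumptions not stated in the notice: the checkout URL below and the name of the
// publishable-key header are placeholders.

const CLOUDFLARE_TRACE_URL = 'https://www.cloudflare.com/cdn-cgi/trace';
const CHECKOUT_URL = 'https://api.example.com/v1/checkout';   // placeholder, not the real endpoint
const BROWSER_IP_HEADER = 'x-acme-browser-ip';

// The trace body is plain text with one key=value pair per line; we want the 'ip=' line.
function parseTraceIp(traceText) {
  for (const line of traceText.split(/\r?\n/)) {
    const eq = line.indexOf('=');
    if (eq > 0 && line.slice(0, eq) === 'ip') return line.slice(eq + 1).trim();
  }
  return null;
}

// Dotted quad: four decimal octets 0..255, no leading zeros (so '01.2.3.4' is rejected).
function isIPv4(s) {
  const parts = s.split('.');
  return parts.length === 4 &&
    parts.every(p => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// IPv6 text form: up to eight hextets of 1..4 hex digits, at most one '::' standing for
// one or more zero hextets, optionally ending in an embedded IPv4 tail (::ffff:192.0.2.1).
function isIPv6(s) {
  if ((s.match(/::/g) || []).length > 1) return false;
  const hasGap = s.includes('::');
  let text = s;
  const lastColon = text.lastIndexOf(':');
  const tail = text.slice(lastColon + 1);
  if (tail.includes('.')) {
    if (lastColon < 0 || !isIPv4(tail)) return false;
    text = text.slice(0, lastColon + 1) + '0:0';   // an IPv4 tail occupies two hextets
  }
  const groups = hasGap
    ? text.split('::').flatMap(part => (part === '' ? [] : part.split(':')))
    : text.split(':');
  if (!groups.every(g => /^[0-9a-fA-F]{1,4}$/.test(g))) return false;
  return hasGap ? groups.length <= 7 : groups.length === 8;
}

function isValidIp(s) {
  return typeof s === 'string' && (isIPv4(s) || isIPv6(s));
}

// Headers for the browser-side checkout call. A custom header makes the browser send a
// CORS preflight (OPTIONS) first, so the endpoint must list it in
// Access-Control-Allow-Headers; check the preflight in the browser's network tab.
function checkoutHeaders(publishableKey, browserIp) {
  if (!isValidIp(browserIp)) {
    throw new Error(`refusing to send a malformed browser IP: ${browserIp}`);
  }
  return {
    'content-type': 'application/json',
    'x-acme-publishable-key': publishableKey,   // placeholder header name
    [BROWSER_IP_HEADER]: browserIp,
  };
}

// Browser entry point; performs network calls, so it is not exercised offline.
async function submitCheckout(publishableKey, order) {
  const trace = await fetch(CLOUDFLARE_TRACE_URL).then(r => r.text());
  const response = await fetch(CHECKOUT_URL, {
    method: 'POST',
    headers: checkoutHeaders(publishableKey, parseTraceIp(trace)),
    body: JSON.stringify(order),
  });
  if (!response.ok) throw new Error(`checkout failed with HTTP ${response.status}`);
  return response.json();
}

// Constructed sample trace body in the cdn-cgi/trace key=value format (not a real capture).
const SAMPLE_TRACE = [
  'fl=123abc', 'h=www.cloudflare.com', 'ip=203.0.113.7', 'ts=1677000000.123',
  'visit_scheme=https', 'http=http/2', 'loc=US', 'tls=TLSv1.3',
].join('\n') + '\n';
```

Validating before sending is deliberate: a malformed value fails checkout at the vendor, and a local check gives you a useful error instead of a rejected order. The validator is strict about leading zeros and the single '::' rule, so addresses such as '01.2.3.4' or '2001:db8::1::2' are caught before the request leaves the page.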
Change #2: Add "I am not a robot" on your checkout page
Additionally, to help block fraud bots at the browser level, you will need to add an "I am not a robot" checkbox (reCAPTCHA v2) to the page that calls our checkout endpoint. Documentation can be found here for implementation. We already operate a scoring block system based on a server-side reCAPTCHA; recent attacks have shown that the server-side score alone is not sufficient, and the v2 checkbox is an independent signal, so both are now required for compliance. Note that the checkbox by itself proves nothing: the token it produces (the g-recaptcha-response value) must be sent to a server and verified there with the reCAPTCHA secret key, and the verification result should be checked for the expected hostname as well as for success.
Change #3: API-key based authentication required
To strengthen authentication and access control, we will enforce API key-based authentication* for all server-to-server integrations across our B2C API endpoints. Historically, because of guest checkout flows, we did not consider strict authentication necessary. As our platform moves to signed-in checkout flows and exposes richer data under these endpoints, visitor data access now requires strong authentication.
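The server-side half of Changes #2 and #3 together, as an added example that is not the vendor's code: the browser posts the reCAPTCHA v2 token to your own server, your server verifies it with the reCAPTCHA secret, takes the client address from the connection it observed (honouring X-Forwarded-For only from your own proxy), and then calls the vendor's checkout endpoint with the confidential API key. The checkout URL, the environment variable names and the 'Authorization: Bearer' scheme are placeholders, not values from the notice.

```javascript
// Added example (not the vendor's code): the server-side half of Changes #2 and #3.
// The browser posts the reCAPTCHA v2 token to YOUR server; your server verifies it with
// the reCAPTCHA secret, then calls the vendor checkout endpoint with the confidential API
// key. Neither secret is ever sent to the browser.
// Assumptions not stated in the notice: the checkout URL, the environment variable names,
// and the 'Authorization: Bearer ...' scheme are placeholders.

const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';
const VENDOR_CHECKOUT_URL = 'https://api.example.com/v1/checkout';   // placeholder

// Load secrets from the process environment (or your secrets manager), failing fast if
// one is missing rather than sending an unauthenticated request later.
function configFromEnv(env, hostname, trustedProxies) {
  for (const name of ['RECAPTCHA_SECRET', 'ACME_API_KEY']) {
    if (!env[name]) throw new Error(`${name} is not set`);
  }
  return { recaptchaSecret: env.RECAPTCHA_SECRET, apiKey: env.ACME_API_KEY, hostname, trustedProxies };
}

// Interpret a siteverify response. 'success' alone is not enough: pin the hostname so a
// token solved on some other site cannot be replayed against your checkout.
function captchaPassed(siteverifyJson, expectedHostname) {
  return siteverifyJson.success === true && siteverifyJson.hostname === expectedHostname;
}

// Shape check only (digits, hex letters, dots, colons); the vendor validates the full format.
const IP_SHAPE = /^[0-9a-fA-F.:]+$/;

// Use the address your server observed. Honour X-Forwarded-For only when the connection
// came from your own proxy; from anyone else it is an arbitrary client-supplied string.
function observedClientIp(remoteAddress, xForwardedFor, trustedProxies) {
  if (xForwardedFor && trustedProxies.includes(remoteAddress)) {
    const first = xForwardedFor.split(',')[0].trim();   // original client; proxies append after it
    if (IP_SHAPE.test(first)) return first;
  }
  return remoteAddress;
}

// The server-to-server request carrying the API key and the observed client address.
function buildCheckoutRequest(apiKey, clientIp, order) {
  if (!IP_SHAPE.test(clientIp)) throw new Error(`malformed client IP: ${clientIp}`);
  return {
    url: VENDOR_CHECKOUT_URL,
    method: 'POST',
    headers: {
      'content-type': 'application/json',
      'authorization': `Bearer ${apiKey}`,   // placeholder scheme
      'x-acme-browser-ip': clientIp,
    },
    body: JSON.stringify(order),
  };
}

// Pure decision step: given the inbound request and the siteverify result, either reject
// or produce the vendor request. Kept free of I/O so it can be exercised offline.
function planCheckout(req, siteverifyJson, cfg) {
  if (!captchaPassed(siteverifyJson, cfg.hostname)) {
    return { reject: { status: 403, body: { error: 'captcha verification failed' } } };
  }
  const clientIp = observedClientIp(req.remoteAddress, req.headers['x-forwarded-for'], cfg.trustedProxies);
  return { forward: buildCheckoutRequest(cfg.apiKey, clientIp, req.body.order) };
}

// Request handler wiring (network I/O; not exercised offline). `req` is the normalised
// inbound request; `send` performs the outbound call to the vendor.
async function handleCheckout(req, cfg, send) {
  const clientIp = observedClientIp(req.remoteAddress, req.headers['x-forwarded-for'], cfg.trustedProxies);
  const verify = await fetch(SITEVERIFY_URL, {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      secret: cfg.recaptchaSecret,
      response: req.body.captchaToken,   // the g-recaptcha-response value the widget produced
      remoteip: clientIp,
    }),
  }).then(r => r.json());
  const plan = planCheckout(req, verify, cfg);
  if (plan.reject) return plan.reject;
  return send(plan.forward);
}

// Constructed sample inputs (not real traffic): a request that arrived through our own
// proxy at 198.51.100.9, and the siteverify JSON shape for a passing token.
const SAMPLE_REQ = {
  remoteAddress: '198.51.100.9',
  headers: { 'x-forwarded-for': '203.0.113.7, 198.51.100.9' },
  body: { captchaToken: 'placeholder-opaque-token', order: { sku: 'SKU-1', qty: 1 } },
};
const SAMPLE_VERIFY_OK = { success: true, challenge_ts: '2023-02-01T10:00:00Z', hostname: 'shop.example.com' };
```

The split between `planCheckout` and `handleCheckout` is the point worth copying: every decision that matters for security (token accepted, hostname pinned, which address is trusted, key present) is made in code that takes plain values, so it can be tested without the network, while the two outbound calls are confined to one small function.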
We recommend rolling your code change into production ahead of 02/28/2023 in order to keep your checkout flow working.
*Reminder: API keys must never be exposed to a browser; the only exception is the publishable key for our CORS checkout endpoint, which is public by design. API keys are confidential and must be safeguarded so that they remain only with you or your trusted development partners: keep them in server-side configuration or a secrets manager, never in client-side code or a public repository, and rotate any key you suspect has leaked.