Protect payment transactions with Fraud Prevention

This page describes how to effectively protect payment transactions against attacks, such as carding, stolen instrument fraud, and account takeover payment fraud by using reCAPTCHA Enterprise Fraud Prevention.

reCAPTCHA Enterprise Fraud Prevention helps you protect payment transactions by identifying targeted manual attacks and scaled fraud attempts. It automatically trains behavior and transaction models to identify events that are likely fraudulent and can result in a dispute or chargeback if accepted.

As part of these models, reCAPTCHA Enterprise Fraud Prevention examines transaction signals to enable detection of fraud. For example, a series of purchase attempts with low prices might indicate a carding attack. In the response, you receive risk scores for different types of fraud, which you can use to send the transaction to a manual review, or directly block sufficiently suspicious transactions.

To set up reCAPTCHA Enterprise Fraud Prevention, you need to complete the following steps:

  1. Install reCAPTCHA Enterprise JavaScript on your payment frontend by installing a score-based reCAPTCHA key.

    When the JavaScript is executed, reCAPTCHA generates a unique reCAPTCHA token for every user session and collects user behavioral data to evaluate the user.

  2. Submit a create assessment API request from your backend with transaction data on user events in your payment workflow.

    In the response of the create assessment API request, reCAPTCHA Enterprise provides a score for transaction risk and, if applicable, one or more reason codes (for example, suspected_carding).

  3. Determine the next action for your users based on the scores.

    You can choose to allow the transaction, ask for additional verification, forward to a manual review, or block the transaction.

Before you begin

  1. If you are new to reCAPTCHA Enterprise, then do the following:

    1. Configure reCAPTCHA Enterprise on your Google Cloud project.

    2. Create a score-based reCAPTCHA key.

  2. Enable reCAPTCHA Fraud Prevention on your Google Cloud project:

    1. In the Google Cloud console, go to the reCAPTCHA Enterprise page.

    2. Verify that the name of your project appears in the resource selector.

      If you don't see the name of your project, click the resource selector, then select your project.

    3. Click Settings.

    4. In the Fraud Prevention pane, click Configure.

    5. Click the Enable toggle, and click Save.

  3. Ensure that your environment supports tokens larger than 8 KB because reCAPTCHA Enterprise Fraud Prevention might use larger tokens.

Install reCAPTCHA Enterprise on your payment frontend

To start detecting attacks, install a score-based reCAPTCHA key on each page in your payment user flow. This includes the interface where a user reviews their cart, selects their payment method, and completes the purchase. After the user has made their selection at each step, call grecaptcha.enterprise.execute() to generate a token. To learn how to install score-based keys and call execute(), see Install score-based keys.

The following example shows how to integrate a score-based key on a credit card transaction event:

<script>
// Request a token for the 'purchase' action, place it in the hidden field,
// then submit the form so the backend receives the token with the order.
function submitForm() {
  grecaptcha.enterprise.ready(function() {
    grecaptcha.enterprise.execute(
      'reCAPTCHA_site_key', {action: 'purchase'}).then(function(token) {
       document.getElementById("token").value = token;
       document.getElementById("paymentForm").submit();
    });
  });
}
</script>
<form id="paymentForm" action="?" method="POST">
  Total: $1.99
  Credit Card Number: <input name="cc-number" id="cc-number" autocomplete="cc-number"><br/>
  <input type="hidden" id="token" name="recaptcha_token"/>
  <!-- type="button" stops the browser's default submit from sending the form before the token is set -->
  <button type="button" onclick="submitForm()">Purchase</button>
</form>
<script src="https://www.google.com/recaptcha/enterprise.js" async defer></script>

The same script and form assembled as a complete page:

<html>
  <head>
    <title>Protected Payment</title>
    <script src="https://www.google.com/recaptcha/enterprise.js" async defer></script>
    <script>
    // Request a token for the 'purchase' action, place it in the hidden field,
    // then submit the form so the backend receives the token with the order.
    function submitForm() {
      grecaptcha.enterprise.ready(function() {
        grecaptcha.enterprise.execute(
          'reCAPTCHA_site_key', {action: 'purchase'}).then(function(token) {
           document.getElementById("token").value = token;
           document.getElementById("paymentForm").submit();
        });
      });
    }
    </script>
  </head>
  <body>
    <form id="paymentForm" action="?" method="POST">
      Total: $1.99
      Credit Card Number: <input name="cc-number" id="cc-number" autocomplete="cc-number"><br/>
      <input type="hidden" id="token" name="recaptcha_token"/>
      <!-- type="button" stops the browser's default submit from sending the form before the token is set -->
      <button type="button" onclick="submitForm()">Purchase</button>
    </form>
  </body>
</html>

Create assessments with transaction data

To enable payment fraud verdicts, create assessments with transaction data by using the additional fields in the projects.assessments.create method.

The simplest integration includes the transaction_id, payment_method, currency_code, and value. To improve the detection quality, we recommend adding optional fields such as email and billing_address.

{
  "event": {
    "token": "YOUR_TOKEN",
    "site_key": "KEY_ID",
    "expected_action": "YOUR_CHECKOUT_ACTION_NAME",
    "transaction_data": {
      "transaction_id": "txid-1234567890",
      "payment_method": "credit-card",
      "card_bin": "411111",
      "card_last_four": "1234",
      "currency_code": "USD",
      "value": 39.98,
      "user": {
        "email": "someEmailAddress@example.com"
      },
      "billing_address": {
        "recipient": "name1 name2",
        "address": ["123 Street Name", "Apt 1"],
        "locality": "Sunnyvale",
        "administrative_area": "CA",
        "region_code": "US",
        "postal_code": "123456"
      }
    }
  }
}

To improve the quality of scores, we recommend that you send additional signals.

To learn about how to create assessments, see Create an assessment for your website. Because reCAPTCHA Enterprise Fraud Prevention might use larger tokens, send the token in the body of a POST request, not as a GET parameter and not in a header.

Interpret assessments

After you start sending the transaction data, you receive assessments as a JSON response with the fraudPreventionAssessment component in riskAnalysis.

The following example is a sample response:

{
  "event": {
    ...
  },
  ...
  "riskAnalysis": {
    "score": 0.5,
    "reasons": ["SUSPECTED_CARDING"]
  },
  "fraudPreventionAssessment": {
    "transactionRisk": 0.9
  }
}

The response you receive includes a score and reason codes wherever applicable. The higher the score, the more likely the transaction is fraudulent and risky; the lower the score, the more likely the transaction is legitimate. For example, a score of 0.9 indicates that the transaction is more likely fraudulent and risky, and a score of 0.1 indicates that the transaction is more likely legitimate.

You are responsible for the actions you take based on the assessment. For the simplest integration, you can set thresholds on transactionRisk to contribute to your decision. For example, it can contribute to sending to a manual review or directly rejecting likely fraudulent transactions. You can also use the score in your own fraud workflows, or as part of rules with your existing system. Because reCAPTCHA Enterprise examines unique signals and has a unique visibility of behavior across the internet, you can expect incremental value even with an already mature fraud-detection engine.
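The following backend helper is an added example, not code from the reCAPTCHA documentation: it builds the transaction_data portion of a create-assessment request from checkout data (enforcing the four required fields named above) and maps the returned transactionRisk and reason codes to the allow / verify / manual review / block outcomes this page lists. The threshold values and the tokenProperties check (a field of the assessment response not shown on this page) are assumptions to adjust against your own chargeback data.

```javascript
const REQUIRED = ["transaction_id", "payment_method", "currency_code", "value"];

// Builds the event body for projects.assessments.create from checkout data.
// Optional signals (email, billing_address) are attached only when present.
function buildAssessmentEvent(token, siteKey, expectedAction, txn) {
  for (const f of REQUIRED) {
    if (txn[f] === undefined || txn[f] === null || txn[f] === "") {
      throw new Error(`missing required transaction field: ${f}`);
    }
  }
  const data = {
    transaction_id: txn.transaction_id,
    payment_method: txn.payment_method,
    currency_code: txn.currency_code,
    value: Number(txn.value),
  };
  if (txn.email) data.user = { email: txn.email };
  if (txn.billing_address) data.billing_address = txn.billing_address;
  return { event: { token, site_key: siteKey, expected_action: expectedAction, transaction_data: data } };
}

// Maps an assessment response to a checkout decision.
// reviewAt/blockAt are hypothetical thresholds, not values recommended by Google.
function decide(assessment, expectedAction, opts = {}) {
  const { reviewAt = 0.5, blockAt = 0.9 } = opts;
  const tp = assessment.tokenProperties || {};
  // An invalid token, or one minted for a different action than the checkout
  // step being assessed, is treated as high risk rather than as a pass.
  if (tp.valid === false || (tp.action && tp.action !== expectedAction)) {
    return { action: "block", reason: "invalid_token" };
  }
  const risk = Number((assessment.fraudPreventionAssessment || {}).transactionRisk ?? 0);
  const reasons = (assessment.riskAnalysis || {}).reasons || [];
  if (risk >= blockAt) return { action: "block", reason: reasons[0] || "high_transaction_risk" };
  if (risk >= reviewAt) return { action: "manual_review", reason: reasons[0] || "elevated_risk" };
  // Low score but a carding reason code: step up verification instead of allowing outright.
  if (reasons.includes("SUSPECTED_CARDING")) return { action: "verify", reason: "SUSPECTED_CARDING" };
  return { action: "allow", reason: "low_risk" };
}

// Constructed sample response shaped like the one shown on this page.
const SAMPLE_RESPONSE = {
  tokenProperties: { valid: true, action: "purchase" },
  riskAnalysis: { score: 0.5, reasons: ["SUSPECTED_CARDING"] },
  fraudPreventionAssessment: { transactionRisk: 0.9 },
};
console.log(decide(SAMPLE_RESPONSE, "purchase")); // { action: 'block', reason: 'SUSPECTED_CARDING' }
```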
