Protecting payment workflows

This page describes how to effectively protect payment workflows against attacks such as carding and Card-Not-Present fraud using reCAPTCHA Enterprise.

Fraudsters take advantage of any website that accepts payments to test stolen card details, brute force missing information, and make fraudulent purchases. These types of attacks are critical to protect against because they adversely affect both your users and your revenue.

Whether attacks are carried out manually by humans or with automation at scale, reCAPTCHA Enterprise can help identify and block them in your payment workflows. reCAPTCHA Enterprise is particularly effective at detecting fraud because of its visibility of attacks across millions of sites on the web. Fraudsters rarely stop at one site, so when you install reCAPTCHA Enterprise you benefit from early warning signals based on the combined network.

reCAPTCHA Enterprise only uses transaction information from your webpages to improve your site's scoring. However, aggregated metadata can contribute to improving reCAPTCHA Enterprise.

Before you begin

Choose the best method for setting up reCAPTCHA Enterprise in your environment and complete the setup.

Installing reCAPTCHA for your payment workflow

To start detecting attacks, install a score-based site key on each page in your payment workflow. This should include the interface where a user selects their payment method, such as by entering card details or selecting a saved payment method. After the user has made their selection, call grecaptcha.enterprise.execute() to generate a token. To learn more about calling execute(), see Installing score-based site keys.

reCAPTCHA Enterprise automatically detects the payment event and builds a customized fraud model to improve the scores for these sessions.

The following example shows how to integrate a score-based site key on a credit card transaction event.

function submitForm() {
  grecaptcha.enterprise.ready(function() {
    grecaptcha.enterprise.execute(
      'reCAPTCHA_site_key', {action: 'purchase'}).then(function(token) {
       document.getElementById("token").value = token;
       document.getElementByID("paymentForm").submit();
    });
  });
}
<form id="paymentForm" action="?" method="POST">
  Total: $1.99
  Credit Card Number: <input name="cc-number" id="cc-number" autocomplete="cc-number"><br/>
  <input type="hidden" id="token" name="recaptcha_token"/>
  <button onclick="submitForm()">Purchase</button>
</form>
<script src="https://www.google.com/recaptcha/enterprise.js" async defer></script>

You can experiment with this code in JSFiddle by clicking the <> icon in the top-right corner of the code window.

<html>
  <head>
    <title>Protected Payment</title>
    <script src="https://www.google.com/recaptcha/enterprise.js" async defer></script>
    <script>
    function submitForm() {
      grecaptcha.enterprise.ready(function() {
        grecaptcha.enterprise.execute(
          'reCAPTCHA_site_key', {action: 'purchase'}).then(function(token) {
           document.getElementById("token").value = token;
           document.getElementByID("paymentForm").submit();
        });
      });
    }
    </script>
  </head>
  <body>
    <form id="paymentForm" action="?" method="POST">
      Total: $1.99
      Credit Card Number: <input name="cc-number" id="cc-number" autocomplete="cc-number"><br/>
      <input type="hidden" id="token" name="recaptcha_token"/>
      <button onclick="submitForm()">Purchase</button>
    </form>
  </body>
</html>

Improving the model with chargeback annotations

Certain types of fraud on your website might be unique to your business model. reCAPTCHA Enterprise can improve your site's model based on chargeback annotations. When a chargeback occurs, we recommend sending a CHARGEBACK annotation regardless of the score of the corresponding assessment. With this information, reCAPTCHA Enterprise further targets fraud specific to your business.

The following table specifies labels that you must use to annotate assessments when a chargeback occurs:

Annotation reason Description
CHARGEBACK_FRAUD Represents chargebacks related to an alleged unauthorized transaction from the perspective of the cardholder (for example, the card number was stolen).
CHARGEBACK_DISPUTE Represents chargebacks related to the cardholder having provided their card but allegedly not being satisfied with the purchase (for example, misrepresentation, attempted cancellation).
CHARGEBACK Represents chargebacks either uncategorized or when specific details are unknown.

The following example shows an example annotation payload. For more details, see the Annotating an assessment.

POST https://recaptchaenterprise.googleapis.com/v1/ASSESSMENT_ID:annotate
{
  "reasons": ["CHARGEBACK"]
}