This page describes how to effectively protect payment transactions against attacks, such as carding, stolen instrument fraud, and account takeover payment fraud by using reCAPTCHA Fraud Prevention.
reCAPTCHA Fraud Prevention helps you protect payment transactions by identifying targeted manual attacks and scaled fraud attempts. It automatically trains behavior and transaction models to identify events that are likely fraudulent and can result in a dispute or chargeback if accepted.
As part of these models, reCAPTCHA Fraud Prevention examines transaction signals to enable detection of fraud. For example, a series of purchase attempts with low prices might indicate a carding attack. In the response, you receive risk scores for different types of fraud, which you can use to send the transaction to a manual review, or directly block sufficiently suspicious transactions.
To set up reCAPTCHA Fraud Prevention, you need to complete the following steps:
Install reCAPTCHA JavaScript on your payment frontend by installing a score-based reCAPTCHA key.
When the JavaScript is executed, reCAPTCHA generates a unique reCAPTCHA token for every user session and collects user behavioral data to evaluate the user.
-
In the response of the create assessment API request, reCAPTCHA provides a score for transaction risk and additional reason code (for example,
suspected_carding
), if applicable. Determine the next action for your users based on the scores.
You can choose to allow the transaction, ask for additional verification, forward to a manual review, or block the transaction.
Before you begin
If you are new to reCAPTCHA, then do the following:
Enable reCAPTCHA Fraud Prevention on your Google Cloud project:
In the Google Cloud console, go to the reCAPTCHA page.
Verify that the name of your project appears in the resource selector.
If you don't see the name of your project, click the resource selector, then select your project.
Click
Settings.In the Fraud Prevention pane, click Configure.
Click the Enable toggle, and click Save.
Ensure that your environment supports tokens larger than 8 KB because reCAPTCHA Fraud Prevention might use larger tokens.
Install reCAPTCHA on your payment frontend
To start detecting attacks, install a score-based reCAPTCHA key on each page in
your payment user flow. This includes the interface where a user reviews their
cart, selects their payment method, and completes the purchase. After the user
has made their selection at each step, call grecaptcha.enterprise.execute()
to
generate a token. To learn how to install score-based keys and call
execute()
, see Install score-based keys.
The following example shows how to integrate a score-based key on a credit card transaction event:
function submitForm() { grecaptcha.enterprise.ready(function() { grecaptcha.enterprise.execute( 'reCAPTCHA_site_key', {action: 'purchase'}).then(function(token) { document.getElementById("token").value = token; document.getElementByID("paymentForm").submit(); }); }); }
<form id="paymentForm" action="?" method="POST"> Total: $1.99 Credit Card Number: <input name="cc-number" id="cc-number" autocomplete="cc-number"><br/> <input type="hidden" id="token" name="recaptcha_token"/> <button onclick="submitForm()">Purchase</button> </form>
<script src="https://www.google.com/recaptcha/enterprise.js" async defer></script>
You can experiment with this code in JSFiddle by clicking the <>
icon in the
top-right corner of the code window.
<html> <head> <title>Protected Payment</title> <script src="https://www.google.com/recaptcha/enterprise.js" async defer></script> <script> function submitForm() { grecaptcha.enterprise.ready(function() { grecaptcha.enterprise.execute( 'reCAPTCHA_site_key', {action: 'purchase'}).then(function(token) { document.getElementById("token").value = token; document.getElementByID("paymentForm").submit(); }); }); } </script> </head> <body> <form id="paymentForm" action="?" method="POST"> Total: $1.99 Credit Card Number: <input name="cc-number" id="cc-number" autocomplete="cc-number"><br/> <input type="hidden" id="token" name="recaptcha_token"/> <button onclick="submitForm()">Purchase</button> </form> </body> </html>
Create assessments with transaction data
To enable payment fraud verdicts, create assessments with transaction data by using the additional fields in the projects.assessments.create method.
The simplest integration includes the transaction_id
, payment_method
,
card_bin
, and value
. To improve the detection quality, we recommend
adding optional fields such as email
and billing_address
.
{ "event": { "token": "YOUR_TOKEN", "site_key": "KEY_ID", "expected_action": "YOUR_CHECKOUT_ACTION_NAME", "transaction_data": { "transaction_id": "txid-1234567890", "payment_method": "credit-card", "card_bin": "411111", "card_last_four": "1234", "currency_code": "USD", "value": 39.98, "user": { "email": "someEmailAddress@example.com" }, "billing_address": { "recipient": "name1 name2", "address": [ "123 Street Name", "Apt 1" ], "locality": "Sunnyvale", "administrative_area": "CA", "region_code": "USA", "postal_code": "123456" } } } }
To improve the quality of scores, we recommend that you send additional signals.
To learn about how to create assessments, see Create an assessment for your website. reCAPTCHA Fraud Prevention might use larger tokens, so ensure that the request is sent in a POST request rather than GET; and in the body, not in a header.
Interpret assessments
After you start sending the transaction data, you receive assessments as a
JSON response with the fraudPreventionAssessment
component in riskAnalysis
.
The following example is a sample response:
{ "event": {.... .... } ..... .... .... "riskAnalysis": { "score": "0.5" "reasons": SUSPECTED_CARDING } "fraudPreventionAssessment": { "transactionRisk": 0.9, } }
The response you receive includes a score and reason codes wherever applicable. The higher the score, the more likely the transaction is fraudulent and risky; the lower the score, the more likely the transaction is legitimate. For example, a score of 0.9 indicates that the transaction is more likely fraudulent and risky, and a score of 0.1 indicates that the transaction is more likely legitimate.
You are responsible for the actions you take based on the assessment.
For the simplest integration, you can set thresholds on transactionRisk
to contribute to your decision. For example, it can contribute to sending to a
manual review or directly rejecting likely fraudulent transactions.
You can also use the score in your own fraud workflows, or as part of rules with
your existing system. Because reCAPTCHA examines unique signals
and has a unique visibility of behavior across the internet, you can expect
incremental value even with an already mature fraud-detection engine.
What's next
- To improve the quality of fraud detection, learn about additional signals.
- To annotate assessments, see Annotate assessments with transaction events.