Captcha Requirements


Captcha will reduce fraud

Adding captcha to your PMT hosting page is a requirement in order to prevent fraudulent transactions. We have seen a number of ways that bad actors attempt to run thousands of credit cards through client side PMT forms. Captcha is a powerful tool to help prevent this and reduce downtime to your site.

Create an API Key
It’s best to create separate keys for each environment (Development, QA, Sandbox, Production) and to keep the keys extremely secure. It’s highly recommended (but not required) to set up domain verification with the API key by specifying all the of the domains your code is hosted on in the API key settings page (see here)

Google reCAPTCHA v3 client-side documentation
It’s recommended to use the “programmatically invoke the challenge” option, and to do that when the “Submit Payment” button is clicked, to avoid tokens timing out while users enter address / payment method information. It is also highly recommended (though not required) to send an “action” value when generating the reCAPTCHA token, and verifying that value with the verification response. See here

Verification step back-end documentation
Send the generated token (and “action” value, if used) along with payment information to your server, then verify the token with Google’s API before processing payment. The response will contain a “score” between 0.0 and 1.0 (where 1.0 is the most trustworthy, and 0.0 is the least). It’s standard to use a threshold “good score” of 0.5, but you can adjust based on data collected on the reCAPTCHA Admin Dashboard. If the “score” value is below your threshold, then immediately reject the payment attempt.