24/7 Support: 800.608.6482

Get Started

Reference Guide


Payment Rules

This section lets you redirect customers to any page in your store if no payment method is available.


The Fraud section has several features that protect your store from fraudulent credit card use

Failed Authorization Delay:

During checkout, the customer submits their credit card information at the Payment Information screen (OPAY). If a credit card authorization fails, you can make the customer wait a certain amount of time before they are allowed to try again. Enter the wait time in milliseconds.

During the delay, the customer will usually see a browser message that says: "Trying to connect." When the wait time is over, Miva Merchant shows the customer an authorization failure message. At that point, the customer can submit their credit card information again.

Invalidate Checkout Session After:

The Invalidate Checkout Session field is another way you can make it more difficult for criminals to launch scripted attacks against your store.

When a customer visits your store, Miva Merchant creates several session cookies. For example, there is a cookie that keeps track of the customer's basket (see Basket Timeout).

Another cookie, the checkout session cookie, is created when the customer clicks past the Order Details page (OCST). If you check this box, and the customer's credit card fails authorization a certain number of times, Miva Merchant automatically expires the checkout session cookie. The customer is taken to the Basket page and has to start the checkout process again.

Use Authorization Token:

The Authorization Token helps insure that a credit card authorization request is coming from a human being, and not an automated attack on your store.

If you enable this option, Miva Merchant adds a random, 32 character alphanumeric string to your Payment Information page (OPAY). The customer cannot see this string, but when Miva Merchant is authorizing a credit card, it checks to see if the credit card data is accompanied by the token. If the token is missing or incorrect, the credit card authorization request is ignored.

Authorization Blacklist:

When a customer visits your on-line store, Miva Merchant can see their IP address. The Authorization Blacklist is a list of IP addresses that you aren't going to accept credit cards from.

To manually add IP addresses to your blacklist:

  1. Set Authorization Blacklist to Manual.
  2. Go to Menu> Payment > Authorization Blacklist tab, and click Add Blacklisted IP Add.
  3. You can also manually add IP addresses to the blacklist by going to: Menu> Order Processing > Authorization Failures tab. Select a failed authorization and click the Blacklist button.

To automatically add IP addresses to your blacklist:

  1. Set Authorization Blacklist to Automatic.
  2. Set the Threshold and Duration fields (below).

If you set the Authorization Blacklist field to Automatic, use the Threshold field to decide how many credit card authentication failures you'll allow before an IP address is added to your blacklist.


In this example, if there are 10 credit card authorization failures from the same IP address within a 30 minute period, that IP address is automatically added to the blacklist.


If you set the Authorization Blacklist field to Automatic, use the Duration field to decide how long an IP address stays on your blacklist.


In this example, if an IP address is automatically added to the blacklist, the IP will stay on the blacklist for 1 hour.


reCAPTCHA helps you make sure that your store is being used by human beings and not a scripted attack. There are many types of reCAPTCHA, but they all ask the user to take some action.

Check a Box

Captcha - Add Text

Captcha - Select Image

Different styles of reCAPTCHA

Miva Merchant uses Google reCAPTCHA. It's easy to add to your store, but the reCAPTCHA boxes are (almost) completely controlled by Google. In the simplest case, Google reCAPTCHA asks you to click a checkbox to prove that you are a human being. However, Google reCAPTCHA has code running in the background. If their code suspects the page is being accessed by a script, it will ask for a more complicated proof that you are human.

After you install Google reCAPTCHA in your store, customers will see the reCAPTCHA challenge on your Payment Information page (OPAY).

Payment Info

To Install Google reCAPTCHA in Your Store

  1. Sign up for a Google account if you don't already have one.
  2. Login to your Google account.
  3. Go to: https://www.google.com/recaptcha/intro/index.html
  4. 3.1. Click the Get reCAPTCHA button.

    3.2. Register your store with Google reCAPTCHA.

    Google Recaptcha

  5. When you register your domain at the Google reCAPTCHA page, make a note of the following:
  6. 4.1. The Site Key.

    4.2. The Secret Key

    Note that, when you register your Miva Merchant store with Google reCAPTCHA, their registration page will show you some fairly complicated instructions for adding Google JavaScript to your store pages. You can ignore all of those instructions. Miva Merchant will do that for you automatically.

  7. Login to the admin interface.
  8. Go to Menu> Payment > Settings tab > reCAPTCHA section.
  9. Set the options in the reCAPTCHA section.
  10. Mode:
    • Off: Never use reCAPTCHA.
    • On: Always use reCAPTCHA.
    • Velocity - Activate After [ ] failed attempts within [ ] hours:
    • If any customer has a certain number of credit card authorization failures in a certain amount of time, all customers will see the reCAPTCHA prompt.

      For example:


      In this case, if any customer has 5 authorization failures within 1 hour, all customers will see the reCAPTCHA prompt. The reCAPTCHA prompt will disappear when the number of failures drops below 5 in one hour.

    Theme: Sets the background color of the reCAPTCHA box to either Light or Dark, to show better contrast with your store pages.

    Not a Robot

    Type: Set the reCAPTCHA box to either Audio or Image.

    Press Play

    Choose Image

    Size: Set the reCAPTCHA box to either Normal or Compact.

    Recaptcha Size


    Sets the language of the reCAPTCHA box.

    Recaptcha Language

    Public Key: Enter the site key that you got when you added your Miva Merchant store domain to the Google reCAPTCHA page.
    Private Key: Confirm Private Key: Enter the secret key that you got when you added your Miva Merchant store domain to the Google reCAPTCHA page.
    Disable reCAPTCHA for Free Orders If you enable this option, and the customer's entire order is free, the customer will not be shown a reCAPTCHA prompt.
    Current Status

    This is a read only field that shows the Mode you selected. If you set the Mode to Velocity, you'll see that the Velocity mode is either active or inactive.

    Velocity Inactive

  11. When you have finished setting the options in the reCAPTCHA section, click Update

Looking for Developer Docs?

We have a whole section for that, including: Developer Training Series, Template Language docs, Module Development tutorials and much, much more.

Head to the Developer Section

Miva believes that all online businesses should have access to a scalable ecommerce platform that can meet their unique business requirements. Miva offers PCI compliant ecommerce, hosting, and custom website design and development solutions. Miva customers have processed over $100 billion in online sales since 1997.

Copyright © 2016 Miva, Inc - All Rights Reserved   Privacy Policy | Store Policy

Contact Us
Receive Tips & Updates

Copyright © 2016 Miva, Inc - All Rights Reserved

Back To The Top