A common form of attack cybercriminals like to use against eCommerce stores is to attempt to exploit the checkout process; to trick the web stores credit card processor into verifying the validity of stolen credit card information. These attacks are automated using programs called “Bots” to systematically check hundreds of potential credit card numbers in a fraction of a second. Miva Merchant 9.53 introduces a collection of settings that can help protect your store from automated credit card fraud attacks. To access the fraud settings, log into your Miva Merchant store and go into payment settings and click on the “Settings” tab. You'll find a section called “Fraud.” The first fraud setting you'll see here is called “Failed Authorization Delay.” This setting aims to interrupt the Bot attack by introducing a cool down timer in the event of failed authorization occurs. For instance, if we set this field to 2000 milliseconds, if a credit card fails authorization, your store will not allow another credit card authorization attempt for the next two seconds. This added delay will likely go unnoticed by people shopping on your store, but it's just long enough to prove bothersome to automated Bot attacks, encouraging them to go somewhere else. Moving on, Miva Merchant assigns a unique check out session ID to every shopper that comes to your store. Because of this, Miva Merchant is able to monitor how many failed credit card authorization attempts come from each unique check out session ID. You can configure your store to automatically invalidate a check out session after a specified number of failed credit card authorization attempts. If you leave this field set to 0, this setting is essentially off and not in use. But, if you type “5” in this field for instance, in the event that 5 failed credit card authorizations come from the same check out session ID, the store will void the check out session further interrupting the Bot attack process. Next we have the authorization token, which works behind the scenes and is invisible to the shopper. Turning this on will add an extra factor of protection on your Payment Information page at Checkout in the form of a random 32 character alphanumeric token. When your store is asked to authorize a credit card it will first check to see if the request is accompanied with the valid authorization token. If the authorization token is included in the authorization request, your store knows that the credit card authorization request came from the payment information screen of your checkout process and honors the authorization request. If the 32 character token is not present, then the system knows that the request did not originate from your payment information screen and the credit card authorization request is ignored. The last three settings pertain to the Authorization Blacklist. We’ll cover the Authorization Blacklist more in-depth in another video, but the gist is if an IP address is added to the Blacklist, any credit card authorization requests coming from that IP address will automatically be ignored. This setting is set to manual by default, but if you set this to automatic your store can add IP addresses to the Blacklist on its own, depending on how your threshold and duration settings are configured. For example, with Authorization Blacklist threshold and duration configured as shown in the event that 10 credit card authorization failures are triggered by a single IP address within a 30-minute window, that IP address will automatically be placed on to your store’s Blacklist for one hour. While that IP address is on the Black List, any attempts by that IP to run a credit card check will automatically be ignored.