24/7 Support: 800.608.6482

How To Guides

How To Guides

Credit Card Fraud Tools

Authorization Failure Log

Authorization Blacklist

View & Edit Blacklisted IP Addresses

Authorization Token

Authorization Delay & Max Authorizations

Recaptcha Settings

Miva 9.00053 introduces a new suite of tools to help you fight credit card fraud. Specifically a practice called "carding" where attackers use bots and other automated tools to test credit cards against your gateway to see if they are valid or not. These new fraud prevention tools allow you to setup both manual and automated checks to help prevent your site from being used to test credit cards.

Authorization Failure Log

In Miva 9.00053 there is a new Tab for Authorize Failures. You can locate it under the "Order Processing" Menu. Any time a credit card fails to authorize, a log is now kept so you can view important information about the failures. It will list the Time, Order #, IP Address, Payment Module, Payment Method, the Amount and the Error Message or reason why the authorization failed.

Sorting Records

This log can be used to help see patterns and identify attacks from automated tools.

If the customers card fails to go through it could be for a number of reasons:

When the authorization fails to go through the customer will get an error message like this which is now logged in the Failed Authorization Log.

Client Error

These errors are not logged to give you visibility to what is happening on your Miva Store.

Authorization Blacklist

A new Authorization Blacklist feature now allows you to block specific IP addresses from performing credit card authorizations. IP addresses may be added to this list manually or automatically if more than the configured number of authorization failures occur in a specified period of time.

If you find that the same IP Address is showing up multiple times in your Authorize Failure area, you can "Blacklist" that IP from getting through the gateway again. Here's how:

On the Authorization Failures Tab, click on the IP Address you want to blacklist. Then select the "Blacklist" Button. As long as that IP is blacklisted, their card will be stopped by Miva Merchant and all future transactions will be prevented from being sent to the payment gateway.

Blacklist

A window will pop up giving you options of whether you want to blacklist them forever, for a period of hours, or days. The option defaults to never, but there may be an instance where you just want to be safe and block them for a shorter period of time.

Blacklist

When an IP address is blacklisted, if they try and place another order, they will get an error generic error message like this. This message is purposely vague to prevent an attacker from knowing they have been blocked.

Error Message

In addition to manually blocking an IP address, you can configure Miva to automatically block an IP after a certain number of failed authorizations. This setting is located under Payment Settings -> Settings -> Fraud Tab Group

If set to automatic, when it reaches the threshold number of failures in the specified time period it will automatically block that IP for the duration you set.

Fraud

View & Edit Blacklisted IP Addresses

You can review the addresses you have blacklisted by clicking on "Menu" then "Payment" and clicking on the "Authorization Blacklist" tab.

Fraud

This will show you a list of all the IP addresses you have blacklisted and allow you to edit, add or delete them.

Authorization Token

A new option allows an authorization token to be used during order placement. The token must be submitted with each AUTH action. The token will be unique to each basket and will change every time an AUTH action is performed, requiring bots or other attackers attempting to validate cards through automated means to view the OPAY page prior to submitting the AUTH action.

Hidden Inputs

This feature is enabled by default on new stores. However on upgrade stores it needs to be turned on under Payment -> Settings -> Fraud

There are no page template changes required to implement this feature. Once it is enabled, a hidden input with the token will automatically be added to the OPAY page. This token will then be validated prior to sending the credit card to the gateway for an authorization.

Authorization Delay & Max Authorizations

Failed authorization attempts can now be rate limited by adding a delay after an authorization failure. This will prevent a bot from being able to submit 100's of attempts per second. The default authorization delay is 5000 milliseconds (.5 seconds) and can be adjusted up or down.

Miva can also be configured to require a shopper to restart the checkout process after a specified number of authorization failures. This will force the shopper back to the Basket screen and will require them to restart checkout.

The default value for this is 0 (never) but this can be adjusted higher as needed.

Fraud

Recaptcha Settings

reCAPTCHA can now be added to the checkout process to force the customer to enter in a reCAPTCHA before being able to complete checkout. The reCAPTCHA may be turned on manually or enabled whenever a threshold number of authorization failures occur within a specified period of time.

Step #1 - You'll need to set up an account here:** [https://www.google.com/recaptcha](https://www.google.com/recaptcha)

Adding reCAPTCHA to your site

Step #2 - Once you set up your account, you'll need the Site Key and the Secret Key to set up your reCAPTCHA settings.

Keys

Copy and paste the keys into your Public and Private Key fields below:

Recaptcha

There are 3 settings for reCAPTCHA

Off - (default) This means that no reCAPTCHA will be shown on on the website.

On - reCAPTCHA will always be required for all shoppers to complete checkout

Velocity - This allows Miva to automatically turn on reCAPTCHA for all shoppers when a certain amount of failed attempts is reached in a timeframe. Once the decline attempts falls below that threshold, the reCAPTCHA automatically turns off.

Here is an example of what the reCAPTCHA looks like on the website

Recaptcha

ReCAPTCHA requires no template changes and works on both MMUI and CSSUI stores.

Looking for Developer Docs?

We have a whole section for that, including: Developer Training Series, Template Language docs, Module Development tutorials and much, much more.

Head to the Developer Section

This website uses cookies to identify visitors, track visitors to our website, store login session information and to remember your user preferences. By continuing to use this site you agree to our use of cookies. Learn More.

This website uses cookies. By continuing to use this site you agree to our use of cookies. Learn More.

Accept

Copyright © 1997 – 2024 Miva®, Miva Merchant®, MivaPay®, MivaCon®, Camp Miva®, Miva Connect®, Miva, Inc. All Rights Reserved.