The reCAPTCHA v3 module is available to provide added protection against carding attacks and other potentially malicious activities aimed at your Miva store website. This guide will help you understand why we are moving to the new module and help you install it on your site.
The tactics used by hackers and bots are ever-evolving. To protect our store owners’ businesses, stronger security measures are needed. Attackers have found ways to circumvent existing protections, making them ineffective. The reCAPTCHA v3 module is a seamless, easy-to-implement solution that can protect a business’s entire website, not just checkout pages.
For a quick explanation of reCAPTCHA v3, view this Google reCAPTCHA v3 video.
With reCAPTCHA v2, shoppers were required to interact with a website in ways intended to determine whether they were human. For example, a shopper might be shown several pictures and asked to click on all the pictures that had a bicycle in them.
In addition, its scope was limited to only certain pages, such as the payment (OPAY) screen.
Now, with reCAPTCHA v3, the experience is transparent to your shoppers, and it is present on every page of the store, including pages for account creation or form submission. It observes the shopper’s interaction with the pages of your store and creates a score for that shopper, indicating their relative humanity. By using this score, a store owner can adjust the threshold for rejecting or allowing actions as needed to best protect their site.
1. Download the module from the app store here: reCAPTCHA v3. Upload it to your Miva store under Domain Settings > Modules.
2. In the Miva admin, click Settings>Modules>Search and search for “reCAPTCHA v3.” In the app’s box, click Install.
3. If you haven’t already, you will need to sign up for an API key pair for your site. You can begin that process with the Google reCAPTCHA create page.
Since the launch of Multi-Domain functionality in Miva version 10.09, to use reCAPTCHA v3 on multiple domains you MUST add every subdomain and every additional site in your multi-domain setup to the Domains section of the Google reCAPTCHA admin panel. This section immediately follows the reCAPTCHA keys section mentioned in the next step.
4. Once signed up for reCAPTCHA, copy both the Site Key and the Secret Key from the reCAPTCHA page, and paste them into the corresponding fields at Settings>Utilities>reCAPTCHA v3 Settings. The keys are validated by the Miva admin.
reCAPTCHA v3 will NOT work with AmazonPayv2 or Affirm unless you add a new exclusion within the module. In the Miva admin, within the exclusions for the AUTH action, you will need to add the following:
Parameter: PaymentMethod
Value: amazonpayv2: or affirm: depending on the one you are configuring.
5. Select the actions you want to protect at Settings>Utilities>reCAPTCHA v3 Action Configuration. An action is selected by clicking the slider adjacent to it.
6. Optionally, you can alter the Score Threshold the module will use to score interactions. Google suggests a default value of 0.5 on a 1.0 scale. A lower score threshold means less scrutiny, while a higher value means more scrutiny of the action. For example, if an action is given a Score Threshold value of 0.0, the module will validate the reCAPTCHA, but with so little scrutiny that every action is ultimately approved.
As a best practice, it may be a good idea to set the threshold to 0.0 initially for a few days, which would approve all actions. This allows Google time to collect data and lets you see the average scores to determine whether you need to adjust the 0.5 default score up or down.
Miva logs and compiles all the rejections from a given time period, with the default time period being seven days. The logs are found at Settings>Utilities>reCAPTCHA v3 Rejections. You may have to adjust the score threshold based on the data in the log, and in the reCAPTCHA data from Google.
If, for example, you are seeing a high number of rejections and you fear those rejections may have been incorrect, you may want to lower the threshold. On the other hand, if you are seeing higher than usual traffic, you may want to increase the score threshold to protect against, for example, a bot attack.
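The threshold review described above can be worked through as a what-if table: for each candidate threshold, what fraction of the scores observed during the 0.0 period would have been rejected. This is an added example, not Miva module code; the (action, score) tuple layout, the CREATE_ACCOUNT name and the "score must meet the threshold" comparison are assumptions made for illustration, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample of (action, score) observations gathered while the
# threshold is 0.0; the tuple layout is an assumption, not a Miva export format.
# "CREATE_ACCOUNT" is a placeholder name for the Create Account action.
OBSERVED = [
    ("AUTH", 0.9), ("AUTH", 0.9), ("AUTH", 0.7), ("AUTH", 0.7),
    ("AUTH", 0.9), ("AUTH", 0.3), ("AUTH", 0.1), ("AUTH", 0.1),
    ("CREATE_ACCOUNT", 0.9), ("CREATE_ACCOUNT", 0.3),
    ("CREATE_ACCOUNT", 0.1), ("CREATE_ACCOUNT", 0.1),
]

def is_allowed(score, threshold):
    """Assumed rule: an action passes when its score meets the threshold,
    so a threshold of 0.0 approves everything, as the guide describes."""
    return score >= threshold

def rejection_table(observed, thresholds):
    """Return {action: {threshold: fraction of observations rejected}}."""
    by_action = defaultdict(list)
    for action, score in observed:
        by_action[action].append(score)
    table = {}
    for action, scores in by_action.items():
        table[action] = {
            t: sum(not is_allowed(s, t) for s in scores) / len(scores)
            for t in thresholds
        }
    return table

def newly_rejected(observed, action, current, candidate):
    """Scores that pass at `current` but fail at `candidate`: the traffic to
    review by hand before raising the threshold."""
    return sorted(s for a, s in observed
                  if a == action and is_allowed(s, current)
                  and not is_allowed(s, candidate))

if __name__ == "__main__":
    thresholds = [0.0, 0.3, 0.5, 0.7]
    for action, row in rejection_table(OBSERVED, thresholds).items():
        cells = "  ".join(f"{t:.1f}:{rate:.0%}" for t, rate in row.items())
        print(f"{action:15s} {cells}")
    print(newly_rejected(OBSERVED, "AUTH", 0.3, 0.5))
```

Reading the table per action matters because a threshold that rejects little AUTH traffic may reject most account-creation traffic, or the reverse.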
Introduced in Version 10.10.00, the Contact Form Flex Component allows users to create contact forms right in the Miva admin, giving customers an easy way to reach out to their business.
Below is an example of how to integrate the Contact Form Flex Component with the reCAPTCHA v3 module:
The CSS Query Selector (Comma Separated) value can be made page-specific, so you can control which forms use reCAPTCHA v3. For example, if you are using the Shadows default framework and the form is on page code SIGNUP, then the value would be #js-SIGNUP form input[name="Action"][value="MMX_CONTACT_FORM_SUBMITTED"]
The reCAPTCHA v3 module comes pre-configured to protect several common actions, including things like password reset, payment authorization and customer account creation. It does so by identifying the forms that require selection and then automatically generating the necessary reCAPTCHA for them.
Other actions can be added as well through the use of a code snippet shown below:
Likewise, actions can be excluded from reCAPTCHA v3. For example, if you have the module set up for the Payment Authorization page, but a shopper is going to check out through Bread, which has its own security system, you can tell the module to exclude any payment actions being made through Bread. In addition, the module automatically detects modules that indicate they have off site checkouts, like PayPal, and those are automatically excluded from verification.
What actions should I use reCAPTCHA v3 to verify at the outset?
Miva recommends using the module on the AUTH action at the very least, and possibly other customer actions as desired, like the Create Account action, which is another frequent bot target.
How can I be sure that legitimate traffic is not being blocked?
While the default threshold setting is typically recommended as 0.5, you can, if you wish, set it to 0.0. This allows all traffic, and will help Google create a behavioral model for your website. Wait a few days, then review the log for data trends and reset the threshold accordingly.
Can I use reCAPTCHA v3 with reCAPTCHA v2?
You can use both if you desire. Using the older version will not interfere with the new, and vice versa.