TABLE OF CONTENTS
What is a CAPTCHA?
A CAPTCHA test is designed to determine if an online user is really a human and not a bot. CAPTCHA is an acronym that stands for "Completely Automated Public Turing test to tell Computers and Humans Apart." Users often encounter CAPTCHA and reCAPTCHA tests on the Internet when submitting contact forms, logins and checkouts, to ensure the person submitting the form is a real person. Such tests are one way of managing bot activity, although the approach has its drawbacks.
Although CAPTCHAs are designed to block automated bots, CAPTCHAs are themselves automated. They're programmed to pop up in certain places on a website, and they automatically pass or fail users.
CAPTCHAs can be user interactive or fully automated. Fully automated/invisible CAPTCHAs use the providers intelligence to determine if the entity browsing a page is real. it bases this on IP address, browser type, and various other HTTP header type of information. This, along with taking a holistic look at a user's behaviour and history of interacting with content on the Internet helps to determine the likelihood of being a bot. Most of the time, the program can decide based on those factors whether or not the user is a bot, without providing the user with a challenge to complete. If not, then the user will get a typical reCAPTCHA challenge.
Some examples of a visible CAPTCHA are below.
Note: Bots themselves are not necessarily harmful. Google and other search engines use bots to trawl web pages for search purposes. However, not all bots are as pleasant and some are used for nefarious purposes
ReCaptcha is a free service offered by Google to allow websites to utilise a CAPTCHA on their own websites, and does require code implementation at the point a site wants to check the authenticity of a user.
CAPTCHAs are not foolproof. They are simply one way of helping to reduce the risk of bot attacks. Several hundreds of thousands of pounds can be spent on cybersecurity and bots can still get around it. So it is a rick/reward scenario when considering the use of a CAPTCHA.
Merac Ticketing and ReCaptcha
We have added support for Google ReCaptcha's Invisible captcha into our core product for new websites, but does require implementation on to existing sites, and will require a conversation with your success manager for this to be enabled.
Our ReCaptcha implementation is designed to check the authenticity of the user immediately before forwarding them to the payment gateway. It happens when the user clicks on the Pay Now button. This is designed to reduce the bot traffic to any potential payment gateway.
Our implementation allows you to fine tune how "aggressive" the ReCaptcha is in deciding if a transaction is a human or bot as shown below. The setting is highlighted below in the website config which you can access on your online portal.
Note that the GoogleCaptchaSilentMode allows activity logging to be done without actually having any Captcha process stop/allow transactions.
If the CAPTCHA check fails, they do not reach the payment gateway. There will be a visible indicator on this page to tell them it has failed, and it is impossible for a failed CAPTCHA to reach the Gateway.
Some human interaction may be interpreted by Google's ReCaptcha due to settings the user has on cookies, using Incognito mode etc
A Note About Gateways
Payment gateways typically utilise their own threat detection systems, including CAPTCHA systems.
If the user is getting a CAPTCHA fail on the Payment Gateway, it is not something we can manage or control.