Stripe's new CAPTCHA feature: challenges for WiFi captive portals

Recently, Stripe introduced a new CAPTCHA feature aimed at safeguarding their customers and platform against fraudulent activities, specifically against card testing.

Stripe explain their rationale in more details here:
https://docs.stripe.com/disputes/prevention/card-testing#optimize-integration

While this move enhances security for their platform and customers, it introduces challenges for businesses operating WiFi captive portals to accept payments for paid access, especially those integrated with the UniFi platform.

This what users will see after they have completed the checkout form and the CAPTCHA is triggered by Stripe:

The text the users see is "One more step before you're finished" and "Select the tickbox below", "Select the checkbox below" or similar.

It is clear the user has to perform an action, but the remainder of the popup is unavailable to the user, causing the checkout process to stall.

Let's explore how this feature impacts online payments through captive portals and practical steps to address these challenges, specifically using the Art of WiFi captive portal for paid access.

Understanding the Impact

Stripe's CAPTCHA feature, through their partner hcaptcha, leverages Cloudflare for the delivery of Javascript, CSS, HTML and other resources. This poses a challenge for WiFi captive portals that rely on IP address-based access lists; adding all of Cloudflare's IP addresses or subnets to the Pre-Authorization Allowances list is virtually impossible. This is the term used by the UniFi platform, other platforms may use other terminology.

Consequently, businesses relying on captive portals integrated with the UniFi platform and Stripe are likely to encounter disruptions in their online payment processes. This also applies to businesses relying on other networking vendors that use IP address-based access lists.

Navigating Challenges

As a general solution, businesses encountering difficulties with the Stripe CAPTCHA feature can request assistance from Stripe Support to disable the CAPTCHA feature for their account. Stripe may not always be able to apply that change though.

For businesses running a captive portal using a networking platform that supports wildcard-based entries for the access list, the solution is to add an entry for *.hcaptcha.com.

For businesses using a UniFi-based network and the Art of WiFi captive portal for paid access, these are the steps to follow:

1. Enable SCA Compliant Payment Flow: For versions 2.0.5 and higher of our captive portal for paid access, enabling the SCA compliant payment flow fixes the issue.

2. Adjust Temporary Access Settings: Configure the Temporary Access settings to values that make sense for your specific use case. These are recommended values that apply to most environments:

By setting the correct values, you can ensure that users can interact with CAPTCHA challenges without disruption to the payment process.

Embracing Security and Innovation

While Stripe's CAPTCHA feature presents challenges for WiFi captive portals, it underscores the importance of prioritizing flexible security measures in online payments. With increased emphasis on Strong Customer Authentication (SCA) and 3D Secure protocols, implementing robust payment integrations becomes imperative to mitigate such challenges.

Here are some links that cover these topics in greater detail:
https://www.visa.co.uk/partner-with-us/payment-technology/strong-customer-authentication.html
https://en.wikipedia.org/wiki/Strong_customer_authentication
https://www.mastercard.co.uk/en-gb/personal/safety-security/strong-customer-authentication.html
https://www.visa.com.au/pay-with-visa/security/secure-online-shopping.html

Conclusion

In the evolving landscape of online transactions, security remains paramount. The introduction of Stripe's CAPTCHA feature is yet another step towards enhancing payment security, albeit with implications for WiFi captive portals. By understanding the impact of this feature and implementing practical solutions, businesses can overcome challenges and maintain seamless online payment functionality.

At Art of WiFi are committed to ensure our captive portal solutions support current and future security controls while focussing on streamlining the end-user experience throughout the entire checkout process as much as possible.