Merchant Guide: Understanding CAPTCHA and How It Protects Your Checkout

This article includes the following sections:

• What is CAPTCHA?
• How Does CAPTCHA Work?
• What Does CAPTCHA Protect Against?
• How CAPTCHA Appears on Peach Payments Checkout
• CAPTCHA FAQ's

What is CAPTCHA?

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. In simple terms, it is a security challenge that helps determine whether the person interacting with a website or payment page is a real human being — or an automated bot or script.

You've likely encountered CAPTCHA before: a checkbox that says "I'm not a robot," a prompt to identify traffic lights in a grid of images, or an invisible check that runs silently in the background. These are all forms of CAPTCHA in action.

At Peach Payments, CAPTCHA is integrated into our Checkout integration as an additional layer of fraud protection, helping to ensure that every payment attempt on your checkout page originates from a real customer.

Please note: CAPTCHA is currently available exclusively on the Peach Payments Checkout integration upon request. It is not available on Copy and Pay, Server-to-Server or any other integration type at this moment in time.

How Does CAPTCHA Work?

CAPTCHA works by presenting a challenge — either visible or invisible — that is easy for a human to complete but extremely difficult for an automated system (bot) to pass.

When a customer interacts with your Peach Payments Checkout page, CAPTCHA evaluates the session against multiple risk signals before the payment is submitted. Here's what happens step by step:

This means that potentially fraudulent or automated payment attempts are stopped at the door — before they create transaction noise, consume your risk limits, or generate unnecessary declines.

What Does CAPTCHA Protect Against?

CAPTCHA is specifically designed to counter threats driven by bots and automated scripts. The most common threats it defends against include:

Card Testing / Carding Attacks This is one of the most damaging fraud patterns merchants face. Fraudsters use stolen card numbers and automated scripts to rapidly test thousands of cards on a merchant's checkout page — looking for cards that are still active. CAPTCHA makes this process significantly harder by blocking the automated scripts responsible.

Credential Stuffing Bots use large lists of stolen usernames and passwords to try to access accounts at scale. CAPTCHA breaks the automation loop these attacks rely on.

Brute Force Payment Attempts Automated systems repeatedly trying different card details, expiry dates, or CVV combinations to find a working combination. CAPTCHA interrupts this cycle by requiring human verification.

Scraping and Enumeration Bots probing your checkout page to map out how it responds to different inputs — a precursor to more targeted fraud. CAPTCHA helps obscure this information from automated systems.

The combined benefit: fewer fraudulent transaction attempts reaching your payment processor, lower dispute rates, and a cleaner transaction history — all without meaningfully impacting your legitimate customers' checkout experience.

How CAPTCHA Appears on Peach Payments Checkout

When CAPTCHA is active on your Checkout integration, the experience for your customers is designed to be as seamless as possible. In most cases, CAPTCHA runs invisibly — the customer will not notice it at all, and the checkout experience remains smooth and uninterrupted.

Where a session cannot be confidently verified based on the available risk signals, a visible CAPTCHA challenge will appear. This is typically a simple task that a real customer can complete within seconds. Once passed, the customer proceeds to complete their payment as normal.

What this means for your customers: Legitimate shoppers will rarely, if ever, see a CAPTCHA challenge. The experience is designed to protect your checkout without creating friction for genuine buyers.

Important: CAPTCHA forms part of a broader fraud prevention strategy and should not be relied upon as a sole control. Peach Payments recommends using CAPTCHA alongside other available measures — such as 3D Secure authentication and advanced risk checks — to build a layered and resilient defence against fraud. Speak to your Account Manager to understand what combination of controls is right for your business.

CAPTCHA FAQ's

1. Do I need to do anything to enable CAPTCHA on my checkout? CAPTCHA availability on Checkout is managed by Peach Payments. Please reach out to our Support Team via the Submit a Ticket button below or by speaking to your Peach Account Manager, to discuss whether CAPTCHA can be enabled on your account.
2. Does CAPTCHA slow down my checkout? No. Where CAPTCHA runs invisibly, it adds no perceptible delay to your checkout experience. Even when a visible challenge is triggered, it adds only a few seconds for the customer to complete.
3. Will CAPTCHA block my legitimate customers? CAPTCHA is designed to be highly accurate in distinguishing humans from bots. False positives (legitimate customers being incorrectly challenged or blocked) are rare. If you notice customers reporting unusual checkout friction, please contact our support team to investigate.
4. Does CAPTCHA work on mobile devices? Yes. CAPTCHA on Peach Payments Checkout is optimised for both desktop and mobile browsing experiences.
5. I use Copy and Pay / the REST API. Can I still use CAPTCHA? CAPTCHA is currently only available on the Peach Payments Checkout integration. If you are on a different integration type and are concerned about automated fraud, please speak to your Account Manager about other available fraud prevention measures, including our advanced risk check suite.
6. Does CAPTCHA replace 3D Secure? No. CAPTCHA and 3D Secure serve different purposes and work together as complementary layers of security. 3D Secure authenticates the cardholder with their issuing bank, while CAPTCHA verifies that the person initiating the checkout session is human. Both can — and should — be active simultaneously for maximum protection.