When a shopper places an order on your store paying with a credit or debit card, they may or may not be required to perform reCAPTCHA validation according to the criteria set in the orderForm configuration.
vtexCriteria option uses an algorithm to determine which sessions are trustworthy. This reduces the application of reCAPTCHA validation, improving security with no impact conversion. This is the recommended option if you are using checkbox validation (equivalent to reCAPTCHA v2).
Regardless of this configuration, reCAPTCHA verification will not be required in some cases:
Fulfillment orders, meaning orders received through a marketplace, in which your store is responsible only for the fulfillment. In this case, reCAPTCHA validation is applied in the marketplace where the order was made by the shopper according to its own configuration.
Orders made by authenticated administrator users, including call center users.
Orders made through the private (
/pvt) placeOrder API endpoint, which is commonly used by integrations and authenticated with appKey and appToken.
Orders where payment does not include a debit or credit card.