SuiteCommerce 2025.2: CAPTCHA, Email Verification, Domain Blocklist, and SCIS Default Change

What Changed

CAPTCHA Support (hCaptcha & Google reCAPTCHA)

SuiteCommerce now supports third-party CAPTCHA challenges on registration, login, guest checkout, and place-order flows. Configuration is managed through the SuiteCommerce Configuration record under Integrations > CAPTCHA Settings. New configuration property IDs:

• captcha.enableRegister
• captcha.enableLogin
• captcha.enableGuestCheckout
• captcha.enablePlaceOrder
• captcha.type — selects the provider (hCaptcha or reCAPTCHA)
• captcha.siteKey
• captcha.secretKey

Email Domain Blocklist

A new blocklist feature prevents registration from disposable or untrusted email domains. Managed under Advanced > Blocklist Email Domains in the SuiteCommerce Configuration record. Properties:

• blockListEmailDomains.enableEmailBlockList
• blockListEmailDomains.domainList

Email Verification

An optional email verification flow can now be enforced before account creation or purchase. Configured under Advanced > Email Verification. Properties:

• emailVerification.enabled
• emailVerification.senderId — the employee record used as the sender
• emailVerification.templateId — the email template record
• emailVerification.codeTTL — verification code lifetime in seconds
• emailVerification.codeRequestInterval — minimum seconds between code requests

Pricing Display Security Fix

A bug allowed quantity pricing to appear in search engine results even when Require Login for Pricing was enabled on the Website Setup record. This is now fixed — pricing is hidden from unauthenticated views in search engine results.

SCIS Integration Default Changed

The Is SCIS integration enabled setting on the SuiteCommerce Configuration record now defaults to disabled. Previously, the SuiteCommerce Configuration bundle enabled this by default even when SuiteCommerce InStore was not installed, causing search errors and unnecessary logging. New domains created on 2025.2 are unaffected. Existing domains on earlier versions that do not use SCIS should disable this setting manually (see migration steps below).

Third-Party Library Update

jquery-bxslider updated from 4.2.15 to 4.2.17. The updated version is reflected in distro.json. Any themes or extensions using this library must be tested for compatibility. Deprecated methods should be removed before migrating.

Node.js Requirement

Developer tools (Theme, Extension, and core SCA tooling) continue to require Node.js 20.10.0. No change from the previous release.

What to Do

1. CAPTCHA setup: If you want bot protection, obtain site/secret keys from hCaptcha or Google reCAPTCHA, then configure the captcha.* properties in the SuiteCommerce Configuration record under Integrations > CAPTCHA Settings. Test registration, login, guest checkout, and order placement flows in your sandbox.
2. Email verification: To enable, set emailVerification.enabled to true and configure the sender employee, email template, TTL, and request interval. Verify the email template renders correctly and that the TTL is reasonable for your user base.
3. Email domain blocklist: Enable via blockListEmailDomains.enableEmailBlockList and populate blockListEmailDomains.domainList with domains to block. Review the predefined blocklist and add any disposable email providers specific to your market.
4. Disable SCIS integration (existing sites not using SCIS): Navigate to Commerce > Websites > Configuration, select your website/domain, click Configure, go to My Account > SCIS Integration, clear the Is SCIS integration enabled checkbox, and save. This eliminates unnecessary search errors and logging noise.
5. jquery-bxslider compatibility: Audit any custom themes or extensions that depend on jquery-bxslider. Check for deprecated methods removed between 4.2.15 and 4.2.17. Test slider behavior in your sandbox before deploying.
6. Verify pricing fix: If you use Require Login for Pricing on the Website Setup record, confirm that pricing data no longer leaks in search engine results by inspecting your site's cached search snippets.