Skip to content

Understand our fraud and risk management solution

Last updated: 25th May 2022

This page explains how to use our fraud and risk management solution, so you control what type of payments you accept and reduce the risk of fraud. If you have permissions to alter your risk settings, you will be able to add, edit and delete rules.

Configuring your risk settings

If you want to change your risk settings, please get in touch with our Risk team at risk@checkout.com.


Risk strategies

Pre-3DS and post-auth are the stages in the payment lifecycle that you can use our solution to decide what happens to a transaction. The process the transaction goes through before reaching that outcome is called routing, and each stage has its own route. Routes have several data points that a transaction passes through. These data points can be rules, outcomes or decline lists.

Live strategy

The decision groups you see under Live strategy are affecting your live transactions. It is view only, so you will not be able to directly edit and affect live transactions.

Test strategy

Safely test changes to your decision points under the Test strategy section. It has no effect on your live transactions, but you will be able to see the hypothetical outcome of these changes.

Once you are happy with the results of your test, you can select Replace live strategy to affect your live transactions. This cannot be undone.


Rules

Rules are set by Checkout.com and are the building blocks of your fraud strategy. They take the form of an expression that can be evaluated as true or false.

When a transaction is compared against a rule, it returns either true or false. This determines how it will be routed and the ultimate outcome of that transaction. Each true and false option is referred to as a branch on your decision tree.

Examples of non-combined rules:

  • Information within a transaction payload, for example ‘Transaction amount over 100USD’
  • Additional contextual information, for example, ‘Billing address is valid’
  • Statistical data derived from your traffic, for example, ‘Same card used more than 3 times in the last 1 hour’

See all rule categories available.

Velocities

When creating new rules, you can set the frequency in which the rule is triggered – we call this velocity. Transaction count checks the occurrence of a single attribute over a time period. For example, velocity (billing_address, 24h, _attempted_) > 10 will trigger when the number of approved requests for a particular billing address goes above 10 in a 24-hour period.

Manage rule groups

These are lists of rules that are grouped by outcome. At pre-3DS, there are decline and 3DS rule groups. At post-auth, there are void and flag rule groups.

Add rules groups by selecting Add rules at the bottom of each group. To remove a rule, select the 3 dots in the corner of the rule card and select Remove rule.

Edit a rule

Velocity rules and amount threshold rules are editable. For example, when changing the daily velocity trigger value from 7 to 10.

  1. Select the rule
  2. Edit the number in the text editor and select Check rule
  3. Select Save rule

Lists

Lists are sets of custom values that can be referenced in the rules. By default, you have access to a list of high-risk countries that are referenced in verified information rules. For example, the payment IP country is in a list of high-risk countries.

Add a list entry

  1. Navigate to Lists tab
  2. Select Add entry and enter the new value

If you are adding to a country list, for example, your high-risk country list, you should enter it as the 2-letter ISO code in capital letters.


Outcomes

Outcomes are what will happen to the transaction. The recommended outcomes for each transaction risk level are specified in the following tables. We’ve split them by routing type – pre-3DS and post-auth. See the full description of each stage in the payment lifecycle.

    3DS transactions are subject to a liability shift. The shift occurs when the liability for fraudulent chargebacks (stolen or counterfeit cards) shifts from you to the card issuer. Use the Liability shift column to determine what outcomes it applies to.

    OutcomeRecommended transaction risk levelLiability shift

    Decline

    High risk

    N/A

    3DS check

    Medium risk

    Yes

    Accept

    Low risk

    No – unless the issuer decides to challenge the transaction

    A 3DS check means that your customer will have to prove their identity, such as through the use of a one-time pass code. This will reduce fraud, but also may impact your conversion rate.


    Decline lists

    If a transaction being routed matches an item on a decline list (also known as a blocklist), the transaction will be immediately declined. You can create a decline list for 6 fields:

    • Card number – the card’s 16-digit long number
    • BIN – the first 6 to 8 digits of the card number, used to identify which issuer the card belongs to
    • Email address – a customer’s full email address
    • Phone – a customer’s phone number
    • Payment IP – a customer’s IP address
    • Email domain – the domain of a customer’s email, which comes after the @ symbol

    Add to a decline list

    You can add to a decline list 2 ways:

    1. Select a transaction from the Payment details view in the Hub, and use the "blacklist" button
    2. Add to a decline list from the Decline list tab within the fraud solution

    Card numbers can only be added to a decline list from the Hub.


    Risk profiles

    Risk profiles are a collection of rules used for scoring based decision-making. They are made up of 2 sections – scoring rules and decision rules.

    Scoring rules

    Each rule has a score between 0 and 100 – 0 being low risk, and 100 the highest. Transactions are compared against each rule in a risk profile, and if a transaction meets the rule criteria, the transaction will receive the points associated with it.

    Scores can be a negative or positive number, and the ultimate risk score of a transaction is the sum of all the rules the transaction met the criteria for.

    You can select as many rules as you want to be evaluated. The order the rules are defined is not important, because a transaction will be evaluated against each rule.

    A transaction risk score must always be a number from 0 to 100. If the sum of scores is less than 0, the transaction risk score will be 0. If the sum is greater than 100, the transaction risk score will be 100.

    Decision rules

    After specifying scores for each rule, you can decide the outcome of the transaction. The set of outcomes available to choose from will depend on whether the risk profile is applied at the pre- 3DS or post-auth stages.

    Once the decisions have been selected, you can define the risk score bands that correspond to them. For example, you may decide to Decline all transactions with risk score above 90, and to Force challenge all transactions with risk scores between 70 and 90.

    Where to next?


    Troubleshoot our fraud and risk management solution

    Understand why certain errors happen, and how to fix them.

    Rule categories

    Learn about the risk management categories that can be used when setting up rules.