WooPayments: Fraud Protection

From version 5.9.0, WooPayments offers a more configurable fraud protection experience for merchants. This helps you avoid disputes by setting the security and fraud protection risk level that best suits your business.

This page explains how fraud protection works, what the various settings do, and how they interact with incoming orders from your customers.

How fraud protection works

When a new order is placed, it is first evaluated by the fraud protection rules you’ve configured. Those rules determine if the order will be allowed to go through or if it will be blocked.

  • Allowed: The customer will be charged and the order will go through normally. In short, these orders will behave just the same as orders that use any other payment gateway.
  • Blocked: The customer’s payment method is not charged, and the order is set to the Pending Payment status. Optionally, you can remove blocked transactions after a set time.

Allowed orders will be shown under WooCommerce > Orders and Payments > Transactions, just as they always have. We have also added a Blocked tab to the Payments > Transactions page, which shows the orders that have been automatically cancelled.

The blocked transactions list.

Configuring fraud protection rules

Fraud protection rules are configured on the Payments > Settings page, in the Fraud Protection section. There are two options:

  • Basic: Similar to the protection WooPayments had before version 5.9.0. Orders will only be blocked if the card’s issuing bank can’t verify the card security code.
  • Advanced: This option allows you to customize the fraud protection rules as you see fit.

The fraud protection settings.

Advanced configuration

If you want more control than the Basic risk level offers, you can select the Advanced risk level and configure additional rules. The rules you can add are the following:

  • AVS Mismatch: Compares the postcode submitted by the customer to the postcode on file with their card’s issuing bank. Orders will be blocked if the two do not match.
  • International IP Address: Blocks the order if the customer’s IP address is from outside the countries you sell to, even if the billing country they entered is one you sell to.
  • IP Address Mismatch: Compares the customer’s billing country to the country that their IP address seems to originate from. Blocks the order if those do not match.
  • Address Mismatch: Blocks orders if the billing country and shipping country are different.
  • Purchase Price Threshold: Compares the total order price to the minimum and maximum that you’ve allowed. Blocks orders if the total is outside the range.
  • Order Items Threshold: Blocks orders if the total number of items in the order is lower than or greater than the range you’ve allowed.

Enabling a rule will block orders if they meet that rule’s conditions. For example, the following configuration will automatically block orders with over 20 products:

Blocking transactions with more than 20 items

The CVC Verification rule at the bottom of the page cannot be disabled. Card payments that fail CVC verification will always be blocked. (Note that some payment methods, e.g. express checkouts, do not utilize the CVC check at all. This is normal.)
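
To see how these rules combine before enabling them on a live store, the following added sketch evaluates orders against the rules as this page describes them and returns the names of the rules each order would trigger. It is an illustration, not WooPayments code: the `Order` and `Rules` classes, the `outside` and `triggered_rules` helpers, and all sample values are constructed here.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Order:  # constructed model of the order fields the rules look at
    billing_country: str
    shipping_country: str
    ip_country: str
    total: float
    item_count: int
    avs_postcode_match: bool = True
    cvc_failed: bool = False

@dataclass
class Rules:  # hypothetical stand-in for the Advanced settings screen
    selling_countries: frozenset
    avs_mismatch: bool = False
    international_ip: bool = False
    ip_address_mismatch: bool = False
    address_mismatch: bool = False
    price_range: Optional[tuple] = None  # (min, max); None disables the rule
    items_range: Optional[tuple] = None  # a None end of the pair means no limit

def outside(value, bounds):
    low, high = bounds or (None, None)
    return (low is not None and value < low) or (high is not None and value > high)

def triggered_rules(o, r):
    """Return the names of every rule the order trips; an empty list means Allowed."""
    checks = [
        ("CVC Verification", o.cvc_failed),  # always on, cannot be disabled
        ("AVS Mismatch", r.avs_mismatch and not o.avs_postcode_match),
        ("International IP Address", r.international_ip and o.ip_country not in r.selling_countries),
        ("IP Address Mismatch", r.ip_address_mismatch and o.ip_country != o.billing_country),
        ("Address Mismatch", r.address_mismatch and o.billing_country != o.shipping_country),
        ("Purchase Price Threshold", outside(o.total, r.price_range)),
        ("Order Items Threshold", outside(o.item_count, r.items_range)),
    ]
    return [name for name, hit in checks if hit]

# Constructed sample: a store selling to the US and Canada, at most 20 items per order.
RULES = Rules(frozenset({"US", "CA"}), international_ip=True,
              ip_address_mismatch=True, items_range=(None, 20))
SAMPLE_ORDERS = {
    "local": Order("US", "US", "US", 80.0, 3),
    "traveller": Order("US", "US", "CA", 80.0, 3),  # IP in a country sold to
    "abroad": Order("US", "US", "FR", 80.0, 3),     # IP outside selling countries
    "bulk": Order("CA", "CA", "CA", 900.0, 21),
}
```

The "traveller" order shows why the two IP rules are separate: its IP country is one the store sells to, so only IP Address Mismatch applies, while "abroad" trips both.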

AVS Mismatch notes

There are a couple of things to keep in mind with regard to the AVS Mismatch rule:

  • Some countries and card issuers do not support AVS mismatch checks. (For example, some countries don’t use postcodes at all.) However, AVS is commonly supported for cards issued in the U.S., Canada, and the UK.
  • Disabling the AVS Mismatch rule does not mean that all transactions with non-matching postcodes will be allowed. Banks may or may not block such transactions depending on their own criteria. This is outside of the control of WooPayments.

Viewing rule results

When an order is placed, it’s evaluated according to the fraud protection rules you’ve configured. The outcome is noted on the order details page under WooCommerce > Orders. Clicking either of the View more details links will take you to the transaction details page.

You can also get to the transaction details page directly, by going to Payments > Transactions and clicking a transaction. As noted above, blocked transactions will be added to the Blocked tab, instead of the main Transactions list.

By clicking a blocked transaction to see its timeline, you can find the fraud protection rule(s) that were triggered for that specific transaction.

What customers see

In order to avoid revealing your specific fraud protection rules to customers, WooPayments will show a generic error message when the rules block a transaction.

Customers who see this message will be able to retry the order if they wish.

Removing blocked transactions

If you wish, you can automatically delete blocked orders after a period of time by configuring the “Retain pending orders” setting under WooCommerce > Settings > Accounts & Privacy.

Note, however, that this will affect all Pending Payment orders, not just those that were blocked by the WooPayments fraud protection rules.

Setting a retention period for pending orders