From version 5.9.0, WooCommerce Payments offers a more configurable fraud protection experience for merchants. This helps you avoid disputes by setting the security and fraud protection risk level that best suits your business.
This page explains how fraud protection works, what the various settings do, and how they interact with incoming orders from your customers.
How fraud protection works
When a new order is placed, it is first evaluated by the fraud protection rules you’ve configured. Those rules determine if the order will be allowed to go through or if it will be blocked.
- Allowed: The customer will be charged and the order will go through normally. In short, these orders will behave just the same as orders that use any other payment gateway.
- Blocked: The customer’s payment method is not charged, and the order is set to the Pending Payment status. Optionally, you can remove blocked transactions after a set time.
Allowed orders will be shown under WooCommerce > Orders and Payments > Transactions, just as they always have. We have also added a Blocked tab to the Payments > Transactions page, which shows the orders that have been automatically cancelled.
Configuring fraud protection rules
Fraud protection rules are configured on the Payments > Settings page, in the Fraud Protection section. There are two options:
- Basic: Similar to the protection WooCommerce Payments had before version 5.9.0. Orders will only be blocked if the card’s issuing bank can’t verify the card security code.
- Advanced: This option allows you to customize the fraud protection rules as you see fit.
Advanced configuration
If you want more control than the Basic risk level offers, you can select the Advanced risk level and configure additional rules. The rules you can add are the following:
- AVS Mismatch: Compares the street number and postal/ZIP code submitted by the customer to the street number and postal/ZIP code on file with the card’s issuing bank. Orders will be blocked if the two pieces of information do not match up.
- International IP Address: Blocks the order if the customer’s IP address is from outside the countries you sell to, even if the billing country they entered is one you sell to.
- IP Address Mismatch: Compares the customer’s billing country to the country that their IP address seems to originate from. Blocks the order if those do not match.
- Address Mismatch: Blocks orders if the billing country and shipping country are different.
- Purchase Price Threshold: Compares the total order price to the minimum and maximum that you’ve allowed. Blocks orders if the total is outside the range.
- Order Items Threshold: Blocks orders if the total number of items in the order is lower than or greater than the range you’ve allowed.
NOTE: Some countries and card issuers do not support AVS mismatch checks. (For example, some countries don’t use postal codes at all.) However, AVS is commonly supported for cards issued in the U.S., Canada, and the UK.
Enabling a rule will block orders if they meet that rule’s conditions. For example, the following configuration will automatically block orders with over 20 products:
The CVC Verification rule at the bottom of the advanced configuration page cannot be disabled. Orders that fail CVC verification will always be blocked.
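The rule behaviour described in this section, modelled as an added Python example. This is not WooCommerce Payments code: the Order and Rules classes, their field names and the sample orders are all constructed for illustration. It shows that one triggered rule is enough to block an order, and how International IP Address differs from IP Address Mismatch.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Order:  # constructed model of an incoming order
    billing_country: str
    shipping_country: str
    ip_country: str
    total: float
    item_count: int
    avs_match: bool  # issuer's address check result
    cvc_pass: bool   # issuer's security code check result

@dataclass
class Rules:  # hypothetical settings; all rules off corresponds to the Basic level
    selling_countries: frozenset
    avs_mismatch: bool = False
    international_ip: bool = False
    ip_address_mismatch: bool = False
    address_mismatch: bool = False
    price_range: Optional[tuple] = None  # (min, max); None means rule disabled
    items_range: Optional[tuple] = None

def triggered_rules(o, r):
    """Names of every rule the order trips; an empty list means Allowed."""
    hits = []
    if not o.cvc_pass:  # always enforced, cannot be disabled
        hits.append("CVC Verification")
    if r.avs_mismatch and not o.avs_match:
        hits.append("AVS Mismatch")
    if r.international_ip and o.ip_country not in r.selling_countries:
        hits.append("International IP Address")
    if r.ip_address_mismatch and o.ip_country != o.billing_country:
        hits.append("IP Address Mismatch")
    if r.address_mismatch and o.billing_country != o.shipping_country:
        hits.append("Address Mismatch")
    if r.price_range and not r.price_range[0] <= o.total <= r.price_range[1]:
        hits.append("Purchase Price Threshold")
    if r.items_range and not r.items_range[0] <= o.item_count <= r.items_range[1]:
        hits.append("Order Items Threshold")
    return hits

# Constructed sample data: a store selling to the US and Canada.
BASIC = Rules(frozenset({"US", "CA"}))
ADVANCED = Rules(frozenset({"US", "CA"}), international_ip=True,
                 ip_address_mismatch=True, items_range=(1, 20))
traveller = Order("US", "US", "CA", 80.0, 3, True, True)
offshore = Order("US", "US", "FR", 80.0, 3, True, True)
bulk = Order("US", "US", "US", 500.0, 25, True, True)
```

In this model the traveller order (US billing, Canadian IP) passes International IP Address but trips IP Address Mismatch, which is the kind of legitimate order to weigh before enabling both rules.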
Viewing rule results
When an order is placed, it’s evaluated according to the fraud protection rules you’ve configured. The outcome is noted on the order details page under WooCommerce > Orders. Clicking either of the View more details links will take you to the transaction details page.
You can also get to the transaction details page directly, by going to Payments > Transactions and clicking a transaction. As noted above, blocked transactions will be added to the Blocked tab, instead of the main Transactions list.
By clicking a blocked transaction to see its timeline, you can find the fraud protection rule(s) that were triggered for that specific transaction.
What customers see
In order to avoid revealing your specific fraud protection rules to customers, WooCommerce Payments will show a generic error message when the rules block a transaction.
Customers who see this message will be able to retry the order if they wish.
Removing blocked transactions
If you wish, you can automatically delete blocked orders after a period of time by configuring the “Retain pending orders” setting under WooCommerce > Settings > Accounts & Privacy.
Note, however, that this will affect all Pending Payment orders, not just those that were blocked by the WooCommerce Payments fraud protection rules.