Skip to main content

Fraud

Fraud hurts twice. You lose money on bad orders, then you lose more when you panic and block good customers.

You don't pick a single fraud strategy. You run a series of bets and keep the ones that improve your loss-adjusted margin.

Pick Your Mode​

πŸ”§
Operator
Actions for this week. Configure processor rules, set up AVS/CVV, tune velocity limits.
Start: Processor Rules Config
πŸ“Š
Analyst
Metrics and measurement. Fraud rates, false positives, rules vs ML analysis.
Start: Fraud Metrics
πŸ“š
Reference
Codes and patterns. Fraud types, card-present vs CNP, liability rules.
Start: Fraud Types
Popular
βœ“
AVS & CVV Start Here
The basics everyone should use
πŸ”
3D Secure
Liability shift for online transactions
⚑
Velocity Rules Popular
Quick wins for fraud detection
βš™οΈ
Processor Rules Configuration
Free tools first
🎭
Fraud Types
Know what you're fighting

Before You Do Anything Else​

Most merchants buy fraud tools before doing the basics. Do these first:

  1. Configure your processor's built-in fraud tools. Stripe Radar, Braintree rules, Adyen RevenueProtect. These are free or cheap and catch obvious stuff. β†’ Processor Rules Configuration
  2. Use AVS and CVV. Turn them on. Decline on full mismatch. β†’ AVS & CVV
  3. Prefer chip/tap for in-person. If you're still swiping, stop. EMV shifts liability. β†’ Card-Present Fraud
  4. Fix your descriptor and communication. "I don't recognize this charge" is the most preventable dispute type. β†’ Descriptors and Comms
  5. Make refunds easy. A refund costs 3%. A chargeback costs $50+. β†’ Refund Strategy
  6. Be cautious with real-time bank payments. RTP and FedNow are irrevocable. β†’ FX and Settlement
If You Only Have 2 Hours This Week
  1. Pull your last 20 chargebacks and classify them: actual fraud vs. friendly fraud vs. merchant error
  2. Call 2 customers who disputed. Ask what actually happened.
  3. Check if your chargeback ratio is trending up or down

That's it. Everything else can wait.

What's Actually Happening to You?​

Merchants often misdiagnose their fraud problem. Different loss types require different responses.

Loss Types (Merchant-Recognizable Buckets)​

Loss TypeWhat It IsPrimary Response
Unauthorized transaction fraudStolen card used on your site/store3DS, device signals, velocity rules
Friendly fraud / chargeback abuseCustomer lies about receiving goods or authorizing chargeClear comms, delivery proof, CE 3.0
Account takeover (ATO)Criminal gains access to customer accountStep-up auth, device fingerprinting
Refund / return abuseCustomers exploit return policiesPolicy limits, abuse detection
Promo / loyalty abuseCoupon stacking, fake referrals, trial cyclingVelocity rules, device linking
Identity / signup abuseFake accounts, synthetic identitiesIDV, device fingerprinting
Marketplace / seller fraudBad actors on your platformPlatform-specific controls
Bank payment fraud (ACH/RTP)Unauthorized or fraudulent bank transfersAccount verification, irrevocability awareness
Quick Classification Exercise

Pull your last 30 losses. Classify each one:

  • Stolen card (third-party)
  • Customer lying (first-party)
  • Family member used card (second-party)
  • Customer forgot or regrets (friendly)
  • Your mistake (merchant error)

If more than half are friendly fraud, you don't have a fraud problem. You have a customer experience problem.

Who's Behind It​

Different actors require different responses:

TypeWhoYour ExposureWhat Works
Third-PartyCriminal with stolen cardFull liability until you shift it3DS, device signals, velocity
First-PartyYour customer, lyingChargebacks you'll probably loseBetter policies, clear descriptors
Second-PartyCustomer's friend/familyChargebacks, "unauthorized" claims3DS, delivery confirmation
Friendly FraudCustomer who forgot or regretsWinnable chargebacksTransaction enrichment, clear billing
Synthetic IdentityManufactured identityBust-out after credit builtMostly an issuer problem
Account TakeoverCriminal with stolen loginDepends on your auth flowDevice fingerprinting, step-up auth

The uncomfortable truth: Most small merchant "fraud" is first-party or friendly fraud. Stolen cards are dramatic but less common than customers claiming they didn't authorize a charge they definitely made.

Action Plan by Volume​

Under $100K/year
Do nothing special. Use your processor's defaults. Your "fraud" is probably friendly fraud. Focus on chargebacks instead.
$100K-$1M/year
Turn on AVS + CVV, configure your processor's rules, and watch your chargeback ratio. Test one rule change per month.
$1M-$10M/year
Time for real tooling. Evaluate dedicated fraud tools. Run a pilot on a segment before going all-in. Read the Selection Guide.
Over $10M/year
You need a person, not just tools. Build the function. Layer experiments across segments.

Liability Shift: What Actually Protects You​

Not everything that helps you detect fraud shifts liability. The distinction matters.

MethodShifts Liability?When It Applies
3D Secure (3DS)βœ… YesCNP transactions where cardholder authenticates
EMV Chip (contact)βœ… YesCP transactions; counterfeit liability shifts to issuer
EMV Contactless/Tapβœ… YesCP transactions; same as chip
Visa CE 3.0βœ… YesRepeat CNP customers with prior undisputed transactions
AVS❌ NoHelps you decline; doesn't shift liability
CVV/CVC❌ NoDefense tool, not liability tool
Signature on delivery❌ NoWins disputes; doesn't shift liability
Device fingerprinting❌ NoDetection tool only

The hierarchy: 3DS > Chip/Tap > Visa CE 3.0 > Everything else. If you want liability off your plate, 3DS is the answer. Everything else just helps you make better decisions.

Card-Present vs. Card-Not-Present​

Different worlds, different fraud, different experiments.

Card-present (retail, restaurants): Your main risk is counterfeit cards, which EMV chip largely solved. If you're still swiping, stop. Chip/tap shifts counterfeit liability to the issuer. Remaining risk is mostly employee fraud and return abuse.

Card-not-present (ecommerce, phone orders): This is where the real fraud lives. No chip to verify, no signature that matters. You're relying on AVS, CVV, device signals, and 3DS. Default liability is on you unless you authenticate with 3DS.

Most of this site focuses on CNP fraud because that's where merchants have real decisions to make.

Network Thresholds You Need to Know​

Visa and Mastercard will put you in monitoring programs (and eventually shut you down) if your dispute rate gets too high:

Visa:

  • 0.65% + 75 disputes/month: Early warning (VDMP)
  • 0.9% + 100 disputes/month: Standard program, fines begin
  • 1.8% + 1,000 disputes/month: Excessive program

Mastercard:

  • 1.0% + 100 disputes/month: ECM
  • 1.5% + 100 disputes/month: HECM

These are dispute ratios, not fraud ratios. Friendly fraud counts. "Fraud" chargebacks from angry customers count. The networks don't care why you're getting disputes.

If you're above 0.5%, start worrying. If you're above 0.75%, act now. See Reduce Chargebacks Fast.

Detection

Start here: Rules vs. ML. Most teams under $10M should start with rules.

⚑
Velocity Rules
The 80/20 of fraud detection. Quick wins that catch obvious patterns.
πŸ“±
Device Fingerprinting
When it works, when it doesn't. Browser vs native considerations.
πŸ”
Evidence Framework
Tier 1 vs Tier 2 indicators. What signals actually matter.
πŸ‘οΈ
Manual Review
Building a review queue that doesn't waste time.
Prevention
βœ“
AVS & CVV
The basics everyone should use. Free and effective.
πŸ”
3D Secure
Liability shift and when it's worth the friction.
πŸ“ˆ
Risk Scoring
Building or buying a scoring system.
Vendors

Under $1M: Use your processor's built-in tools. Stripe Radar is fine. Don't buy anything else yet.

$1M-$10M: If you want to outsource the decision, look at Signifyd, Forter, or Riskified (chargeback guarantees). Test their guarantee model on a segment before going all-in. If you want control, look at Kount or Sift. If account-level fraud (ATO, onboarding) is your problem, look at Sardine.

Over $10M: Layer tools. Consider Sardine for device/behavior alongside a transaction scoring tool.

πŸ—ΊοΈ
Vendor Landscape
Full breakdown of who does what in the fraud prevention market.
πŸ“‹
Selection Guide
How to evaluate and choose the right tools for your business.

Metrics​

Fraud Metrics covers what to measure: fraud rate, false positive rate, detection rate, and benchmarks by vertical.

For Issuers​

If you're on the issuing side (banks, fintechs issuing cards), the fraud picture looks different. We see things merchants can't: the authorization request, the cardholder's history, the TC40/SAFE reports.

🏦
Issuer Perspective
How we see fraud differently
βš–οΈ
Authorization Decisioning
Real-time auth decisions
πŸ“Š
Portfolio Monitoring
Patterns across your book

Next Steps​

New to fraud prevention?
  1. Fraud Economics - Understand the math
  2. AVS & CVV - The basics everyone should use
  3. Processor Rules - Free tools first
Experiencing fraud now?
  1. Survive a Fraud Attack - Stop the bleeding
  2. Velocity Rules - Quick wins
  3. Manual Review - Triage suspicious orders
Building a fraud program?
  1. Rules vs ML - Choose your approach
  2. Vendor Selection - When to buy tools
  3. Fraud Metrics - What to measure

See Also​

πŸ’³ ChargebacksπŸ’° PaymentsπŸ“‹ Compliance🚨 Network ProgramsπŸ“Š Benchmarks