
Online Payment Fraud Prevention for Ecommerce

Industry estimates put online merchants' losses to payment fraud at roughly 1.4% of revenue, and every dollar of fraud costs closer to $3.75 once chargebacks, fees, lost merchandise, and operational costs are counted. The most effective fraud prevention combines automated tools (AVS, CVV, machine learning fraud scoring) with manual review of borderline orders, catching most fraud before it costs you money while avoiding false declines that reject legitimate customers.

Step 1: Enable AVS and CVV Verification

Address Verification Service (AVS) and Card Verification Value (CVV) are the simplest fraud prevention tools available, and they should be enabled on every ecommerce store from day one.

AVS compares the numeric parts of the billing address the customer entered (street number and ZIP code) against the billing address on file with the card-issuing bank. Your payment gateway returns a code indicating the match level: full match (street number and ZIP), partial match (ZIP only or street number only), or no match. Configure your gateway to decline transactions where both the street number and ZIP code fail to match. This catches fraud attempts that use a stolen card number without the cardholder's address.

AVS has limitations. It only works reliably for US, Canadian, and UK addresses. International address formats vary widely, and many international banks do not support AVS at all. Apartment numbers, suite numbers, and address abbreviations can cause false mismatches. For this reason, a partial match (ZIP matches but street does not) should trigger a review rather than an automatic decline.

CVV (Card Verification Value, also called CVC, CVV2, or CID) is the three-digit number on the back of Visa, Mastercard, and Discover cards, or the four-digit number on the front of American Express cards. PCI DSS forbids storing it after authorization, and it is not encoded on the magnetic stripe or in the chip data, so a fraudster who obtains a card number from a data breach will not have the CVV unless they also have the physical card. Always require CVV when the customer is present at checkout. The only exception is subsequent recurring or merchant-initiated charges, where you cannot have the CVV precisely because you may not store it: verify it on the first charge, then bill the stored card token.
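
The decision logic Step 1 describes, as an added example (not code from the original page): a small Python module that maps gateway AVS and CVV result codes to approve, review or decline, and checks before authorization that a CVV of the right length was actually supplied. The letter codes used are the common Visa-style AVS and CVV2 result codes and are an assumption here; gateways publish their own code tables and some differ, so check yours before relying on the mapping.

```python
"""Turn gateway AVS and CVV result codes into a checkout decision.

Added example, not code from the original page. The single-letter codes
below are the common Visa-style AVS and CVV2 result codes that most US
gateways pass through; they are an assumption here, so verify them
against your gateway's own response-code table.
"""
from enum import Enum


class Decision(str, Enum):
    APPROVE = "approve"
    REVIEW = "review"
    DECLINE = "decline"


# AVS result codes. Only the street NUMBER and the ZIP digits are compared.
AVS_FULL_MATCH = {"Y", "X"}             # street number and ZIP (5- or 9-digit) both match
AVS_ZIP_ONLY = {"Z", "W"}               # ZIP matches, street number does not
AVS_STREET_ONLY = {"A"}                 # street number matches, ZIP does not
AVS_NO_MATCH = {"N"}                    # neither matches
AVS_UNAVAILABLE = {"U", "R", "S", "G"}  # unavailable / retry / unsupported / non-US issuer

# CVV2 result codes.
CVV_MATCH = "M"
CVV_NO_MATCH = "N"


def expected_cvv_length(pan: str) -> int:
    """Amex (IIN 34xx/37xx) prints a 4-digit CID; other brands use 3 digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return 4 if digits[:2] in ("34", "37") else 3


def cvv_present(pan: str, cvv: str) -> bool:
    """Pre-authorization check: refuse to even attempt the charge without a CVV."""
    return cvv.isdigit() and len(cvv) == expected_cvv_length(pan)


def avs_cvv_decision(avs_code: str, cvv_code: str) -> tuple:
    """Combine AVS and CVV results. Returns (Decision, reason)."""
    avs = (avs_code or "").upper()
    cvv = (cvv_code or "").upper()
    if cvv == CVV_NO_MATCH:
        # Wrong CVV: the buyer does not hold the physical card.
        return Decision.DECLINE, "CVV mismatch"
    if avs in AVS_NO_MATCH:
        return Decision.DECLINE, "AVS: street number and ZIP both mismatch"
    if avs in AVS_ZIP_ONLY or avs in AVS_STREET_ONLY:
        # Partial match: review, never auto-decline (typos, suite numbers, recent moves).
        return Decision.REVIEW, f"AVS partial match ({avs})"
    if avs in AVS_UNAVAILABLE:
        # Typical for non-US/CA/UK issuers; AVS simply says nothing here.
        return Decision.REVIEW, f"AVS unavailable ({avs})"
    if avs not in AVS_FULL_MATCH:
        return Decision.REVIEW, f"unrecognised AVS code {avs!r}"
    if cvv != CVV_MATCH:
        # P/S/U and similar: the issuer did not actually verify the CVV.
        return Decision.REVIEW, f"CVV not verified ({cvv or 'absent'})"
    return Decision.APPROVE, "AVS full match and CVV match"


if __name__ == "__main__":
    # Constructed gateway responses, for illustration only.
    for avs, cvv in [("Y", "M"), ("Z", "M"), ("G", "M"), ("N", "M"), ("Y", "N"), ("Y", "P")]:
        print(avs, cvv, *avs_cvv_decision(avs, cvv))
```

Run the pre-authorization check on the checkout form data before you ever call the gateway; run the decision function on the authorization response and route REVIEW results to the manual queue described in Step 6 rather than silently approving them.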

Step 2: Activate Machine Learning Fraud Detection

Modern fraud detection uses machine learning to analyze hundreds of signals per transaction and assign a risk score. These systems are far more effective than static rules alone because they adapt to new fraud patterns, learn from the billions of transactions across the processor's network, and evaluate complex combinations of signals that no human reviewer could assess in real time.

Stripe Radar: Included with standard Stripe pricing, Radar evaluates signals including the card's history across all Stripe merchants, the customer's email age and reputation, IP geolocation and proxy/VPN detection, device characteristics and browser fingerprint, transaction velocity, and behavioral patterns during the checkout session. Stripe states that Radar blocks the large majority of fraud with no merchant configuration; treat that as a vendor figure and measure your own chargeback rate. Stripe Radar for Fraud Teams ($0.07 per screened transaction at the time of writing) adds manual review queues, customizable risk thresholds, and advanced rule creation.

PayPal Fraud Protection: PayPal's fraud detection runs automatically on all transactions. The Seller Protection program covers eligible transactions against unauthorized payments and "item not received" claims, absorbing the chargeback cost for qualifying orders. Coverage depends on meeting specific requirements: shipping with tracking, delivering to the confirmed address, and responding to documentation requests within the stated timeframe.

Third-party fraud tools: Services like Signifyd, Riskified, and ClearSale offer guaranteed fraud protection where they approve or decline transactions and absorb the cost of any chargebacks on orders they approved. These services charge 0.5% to 1.5% per transaction and are typically used by larger merchants processing $500,000+ per year where the chargeback cost savings justify the screening fee.

Step 3: Implement 3D Secure

3D Secure (3DS) is a cardholder authentication protocol that adds a verification step to online purchases. When 3DS is triggered, the customer's bank asks them to verify their identity through a one-time SMS code, a banking app confirmation, a biometric scan, or a security question. The latest version (3DS2) makes this process seamless for low-risk transactions, where the authentication happens invisibly in the background, and only prompts the customer for active verification on higher-risk transactions.

The primary benefit of 3DS for merchants is liability shift. When a transaction is authenticated through 3DS and the cardholder later disputes it as fraudulent, the card-issuing bank absorbs the chargeback, not you. The shift covers fraud-coded disputes ("unauthorized transaction", "card-not-present fraud"). It does not cover service disputes such as "item not received" or "not as described", which remain your responsibility whether or not the order was 3DS-authenticated.

The tradeoff is friction. Every additional step in the checkout process risks losing customers. 3DS2 has reduced this friction significantly compared to the original 3DS (which redirected customers to a clunky bank page), but some customers still abandon when prompted for verification. The recommended approach is to apply 3DS selectively: require it for transactions above a certain amount (such as $200), for orders shipping to a different address than the billing address, for first-time customers with high-risk signals, and for all cross-border transactions.

In the European Economic Area and the UK, 3DS is effectively mandatory. Strong Customer Authentication (SCA), introduced under the revised Payment Services Directive (PSD2), requires two-factor authentication on most online card payments where both issuer and acquirer are in scope, and 3DS2 is the mechanism the card networks use to deliver it. Exemptions exist (low-value transactions, acquirer transaction risk analysis, recurring and merchant-initiated payments), but the issuer decides whether to grant them. If you sell to EU or UK customers, your payment processor must support SCA-compliant 3DS2. Stripe, PayPal, and all major processors handle this automatically for in-scope transactions.

Step 4: Set Up Velocity Checks and Custom Rules

Velocity checks detect patterns that indicate fraud by monitoring the speed and frequency of transactions from the same source. Common velocity rules include:

Multiple orders from the same IP address: More than three orders from the same IP address within one hour is unusual for legitimate customers. Flag or block when this threshold is exceeded. Be aware that shared IP addresses (corporate networks, university campuses, VPNs) can trigger false positives.

Multiple cards from the same email or device: A legitimate customer uses one or two cards. A fraudster testing stolen card numbers might try five, ten, or more cards in rapid succession from the same device or email address. Block after three different cards from the same identifier within 24 hours.

Rapid-fire small transactions: Fraudsters often test stolen cards with small purchases ($1 to $5) to verify the card is active before placing a larger order. A pattern of multiple small transactions followed by a large order from the same source is a strong fraud signal.

Shipping to freight forwarders: Fraudsters frequently ship to freight forwarding addresses because these services reship packages internationally, making the merchandise nearly impossible to recover. Maintain a list of known freight forwarder addresses and flag orders shipping to them for manual review.

Stripe Radar lets you create custom rules in a simple rule language whose attributes are written between colons (for example :risk_score:). Rules such as "Block if risk score is above 75 AND shipping country differs from card country" or "Review if order total exceeds $500 AND customer has no previous orders" layer on top of Radar's machine learning to catch fraud patterns specific to your business. Revisit them periodically: a fixed threshold that made sense at launch becomes a false-decline generator as your order mix changes.

Step 5: Implement Device Fingerprinting

Device fingerprinting creates an identifier for each device that visits your store based on characteristics like browser type and version, installed plugins and fonts, screen resolution and color depth, timezone and language settings, hardware specifications, and WebGL rendering patterns. The fingerprint is stable enough to recognize a returning device across sessions even when the user clears cookies, switches email addresses, or changes IP addresses, but it is not permanent: browser and OS updates change it, and browsers with anti-fingerprinting features (Firefox, Brave, Safari) deliberately blur or randomize some of these signals. Treat it as a strong linking signal, not as proof of identity.

For fraud prevention, device fingerprinting connects the dots between seemingly unrelated fraud attempts. A fraudster using ten different stolen cards from the same laptop leaves one device fingerprint, making it easy to identify and block all ten attempts. Stripe Radar includes device fingerprinting automatically. Third-party services like Fingerprint (formerly FingerprintJS) offer standalone device identification that integrates with any payment processor.

Step 6: Establish a Manual Review Process

Automated tools catch the majority of fraud, but some transactions fall into a gray area: too risky to approve automatically, but not risky enough to decline outright. A manual review process for these borderline orders recovers legitimate sales that automated tools would reject while catching sophisticated fraud that automated tools miss.

Red flags that warrant manual review include: billing address in one country and shipping address in another, first-time customer placing an order above your average order value, multiple failed payment attempts before a successful one, email address that does not match the customer name (randomstring@gmail.com for "John Smith"), shipping to a commercial address for consumer products, and rush shipping selected on a high-value order from a new customer.

For manual review, contact the customer directly. A quick email ("We want to confirm your order details before shipping") or phone call resolves most ambiguity. Legitimate customers respond promptly and appreciate the security check. Fraudsters rarely respond at all. Stores processing fewer than 100 orders per day can typically handle manual review with a simple email-based workflow. Larger stores need dedicated review queues in their fraud tool (Stripe Radar for Fraud Teams, Signifyd, or Riskified).

Common Fraud Types and How to Stop Them

Card testing: Fraudsters use bots to test thousands of stolen card numbers with small purchases (or $0/$1 authorizations) on your store. They keep the cards that work and sell them or use them for larger purchases elsewhere. Even the declines cost you: most gateways charge a per-authorization fee, and a spike in declines can get your merchant account flagged by your processor. Prevention: rate-limit checkout and payment API attempts per IP address and device, block after multiple declines from the same source, and add CAPTCHA to your checkout if bot testing is frequent.
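
The velocity rules from Step 4 and the card-testing rule above, implemented together as an added Python example (not code from the original page or from any tool it names). It keeps sliding-window counters per IP, email and device, uses the device fingerprint from Step 5 as the key that links attempts made with different cards and emails, and replays a constructed card-testing session to show which rule fires on which attempt. The CheckoutEvent fields, the thresholds, the freight-forwarder address and the sample events are all constructed for illustration.

```python
"""Velocity checks over a stream of checkout events (added example, not from the page).

Implements the Step 4 rules (orders per IP per hour, distinct cards per email or
device per day, small test charges then a large order, freight-forwarder addresses)
plus the card-testing rule (declines per IP or device). All data is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass

HOUR, DAY = 3600, 86_400
MAX_ORDERS_PER_IP_PER_HOUR = 3        # Step 4: more than three per hour is unusual
MAX_CARDS_PER_IDENTIFIER_PER_DAY = 3  # Step 4: block after three different cards
MAX_DECLINES_PER_SOURCE_PER_HOUR = 5  # card testing: repeated declines from one source
TEST_CHARGE_MAX_CENTS = 500           # Step 4: $1-$5 test charges
LARGE_ORDER_MIN_CENTS = 20_000        # assumed size of the follow-up "real" order
FREIGHT_FORWARDERS = {"1 harbor way, miami, fl 33132"}  # constructed; load a real reshipper list


@dataclass(frozen=True)
class CheckoutEvent:
    ts: int                # unix seconds
    ip: str
    email: str
    device_id: str         # fingerprint from your device-identification tool
    card_fingerprint: str  # gateway token for the card, never the PAN itself
    amount_cents: int
    approved: bool         # authorization result from the gateway
    ship_address: str


class SlidingWindow:
    """(timestamp, value) pairs; entries older than `window` seconds are evicted."""
    def __init__(self, window: int):
        self.window, self.items = window, deque()

    def evict(self, now: int) -> "SlidingWindow":
        while self.items and self.items[0][0] <= now - self.window:
            self.items.popleft()
        return self

    def add(self, ts: int, value) -> "SlidingWindow":
        self.items.append((ts, value))
        return self.evict(ts)


class VelocityChecker:
    def __init__(self):
        self.orders_by_ip = defaultdict(lambda: SlidingWindow(HOUR))
        self.cards_by_key = defaultdict(lambda: SlidingWindow(DAY))     # email:... / device:...
        self.declines_by_key = defaultdict(lambda: SlidingWindow(HOUR))  # ip:... / device:...
        self.amounts_by_device = defaultdict(lambda: SlidingWindow(DAY))

    def evaluate(self, ev: CheckoutEvent) -> list:
        """Record the event and return the rules it trips (empty list = clean)."""
        flags = []
        if ev.approved:  # declines are attempts, not orders
            w = self.orders_by_ip[ev.ip].add(ev.ts, ev.card_fingerprint)
            if len(w.items) > MAX_ORDERS_PER_IP_PER_HOUR:
                flags.append(f"ip_velocity:{ev.ip}")
        for key in (f"email:{ev.email}", f"device:{ev.device_id}"):  # device links across emails
            w = self.cards_by_key[key].add(ev.ts, ev.card_fingerprint)
            if len({card for _, card in w.items}) > MAX_CARDS_PER_IDENTIFIER_PER_DAY:
                flags.append(f"card_churn:{key}")
        if not ev.approved:
            for key in (f"ip:{ev.ip}", f"device:{ev.device_id}"):
                w = self.declines_by_key[key].add(ev.ts, ev.card_fingerprint)
                if len(w.items) >= MAX_DECLINES_PER_SOURCE_PER_HOUR:
                    flags.append(f"card_testing:{key}")
        if ev.approved:
            w = self.amounts_by_device[ev.device_id].evict(ev.ts)  # last day's approved amounts
            small = sum(1 for _, amt in w.items if amt <= TEST_CHARGE_MAX_CENTS)
            if ev.amount_cents >= LARGE_ORDER_MIN_CENTS and small >= 2:
                flags.append(f"test_then_large:{ev.device_id}")
            w.add(ev.ts, ev.amount_cents)
        if ev.ship_address.lower() in FREIGHT_FORWARDERS:
            flags.append("freight_forwarder")
        return flags


def run_sample() -> dict:
    """Replay a constructed card-testing session plus one legitimate order."""
    checker, base = VelocityChecker(), 1_700_000_000
    ip, dev, home = "203.0.113.7", "dev-bot", "9 Test Ln, Springfield"  # TEST-NET-3 address
    events = [(f"decline{i}", CheckoutEvent(base + 15 * i, ip, f"x{i}@example.com", dev,
                                           f"card{i}", 199, False, home)) for i in range(5)]
    events += [
        ("small1", CheckoutEvent(base + 100, ip, "a@example.com", dev, "card5", 150, True, home)),
        ("small2", CheckoutEvent(base + 130, ip, "a@example.com", dev, "card6", 300, True, home)),
        ("large", CheckoutEvent(base + 200, ip, "a@example.com", dev, "card6", 45_000, True,
                                "1 Harbor Way, Miami, FL 33132")),
        ("large2", CheckoutEvent(base + 260, ip, "b@example.com", dev, "card7", 12_000, True, home)),
        ("legit", CheckoutEvent(base + 5 * HOUR, "198.51.100.20", "jane@example.com", "dev-jane",
                                "cardJ", 8_900, True, "42 Oak St, Denver, CO")),
    ]
    return {label: checker.evaluate(ev) for label, ev in events}


if __name__ == "__main__":
    print(run_sample())
```

In the replay, the bot's fourth declined card already trips the cards-per-device rule, the fifth decline trips the card-testing rule for both its IP and its device, the large order after two small approvals trips the test-then-large rule and the forwarder check, and a fourth approved order from the same IP within the hour trips the IP rule; the unrelated customer hours later trips nothing. Note that the email key alone would have caught none of the declines, since each used a fresh address: the device fingerprint is what ties them together. In production, persist the windows in a shared store (for example Redis with TTLs) so that every checkout worker sees the same counts.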

Friendly fraud: A legitimate customer makes a purchase, receives the product, and then disputes the charge with their bank claiming it was unauthorized. Published estimates vary widely, but it is commonly put at 40% to 80% of all ecommerce chargebacks. Prevention: use clear billing descriptors that customers will recognize on their statement, send detailed order confirmation emails, ship with tracking and signature confirmation for high-value items, and retain evidence (IP logs, device data, delivery confirmation) so you can fight disputes.

Account takeover: A fraudster gains access to a legitimate customer's account (through credential stuffing, phishing, or data breaches) and places orders using the saved payment methods. Prevention: require two-factor authentication on customer accounts, send email notifications for password changes and new shipping addresses, and flag orders from existing accounts that suddenly change shipping address or order pattern.

Triangulation fraud: A fraudster sets up a fake storefront, takes orders from real customers, then fulfills those orders by purchasing from your store with a stolen credit card and shipping directly to the real customer. The real customer receives a legitimate product and has no idea fraud was involved. You eat the chargeback when the cardholder disputes. Prevention: this is difficult to detect because the shipping address belongs to a real customer. Watch for patterns of orders with different cards all going to different addresses but placed by the same account, device, or IP.