
Risk scoring

Use risk scoring to automatically manage the level of risk that is associated with each transaction, and to automate specific actions based on that level of risk. A common use case for risk scoring is to add a customer to a blocklist and to stop the transaction.

All transactions start the risk scoring process with a score of 0. If a risk factor is confirmed, the risk score increases by the corresponding weight. For example, if the Has Fake Name risk score adjustment weight is set to 5, and the risk factor is confirmed, the transaction risk score increases by 5.

For specific risk factors, it may be useful to decrease the risk score. For example, you may want to decrease the risk score for a customer with a high lifetime value. To do this, set the weight to a negative value. Example: set the Customer lifetime value risk score adjustment to -5 if the value is between $5000 and $50,000. For more information, see Risk factors.

To view transaction risk scores, see View payment transaction details.


Configure risk scoring

Use this process to configure the score by which a transaction passes or fails the risk scoring process. Adjust risk score weights based on the checks that you determine are important. If a transaction exceeds the configured risk score threshold, new blocklist records are created. To view blocklist records, see View active blocklists.

  1. In the left navigation bar, click Automations.
  2. In the Risk section, click Risk score settings.
  3. Click Update risk score setting.
  4. In the Blocklist entry section, to define the overall transaction risk score threshold and the attributes to add to a blocklist, select from the following:
    • To permanently block a transaction that exceeds a risk score threshold:
      1. In the Permanently block above section, in the Threshold field, enter the risk score threshold value.
      2. In the Blocklist attribute dropdown, select one or more attributes to add to a blocklist. For more information, see Blocklist.
    • To temporarily block a transaction that exceeds a risk score threshold:
      1. In the Temporary block above section, in the Threshold field, enter the risk score threshold value.
      2. In the Temporary block duration field, enter the duration of the temporary block in minutes.
      3. In the Blocklist attribute dropdown, select one or more attributes to add to a blocklist. For more information, see Blocklist.
  5. In the Risk score section, to define the risk score adjustment for each risk factor, click Add new risk factor.
  6. Select a risk factor and define the conditions. You can add multiple risk factors. For more information, see Risk factors.
  7. Click Update.

Risk factors

The following table describes all risk factors. Use this table to understand how each check works and to help determine which risk score adjustments you want to use in transaction risk scoring.

| Name | Description |
| --- | --- |
| Ad block enabled | Specifies whether the customer's browser has an ad blocker enabled. It may be useful to decrease the risk score for customers who have an ad blocker enabled. To do this, set the weight to a negative value. |
| Billing address velocity | Number of transactions for this billing address in the last 24 hours. |
| Customer lifetime value | Specifies the total amount of revenue from the customer. It may be useful to decrease the risk score for customers who have a high lifetime value. To do this, set the weight to a negative value. |
| Declined payment instrument velocity | Number of declined transactions for this payment instrument fingerprint in the last 24 hours. |
| Device velocity | Number of transactions for this device, based on fingerprint, in the last 24 hours. A device fingerprint is a unique token that is used to identify the user. The device fingerprint is generated based on device attributes, such as hardware, software, IP address, language, browser, and more. |
| Email velocity | Number of transactions for this email address in the last 24 hours. |
| Has fake name | Specifies whether the holder name seems fake. |
| Has mismatched bank country | Specifies whether the customer's bank country and the customer's billing address country are not the same. |
| Has mismatched billing address country | Specifies whether the customer's billing address country and geo-IP address are not the same. |
| Has mismatched holder name | Specifies whether the customer's billing address name and primary address name are not the same. |
| Has mismatched time zone | Specifies whether the customer's browser time zone and the IP address associated time zone are not the same. |
| Payment instrument approved transaction count | Number of approved transactions for this payment instrument fingerprint in the last 24 hours. It may be useful to decrease the risk score for payment instruments that have a high number of approved transactions. To do this, set the weight to a negative value. |
| Payment instrument velocity | Number of transactions for this payment instrument, based on payment instrument fingerprint, in the last 24 hours. A payment instrument fingerprint is a unique value that is used to identify the payment instrument. This value is generated from the bin and the last4 values. This value contains alphanumeric characters. |
| IP velocity | Number of transactions for this IP address in the last 24 hours. |
| Is rebill | Specifies whether the transaction is a recurring payment. For more information, see Rebill. It may be useful to decrease the risk score for transactions that are recurring payments. To do this, set the weight to a negative value. |
| Is retry | Specifies whether the transaction is being retried from a previous failure. It may be useful to decrease the risk score for transactions that are being retried from a previous failure. To do this, set the weight to a negative value. |
| Is high risk country | Specifies whether the geo-IP country, or the customer's billing country, is considered a high risk country. High risk countries are: North Korea, Iran, Afghanistan, Iraq, Syria, and Sudan. |
| Is hosting | Specifies whether the customer's IP address is related to hosting. |
| Is proxy | Specifies whether the customer's IP address is related to a proxy. |
| Is Tor | Specifies whether the customer's IP address is related to TOR. |
| Is VPN | Specifies whether the customer's IP address is related to a VPN. |

Consistency checks

Use the risk metadata mismatched items to filter for inconsistent information. Merchants commonly check for consistent:

  • Bank country
  • Billing country
  • Time zone
  • Cardholder name and name in primary address

VPN, proxy, and TOR usage check

Use the transaction risk metadata to search for VPN, proxy, or TOR usage.

Distance check

If you sell a physical product, use the risk metadata to check the distance between the shipping address and the billing address.

Velocity checks

Velocity refers to the number of transactions in the last 24 hours. Use the risk metadata to perform the following velocity checks:

  • Velocity - the number of transactions made by a customer for a single merchant.
  • Payment instrument velocity - the number of transactions made with the same payment instrument (PAN fingerprint for payment cards or bank account fingerprint for bank transfers) for a single merchant.
  • Declined payment instrument velocity - the number of declined transactions made with the same payment instrument (PAN fingerprint for payment cards or bank account fingerprint for bank transfers) for a single merchant.
  • Device velocity - the number of transactions made from the same device (using device fingerprint) for a single merchant.
  • Billing address velocity - the number of transactions made with the same billing address for a single merchant.
  • Email velocity - the number of transactions made with the same email address for a single merchant.
  • IP velocity - the number of transactions made with the same IP address for a single merchant.

Use the conditions to filter for transactions with a velocity higher than X. For example, filter for transactions with a velocity higher than 5.
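The scoring model and block thresholds described on this page, as an added example that is not the product's own code: each confirmed risk factor adds its weight (negative weights lower the score), and a score that exceeds a threshold produces blocklist records. The metadata field names, the Tor and velocity weights, the threshold values, and the rule that a permanent block takes precedence over a temporary one are assumptions.

```python
from dataclasses import dataclass
from typing import Callable

# Hypothetical names: a model of the page's description, not the product's API.
@dataclass
class Factor:
    name: str
    weight: int                         # a negative weight lowers the score
    confirmed: Callable[[dict], bool]   # condition checked on risk metadata

@dataclass
class Settings:
    factors: list
    permanent_threshold: int
    temporary_threshold: int
    temporary_minutes: int
    blocklist_attributes: tuple

def risk_score(tx: dict, factors: list) -> int:
    # Every transaction starts at 0; each confirmed factor adds its weight.
    return sum(f.weight for f in factors if f.confirmed(tx))

def evaluate(tx: dict, s: Settings) -> dict:
    total = risk_score(tx, s.factors)
    # Assumption: if both thresholds are exceeded, the permanent block wins.
    if total > s.permanent_threshold:
        action, ttl = "permanent", None
    elif total > s.temporary_threshold:
        action, ttl = "temporary", s.temporary_minutes
    else:
        return {"score": total, "action": "allow", "blocklist": []}
    records = [{"attribute": a, "value": tx[a], "ttl_minutes": ttl}
               for a in s.blocklist_attributes if a in tx]
    return {"score": total, "action": action, "blocklist": records}

FACTORS = [
    Factor("Has fake name", 5, lambda t: t.get("has_fake_name", False)),
    Factor("Is Tor", 10, lambda t: t.get("is_tor", False)),
    Factor("Email velocity", 4, lambda t: t.get("email_velocity", 0) > 5),
    Factor("Customer lifetime value", -5,
           lambda t: 5000 <= t.get("lifetime_value", 0) <= 50000),
]
# Permanent block above 15, temporary block above 8 for 60 minutes.
SETTINGS = Settings(FACTORS, 15, 8, 60, ("email", "ip_address"))

# Constructed sample transactions (not real data).
BURST = {"email": "a@example.test", "ip_address": "203.0.113.7",
         "has_fake_name": True, "is_tor": True, "email_velocity": 7}
LOYAL = {"email": "b@example.test", "ip_address": "198.51.100.9",
         "has_fake_name": True, "email_velocity": 6, "lifetime_value": 12000}
```

With these settings, `evaluate(BURST, SETTINGS)` scores 19 and yields permanent blocklist records for the email and IP address, while `LOYAL` scores 4 because the lifetime-value adjustment offsets the other two factors.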