Skip to main content

Third-Party Fraud

TL;DR
  • Third-party fraud = Criminal using a stolen card or account (not their own)
  • The cardholder is the victim—they didn't make the purchase
  • Different from friendly fraud (cardholder lying) and first-party fraud (customer abusing own identity)
  • Detect via device signals, address mismatches, velocity patterns
  • Prevent with 3D Secure, AVS/CVV, device fingerprinting
  • Get liability shift with 3DS — otherwise you eat the loss

When a criminal uses someone else's stolen payment credentials at your store.

Definition

Third-party fraud occurs when a fraudster uses stolen payment information to make purchases at your business. The real cardholder didn't authorize the transaction and will dispute it.

Your Liability

Without 3D Secure, you bear the loss when the cardholder disputes. The card was stolen, the cardholder is innocent, and you shipped goods to a fraudster.

How Stolen Cards Reach You

Where Fraudsters Get Card Data

SourceWhat's Stolen
Data breachesCard numbers, CVVs, billing addresses
PhishingFull card details, passwords
SkimmingMag stripe data (card-present)
Account takeoverSaved cards in compromised accounts
Card testingValidated stolen cards
Dark web marketsBulk card data for sale

Why Your Business Is Targeted

FactorWhy Fraudsters Like It
Digital goodsInstant delivery, no shipping address
High-value itemsElectronics, jewelry, gift cards
Easy resalePopular brands, liquid markets
Weak fraud controlsNo 3DS, no velocity limits
Fast shippingLess time for detection

Detection Signals

High-Risk Indicators

Use these in your risk scoring:

SignalRisk LevelWhy
Shipping ≠ billing addressMediumFraudster's address vs. victim's
AVS mismatchMedium-HighWrong billing address
CVV mismatchHighCard not physically present
New account + high-value orderHighCreated just for fraud
Device seen on prior fraudCriticalKnown fraudster device
IP location ≠ billing countryMediumGeographic mismatch
Multiple cards same deviceHighCycling through stolen cards
Rush shipping selectedMediumWants goods before detection

Velocity Red Flags

PatternWhat It Means
Multiple orders, different cards, same addressDrop address
Multiple orders, same card, different addressesTesting before big purchase
Multiple failed transactions, then successCard testing
High-value order from new accountNew account fraud

Prevention Strategies

1. Use 3D Secure

This is the most important defense. 3D Secure shifts liability to the issuer for fraud disputes.

Without 3DSWith 3DS
You eat fraud lossesIssuer covers fraud losses
Win rate: 15-25%Liability shift: ~100%
Fraudsters target youFraudsters avoid you

See 3DS implementation guide for setup.

2. Verify Address and CVV

CheckWhat to Do
AVSRequire match on street number + zip
CVVAlways require, decline on mismatch
Shipping addressFlag if different from billing

3. Device Intelligence

Device fingerprinting catches:

  • Devices linked to prior fraud
  • VPN/proxy usage (hiding location)
  • Device age (just created = suspicious)
  • Multiple accounts same device

4. Velocity Controls

Set limits on:

  • Orders per hour/day from same device
  • Cards used per account
  • Failed authorization attempts
  • Orders to same shipping address

High-Risk Scenarios

Shipping to Drop Addresses

Fraudsters use:

  • Rented mailboxes
  • Vacant homes
  • Package forwarding services
  • "Reshipping mule" addresses (recruited victims)

Detection: Address was never associated with the cardholder.

Digital Goods Fraud

Highest risk because:

  • Instant delivery (no time to detect)
  • No shipping address to verify
  • No tracking or signature
  • Easy resale (gift cards, game codes)

Prevention: Higher 3DS trigger thresholds for digital goods.

Gift Card Fraud

Gift cards are "as good as cash":

  • Can be resold instantly
  • Untraceable once used
  • Often targets of card testing

Prevention: Limit quantities, require 3DS, delay delivery.

Responding to Third-Party Fraud

When You Catch It Before Shipping

  1. Cancel the order – Don't ship
  2. Refund if captured – Avoid chargeback
  3. Blacklist device/email – Prevent retry
  4. No customer contact – Fraudster will lie

When Cardholder Disputes

Without 3DS, your options are limited:

SituationWhat to Do
Goods not yet shippedAccept dispute, no fight
Digital goods deliveredFight with IP/device evidence (low win rate)
Physical goods deliveredFight with tracking + signature (still low win rate)
3DS was usedLiability shift—issuer covers
Key Insight

With true third-party fraud, the cardholder really IS innocent. Fighting these disputes is often futile unless you have 3DS liability shift. Focus your energy on prevention.

Fighting Third-Party Chargebacks

If you must fight (and you have evidence):

EvidenceWhat It Proves
3DS authenticationLiability shift (fight ends)
CE 3.0 device matchSame device as prior undisputed order
Signed delivery confirmationSomeone at address received it
IP + device consistencyLegitimate usage pattern

Realistic win rates without 3DS: 15-25%

See Compelling Evidence for details.

Prevention Checklist

  • 3D Secure enabled on all transactions (or risk-based)
  • AVS verification required
  • CVV required, decline on mismatch
  • Device fingerprinting active
  • Velocity limits configured
  • High-risk products (gift cards, electronics) have extra scrutiny
  • Digital goods have higher friction
  • Address verification flags ship ≠ bill

Next Steps

Preventing third-party fraud?

  1. Implement 3DS – Get liability shift
  2. Add device fingerprinting – Track fraudster devices
  3. Configure velocity rules – Catch patterns

Detecting third-party fraud?

  1. Review AVS/CVV settings – Baseline protection
  2. Check risk scoring – Combine signals
  3. Set up alerts – Real-time detection

Fighting third-party chargebacks?

  1. Check 3DS liability – Were you protected?
  2. Review CE 3.0 evidence – What can you prove?
  3. Accept if true fraud – Focus on prevention