Setting Up Fraud Protection
Now that you understand what fraud looks like, it's time to turn on your defenses. The good news: the most effective protections are either free or already included with your payment processor.
- Turn on AVS and CVV. Free, catches obvious fraud
- Set up velocity limits. Blocks card testing attacks
- Fix your billing descriptor. Prevents friendly fraud before it starts
- Consider 3D Secure for high-risk transactions. Shifts fraud liability to the card issuer
Step 1: Enable AVS and CVV (Free)
AVS (Address Verification Service) compares the numeric parts of the billing street address and ZIP code against what the card issuer has on file. CVV checks the 3-digit code on the back of the card (4 digits on the front for American Express), which shows the buyer has the physical card. Both results come back with the authorization response, so acting on a bad result means not capturing, or voiding, a charge the issuer already approved; your processor's rules engine can do that for you. Both are free.
What to do:
- Log into your processor dashboard
- Find fraud rules or risk settings
- Enable CVV requirement for all transactions
- Enable AVS checking
Where to find it by processor:
- Stripe: Dashboard > Radar > Rules (AVS/CVV are on by default)
- Square: Dashboard > Account & Settings > Risk Manager
- Shopify Payments: Settings > Payments > Fraud analysis (basic fraud analysis is automatic)
- Braintree: Control Panel > Fraud Management
How to use the results:
| Signal | What to Do |
|---|---|
| CVV doesn't match | Decline. The buyer doesn't have the physical card in hand; a real customer who mistyped it will simply retry. |
| AVS full match (address + zip) | Good signal. Process normally. |
| AVS partial match (zip only) | Moderate risk. Fine for most orders. |
| AVS no match | Higher risk. Review the order manually if it's large. |
| AVS unavailable (international cards) | Don't auto-decline. AVS is mostly a US, UK and Canadian system; 40-60% of non-US cards can't be checked. Use other signals. |
About 20-30% of legitimate customers fail AVS checks. They recently moved, entered their address differently, or their bank has outdated records. Declining all AVS mismatches will cost you more in lost sales than you save in fraud.
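The table above as decision code. This is an added example, not code from the page or from any processor: the field names and values mirror what Stripe reports under card.checks (cvc_check, address_line1_check, address_postal_code_check, each "pass", "fail", "unavailable" or "unchecked"), while the review threshold, the reason strings and the policy itself are assumptions to tune to your own order mix.

```python
"""Decision logic for the AVS/CVV table above.

Added example, not code from the page or from any processor. The field
names and values mirror what Stripe reports under card.checks; the review
threshold and the policy itself are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

MANUAL_REVIEW_AMOUNT = 250.00  # assumed: orders at or above this get a human look on AVS no-match

NOT_CHECKED = ("unavailable", "unchecked")


@dataclass
class Checks:
    cvc_check: str
    address_line1_check: str
    address_postal_code_check: str


def decide(checks: Checks, amount: float) -> tuple[str, str]:
    """Return (action, reason) where action is 'decline', 'review' or 'accept'."""
    # CVV first: a mismatch means the buyer does not have the physical card.
    if checks.cvc_check == "fail":
        return "decline", "cvv_mismatch"
    # "unchecked" = no CVV was supplied; with a CVV requirement in force that is a decline.
    # "unavailable" = the issuer could not check it; fall through to AVS.
    if checks.cvc_check == "unchecked":
        return "decline", "cvv_not_provided"

    line1 = checks.address_line1_check
    postal = checks.address_postal_code_check

    # Many non-US issuers do not support AVS at all. Never auto-decline on that alone.
    if line1 in NOT_CHECKED and postal in NOT_CHECKED:
        return "accept", "avs_unavailable_use_other_signals"
    if line1 == "pass" and postal == "pass":
        return "accept", "avs_full_match"
    if postal == "pass":
        return "accept", "avs_zip_only"          # partial match: fine for most orders
    # Neither part matched (a street-only match is treated the same): review large orders, accept small ones.
    if amount >= MANUAL_REVIEW_AMOUNT:
        return "review", "avs_no_match_large_order"
    return "accept", "avs_no_match_small_order"


if __name__ == "__main__":
    samples = [  # constructed inputs
        ("stolen number, wrong CVV", Checks("fail", "pass", "pass"), 40.00),
        ("clean US order", Checks("pass", "pass", "pass"), 40.00),
        ("moved recently, zip still matches", Checks("pass", "fail", "pass"), 600.00),
        ("big order, nothing matches", Checks("pass", "fail", "fail"), 600.00),
        ("EU card, AVS unsupported", Checks("pass", "unavailable", "unavailable"), 900.00),
    ]
    for label, checks, amount in samples:
        print(f"{label:38s} -> {decide(checks, amount)}")
```

The ordering matters: CVV is evaluated before AVS because a CVV failure is decisive on its own, whereas an AVS result only ever raises or lowers risk and is read together with the order amount.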
Step 2: Set Up Velocity Limits (Free)
Velocity limits restrict how many transactions can come from the same card, IP address, or device in a given time period. They're your best defense against card testing attacks.
Start with these limits:
| Rule | Threshold | Why |
|---|---|---|
| Transactions per card per hour | 3 | Normal customers don't buy 4+ times in an hour |
| Transactions per IP per hour | 5 | Catches automated testing |
| Failed authorizations per card (10 min) | 3 | Fraudsters test until one works |
| Unique cards per device per day | 5 | One person doesn't normally use 6 cards |
Where to set these:
- Stripe: Dashboard > Radar > Rules > Add rule (e.g., "Block if :card_count_for_ip_hourly: > 5"; Radar's velocity attributes carry a time-window suffix, so check the exact names in Stripe's Radar rules reference)
- Square: Dashboard > Account & Settings > Risk Manager > Velocity rules
- Shopify Payments: Settings > Payments > Fraud analysis (limited built-in; use Shopify Flow for custom rules)
- Braintree: Control Panel > Fraud Management > Advanced Fraud Tools
If your processor supports it, run rules in "shadow mode" first. Flag transactions without blocking them. After 2 weeks, check how many flagged transactions were actually fraud. If fewer than 30% of flags are fraud, your rule is too aggressive.
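The four rules from the table and the shadow-mode precision check, run over constructed traffic. This is an added example, not code from the page or from any processor's rules engine; the event fields (ts, card, ip, device, approved), the was_fraud label used to score shadow mode, and the sample events are all assumptions, with card numbers reduced to placeholders.

```python
"""Sliding-window velocity rules from the table above, run over constructed traffic.

Added example, not code from the page or from any processor's rules engine.
Event fields and the was_fraud label are assumptions; cards are placeholders.
"""
from __future__ import annotations
from collections import defaultdict, deque

HOUR, TEN_MIN, DAY = 3600, 600, 86400

# (name, key field, window in seconds, limit, count-distinct field or None, failed attempts only)
RULES = [
    ("txn_per_card_hour",    "card",   HOUR,    3, None,   False),
    ("txn_per_ip_hour",      "ip",     HOUR,    5, None,   False),
    ("failed_per_card_10m",  "card",   TEN_MIN, 3, None,   True),
    ("cards_per_device_day", "device", DAY,     5, "card", False),
]


class VelocityChecker:
    """One sliding window per rule per key (card, IP or device)."""

    def __init__(self, shadow: bool):
        self.shadow = shadow
        self.windows: dict = defaultdict(lambda: defaultdict(deque))  # rule -> key -> deque[(ts, value)]

    def check(self, event: dict) -> tuple[str, list[str]]:
        """Evaluate one attempt against every rule, then record it.

        Returns ('allow' | 'flag' | 'block', rules_tripped). A rule trips when its window
        already holds `limit` entries, so the limit is the last attempt allowed through.
        In shadow mode a tripped rule only flags and the attempt still goes to the processor.
        """
        tripped = []
        for name, key_field, window, limit, distinct_field, _ in RULES:
            q = self.windows[name][event[key_field]]
            while q and q[0][0] < event["ts"] - window:   # evict entries outside the window
                q.popleft()
            if distinct_field:
                seen = {v for _, v in q}
                if len(seen) >= limit and event[distinct_field] not in seen:
                    tripped.append(name)
            elif len(q) >= limit:
                tripped.append(name)
        action = ("flag" if self.shadow else "block") if tripped else "allow"
        # A blocked attempt never reaches the issuer, so record it as not approved.
        approved = event["approved"] and action != "block"
        for name, key_field, _, _, distinct_field, failed_only in RULES:
            if failed_only and approved:
                continue
            value = event[distinct_field] if distinct_field else None
            self.windows[name][event[key_field]].append((event["ts"], value))
        return action, tripped


def make_events() -> list[dict]:
    """Constructed sample traffic: real customers, an office behind one NAT IP, and a card-testing bot."""
    events: list[dict] = []

    def add(ts, card, ip, device, approved, fraud):
        events.append({"id": len(events), "ts": ts, "card": card, "ip": ip,
                       "device": device, "approved": approved, "was_fraud": fraud})

    add(0,    "A", "1.1.1.1", "d1", True,  False)
    add(100,  "B", "2.2.2.2", "d2", True,  False)
    add(200,  "B", "2.2.2.2", "d2", True,  False)   # same customer, second order
    add(3000, "C", "3.3.3.3", "d3", False, False)   # declined once (insufficient funds)
    add(3100, "C", "3.3.3.3", "d3", True,  False)   # retried and approved: must not be blocked
    # Bot guesses the CVV on one stolen number four times, then cycles through more numbers.
    attempts = [("T1", False)] * 4 + [("T2", False), ("T3", False), ("T4", True), ("T5", False), ("T6", False)]
    for i, (card, ok) in enumerate(attempts):
        add(5000 + 10 * i, card, "9.9.9.9", "bot", ok, True)
    # Six coworkers ordering through the office NAT: legitimate, but the sixth trips the IP rule.
    for i in range(6):
        add(7000 + 100 * i, f"O{i}", "4.4.4.4", f"o{i}", True, False)
    return events


def run(events: list[dict], shadow: bool) -> list[tuple[int, str, list[str]]]:
    checker = VelocityChecker(shadow=shadow)
    return [(e["id"], *checker.check(e)) for e in events]


def shadow_precision(events: list[dict]) -> tuple[int, int, float]:
    """(flagged, flagged-and-fraud, precision). Under 0.30 the page calls the rules too aggressive."""
    flagged = [e for e, (_, action, _) in zip(events, run(events, shadow=True)) if action == "flag"]
    fraud = sum(1 for e in flagged if e["was_fraud"])
    return len(flagged), fraud, (fraud / len(flagged) if flagged else 0.0)


if __name__ == "__main__":
    evs = make_events()
    for event_id, action, rules in run(evs, shadow=False):
        if action != "allow":
            print(f"event {event_id:2d}: {action} {rules}")
    print("shadow mode (flagged, fraud, precision):", shadow_precision(evs))
```

Two things the sample traffic shows: the bot's fourth try on the same number trips both the per-card and the failed-authorization rules, and its later cards are caught by the per-IP rule even though each card is new; meanwhile the office's sixth order is a false positive, which is exactly the kind of hit shadow mode is meant to surface before you block for real.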
Step 3: Fix Your Billing Descriptor (Free)
This is the single highest-impact change for preventing friendly fraud. Your billing descriptor is what appears on your customer's credit card statement.
Bad descriptors that cause disputes:
- PAY*ACME LLC
- SP * JOHN DOE
- STRIPE 8472910
Good descriptors that prevent disputes:
- ACME WIDGETS (your recognizable business name)
- PETSTORE.COM (your website URL)
- ACME 800-555-0199 (name + phone number)
How to fix it:
- Stripe: Dashboard > Settings > Public details > Statement descriptor
- Square: Dashboard > Account & Settings > Business information > Statement descriptor
- Shopify Payments: Settings > Payments > Statement descriptor
- PayPal: Settings > Payment preferences > Statement descriptor
Set it to your recognizable business name or website URL. If your processor allows it, add your phone number.
Test it: Make a $1 test purchase on your own card and check your statement in 2-3 days. If you can't immediately tell what the charge is for, your customers can't either.
Step 4: Send Purchase Confirmations (Free)
Email or SMS confirmations immediately after purchase do two things:
- Remind the customer what they bought (prevents "I don't recognize this" disputes)
- Give them a way to contact you instead of their bank
Your confirmation should include:
- Your business name (matching the billing descriptor)
- What they bought (specific items, not just "Order #12345")
- The amount charged
- Your contact information for questions
- How to request a refund
Step 5: Consider 3D Secure for High-Risk Orders
3D Secure (3DS) is the "Visa Secure" or "Mastercard Identity Check" prompt that sometimes appears during checkout (you may also see the older names "Verified by Visa" or "Mastercard SecureCode"). It's powerful because it shifts fraud liability to the card issuer. If a fraud chargeback comes in on a 3DS-authenticated transaction, the issuer eats it, not you. The shift covers chargebacks filed under fraud reason codes only; "item not received" and other non-fraud disputes still land on you.
The tradeoff: 3DS adds friction to checkout. Expect a 2-5% drop in authorization rate when you first enable it.
When 3DS is worth it:
- Your fraud rate is above 0.5%
- You sell digital goods (no shipping address to verify)
- You're approaching chargeback warning thresholds (acquirers often act well below the card networks' own monitoring thresholds, which start around 1% of transactions)
- Individual orders are high value
When to skip 3DS:
- Your fraud rate is low
- You sell low-value items where chargebacks are cheaper than lost sales
- Your customers are mostly repeat buyers (low fraud risk)
How to enable it:
- Stripe: Dashboard > Settings > Payments > 3D Secure rules (or use Radar rules to trigger selectively)
- Square: Not available for most SMB accounts
- Shopify Payments: Enabled automatically for high-risk transactions
- Braintree: Control Panel > Processing > 3D Secure
How to roll it out:
- Start with your highest-risk segment only (new customers + orders above your average fraud amount)
- Run for 2-4 weeks and measure the impact on auth rate and fraud
- If auth rate drops more than 5% with no fraud improvement, scale it back
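Selective 3DS and the rollout check in code. This is an added example, not code from the page or from any processor SDK: the order fields, the average-fraud-amount threshold and the measurement windows are assumptions. The one real detail is the Stripe PaymentIntent parameter payment_method_options[card][request_three_d_secure] ("automatic" lets Stripe and the issuer decide, "any" requests authentication); the block only builds those parameters and never calls the API.

```python
"""Request 3DS for the high-risk segment only, then judge the rollout.

Added example, not from the page or any processor SDK. Order fields and
thresholds are assumptions; request_three_d_secure is Stripe's real
parameter name, but nothing here talks to Stripe.
"""
from __future__ import annotations

AVG_FRAUD_AMOUNT_CENTS = 12_000   # assumed: your historical average fraudulent order ($120)
MAX_AUTH_RATE_DROP = 0.05         # page rule: scale back if auth rate falls more than 5 points


def is_high_risk(order: dict) -> bool:
    """The page's starting segment: new customers above the average fraud amount, or digital goods."""
    if order["digital_goods"]:
        return True  # nothing ships, so there is no address to verify
    return order["new_customer"] and order["amount_cents"] > AVG_FRAUD_AMOUNT_CENTS


def payment_intent_params(order: dict) -> dict:
    """Parameters for creating the PaymentIntent; 'any' requests 3DS, 'automatic' leaves it to Stripe."""
    mode = "any" if is_high_risk(order) else "automatic"
    return {
        "amount": order["amount_cents"],
        "currency": "usd",
        "payment_method_options": {"card": {"request_three_d_secure": mode}},
        "metadata": {"order_id": order["id"]},
    }


def evaluate_rollout(before: dict, after: dict) -> dict:
    """Compare auth rate and fraud-chargeback rate across the two measurement windows.

    Each window is {attempts, approved, fraud_chargebacks}. Only fraud-coded
    chargebacks count, because those are the ones the 3DS liability shift covers.
    """
    def rates(w: dict) -> tuple[float, float]:
        return w["approved"] / w["attempts"], w["fraud_chargebacks"] / w["approved"]

    auth_before, fraud_before = rates(before)
    auth_after, fraud_after = rates(after)
    auth_drop = auth_before - auth_after
    fraud_improved = fraud_after < fraud_before
    verdict = "scale_back" if (auth_drop > MAX_AUTH_RATE_DROP and not fraud_improved) else "keep"
    return {"auth_drop": round(auth_drop, 4), "fraud_before": round(fraud_before, 4),
            "fraud_after": round(fraud_after, 4), "verdict": verdict}


if __name__ == "__main__":
    # Constructed orders and window totals.
    orders = [
        {"id": "o1", "new_customer": True,  "amount_cents": 20_000, "digital_goods": False},
        {"id": "o2", "new_customer": False, "amount_cents": 50_000, "digital_goods": False},
        {"id": "o3", "new_customer": True,  "amount_cents": 5_000,  "digital_goods": True},
    ]
    for o in orders:
        print(o["id"], payment_intent_params(o)["payment_method_options"]["card"])
    before = {"attempts": 1000, "approved": 950, "fraud_chargebacks": 10}
    print(evaluate_rollout(before, {"attempts": 1000, "approved": 880, "fraud_chargebacks": 10}))
    print(evaluate_rollout(before, {"attempts": 1000, "approved": 920, "fraud_chargebacks": 2}))
```

Keep the segment rule and the measurement in the same place: when you widen or narrow who gets challenged, the before/after windows must be re-cut, otherwise the auth-rate drop you measure belongs to a different population than the one you are now challenging.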
Your Protection Setup Checklist
Do these in order, this week:
□ Enable CVV requirement (5 minutes)
□ Enable AVS checking (5 minutes)
□ Set velocity limits on your processor (15 minutes)
□ Fix your billing descriptor (10 minutes)
□ Set up purchase confirmation emails (30 minutes)
□ Make a test purchase and check your own statement (2 days to verify)
□ Review if 3DS makes sense for your risk level (15 minutes)