While most of these guidelines will help you with any eCommerce application, there will be specific mentions of WooCommerce-related plugins, as it has (arguably) become the standard for eCommerce on WordPress.
Fraud and Website Security
The first thing to understand about managing fraudulent transactions is that they don’t directly have anything to do with your website’s security; fraud is technically a separate, though tangentially related, topic. There’s really only one way to mitigate fraudulent transactions: analyze the data provided by the cardholder and determine how likely that data is to be truly theirs or whether it has been stolen. The specific techniques for analyzing that data, however, do vary. The remaining item to consider is whether you are liable for preventing fraudulent transactions or your credit card processor is.
Merchant Account Liability Shift
There are two levels of credit card processors when it comes to fraud:
- You are not liable: Credit card processors like PayPal, Stripe.com, and Square.com do everything for you, including fraud detection and reporting. This means you don’t have to do anything on your end to help prevent fraud, but it also means they’re more likely to block a potentially sketchy transaction even if it’s from a legitimate customer (this is called a false positive). Note: Please check with each processor to confirm liability. We are making assumptions based on our experiences with them.
- You are liable: The more traditional processors expect you to detect and prevent fraud. These would be companies like Chase Paymentech, Moneris, etc. When using these processors, it’s in your best interest to implement some method (or multiple methods) of fraud detection. That could be using tools the processor provides for you (but you must enable), like AVS (Address Verification System) and CVV or CVC code verification from the back of the credit card, or it could be using fraud detection software in your eCommerce system.
Typical CC Processor Fraud Systems
- AVS, or Address Verification System, is a service provided by all credit card processors (including the ones that shift the liability to you) that compares the billing address provided by the customer during their order to the address the customer has supplied to their credit card issuer. When there isn’t a match, a flag is returned by the credit card processor to your eCommerce software.
- CVV (also known as CSC or CVD) is that three-digit Card Security Code (or Card Verification Value) on the back of credit cards. On AMEX cards it’s 4 digits and on the front. Often people committing fraud online have purchased the card details without the CVV number, so validating that number can help reduce fraud.
- 3D Secure (Verified by Visa or Mastercard SecureCode) is a system that requires your customers to create a completely separate password with Visa or Mastercard, to be used on every transaction where the company billing the card has opted to use 3D Secure. This one is especially tricky because it adds a whole extra step to the payment process where the customer is redirected to a third-party site (the Verified by Visa or SecureCode website) to verify their identity. If the customer hasn’t yet set up VbV or SC passwords with their card, they’ll need to go through an entire registration process prior to completing the transaction. Even worse, every time they get a new card number, they have to re-register in the system. While 3D Secure makes fraud near-impossible, it also adds a considerable barrier to easily completing orders on your website. Consider how tech-savvy your customer base is and weigh that against the number or dollar value of all of your fraudulent orders prior to enabling it.
If you’re using a credit card processing company that does manage fraud for you, then they’ll likely automatically block orders that fail AVS, CVV, or 3D Secure checks. If the liability is on you, then in most cases you can choose what to do with the transactions that fail the tests, such as holding them for manual review and then following up with the customer by email or telephone to see if they’re the legitimate cardholder.
At some point you have to make sacrifices to get improved security, and there’s no difference when it comes to fraud. A client enabled AVS and CVV and reported:
After we changed everything to [hold transactions flagged as AVS mismatch] I chatted with [the processor] and they insisted that we be more strict with the rules. They recommended that if even ONE thing was off then we wouldn’t process the orders. The problem with that is, we have been getting a lot of legit sales orders being denied because of AVS.
Unfortunately that’s the way these things work. If you wish to prevent fraudulent transactions, you may have to manually intervene in more transactions in order to make the whole process work smoothly.
Also note that the payment processing module being used on your website needs to support each of these features to be able to use them. For example, the primary Moneris module for WooCommerce supports enabling AVS and CVV checks, but it does not yet support 3D Secure.
If you do not see an option within the payment module’s settings that you’d like to enable to improve your fraud protection, then I’m afraid it’s not available to you and you should reach out to the developer of the payment module for WooCommerce to find out if they would be interested in implementing it, or look for an alternate module made by another company that has the features you want.
Another alternative would be to switch credit card processors to one that includes better fraud protection and shifts the liability to them.
Software Fraud Management
If you are liable to prevent fraud, there are additional plugins to help mitigate fraudulent transactions before they’re even sent to the credit card processor. If you’re using WooCommerce, check out the WooCommerce Anti Fraud module as a potential option (note: we haven’t tested it).
On our own website, we use a similar-sounding system. Rather than focusing on credit card data, these modules focus more on public data points, like:
- Checking with fraud databases to see if the email address supplied by the customer has been used in prior fraudulent transactions
- Checking whether the customer’s IP address appears to be spoofed or routed through a proxy (a faked location)
- Comparing the customer’s IP (estimated) location to the location of their billing address (if there’s a large gap, that’s a red flag)
- Treating free email accounts as slightly less reliable than emails with a custom/corporate domain (this is less common these days).
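As an added illustration (not code from this page, from WooCommerce, or from the Anti Fraud plugin), here is how a fraud-management layer can combine the processor’s AVS/CVV flags described earlier with the public data points in the list above into one risk score, and route borderline orders to manual review rather than declining them outright. The weights, thresholds, the known-fraud email set, the proxy flag and the coordinates are all constructed assumptions.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

# Constructed stand-ins for a real email-reputation lookup and free-mail list.
KNOWN_FRAUD_EMAILS = {"mule@example.net"}
FREE_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


@dataclass
class OrderSignals:
    avs_match: bool            # processor's Address Verification result
    cvv_match: bool            # processor's CVV / CSC result
    email: str                 # customer's billing email
    ip_is_proxy: bool          # assumed output of an IP-reputation lookup
    ip_location: tuple         # (lat, lon) estimated from the customer's IP
    billing_location: tuple    # (lat, lon) geocoded from the billing address


def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def score_order(s: OrderSignals):
    """Return (score, reasons); a higher score means a more suspicious order."""
    reasons = []
    if not s.avs_match:
        reasons.append(("avs_mismatch", 30))
    if not s.cvv_match:
        reasons.append(("cvv_mismatch", 40))
    if s.email.lower() in KNOWN_FRAUD_EMAILS:
        reasons.append(("email_in_fraud_db", 60))
    if s.ip_is_proxy:
        reasons.append(("ip_proxy_or_spoofed", 25))
    if km_between(s.ip_location, s.billing_location) > 500:
        reasons.append(("ip_far_from_billing", 20))
    if s.email.rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS:
        reasons.append(("free_email_domain", 5))   # weak signal, small weight
    return sum(weight for _, weight in reasons), reasons


def decide(score):
    """Map a score to an action; the middle band is a human review, not a block."""
    if score >= 60:
        return "decline"
    if score >= 20:
        return "hold_for_review"
    return "approve"
```

A single AVS mismatch lands in the review band, which mirrors the client’s hold-and-verify setup quoted above instead of the processor’s “one thing off, decline” rule.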
Keep in mind that plugins like that are also prone to false positives (perhaps even more so than CVV + AVS), so you may get orders blocked because of such a plugin and you’ll have to take manual action to correct the situation each time it occurs.
It’s entirely up to you which of these systems you’d prefer to implement.
If you wish to ensure the smoothest transaction for your customers that doesn’t get interrupted by possible fraud blockers, but you understand that any amount of reduction in fraud protection could allow a fraudulent transaction through, we recommend relying on your credit card processor’s systems like AVS + CVV to mitigate fraud as they will probably catch most fraudulent transactions while balancing simplicity for customer purchases.
If you wish to ensure as few fraudulent transactions as possible, but you understand that this will likely cause some amount of frustration among customers and add more manual verification for you and/or your employees, then it’s recommended to enable all possible fraud protection systems available within your payment extensions configuration.