They are sneaky. They are malicious. And once you take a decent volume of regular orders, no matter how well secured your website is, they are inevitable.
Orders placed with stolen credit cards are more common than one would think, and more so if there are serious holes in your defences against them. Fortunately, there are ways to slow down or prevent fraudulent transactions and so reduce the number of chargebacks that land on your merchant account.
Although there seem to be many anti-fraud solutions for WooCommerce in the form of a plugin, I found that these do not help as much as I had hoped. They either don't really work, work only temporarily, or produce a large number of false positives. Most anti-fraud plugins for WooCommerce rely on this kind of data:
- Comparing the customer's approximate (IP-geolocated) location with the billing address linked to their credit card
- Comparing the customer's email with a list of email addresses previously used in fraudulent orders
- Checking for, and refusing, IP addresses that come through a proxy or VPN
- Flagging high-risk shipping addresses based on previous orders
- Or relying entirely on a third-party service such as MaxMind's anti-fraud service
As you can see, these checks are not ideal: while they DO give some indication of which orders are more likely to be fraudulent, you still need to review those orders manually anyway.
You’ll get much better results from setting up reCaptcha and adjusting your payment gateway fraud prevention settings.
reCaptcha for WooCommerce
Having a stolen credit card used on your website is a major hassle, but carding is a whole different level of trouble. Carding refers to attackers using automated scripts to run hundreds of thousands of compromised card numbers through your checkout in a matter of minutes or hours, to find out which ones are still live. Not only does this consume bandwidth and slow down your server, but if you let it happen regularly the risk of your payment gateway suspending your account is high.
This is where Google reCaptcha comes to the rescue.
I’ve tested and used various reCaptcha plugins for WooCommerce and found that the official plugin from Automattic, reCaptcha for WooCommerce, works the best. They recently released a new version that supports Google reCaptcha v3, which works behind the scenes without interrupting the user experience during checkout. And at $29, it can be one of the best tools in your effort to protect yourself against carding.
Here are some of the features that will make your life easier:
I suggest enabling it on both the Checkout and Add Payment Method pages to block fraudulent orders and carding. reCaptcha v3 returns a score from 0.0 (almost certainly a bot) to 1.0 (almost certainly a human), and requests scoring below the threshold you set are rejected. The right threshold differs from one store to another, but I found anything between 0.3 and 0.5 worked best for me, giving a very good balance between protection and false positives.
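To show what the threshold decision actually involves on the server side, here is an added example in Python (not code from the reCaptcha for WooCommerce plugin, which is PHP). It evaluates the JSON that Google's siteverify endpoint returns for a v3 token: besides the score, a safe check also confirms the token was issued for the expected action and hostname, so a token minted on some other form cannot be replayed at checkout. The store hostname `shop.example.com`, the action names and the sample replies are all constructed for the example.

```python
"""Server-side reCAPTCHA v3 decision logic.

Added example, not code from the reCaptcha for WooCommerce plugin. The
browser widget hands the checkout form a token; the server POSTs that
token to Google's siteverify endpoint and gets JSON back with `success`,
`score` (0.0 = almost certainly a bot, 1.0 = almost certainly a human),
`action` and `hostname`. The replies below are constructed to match that
shape so the decision logic can run offline.
"""
import json
from typing import Optional, Tuple

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

CHECKOUT_THRESHOLD = 0.5                               # within the 0.3-0.5 range the article found workable
EXPECTED_HOSTNAMES = {"shop.example.com"}              # assumed store hostname
EXPECTED_ACTIONS = {"checkout", "add_payment_method"}  # assumed action names set in the widget


def fetch_siteverify(secret: str, token: str, remote_ip: Optional[str] = None) -> str:
    """Perform the real network call (not executed in this offline example)."""
    import urllib.parse
    import urllib.request
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return resp.read().decode()


def evaluate_recaptcha(response_json: str, threshold: float = CHECKOUT_THRESHOLD) -> Tuple[bool, str]:
    """Return (allow, reason) for one siteverify reply.

    The token is trusted only if Google reports it valid, it was issued for
    an action we expect (so a token minted on the login form cannot be
    replayed at checkout), for our own hostname, and its score is at or
    above the threshold. Anything else is treated as a bot.
    """
    try:
        reply = json.loads(response_json)
    except json.JSONDecodeError:
        return False, "malformed siteverify response"
    if not reply.get("success"):
        # Google reports e.g. "timeout-or-duplicate" when a token is replayed.
        return False, "token invalid: " + ",".join(reply.get("error-codes", ["unknown"]))
    if reply.get("action") not in EXPECTED_ACTIONS:
        return False, "unexpected action %r" % reply.get("action")
    if reply.get("hostname") not in EXPECTED_HOSTNAMES:
        return False, "token issued for another host %r" % reply.get("hostname")
    score = reply.get("score")
    if not isinstance(score, (int, float)):
        return False, "no score in response"  # a v2 site key returns no score
    if score < threshold:
        return False, "score %.2f below threshold %.2f" % (score, threshold)
    return True, "score %.2f" % score


# Constructed siteverify replies (not real Google output) covering the cases above.
SAMPLE_RESPONSES = {
    "human_checkout": '{"success": true, "score": 0.9, "action": "checkout", '
                      '"hostname": "shop.example.com", "challenge_ts": "2024-03-01T10:00:00Z"}',
    "bot_checkout":   '{"success": true, "score": 0.1, "action": "checkout", '
                      '"hostname": "shop.example.com"}',
    "replayed_token": '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
    "wrong_action":   '{"success": true, "score": 0.9, "action": "login", '
                      '"hostname": "shop.example.com"}',
    "borderline":     '{"success": true, "score": 0.4, "action": "add_payment_method", '
                      '"hostname": "shop.example.com"}',
}

if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        print(name, evaluate_recaptcha(body))
```

The `borderline` reply is the one the threshold setting decides: at 0.5 it is refused, at 0.3 it goes through, which is exactly the trade-off between protection and false positives described above. Note that a valid token can only be verified once, so a bot that captured a real token and replays it comes back as `timeout-or-duplicate`.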
Payment Gateway fraud prevention settings
Every major payment gateway has a set of tools to help you prevent fraudulent orders, and that’s the first thing you should look into in order to prevent & manage fraudulent transactions – whether in WooCommerce or otherwise. If you are unsure where to change the settings listed below, get in touch with your payment gateway and they can do it for you (or point you in the right direction).
Make CVV2 mandatory
CVV2 is the 3-digit security code printed on the back of the card (4 digits on the front for American Express). It is not embossed, not encoded on the magnetic stripe, and merchants are not allowed to store it, so card numbers leaked from a merchant breach usually come without it; requiring it means the buyer normally needs the physical card in hand. There is no reason to allow transactions without the CVV2 code, and making this field mandatory will greatly reduce fraudulent transactions in your WooCommerce store. One caveat: PCI DSS forbids storing the CVV2 after authorization, so never log it or keep it in order metadata.
Adjust AVS filters
AVS stands for Address Verification Service, and it is one of the tools that helps you identify potentially fraudulent orders. Each time a transaction is authorized, AVS compares the numeric part of the billing street address and the ZIP code from the order to what the card-issuing bank has on file, and returns a result code saying whether the street number, the ZIP, both, or neither matched.
These are the main filters available in most payment gateway settings, which can be set to Accept, Reject, Accept and Report, or Authorize and Hold for Review every time one of the following happens:
I would strongly recommend setting the first rule (No AVS match) to Authorize and Hold for Review. These orders need a manual look before you ship. Any stricter settings depend on the store and need testing: AVS is mainly supported by US (and some UK and Canadian) issuers, and many issuers elsewhere return "unavailable" rather than a match, so a blanket Reject would also turn away legitimate international customers.
Set up Velocity settings
Most payment gateways have some sort of velocity filter, usually on a daily or hourly basis. A velocity filter specifies the number of transactions allowed per hour or per day before a rule is applied. For instance, if you usually process around 100 transactions per day, you may want to set the daily velocity filter to 200: that volume would be unusually high for your store, meaning something could be off. Each transaction beyond the 200th would trigger the filter, and one of the following can happen (based on your choice):
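To see how the three gateway settings above (mandatory CVV2, AVS rules, velocity limits) interact, here is an added example in Python; it is not WooCommerce code and not any gateway's implementation, just a model of those settings run over constructed traffic. Assumptions are labelled in the code: the AVS result letters follow the common Visa-style codes (Y, A, Z, N, U, G), which your gateway may name differently, and the limits of 200 per day (hold) and 50 per hour (reject) are chosen for the hypothetical 100-orders-a-day store.

```python
"""Gateway-style fraud filters modelled in Python.

Added example; not WooCommerce's or any gateway's own code. Models the
three settings discussed above: CVV2 mandatory, an AVS result -> action
table, and rolling-window velocity limits, and shows how they combine.
Assumptions: Visa-style AVS letters (Y, A, Z, N, U, G); real gateways use
their own codes. Limits (200/day hold, 50/hour reject) suit a store doing
about 100 orders a day.
"""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional, Sequence, Tuple


class Action(Enum):
    ACCEPT = "accept"
    ACCEPT_AND_REPORT = "accept_and_report"
    HOLD_FOR_REVIEW = "authorize_and_hold"
    REJECT = "reject"


# The most restrictive action wins when several filters fire.
_SEVERITY = {Action.ACCEPT: 0, Action.ACCEPT_AND_REPORT: 1,
             Action.HOLD_FOR_REVIEW: 2, Action.REJECT: 3}

# Assumed Visa-style AVS codes: Y = street and ZIP match, A = street only,
# Z = ZIP only, N = neither, U = issuer cannot verify, G = non-AVS (international) issuer.
AVS_POLICY: Dict[str, Action] = {
    "Y": Action.ACCEPT,
    "A": Action.ACCEPT_AND_REPORT,
    "Z": Action.ACCEPT_AND_REPORT,
    "N": Action.HOLD_FOR_REVIEW,   # "No AVS match": hold, as recommended above
    "U": Action.HOLD_FOR_REVIEW,
    "G": Action.HOLD_FOR_REVIEW,   # rejecting here would block legitimate non-US cards
}


@dataclass
class AuthRequest:
    ts: datetime
    cvv2: Optional[str]   # only checked for presence and shape; never persisted
    avs_result: str


@dataclass
class VelocityFilter:
    window: timedelta
    limit: int
    action: Action
    _times: deque = field(default_factory=deque)

    def record(self, ts: datetime) -> bool:
        """Count this attempt; True if the window now holds more than `limit`."""
        while self._times and ts - self._times[0] >= self.window:
            self._times.popleft()   # expire attempts that left the window
        self._times.append(ts)
        return len(self._times) > self.limit


class FraudScreen:
    def __init__(self, require_cvv2: bool = True, avs_policy: Dict[str, Action] = AVS_POLICY,
                 velocity_filters: Sequence[VelocityFilter] = ()):
        self.require_cvv2 = require_cvv2
        self.avs_policy = avs_policy
        self.velocity_filters = list(velocity_filters)

    def screen(self, req: AuthRequest) -> Tuple[Action, List[str]]:
        decision, reasons = Action.ACCEPT, []

        def escalate(action: Action, why: str) -> None:
            nonlocal decision
            reasons.append(why)
            if _SEVERITY[action] > _SEVERITY[decision]:
                decision = action

        # Velocity counts every attempt, including ones rejected below: a carding
        # run that omits CVV2 must still push the counter up.
        for vf in self.velocity_filters:
            if vf.record(req.ts):
                escalate(vf.action, "more than %d attempts in %s" % (vf.limit, vf.window))
        if self.require_cvv2 and not (req.cvv2 and req.cvv2.isdigit() and len(req.cvv2) in (3, 4)):
            escalate(Action.REJECT, "CVV2 missing or malformed")
        # Unknown AVS codes are held rather than accepted: fail closed.
        avs_action = self.avs_policy.get(req.avs_result, Action.HOLD_FOR_REVIEW)
        if avs_action is not Action.ACCEPT:
            escalate(avs_action, "AVS result %s" % req.avs_result)
        return decision, reasons


def build_screen() -> FraudScreen:
    """Settings for a hypothetical store doing about 100 orders a day."""
    return FraudScreen(require_cvv2=True, velocity_filters=[
        VelocityFilter(timedelta(days=1), 200, Action.HOLD_FOR_REVIEW),
        VelocityFilter(timedelta(hours=1), 50, Action.REJECT),
    ])


def screen_single(cvv2: Optional[str], avs_result: str) -> Tuple[Action, List[str]]:
    """Screen one order on a fresh, otherwise idle screen."""
    return build_screen().screen(AuthRequest(datetime(2024, 3, 1, 10, 0), cvv2, avs_result))


def simulate_carding_burst(attempts: int = 300) -> Dict[Action, int]:
    """Constructed carding run: `attempts` authorizations one second apart at 2am,
    each with a guessed CVV2 and a billing address the issuer does not recognise."""
    screen, start = build_screen(), datetime(2024, 3, 1, 2, 0, 0)
    counts = {a: 0 for a in Action}
    for i in range(attempts):
        action, _ = screen.screen(AuthRequest(start + timedelta(seconds=i), "123", "N"))
        counts[action] += 1
    return counts
```

Running `simulate_carding_burst()` shows why the hourly filter matters more than the daily one against carding: the first 50 attempts are only held for review on the AVS mismatch, but everything after the 51st is rejected outright by the hourly limit long before the daily limit of 200 is reached. The velocity counter deliberately counts rejected attempts too, so a script that leaves CVV2 blank cannot keep probing cards without tripping it.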
There are ways to fight fraudulent orders and carding, but most solutions in the form of anti-fraud plugins aren't effective unless you also review the flagged orders manually. Stick to setting up reCaptcha on your most important pages and setting up rules and filters in your payment gateway. That'll give you the most bang for your buck.