Disputes are an unfortunate aspect of accepting payments online and the best way to manage them is to prevent them from happening at all. An effective dispute and fraud prevention strategy uses a number of methods that are best suited for your business while keeping any customer burden—and losses—to a minimum.
Radar, our fraud prevention toolset, is built directly into the payment flow and combines a customizable rules engine with powerful machine learning algorithms. This process detects patterns across payments processed with Stripe, assessing the risk level of each.
Use the following information to create an effective disputes and fraud prevention strategy. Depending on the service you provide, the goods you sell, or how your business operates, certain methods may be more effective than others.
Collect as much payment information as possible
Some disputes are lost because only the minimum information was required during checkout. This makes it difficult (sometimes impossible) for Stripe or the bank to verify that the customer is legitimate. For instance, while a billing ZIP code is not always necessary to process a card payment, including it allows it to be verified by the bank. If verification fails, you may want to consider rejecting the payment as this may be an indication of fraud.
- Customer name
- Customer email address
- CVC number
- Full billing address and ZIP code
- Shipping address (if different from billing address)
Make use of verification checks
When a card payment is submitted to your customer’s bank for authorization, Stripe provides the CVC, ZIP code, and billing street address for them to verify (if collected). The bank checks this against the information they have on file for the cardholder. If the provided information doesn’t match, the verification check fails. A failed CVC or ZIP code check can indicate the payment is fraudulent, so you should review it carefully before fulfilling the order.
If no information is collected, the bank cannot perform a verification check. It’s strongly recommended to collect the CVC, ZIP code, and billing address for every payment. The results of verification checks help improve the detection of potentially fraudulent activity.
Card verification code check (CVC)
The CVC (also referred to as CVV) is the three- or four-digit number printed directly on the credit card, usually either on the signature strip or the front of the card. Radar includes a built-in rule to block any payments that fail the CVC verification check (note that this does not affect payments where the CVC check could not be performed). This can be enabled or disabled within the Dashboard.
In general, only cardholders in physical possession of the card should have access to the CVC number. Businesses are not permitted to store the CVC number, so it’s unlikely that a fraudster can obtain this information through a computer breach. However, CVC verification does not protect against physical theft of a card, or card information used on a compromised computer or website that isn’t secure.
Address verification (AVS)
AVS is comprised of two checks: one based on the ZIP code and another based on the billing street address. AVS checks determine whether these pieces of information match the billing address on file with the card issuer. Radar includes a default rule to block any payments that fail ZIP code verification, which can be enabled or disabled within the Dashboard.
There are situations where these address checks can fail on legitimate payments. For example, a customer may have entered their address incorrectly, or may have recently moved and not yet updated their address with their bank.
ZIP code verification is widely supported by banks in many countries, while street address verification is commonly supported for cards issued in the United States, Canada, and the United Kingdom. Support for both AVS checks varies from country to country (e.g., certain countries do not use a postal code or some banks do not support street address verification).
Effective customer communication
Clear and frequent contact with your customers can help prevent many of the reasons for disputes. By responding to issues and processing refunds or replacement orders quickly, your customers are far less likely to take the time to dispute a payment. Make your customer service contact information prominent, keep customers updated throughout the order process, and provide updates to delivery information.
In general, you should make your terms of service and policies easy to find on your website, and require customers to agree to them. Rather than simply linking to them during checkout, provide them in full text on the checkout page or as a pop-up with a requirement to agree prior to submitting the order.
Banks can be very specific about how policies are presented to your customers. If you have a checkbox that your customer must accept which only contains a link, this can often be rejected by the bank as satisfactory evidence that your customer had been aware of your policies. There must be reasonable evidence that your customer was presented with a full copy of your policies prior to their purchase.
When shipping physical goods to customers, use carriers and services that provide online tracking and delivery confirmation whenever possible. Provide this information to your customers as soon as it’s available (if you need to submit tracking information as dispute evidence, note that banks do not follow links so screenshots must be provided).
Use a recognizable name for your statement descriptor. This can be set or updated in your account settings and we recommend using your website domain or business name. This helps avoid customer confusion when they look at their statement. Statement descriptors are limited to 22 characters, and cannot use the special characters
Avoid using the same Stripe account for separate businesses. Each Stripe account should represent a single business, which allows for separate statement descriptors and contact information. If you need to process payments for multiple businesses, you can create additional accounts for each.
Avoiding fraudulent payments
A payment is considered fraudulent when the cardholder did not authorize it. Most fraudulent payments are made using stolen cards or card numbers. When a cardholder is notified that the payment has been made or they review their card statement, they contact their bank to dispute it.
Common types of online fraud
Online fraud is fundamentally different to fraud that occurs at brick-and-mortar businesses as it’s harder to be certain that the person you’re selling to is who they say they are. Some fraudsters adopt more sophisticated methods than just trying to make purchases on a stolen card.
When accepting payments online, it’s important to be aware of the different kinds of fraud and what your liability is.
This type of fraud makes use of stolen credit or card details to make a purchase online. The fraudster may be in possession of a physical card, but it’s more likely that the cardholder’s details were stolen electronically. A business ships goods or provides service to the fraudster, with the assumption that the payment is legitimate.
If a cardholder has not yet realized that their card is lost or stolen (and so has not notified the bank), payments can still be processed successfully. Even if a payment is not declined, this does not mean that it was authorized.
Once the cardholder discovers the fraudulent use of their card, the payment is disputed with the bank. Once the dispute is found in favor of the cardholder, the business suffers a loss equal to the amount of the payment, the cost of any goods or services already provided, as well as an additional dispute fee.
Overpayment fraud (also known as a payout scam) is a variant of stolen card fraud. The fraudster presents themselves as requiring the services of a third-party service in connection with the purchase. The fraudster then offers to pay the seller the cost of the goods, an extra sum for the fraudulent third-party, and often an additional convenience (tip) for accommodating the request. The fraud being committed here is that the third-party service doesn’t exist—the fraudster has taken the additional funds while the seller is left with a dispute.
For example, an online antique business may be approached by a fraudster claiming to live overseas. They request that the business use their preferred freight company, who they ask the business to make payment to. Using stolen card information, the fraudster pays the business for the goods and fake freight fee, and includes a gratuity for the seller as an incentive.
The business complies and pays the fee to this fake freight company, but no shipment ever occurs because there is no legitimate shipper. The actual cardholder discovers the unauthorized payment and disputes it with their bank. The payment is automatically refunded and a dispute fee deducted, even though the business has already paid out funds separately to a fraudulent third party.
In this form of fraud, the fraudster deliberately pays more than was required, then contacts the business and claims they accidentally entered the wrong amount. The fraudster requests a partial refund to rectify this, but claims they have closed the card that was used and would like a refund sent using an alternative method that is outside of the card network (e.g., check or wire transfer).
For example, a fraudster donates $500 to a charity and contacts them shortly after to say that it should have been a $50 donation. The fraudster asks for the return of $450 using a different method, so no refund is made back to the original card. When the legitimate cardholder disputes the fraudulent payment, the charity is not only responsible for the disputed amount, they have also lost the amount sent using the alternative method.
Never refund payments using a different method than the one originally used. If a card has legitimately been closed, you can still perform a refund. The customer should then contact that bank or card issuer to arrange for the funds to be retrieved.
If you run a marketplace business (such as a Connect platform) where your users are responsible for providing service to your customers, this type of fraud occurs when a fraudulent merchant absconds with any payments before providing the services or goods to customers.
For example, a marketplace that connects buyers and sellers can run the risk of a seller taking payment from the buyer and not sending the goods. In such cases, if the funds cannot be recovered from the seller, responsibility for the disputed amount and fee is ultimately on the platform.
This is the practice of testing a card (or multiple cards) on one site to see if it’s still valid before using it on another site to make a fraudulent payment. Sites with free text fields, such as donation sites and “pay what you like” e-commerce businesses, are predominantly the targets of card testing.
Implementing CAPTCHA or rate-limiting charges can help combat this type of fraud.
Friendly fraud occurs when a legitimate cardholder makes a purchase, but then disputes it at a later date. This can either be accidental, because they didn’t recognize the transaction on their statement, or deliberate (e.g., due to buyer’s remorse or as an attempt to fraudulently obtain merchandise without paying).
It can be difficult to know whether friendly fraud has occurred, especially in digital sales. For those selling physical goods, shipping to a verified billing address and requiring signature on delivery can help combat this. In addition, having clear return policies prominently displayed at checkout to which the customer must agree prior to making a purchase can also help.
Identifying potential fraud
As Stripe users are responsible for fulfilling orders for customers, and possess the most information about their customer at the time of purchase, they are best equipped to determine whether or not a payment is potentially fraudulent. There are many indications of fraudulent activity that may seem fine alone but together can clearly indicate fraud.
Card payments that have an elevated risk of fraud are automatically placed into review. However, you may want to create additional rules based on the following factors to place additional payments into review—or block them completely.
Although our recommendations can help prevent disputes and fraud, they cannot eliminate them completely. We want our users to be as informed as possible, both so that they can accept or refund any payments they believe are fraudulent and so they are equipped to accept the financial responsibility of any suspicious payments that enter their Stripe account.
- Use of likely false information (e.g., fake phone numbers and email addresses like firstname.lastname@example.org).
- Inconsistencies in customer details across multiple purchases (e.g., using the same e-mail address but a different name for another payment).
- Communication that doesn’t sound quite right. Fraudsters often use a canned response that is sent to multiple sellers using common phrases. If any communication appears scripted, use a search engine (putting the short phrase in quotes) to see if it’s been used elsewhere (e.g., this particular phrase has been used many times).
- Unusually large orders (e.g., multiples of the same item, only your most expensive merchandise, expensive items or total order amount that seems inconsistent with normal customer behavior)
- Many payments (including those that have been declined) made with:
  - The same card but different shipping addresses.
  - Many cards that use the same shipping address.
  - The same card from the same IP address.
  - The same customer name/email address.
  - If each failed attempt is associated with a different credit card, any successful payment carries a much greater risk for fraud.
  - Similar or the same card numbers, especially over a short duration and for smaller amounts. This is especially true for crowdfunding/fundraising sites.
- Any requests to:
  - Split a large order into multiple payments across different cards that do not share the same verified billing address information.
  - Process a payment manually, either through the Dashboard or your store. Fraudsters may make this request in order to have the charge run with your local IP address instead of their own.
  - Charge a card more than the required amount (known as an “overcharge”) and pay out a third-party (e.g., driver, shipper or freight company) using a different payment method (e.g., cash, money order).
  - Charge a card and then provide a refund outside the card network (e.g., check, wire transfer).
Declined payments can provide valuable information and should also be regularly reviewed.
- Check whether the shipping and billing addresses match. Although a difference in address by itself doesn’t indicate fraud (e.g., customer may have purchased a gift), it indicates that the charge should be looked at more carefully. If the addresses do match and the customer is using a credit card from the US, Canada or UK, check to see if the ZIP code and street address verifications passed.
- Watch for customers who ask to change the shipping address after the order is placed. Fraudsters may use a legitimate address to obtain a successful charge but later ask that products be shipped elsewhere.
- Rush orders or requests for overnight delivery (which would allow fraudsters to take advantage of timing)
- Review the credit card’s country of origin (the country in which it was issued) in a charge’s payment detail in the Stripe dashboard. The billing address provided should match this country. Where the shipping country does not match the card’s origin or is a country typically not shipped to, it is important to take extra steps to verify the legitimacy of the charge.
- Ensure that shipping methods are appropriate, especially for overnight shipping at a high cost. People using stolen credit cards don’t usually worry about how expensive the shipping is and want goods right away, before the card number is reported as stolen or compromised. Never agree to use a customer’s “preferred shipper” or agree to pay a third party shipping company on your customer’s behalf; these are usually a second front for fraud.
- Consider instituting a 24-48 hour shipping delay for high-value orders or shipments to non-verified addresses or first-time customers.
- If you have a verified billing ZIP code, make sure the shipping label generated by your shipper displays this ZIP code after you enter the address. Some fraudsters will provide a valid billing ZIP code, but the rest of the address (street, city, and state) is fraudulent, and automated systems such as USPS self-service will often autocorrect the ZIP code you enter—effectively changing it from the verified billing ZIP code to the fraudster’s.
- Use of international cards or orders with international shipping addresses
- High-risk shipping destinations
- Shipping to a freight forwarder
If you’d like to familiarize yourself with the ZIP code prefixes in the US by region, use this reference map.
Generally, Stripe cannot see the shipping address customers provide and shipping information is not necessary to successfully accept a payment. However, you can improve Stripe’s fraud detection by sending the shipping address when creating a charge.
Digital goods or services
- Customers that misuse digital goods or services are more likely to be using stolen credit cards (e.g., a customer sending spam using a product for messaging or making many purchases in a short period of time for downloadable content or “in-game” items).
- Watch for multiple accounts using similar email addresses or the same credit card. You can surface this in your review queue through a review rule.
- Watch for multiple charges to the same email address in rapid succession. You can surface this in your review queue through a review rule.
- Watch for unexpected or significant changes in account activity. If the purchase frequency or dollar amount of payments for an account increases significantly, it may be an indication of fraudulent activity.
- Even though digital goods are not shipped, it is very important to collect and verify as many card details as possible, including CVC, street address, and ZIP code. Consider rejecting charges that fail the CVC and ZIP code checks.
- View evidence about the payments, including IP address, email logs, usage logs (i.e., did they log in and actually use the service?), and so on. Pass us this information, so that you can view it as you review a charge.
Donations or crowdfunding
- Make sure the donation makes sense for your campaign. If you’re running a small, personal campaign and you receive a very large donation from an unknown individual, scrutinize it carefully. Consider refunding if you cannot verify the individual making the donation.
- If you receive a large donation and the donor reaches out to you to say they made a mistake and only meant to donate part of the amount, be cautious. Fraudsters sometimes make a large donation (such as $1,000) and later tell you they only meant to donate a smaller amount (like $100) and ask you to refund the rest. This is done to test a stolen card’s credit limit. If this scenario appears, it may be prudent to refund the entire donation.
- Monitor your declined payments. Many declines that used different cards in rapid succession indicate that a fraudster is testing stolen card numbers. If it does look like someone is testing cards on your website, consider adding a delay or implementing a CAPTCHA during checkout to slow them down. This usually encourages a card tester to move on.
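Added example (not Stripe code): one way to act on the advice above about monitoring declined payments, flagging an IP address that tries many different cards in rapid succession and listing any successful payment inside that burst for review. The record layout, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample attempts: (ISO timestamp, client IP, card fingerprint,
# amount in cents, outcome). IPs come from documentation ranges and the
# fingerprints are made-up labels, not real card data.
SAMPLE_ATTEMPTS = [
    ("2024-05-01T10:00:05", "203.0.113.7", "card_A", 100, "declined"),
    ("2024-05-01T10:00:40", "203.0.113.7", "card_B", 100, "declined"),
    ("2024-05-01T10:01:10", "203.0.113.7", "card_C", 100, "declined"),
    ("2024-05-01T10:01:15", "198.51.100.20", "card_X", 2500, "succeeded"),
    ("2024-05-01T10:01:55", "203.0.113.7", "card_D", 100, "succeeded"),
    ("2024-05-01T10:02:30", "203.0.113.7", "card_E", 100, "declined"),
    ("2024-05-01T12:30:00", "198.51.100.20", "card_X", 4000, "declined"),
    ("2024-05-01T12:31:00", "198.51.100.20", "card_X", 4000, "succeeded"),
]


def find_card_testing(attempts, window=timedelta(minutes=10),
                      min_cards=4, min_decline_ratio=0.5):
    """Flag IPs that try many distinct cards within `window`, mostly declined.

    Returns {ip: {"distinct_cards", "declines", "review"}} where "review"
    lists (timestamp, card) for payments that succeeded inside a flagged
    burst. Those carry the greatest fraud risk and should be reviewed first.
    Thresholds are assumed defaults; tune them to your own traffic.
    """
    recent = defaultdict(deque)  # ip -> attempts still inside the window
    findings = {}
    for ts, ip, card, amount, outcome in sorted(attempts):
        when = datetime.fromisoformat(ts)
        burst = recent[ip]
        burst.append((when, card, amount, outcome))
        # Slide the window: drop attempts older than `window`.
        while when - burst[0][0] > window:
            burst.popleft()
        cards = {c for _, c, _, _ in burst}
        declines = sum(1 for _, _, _, o in burst if o == "declined")
        if len(cards) >= min_cards and declines / len(burst) >= min_decline_ratio:
            hit = findings.setdefault(
                ip, {"distinct_cards": 0, "declines": 0, "review": set()})
            hit["distinct_cards"] = max(hit["distinct_cards"], len(cards))
            hit["declines"] = max(hit["declines"], declines)
            hit["review"].update(
                (t.isoformat(), c) for t, c, _, o in burst if o == "succeeded")
    for hit in findings.values():
        hit["review"] = sorted(hit["review"])  # stable, printable order
    return findings


if __name__ == "__main__":
    for ip, hit in find_card_testing(SAMPLE_ATTEMPTS).items():
        print(ip, hit)
```

A retried decline on a single card, as from 198.51.100.20 in the sample, is not flagged because the check counts distinct cards rather than attempts.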
Notifying you of suspected fraud
Stripe’s machine learning system continuously monitors all payments processed by our users. In rare cases, you may receive a notification from Stripe that a payment is suspected of being fraudulent after it has already been processed. This can occur if we have detected further activity on the card which now suggests it’s being used fraudulently, or if we receive an alert from the card network.
Although we notify you as soon as we become aware of any suspicious activity, it may be several days after a payment has been made. Keep in mind that this is not confirmation that a payment was fraudulent—only that we have reason to believe it is.
We provide this information to you to ensure that you’re able to make an informed decision and take action where necessary (e.g., contact the customer or place their order on hold). If you have any concerns about the payment after reviewing it, we recommend refunding it immediately. This action immediately refunds it so it cannot then be disputed.
Best practices for preventing fraud
Using Radar, you can create rules to manage how your business handles incoming payments, blocking any that you would consider suspicious or placing them in review. There are also additional methods you can implement that work alongside any features of Radar that you use. You should also be aware of common types of fraud and make sure your business is best able to identify fraudulent payments.
Refund suspicious payments immediately
Refund any payments you suspect are fraudulent as soon as possible. In the Dashboard, select the payment and click Refund as fraud. This refunds the payment and reports it to us so that we can further improve our fraud detection.
Contact customers to confirm their order
Contacting customers by phone or e-mail to confirm their details before fulfilling an order can give you time to verify if a payment is legitimate. Contact information that doesn’t belong to the customer or fails to work may indicate a fraudulent payment. A nonsensical or evasive answer is also typically a good indication of potentially fraudulent behavior.
Keep in mind that even phone or email responses cannot guarantee that the person responding is the true cardholder.
Use rules to automatically block payments or place them in review
Our fraud prevention toolset, Radar, is built directly into the payment flow and combines a customizable rules engine with powerful machine learning algorithms. It can detect patterns across payments from every business processing payments with Stripe, assessing the risk of each one. You can use Radar to create a highly effective fraud prevention strategy.
Using rules, you can adopt methods that evaluate payments based upon your specific criteria and take the appropriate action automatically. You can also create rules that make use of multiple criteria, allowing you to allow or block payments that meet multiple conditions. The following recommendations for rules can help prevent many common attempts at fraud.
If you’re experiencing increased fraud coming from certain countries, you can set up rules to block payments from any country you do not want to accept payments from, using the :ip_country: and :card_country: rule attributes. For example, you can create the following rule to block all payments and cards originating from Canada:
Block if :ip_country: = 'ca' and :card_country: = 'ca'
Similarly, if your business only supports the country it operates in, you can create a rule that blocks any payments from all other countries. For example, a rule to block payments that don’t originate from Australia is:
Block if :ip_country: != 'au' and :card_country: != 'au'
Card type limiting
You can set limits on which type of cards to accept, either by brand (e.g., Mastercard) or by funding type (e.g., pre-paid). This can be particularly helpful if you see excessive fraud from certain card types.
To block payments from all Visa-issued debit cards, an example rule would be:
Block if :card_brand: = 'visa' and :card_funding: = 'debit'
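Added example, not Stripe code: a small local evaluator for the subset of rule syntax used by the three rules above (`=`, `!=`, conditions joined by `and`), run over constructed payments to show which ones each rule blocks. It is a model for dry-running rule logic and not Radar's engine; case-insensitive matching, the payment field layout and the sample payments are assumptions.

```python
import re

# The three rules from this page, with every value quoted.
RULES = {
    "block_canada": "Block if :ip_country: = 'ca' and :card_country: = 'ca'",
    "australia_only": "Block if :ip_country: != 'au' and :card_country: != 'au'",
    "visa_debit": "Block if :card_brand: = 'visa' and :card_funding: = 'debit'",
}

# One condition: :attribute: <op> value, where the quotes are optional here.
_CONDITION = re.compile(r"^:(\w+):\s*(!=|=)\s*'?(\w+)'?$")


def parse_rule(text):
    """Parse 'Block if <cond> and <cond> ...' into (attribute, op, value) tuples."""
    action, _, body = text.strip().partition(" if ")
    if action != "Block" or not body:
        raise ValueError(f"unsupported rule: {text!r}")
    conditions = []
    for part in re.split(r"\s+and\s+", body):
        match = _CONDITION.match(part.strip())
        if not match:
            raise ValueError(f"unsupported condition: {part!r}")
        attribute, op, value = match.groups()
        conditions.append((attribute, op, value.lower()))
    return conditions


def is_blocked(rule_text, payment):
    """True only if every condition of the rule holds for this payment."""
    for attribute, op, value in parse_rule(rule_text):
        actual = str(payment[attribute]).lower()  # assumed case-insensitive
        holds = (actual == value) if op == "=" else (actual != value)
        if not holds:
            return False
    return True


# Constructed payments covering each IP-country / card-country combination.
PAYMENTS = {
    "local": {"ip_country": "au", "card_country": "au",
              "card_brand": "visa", "card_funding": "credit"},
    "foreign_card_local_ip": {"ip_country": "au", "card_country": "ca",
                              "card_brand": "visa", "card_funding": "debit"},
    "local_card_foreign_ip": {"ip_country": "ca", "card_country": "au",
                              "card_brand": "mastercard", "card_funding": "debit"},
    "fully_foreign": {"ip_country": "ca", "card_country": "ca",
                      "card_brand": "visa", "card_funding": "prepaid"},
}


def blocked_by(rule_name):
    """Names of the constructed payments that the named rule would block."""
    rule = RULES[rule_name]
    return sorted(name for name, p in PAYMENTS.items() if is_blocked(rule, p))


if __name__ == "__main__":
    for name in RULES:
        print(f"{name}: {blocked_by(name)}")
```

Because the conditions are joined by `and`, a payment is blocked only when every condition holds, so the Australia rule lets through a payment that matches Australia on either the IP country or the card country.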
Manually review payments
Radar includes a review process that allows you to place certain payments into review—though keep in mind that these payments are still processed and the credit card charged. These payments are placed into the review queue for you to take a closer look at. Should you suspect that the payment is fraudulent, you can refund it.
You should review payments that Stripe has placed into your review queue as soon as possible. Payments with an elevated risk of fraud are automatically marked for review. You can also create additional rules to customize the types of payments that should be placed in your review queue.
Here are some considerations when reviewing a payment:
- Does the billing address match the shipping address?
- Has the billing address been verified by AVS? Does it also match the card’s country of origin?
- Does the customer’s email address match the cardholder’s name?
- Is this an order that the customer has asked to be expedited?
- Have multiple orders from different credit cards originated from this same IP address?
- Has this customer made many order attempts that have been declined?
If you are unsure about a payment when you’re reviewing it, you should always contact the customer by phone or email. If a payment’s billing and shipping address do not match, look into the shipping address using Google Maps & Street View to find out more. A common tactic that fraudsters use is to have orders shipped to a freight or mail forwarding service or storage facility that forwards the goods to their actual location.
Delay shipping orders
If you’re shipping physical goods, consider delaying the shipment of goods by 24-48 hours. This time gives cardholders a chance to spot any fraud on their accounts. However, not all cardholders check their statements on a daily basis, and their bank may not proactively contact them about the transaction.
Customers that request overnight or expedited shipping should be considered higher risk, as the increased cost of such services is of no consequence to fraudsters. One tactic you can use to identify these types of payments is to offer same day or overnight shipping at a very high cost–many times more expensive than any other shipping option you provide.
It’s far less likely that any legitimate customer would pay such a high cost, but a fraudster would want the goods to be shipped as soon as possible and have no regard for the additional cost. You can then manually screen any customers that opt for the expensive shipping option and scrutinize the order to determine if it looks genuine.
Ship to a verified address
Shipping to a verified billing address which has passed ZIP code and street address checks is always the safest option. When using an address that has not been verified, you cannot prove that the order was shipped to the legitimate cardholder if the payment is later disputed.
This doesn’t prevent you shipping to a different address, though you should do all you can to mitigate the risks involved. For instance, you may only want to ship orders to a different address for returning customers you already know to be legitimate, or who provide a fully verifiable billing address. In addition, any of the following could indicate the payment is suspicious:
- The order is much larger than normal, or is only for your most expensive products
- The customer changed the shipping address after placing the order
- The customer requested expedited shipping
- The products ordered have a high street resale value
- The shipping destination is vastly different from the billing address or the card’s country of origin (e.g., billing address is Spain, shipping address is France)
Reviewing the order and the shipping address information can help you determine whether or not the order presents an unacceptable risk to you.
Use auth and capture when creating payments
When there is an attempt to charge a credit card, it is processed in two parts. The charge is first authorized by requesting authorization for the amount to charge from the bank. Once approved, the charge is then captured immediately afterwards and the amount deducted from the card.
Auth and capture is the process of performing these two steps at separate times. The authorization can be made first, which holds the amount on the card and appears on a customer’s statement as a pending transaction. The charge can then be captured up to seven days later. Capturing a charge completes the payment and the funds are deducted from the customer’s card. If a charge is not captured within the time limit, the authorization is released.
Similar to delayed shipping, this method can allow enough time for potential fraud to come to light, giving you the option to carefully review the transaction.
Set a custom statement descriptor for each payment
The statement descriptor is the line that appears on customers’ card statements with information about the company that’s associated with a payment. One use of this is to insert a short, random code that your customer then has to verify. When you suspect a transaction might be fraudulent, you can contact your customer and ask them to give you the code that is shown on their online statement.
You can either edit your default statement descriptor within the Dashboard or set a dynamic statement descriptor whenever a payment is created through the API. While this method cannot help against a fraudster that may have access to a cardholder’s online bank or credit account, this is extremely rare. Using the statement descriptor in this manner can provide reassurance that the customer is likely to be genuine.
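Added example (not Stripe code): generating the short random code described above, fitting it into the 22-character statement descriptor limit, and checking what the customer reads back. The function names, the code alphabet and the letters-digits-spaces restriction on the business name are assumptions made for this sketch; passing the resulting string to the API is left out.

```python
import hmac
import secrets

MAX_DESCRIPTOR_LEN = 22  # limit stated on this page

# Assumed alphabet: uppercase letters and digits with look-alikes removed
# (no O/0 or I/1), so the code survives being read aloud over the phone.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def new_code(length=5):
    """Return an unpredictable verification code drawn from CODE_ALPHABET."""
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))


def build_descriptor(business_name, code):
    """Return 'NAME CODE' within the length limit.

    The business name is truncated if needed; the code never is, because a
    partial code cannot be verified.
    """
    if not code or any(ch not in CODE_ALPHABET for ch in code):
        raise ValueError("code must use CODE_ALPHABET characters only")
    # Keep ASCII letters, digits and spaces (assumed safe set), then
    # collapse any runs of spaces left behind by removed characters.
    kept = "".join(ch for ch in business_name.upper()
                   if ch.isascii() and (ch.isalnum() or ch == " "))
    name = " ".join(kept.split())
    room = MAX_DESCRIPTOR_LEN - len(code) - 1  # one space before the code
    if not name or room < 1:
        raise ValueError("no room left for a recognizable business name")
    return f"{name[:room].rstrip()} {code}"


def _normalize(text):
    """Uppercase and drop spaces or punctuation a customer may add."""
    return "".join(ch for ch in text.upper() if ch.isalnum())


def code_matches(expected, supplied):
    """Constant-time comparison of the stored code with the customer's reply."""
    return hmac.compare_digest(_normalize(expected).encode(),
                               _normalize(supplied).encode())


if __name__ == "__main__":
    code = new_code()
    print(build_descriptor("Example Antiques & Restoration Ltd.", code))
```

Store the code with the order record so that support staff compare against the stored value and never ask the customer to read out card details.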
Verify your customer's identity
For some, verifying the identity of customers can be beneficial. Asking your customers to connect their Facebook or LinkedIn accounts, for example, can serve as further proof of their identity. Connecting a social networking account doesn’t prove who a person is, but it’s an extra step that a fraudster might not take. Of course, some legitimate customers may not want to go through this additional process, and your conversion rate may suffer as a result.
Even with all these methods, it’s still possible for instances of fraud to occur. We provide detailed information about disputes and fraud so you can be as informed as possible as users are ultimately responsible for them.
It’s important that you regularly evaluate your strategies to make sure they’re effective and keep up with different ways fraudsters may try to commit fraud. Working together, Stripe’s tools and your vigilance can work best to avoid disputes and fraud.
Benchmarking your dispute rate
Your account’s dispute rate is an important metric to use when reviewing the efficiency of your disputes and fraud prevention methods. You should also consider it a tradeoff, estimating an acceptable percentage of disputes you’re willing to accept, compared to the revenue you might lose by blocking risky payments. A dispute rate of 0.3% may be acceptable if working to reduce it further would risk blocking a substantial amount of legitimate revenue.
For example, you may create rules that block payments from a certain country which prevents $100 of fraudulent payments—but also results in $2,000 of genuine payments also being blocked. In this case, the loss from disputes is much less significant than the revenue from legitimate customers that would be lost.
Your disputes and fraud prevention strategy should work to maximize your revenue while keeping your dispute rate as low as is acceptable.