Fraud Protection

    Learn how to minimize your exposure to fraudulent activity on your cards.

    Protect yourself against fraudulent transactions by understanding and following best practices in your Issuing integration.

    Early fraud detection

    When someone attempts a purchase with an issued card, Stripe inspects the authorization request and automatically blocks any that seem suspicious. If we decline the authorization attempt as a result of our fraud analysis, the reason field of the Authorization is set to suspected_fraud.

    "request_history": [
      {
        "approved": false,
        "authorized_amount": 199,
        "authorized_currency": "usd",
        "created": 1574104953,
        "currency": "usd",
        "held_amount": 199,
        "held_currency": "usd",
        "reason": "suspected_fraud"
      }
    ],

    Mitigate exposure with authorization controls

    Authorization requests may also be declined based on the Authorization Controls you’ve set on your cards and cardholders. You should implement a combination of spending limits and merchant category controls on your cards and cardholders to help limit your exposure in case fraud does occur.

    Check verification data

    If the authorization request has not been rejected for any of the reasons above, an issuing_authorization.request event is sent to your synchronous webhook, if you’ve configured it. At this point, your integration must verify that the authorization request looks legitimate.

    For e-commerce (card-not-present) authorizations, make sure to check the verification_data field of the Authorization object you receive:

    "verification_data": {
      "address_line1_check": "not_provided",
      "address_zip_check": "match",
      "authentication": "none",
      "cvc_check": "match"
    },

    Each address verification (AVS) and CVC check has one of the values match, mismatch, or not_provided. While a mismatch is usually a good reason to decline an authorization request, additional verification data may not be provided in all cases (including for legitimate transactions). As a result, not_provided on its own is not automatically a reason to decline a transaction.

    Field                  Description
    address_line1_check    The address associated with the cardholder of this card.
    address_zip_check      The zip code associated with the cardholder of this card.
    authentication         3D Secure authentication result, if set up (see below).
    cvc_check              CVC refers to the 3-digit code on the card.

    You can use the authorization_method field to determine the importance of verification_data for your decision (i.e., if the method is online or keyed_in). All of this information should be used to help you make a well-informed decision about whether to approve or decline an authorization request.
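
    The following is an added example, not Stripe's code: one way a webhook handler could weigh verification_data by authorization_method. The function name, the require_one_match knob, and the decline policy are assumptions; only the field names and values come from this page.

```python
# Added example: policy choices here are assumptions, not Stripe's rules.
CARD_NOT_PRESENT = {"online", "keyed_in"}   # methods named on this page
CHECKS = ("cvc_check", "address_line1_check", "address_zip_check")
KNOWN = {"match", "mismatch", "not_provided"}


def verification_verdict(authorization, require_one_match=True):
    """Return (ok, reasons). ok=False means verification_data argues for a decline.

    require_one_match is an assumed policy knob: when True, a card-not-present
    request in which every check is not_provided is treated as unverified.
    """
    method = authorization.get("authorization_method")
    data = authorization.get("verification_data") or {}
    if method not in CARD_NOT_PRESENT:
        # Other methods: verification_data carries less weight for the decision.
        return True, ["verification_data not decisive for method %r" % method]

    results = {name: data.get(name, "not_provided") for name in CHECKS}
    unknown = sorted(n for n, v in results.items() if v not in KNOWN)
    if unknown:
        # Fail closed on values this code does not understand.
        return False, ["unrecognised value for " + n for n in unknown]
    mismatches = [n for n in CHECKS if results[n] == "mismatch"]
    if mismatches:
        return False, [n + "=mismatch" for n in mismatches]
    matched = [n for n in CHECKS if results[n] == "match"]
    if require_one_match and not matched:
        return False, ["no check matched on a card-not-present request"]
    # A single not_provided next to matching checks is not a decline reason.
    return True, [n + "=match" for n in matched]


# Constructed sample: verification_data as shown on this page, method assumed.
SAMPLE = {
    "authorization_method": "online",
    "verification_data": {
        "address_line1_check": "not_provided",
        "address_zip_check": "match",
        "authentication": "none",
        "cvc_check": "match",
    },
}

if __name__ == "__main__":
    print(verification_verdict(SAMPLE))
```

    Log the returned reasons alongside the approve or decline decision so that declined authorizations can be reviewed later.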

    Set up authentication with 3D Secure

    3D Secure is an additional authentication step for online purchases, and typically involves an additional identity verification step using either the cardholder’s banking application or a one-time mobile password. For more information, learn how to set up 3D Secure on your cards.
