As a Stripe Issuing user you can be held liable for fraud losses and disputes from your cardholders. The payments ecosystem has three primary types of fraud:
- Business fraud: A person creates a fraudulent account (often with a stolen identity) to commit fraud.
- Account takeover (ATO) fraud: A legitimate account owner’s login is compromised by a third party and unauthorized actions are taken on their account.
- Transaction fraud: The unauthorized use of a payment card to fraudulently obtain money or property.
While business fraud and ATO fraud can occur in Issuing, transaction fraud often poses a greater risk. This guide focuses on transaction fraud and the tools available to help you combat it.
On Stripe Issuing, transaction fraud manifests itself as unauthorized charges on a Stripe-issued card. Transaction fraud can occur at any point in a cardholder’s lifecycle. Purchases at legitimate businesses are also subject to transaction fraud. An issued card can be compromised by:
- Physical theft
- Being lost by the cardholder
- Compromised credentials through tactics such as:
- Non-secure checkouts
- External breaches
Transaction fraud controls and tools
Take proactive measures to manage—and in some cases prevent—transaction fraud from occurring. The following are controls and tools that you can add to your Stripe Issuing program. Use as many controls and tools as possible to limit your program’s transaction fraud risk.
|3D Secure (3DS)||Reduces loss liability on certain transactions by introducing an additional layer of cardholder verification.||Cardholders experience an additional verification step for some transactions.|
|Spending controls||Sets rules on cards and cardholders to control spending.||Limited capability to apply a complex set of rules.|
|Real-time webhook||Approves or rejects an authorization decision in real-time based on all data available at the point of sale.||Requires integration into the Stripe webhook.|
|Network risk scores (default)||Automatically blocks high-risk transactions based on Visa or MasterCard’s risk score.||Some legitimate transactions might be declined.|
|SMS fraud alertsbeta||Confirms the authenticity of high-risk authorizations through SMS to the cardholder.||Requires a valid phone number for the cardholder.|
|Verification data||Declines authorizations when the CVV or expiration date don’t match on the authorization.||Custom configuration isn’t available.|
|Token Management||Allows you to suspend or deactivate digital wallet tokens associated with fraudulent activity.||Requires integration into the Tokens API.|
|Card management||Allows you to suspend or deactivate physical or virtual cards associated with fraudulent activity.||None|
|Disputes||You can file disputes on unauthorized transactions through the Stripe Dashboard or API.||Disputes might result in the cardholder recovering their funds or in a liability shift to the merchant.|
Proactive fraud protection controls
3D Secure (3DS) is an additional layer of authentication used by merchants to make sure an online purchase is from a legitimate cardholder. 3DS is used for online transactions and only works if the merchant requests it and you have it enabled for your Issuing program. The additional 3DS step occurs at checkout where the cardholder is shown an authentication page and is prompted to enter a verification code sent to their phone or email.
3DS also offers a frictionless flow that authenticates a transaction without showing the cardholder an authentication page. Cardholders are presented the frictionless flow if the merchant doesn’t consider the transaction risky based on factors such as:
- The value of the transaction
- If the customer is new or existing
- Device information
- Transaction history
If either you or the merchant aren’t enrolled in 3DS, or the transaction is authenticated through the 3DS frictionless flow, then the cardholder is directed to the purchase confirmation screen. Fraud liability can shift when 3DS is attempted or used to authenticate a transaction:
- Visa: If a merchant requests 3DS on a transaction, fraud liability automatically shifts to you (except in rare cases), regardless of whether the issuing user enables 3DS.
- Mastercard: Fraud liability shifts to the issuing user when 3DS is successfully completed (except in rare cases).
Enable 3DS to reduce fraud loss exposure on online transactions. Learn more about 3DS and how to enable it.
Spending controls can block merchant categories (for example, bakeries) or set spending limits such as 100 USD per authorization or 3000 USD per month. Spending controls can apply to either a card or a cardholder. The controls are particularly effective when a card or cardholder has an expected spending pattern. Stripe recommends implementing a combination of spending limits and merchant category controls on your cards and cardholders to help limit your exposure in case an unauthorized use is attempted. Learn more about spending controls and how to configure them.
Real-time fraud protection controls
You can approve or decline authorization requests in real-time based on the data available to you at the point of authorization. This gives you granular control over authorization outcomes and enables you to implement your own fraud-prevention logic. Use Stripe’s real-time webhook to target a specific fraud pattern while minimizing the impact on other spending behaviors. For example, you can use authorization data on the location of the authorization to block specific geographies, currencies, and merchants. Learn more about the real-time webhook and how it works.
Network risk scores
Stripe Issuing has default fraud protection methods on transactions, which includes automatically blocking authorizations that look suspicious using Visa’s Advanced Authorization (VAA) or Mastercard’s Decision Intelligence Score. If you want us to expose this score to you, contact firstname.lastname@example.org.
SMS fraud alertsbeta
When an authorization is declined due to a high-risk score, you can send your cardholder an SMS prompt to verify if they attempted the authorization themselves or if the activity was unauthorized. No fraud alert is sent if a transaction is 3DS authenticated. Learn more about SMS fraud alerts.
For any authorization that occurs on a Stripe Issuing card, we compare the CVV2 (or security code) and card expiration date entered at checkout with the values on file for the card. If either of these elements don’t match, Stripe rejects the authorization on your behalf and exposes any potential mismatch details through the API. Read more about the verifications we perform.
Post-fraud transaction tools
Manage digital wallet tokens through the API to quickly shut down digital wallet cards that have been associated with fraudulent activity. Read more about enabling token management and the API.
If you or your cardholder suspect unauthorized activity, you can temporarily deactivate a card with the Dashboard or API to block further unauthorized use while you investigate. If the activity was authorized, you can preserve the card’s credentials and reactivate it. Whenever you confirm unauthorized use, immediately cancel the card. Read additional details on card management and how to use the API.
When fraudulent transactions occur, you can file disputes with Visa or Mastercard through the Dashboard or API for those transactions with the reason Fraudulent. In some cases, depending on what verification is conducted at the point of sale, the merchant might be liable for the fraudulent transaction. Read more about handling disputes.
Educate your cardholders
Educate your cardholders about how to can keep their card information safe. Teach them to pay close attention to the activity on their accounts to increase the likelihood of them—and you—catching compromised activity early. Make your cardholders aware of the following preventative measures:
- Check for card skimmers in physical stores: Verify no cameras or skimming equipment are present on the payment terminal. Check for anything inserted in or attached to the card reader, ports, display, or keypad.
- Transact at trustworthy merchants: Only provide your card information to merchants that you are familiar with and trust.
- Cancel a card as soon as it’s lost or stolen: Take immediate action to prevent unauthorized use before a bad actor is able to obtain your card credentials. To continue spending, create a new card after canceling the lost or stolen one.
The following are metrics we recommend monitoring to help identify and measure fraud on your Issuing-enabled accounts.
- Authorization declines due to incorrect verification data (CVC2, expiry date), over time.
- Authorization rate, over time.
- Authorizations outside of geographic footprint, over time.
- Authorizations by acquiring merchant country, over time.
- Authorizations by merchant category code, over time.
- Force captures, over time.
- Percentage of total spend that has been disputed for fraud, over time.
- Dispute win-loss rate, over time.
- Absolute dispute losses, over time.
- Acquiring merchants with the highest percentage of transactions disputed.