Opayo provides several fraud-prevention controls that can be applied to transactions processed through your account. These include:
Address Verification Service checks
Postcode verification
CV2 security-code verification
3D Secure authentication for eligible ecommerce payments
Opayo fraud-screening risk scores
Before processing live payments, review and configure the fraud settings to match your business requirements.
AVS and CV2 checks compare the information entered during payment with information held by the card issuer.
AVS checks the numerical parts of the cardholder’s billing address and postcode. CV2 checks the three- or four-digit security code supplied with the card.
To configure these controls:
Sign in to the Opayo administration portal as an administrative user.
Select Settings.
Select AVS/CV2.
Confirm that AVS/CV2 checking is enabled.
Select Add Rule.
Enter the minimum and maximum transaction values to which the rule should apply.
Select which AVS and CV2 outcomes you are prepared to accept.
Save the rule.
Rules can be created for different transaction-value ranges. For example, you may apply stricter checks to higher-value payments.
Available rule options may include accepting a transaction when:
The card issuer does not support the check.
The address matches but the CV2 does not match.
The CV2 matches but the address does not match.
Neither the address nor CV2 matches.
Allowing transactions where information does not match increases the risk of fraud. Your rules should reflect your organisation’s risk policy and chargeback exposure.
3D Secure provides additional cardholder authentication for ecommerce payments. It is not normally used for Mail Order or Telephone Order payments where the customer is not completing an online authentication process.
To configure 3D Secure rules:
Sign in to the Opayo administration portal as an administrative user.
Select Settings.
Select 3D Secure.
Confirm that 3D Secure is enabled for your ecommerce payment services.
Select Add Rule.
Enter the transaction-value range for the rule.
Select the authentication outcomes that will be accepted.
Save the rule.
Options may include:
Requiring 3D Secure authentication.
Allowing cards that are not enrolled in 3D Secure.
Allowing transactions where an authentication service error occurs.
Allowing cards from issuers that do not support 3D Secure.
Allowing a failed 3D Secure result to continue to authorisation.
Failed or unavailable authentication should only be accepted where this is consistent with your agreed fraud policy.
Fraud rules are not copied automatically between the Opayo Test and Live environments.
Any AVS/CV2 or 3D Secure rule created in Test must be created again separately in Live. Before going live, compare the rules in both environments and confirm that the Live account contains the required configuration.
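The comparison described above can be scripted once the rules from each environment have been written down. The following is an added example, not Opayo code or an Opayo export format: the `Rule` layout, the outcome labels and the sample values are assumptions, transcribed by hand from the portal screens.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    """One AVS/CV2 or 3D Secure rule, transcribed by hand (hypothetical layout)."""
    min_value: int        # lowest transaction value covered, in pence
    max_value: int        # highest transaction value covered, in pence (inclusive)
    accepted: frozenset   # outcome labels the rule accepts (labels are assumptions)

def coverage_gaps(rules, floor, ceiling):
    """Return inclusive (start, end) value ranges in [floor, ceiling] that no rule covers."""
    gaps, cursor = [], floor            # cursor = lowest value not yet covered
    for rule in sorted(rules, key=lambda r: r.min_value):
        if cursor > ceiling:
            break
        if rule.min_value > cursor:
            gaps.append((cursor, min(rule.min_value - 1, ceiling)))
        cursor = max(cursor, rule.max_value + 1)
    if cursor <= ceiling:
        gaps.append((cursor, ceiling))
    return gaps

def diff_environments(test_rules, live_rules):
    """Return (Test rules with no Live rule for the same range,
    Live rules that accept outcomes the matching Test rule rejects)."""
    live_by_range = {(r.min_value, r.max_value): r for r in live_rules}
    missing, looser = [], []
    for test_rule in test_rules:
        live_rule = live_by_range.get((test_rule.min_value, test_rule.max_value))
        if live_rule is None:
            missing.append(test_rule)
        elif live_rule.accepted - test_rule.accepted:
            looser.append((live_rule, sorted(live_rule.accepted - test_rule.accepted)))
    return missing, looser

# Constructed sample data: Live lacks the high-value rule and accepts one extra outcome.
TEST_RULES = [
    Rule(0, 9_999, frozenset({"issuer_unsupported", "cv2_match_address_mismatch"})),
    Rule(10_000, 500_000, frozenset({"issuer_unsupported"})),
]
LIVE_RULES = [
    Rule(0, 9_999, frozenset({"issuer_unsupported", "cv2_match_address_mismatch", "no_match"})),
]

if __name__ == "__main__":
    missing, looser = diff_environments(TEST_RULES, LIVE_RULES)
    print("Missing from Live:", missing)
    print("Looser in Live:", looser)
    print("Uncovered Live value ranges:", coverage_gaps(LIVE_RULES, 0, 500_000))
```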
Opayo’s standard enhanced fraud-screening service assigns a risk score to live transactions. The score may consider:
Transaction value and frequency.
Previous declined attempts.
Billing and delivery information.
Email and IP address activity.
AVS and CV2 history.
Unusual customer or transaction behaviour.
Fraud-screening scores are advisory. They do not automatically stop a transaction and do not guarantee that a payment is genuine.
Low-risk transactions may normally proceed without further investigation. High-risk transactions should be reviewed before goods or services are supplied. This may include contacting the customer, checking proof of address or reviewing the fraud rules triggered by the transaction.
Where necessary, an authorised user can void the transaction before settlement or issue a refund after the transaction has settled.
Confirm that:
AVS and CV2 checking is enabled.
Appropriate rules exist for each relevant transaction-value range.
Live rules have been configured separately from Test rules.
3D Secure is enabled for applicable ecommerce payments.
Staff know how to review fraud results and high-risk transactions.
Your transaction-registration request does not override the account settings.
Fraud controls are reviewed regularly as transaction patterns and fraud risks change.
An authorisation only confirms that the card issuer has approved the payment request. It does not confirm that the person making the payment is the legitimate cardholder.