It’s no secret that the eCommerce and SaaS industry is booming. There are more online shops than ever before and thousands of new businesses pop up each day. New services and product offerings all around the world try to sell us something every minute of the day. In the last 10 years our shopping behavior has changed dramatically and today we tend to buy almost everything online: pizza, Nike shoes, the latest Xbox, small business CRM, accounting software, and even the new Tesla Model S.
You can launch your WooCommerce shop in less than an hour and all you need is a domain, a theme, a few plugins, and a payment processor. It’s also easier than ever to start your SaaS business, sell your service, capture recurring revenue and bootstrap it to the next level!
eCommerce shop owners and digital product providers would like a slice of the cake, but as these industries continue to grow, so do incidents of eCommerce/SaaS credit card fraud. If you’re a business owner you’re probably familiar with this situation and are always looking for new ways to reduce the number of fraudulent transactions, and better yet, prevent them as much as possible.
Just to make sure we are on the same page, here is a brief description of online payments fraud:
Online payments fraud involves an individual obtaining someone else’s credit card number and using it to make unauthorized online purchases. The individual might buy an item (or buy a digital product) and later resell it online for a fraction of the real price. The original cardholder (at some point) will discover this unauthorized transaction and initiate a dispute (chargeback) with their bank.
It’s frustrating, isn’t it? I know how you feel. Fraudulent transactions cause your business constant headaches and, more importantly, cost you a lot of money. If you’re using Stripe as your online payment processor, then this post is for you. 😄
I’ll show you how Stripe Radar can make your life easier! Thanks to this machine learning-based solution we were able to reduce credit card fraud by 98% at Kinsta. We no longer have to spend time reviewing disputed charges and suspicious signups. And believe me, that’s a pretty good feeling! Let’s dive into the details.
Trends in eCommerce and Digital Fraud
It’s not surprising, but the volume of digital fraud is rapidly increasing. Today we’ll use some of the numbers from the survey conducted by PYMNTS and Forter in 2016. You can download the full study from this link. Here are some of the most interesting findings:
- In Q4 2015, there were 27 fraud attempts for every 1,000 transactions.
- In Q1 2016, some $4.79 out of every $100 in transactions was at risk (in Q1 2015, it was “only” $1.89).
- Fraud attack rate more than quadrupled for digital goods between Q1 and Q4.
- Fraud attack rate almost doubled for luxury goods between Q1 and Q4.
- $7.77 out of every $100 is at risk for digital goods.
According to the LexisNexis’ study, annual fraud costs for US retailers reached $32 billion in 2014. Retailers lost an estimated 1.3% of revenue in 2015, more than double the rate of 2014. Ouch, 😧 that’s a lot of money. Below you can see the volume of attacks per 1,000 transactions in 2015.
The most affected industries are digital goods, clothing, electronics, food, and luxury. We can see that these are serious numbers and we’re talking about a lot of lost revenue when it comes to online payments fraud.
Why You Need to Prevent Credit Card Fraud and Why It’s Bad for Your Business
I’m sure you know the answer but let me summarize for you the real consequences of online fraud and how it impacts your business.
First, it doesn’t let you focus on your business. If your online store or SaaS (software as a service) has a high number of sales or sign-ups you’ll have to spend a lot of time dealing with fraudulent transactions, purchases, and disputed charges. You’re running a business and you cannot afford to spend your entire day dealing with these types of problems. You have to figure out how to automate the handling and prevent fraud before it happens.
Second, it can be devastating when one day you wake up and notice you’re out of business because your payment processor suspended your account. 😭 Trust me, I know what I’m talking about. In the early days of our business, our payment processor closed our account because of some fraudulent transactions and we were suddenly at a standstill. We weren’t able to collect our revenue or get new customers to sign up for our service. Yeah, it sucked, but thank God it was resolved quickly. However, that’s not always the case. You can read the full horrifying story here.
Third and most importantly, chargebacks are extremely expensive. eCommerce lost nearly $7 billion to chargebacks in 2016. By 2020, eCommerce chargeback losses are expected to balloon to $31 billion. Here are what chargebacks can cost you with some of the popular payment processors:
- PayPal charges $20 for each chargeback.
- Stripe charges $15 for each chargeback (AKA dispute fee).
- Depending on the bank, a chargeback could cost anywhere between $15 and $75. It adds up fast.
Look at the calculation below and see just how much a single chargeback can hurt your business and profitability. When a business is being targeted by individuals committing fraud, these costs can add up and have a significant impact on your business’s financials!
If you want to use your own numbers you can play with the calculator here. All right, that’s enough for the introduction, let’s dive into how Stripe Radar works and how you can use it to reduce the risk of fraudulent purchases.
What is Stripe Radar? How Can it Help?
In the last few years, Stripe has become one of the most trusted and well-known online payment processors. Two Irish entrepreneurs, John and Patrick Collison, founded Stripe in 2010, and since then the company’s growth has been exponential, placing it only behind PayPal in terms of revenue and market share.
Powering more than 100,000 businesses and handling $50 billion in commerce annually, Stripe’s 900+ talented employees are a guarantee that your business is in good hands.
Right now Stripe is in our opinion the best solution for both private individuals and businesses to accept payments online and in mobile apps. Implementing Stripe in your online store is super easy, working with their code is like a dream (if a PayPal executive is reading this please learn from these guys on how to make your platform usable…), and they have the most developer-friendly solution.
Radar is a Stripe product which was originally launched back in October 2016. I was super excited and happy that Kinsta was among the beta users, and we were able to test and experiment with this tool to see its full potential. We even provided feedback and suggestions to help improve the platform further.
Radar is a tool which helps you to prevent fraudulent payments and reduce credit card fraud, with the option to manually review suspicious payments. These suspicious payments are automatically flagged for review either by Radar’s machine learning system or when they trigger a custom rule you previously configured.
Earlier this year, Radar 2.0 was launched, and it comes with even more features and improved machine learning models to catch additional fraudulent activity.
Radar’s machine learning system is getting smarter day by day, thanks to the thousands of users who are configuring their custom rules and manually blocking suspicious payments. Radar is not perfect, as I still occasionally see an obvious fraud sign up which wasn’t blocked automatically by the system. But I’d like to emphasize that Radar makes our life so much easier that I can’t thank them enough. Now let’s dive into Radar’s features and custom rules!
Custom Rules in Stripe Radar
I won’t go into all the technical details of how Radar works, as I don’t know all the fine details either, other than that it is based on machine learning. Stripe handles tens of millions of transactions each day, which gives it an incredibly large pool of data: every payment passing through their systems is analyzed by models looking for patterns, scored, and marked as safe or suspicious. Radar scans every payment to help identify and prevent fraud. But these models have to be fed new actions and information to keep getting smarter, and that is where Stripe’s large user base comes into play.
How and Why You Should Manually Review Transactions
Each time we manually review a transaction and take some type of action, we help train Stripe’s machine learning algorithm to become more sophisticated. When you review a flagged payment, the details attached to it (card country, IP country, email address, cardholder name) will usually show you clearly whether that specific purchase or signup was fraudulent.
Based on a higher number of manual reviews you should be able to easily spot a pattern. Chances are good that you can then set up a custom rule so that the algorithm will identify and block these types of transactions going forward.
Fewer fraudulent transactions mean fewer chargebacks and more money in your pocket.
Spotting Fraudulent Activity
So what can you do to quickly spot fraudulent activity? Well, let’s take a look at this screenshot below.
Here’s what we see. A guy called Ranji from Nepal tried to sign up for a service with a card issued in Austria (The distance from Nepal to Austria is only 6,089 km). This is already slightly suspicious, but when you see that the cardholder’s name is not Ranji but Caroline, now you can be 99.9% sure that this is fraudulent activity and should be blocked, as well as reported. The good news is that Stripe catches these activities with a pretty good success rate and they rarely result in actual purchases. But sometimes it still happens and if you notice you get a lot of strange activity like this you can always configure a custom rule.
Configuring Custom Rule in Stripe Radar
The complete list of Radar rule references with detailed explanations can be found here. To create a rule, select “Radar” on the left and choose “Rules.”
Select the “When should a payment be blocked?” section, scroll down and click “Add Rule.”
After that, you will see this popup called “Add a rule for blocking payments”.
This is where we will add our first custom rule. So what we would like to achieve is to block all payments where the location of the user doesn’t equal the original location of the credit card. Note: sometimes it could still be a legitimate purchase, but honestly it’s a bit far from reality that an Austrian user during her Nepal holiday would buy a SaaS service (not to mention the names didn’t match).
Let’s say the individual from Nepal constantly tries to make a purchase. All you need to do is find the two-letter ISO 3166-1 country codes (here is a complete list) and add the following rule to Radar:
:card_country: = 'AT' AND :ip_country: = 'NP'
What exactly does this rule do? From now on, Stripe will block all transactions when someone with a Nepalese IP address tries to make a purchase with a credit card issued in Austria. Here are a few more examples:
If you would like to block payments made from the UK with a French credit card, this is the rule you would add:
:card_country: = 'FR' AND :ip_country: = 'GB'
Or, if someone tried to purchase your product with an Italian card but the attempt did not come from an Italian IP address, this is the rule you would add:
:card_country: = 'IT' AND :ip_country: != 'IT'
As you can see, any combination of these attributes can be expressed as a rule.
If you click on the “Test Rule” button, Radar replays the rule against your transaction history and shows which past payments it would have matched. If you see a lot of recent payment attempts that you already know were legitimate purchases (let’s say you recognize the customers), you probably shouldn’t activate the rule as it will block valid transactions. If there are no matches, or you only see fraudulent attempts, click “Add and Enable” and that’s it. You can easily edit, delete, or disable rules anytime.
Block Disposable Emails in Stripe Radar
Now on to the next useful rule. Fraudulent users love to use disposable email addresses. There are a lot of providers out there where you can buy email addresses or even create them in bulk. The good news is that you can entirely block these email domains by adding a simple rule to Radar. Let’s say the email provider is shadyemail.com. This is the rule you will need to add:
:email_domain: = 'shadyemail.com'
Test the rule and then enable it. The result? No one will be able to make any purchases with this domain (email addresses on the domain).
Block IP Addresses in Stripe Radar
If you notice that you get a lot of fraudulent signups from a specific IP address you can also add this to Radar. It’s useful to add it even after the fraudulent purchase, because this way you can make sure Radar will block it in the future. If you’ve tracked down the IP address (you can find it in Stripe if you select the specific payment and check the associated logs), all you need to do is add the following rule (the address below is a placeholder from the documentation range, replace it with the real one):
:ip_address: = '203.0.113.45'
Test the rule and enable it.
More Useful Stripe Radar Rules
Let’s say you don’t ship your product to a specific country or you don’t want to provide a digital service for customers based in that country. Perhaps you have a lot of fraudulent signups from this country and you would like to simply block them. For this example, we are using Morocco (sorry guys). Below is the rule you would need to add:
:ip_country: = 'MA'
This will block all attempts made from any IP addresses based in Morocco.
Another useful rule is to manage the declines and failed payment attempts made by the same customer or from the same IP address in a short period of time. Legitimate customers shouldn’t need 6 attempts to make a purchase as they usually know their card details and have enough funds to cover it.
If the credit card being used is stolen, the person often doesn’t know all the details, and therefore keeps trying to sign up or make the purchase with slightly different details. In the example below the individual used seven different credit cards within a 15 minute period. Seems legitimate, right?
I’m sure they would have tried more but they probably ran out of credit cards. 💳 And there was a chance that the next card would have worked! That’s why you should limit the declines. Here are just a few different attributes you can use to limit them:
- declines_per_card_number_daily
- declines_per_card_number_hourly
- declines_per_customer_daily
- declines_per_customer_hourly
- declines_per_ip_address_daily
- declines_per_ip_address_hourly
For example, let’s say we want to block further attempts once a customer has tried to make a purchase five times during a 60 minute period and each transaction was declined by the bank. A fraudulent user wouldn’t be able to make the sixth attempt. A legitimate customer for whom five attempts somehow weren’t enough could always call their bank for help. Below is the rule you would add:
:declines_per_customer_hourly: = 5
Note that an equality rule matches only while the counter is exactly five; a greater-than-or-equal comparison keeps matching after more declines have accumulated, so it is the safer choice if you want to be sure later attempts stay blocked.
You can also limit the number of times a card is charged in the past hour, whether or not those attempts were declined, by using the following attribute in the same way:
:charge_attempts_per_card_number_hourly:
Again, the complete list of rules can be found here.
Some Golden Rules and Suggestions
- Always ask for a CVC check. It’s a no-brainer. If you don’t do this you’ll have a really hard time managing chargebacks and fraud purchases.
- Review your transactions on a regular basis. Even if you just spend one hour each month checking them and reviewing your transactions you will gain some invaluable insights!
- Keep up with the latest Stripe Radar features. The team at Stripe can help make your daily life so much easier. All you need to do is to enable a few awesome features and you will have already saved a ton of money and time for your business.
- Find a balance. It’s better to block one legitimate customer than allow 10 fraudulent signups or purchases. You can always review your existing rules, make edits, and test them again. Don’t be afraid to use them. I spend a ton of my time writing, editing, disabling, and testing rules. I’ve also made some mistakes, but at the end of the day, I can say it was definitely worth the effort. It’s a learning curve, but once you get familiar with the basics and how it works, the whole review process can be even fun!
Final Thoughts
As a Stripe customer, I remember the early days when I tried to figure out how to reduce the number of fraudulent attempts and signups. I spent countless hours reviewing every single malicious transaction trying to find patterns. Now it’s as easy as adding a custom rule to Radar to prevent future attempts.
I’m confident to say that Stripe’s algorithm has been improved a lot, even within the last few months. They are doing an awesome job with Stripe Radar 2.0. Compared to the early years, I can say that our volume of fraudulent transactions has been reduced by 98% by simply enabling a few custom rules and letting their algorithm do its job. Even without my custom rules, Stripe is now able to block most of the fraudulent attempts. But it’s better to play it safe and enable a few tested rules.
I highly recommend you use Stripe and all the features Radar has to offer. If you’re a current Stripe user, I would love to hear your thoughts. How do you use Radar, what custom rules have you enabled, and what has been your experience so far?
Last, but not least, if you found this guide helpful please share it with your friends and followers!
Great article guys. I’ve been hit with this lately however stripe Radar is not available with all users.
I sent them an email to ask for it so it is something to be aware of.
Hey Matt, you should be able to activate Radar 2.0. See details at the bottom of the article here: https://stripe.com/blog/radar-2018 I think they are still rolling out the new features to some accounts. I’m sure you’ll hear back from them.
We had Stripe for a while and quite frankly they approved most everything and even those that were blatantly fraudulent. Our own fraud evaluation fortunately stopped us from shipping product, but we still had the chargeback fees.
Stripe was getting paid a fee regardless.
We switched to PayPal Braintree, where the approval process seems to be more finely tuned to identify fraud.
Hi Terry, I’m sorry to hear that you had troubles and I’m a bit surprised. Did you contact support and ask about these approved transactions? Stripe support is very proactive and they always get back to me within 24 hours.
Braintree is another popular and well-known provider I’m glad to hear it works for you!
As a user I personally find this very annoying. I work in Australia but have a Canadian credit card. More and more I am being blocked from making transactions because I am trying to use my card from another country. Using a VPN does not help. At that point I am stuck using PayPal to pay. And I strongly dislike PayPal. So as much as I get that they are trying to stop credit card fraud, and I appreciate that… sometimes those payments are legit and it makes it difficult for that person to do business.
Hey CE,
Sorry to hear that. We can see how that would be frustrating. It sounds like you fall into that 2%. But unfortunately, without these rules in place, the amount of time spent manually going through fraudulent credit card transactions would be really high. We know this from first-hand experience from manually having to process these before Stripe’s more automated system was in place.
We have added a cancel-order endpoint in our webhook and used the Review Opened event, so that if any transaction enters review, that order will be cancelled.
We successfully tested this using test data.
But for live data, currently Review is disabled (Radar –> Review).
Could you share how to enable Review for live data?
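Acting on the review.opened event from a webhook, as the comment above describes, is only safe if the endpoint first proves the delivery came from Stripe; otherwise anyone who can POST to the URL can cancel orders. The Python below is an added example, not the commenter’s code or Stripe’s SDK (the SDK’s stripe.Webhook.construct_event performs the same check): it verifies the Stripe-Signature header (t=<unix timestamp>,v1=<hex HMAC-SHA256 of “<timestamp>.<raw body>” under the endpoint’s signing secret), rejects stale deliveries, and only then cancels the order. The endpoint secret, the order store, the charge id and the event payload are constructed for the example.

```python
"""Verify a Stripe webhook delivery before cancelling an order on review.opened (added example)."""
import hashlib
import hmac
import json
import time

ENDPOINT_SECRET = "whsec_constructed_example_secret"  # assumption: this endpoint's signing secret
TOLERANCE_SECONDS = 300  # reject deliveries whose timestamp is older than five minutes (replays)


class InvalidSignature(Exception):
    pass


def parse_signature_header(header):
    """'t=1600000000,v1=abc...,v1=def...' -> (timestamp, [signatures]); several v1 values may appear."""
    timestamp, signatures = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise InvalidSignature("malformed Stripe-Signature header")
    return timestamp, signatures


def expected_signature(payload: bytes, secret: str, timestamp: int) -> str:
    signed = b"%d." % timestamp + payload  # the signed payload is "<t>.<raw body>", never re-serialised JSON
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify(payload: bytes, header: str, secret: str, now=None):
    """Return the parsed event or raise InvalidSignature; nothing in the body is trusted before this."""
    now = time.time() if now is None else now
    timestamp, signatures = parse_signature_header(header)
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        raise InvalidSignature("timestamp outside tolerance")
    expected = expected_signature(payload, secret, timestamp)
    if not any(hmac.compare_digest(expected, s) for s in signatures):  # constant-time compare
        raise InvalidSignature("signature mismatch")
    return json.loads(payload)


def handle_event(event, orders):
    """Cancel the paid order behind the charge Radar just placed in review; return its charge id."""
    if event.get("type") != "review.opened":
        return None
    review = event["data"]["object"]
    charge = review.get("charge")
    if review.get("open") and orders.get(charge) == "paid":
        orders[charge] = "cancelled"
        return charge
    return None


def sign(payload: bytes, secret: str, timestamp: int) -> str:
    """Build a header the way Stripe does; used here only to construct the sample deliveries."""
    return f"t={timestamp},v1={expected_signature(payload, secret, timestamp)}"


def demo(now=1_600_000_000):
    event = {  # constructed review.opened payload with the fields the handler relies on
        "id": "evt_constructed", "type": "review.opened",
        "data": {"object": {"id": "prvw_constructed", "object": "review",
                            "charge": "ch_constructed_1", "open": True, "reason": "rule"}},
    }
    body = json.dumps(event, separators=(",", ":")).encode()
    orders = {"ch_constructed_1": "paid"}
    genuine = handle_event(verify(body, sign(body, ENDPOINT_SECRET, now), ENDPOINT_SECRET, now), orders)
    outcomes = {}
    for label, header, received_at in (
        ("forged", sign(body, "wrong-secret", now), now),            # attacker without the secret
        ("replayed", sign(body, ENDPOINT_SECRET, now), now + 3600),  # genuine header, an hour later
    ):
        try:
            verify(body, header, ENDPOINT_SECRET, received_at)
            outcomes[label] = "accepted"
        except InvalidSignature:
            outcomes[label] = "rejected"
    return genuine, outcomes, orders["ch_constructed_1"]


if __name__ == "__main__":
    print(demo())
```

The genuine delivery cancels the order; the forged and replayed ones are rejected before handle_event ever runs. Keep the raw request bytes for the HMAC, because parsing and re-serialising the JSON changes them, and treat a review.closed event the same way, since a forged one could be used to release a hold.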
Hi Vishal,
I’d advise you to open a support ticket with Stripe and ask them to take a look at your account. I’m sure they will help you out!
I want to ask: does it check credit card details while saving them for future use?
Yes Stripe keeps a record of the cards in the system and as soon as they see a weird activity they block payment attempts to protect the customer and businesses. It’s pretty smart and the huge pool of data improves the system day by day.
The company I work for was struggling with CC fraud and stolen PayPal accounts as much as everyone. What we ended up doing was setting up a customer screening system (even before they get a chance to enter any payment details), an integral part of which is FraudLabs Pro.
They allow you to filter customers by their own risk assessment score, client contact details and, most importantly IP. On the last point – we blocked all purchases made from known Proxy IP addresses and IP ranges assigned to data centers, as well as blacklisted private IPs. So essentially people who hide their actual location/IP can’t purchase anything.
This does create some concern for genuine, security-minded folk, but it cut our fraud cases down by over 90%. Despite the lost sales (potential or actual), this change saved us from dealing with bank and paypal chargeback fees and overall increased our revenue.
Also, using a public, community driven fraud database, such as FraudRecord is one way how to protect yourselves from fraud and service abuse. I sincerely wish more companies would employ it (and employ it responsibly).
We used Stripe for a while and the chargeback rate was horrendous. We have used Worldpay for years on another website (same product) and have had 3 chargebacks in that time and we don’t have to spend time going through more software to judge fraud.
I would rather use a more expensive gateway and not have to worry about every transaction being fraudulent; it seems a false economy to do otherwise.
Just my thoughts!
Hi Graham,
Stripe in June launched a Chargeback Protection feature to insulate businesses from the cost of fraudulent disputes. For a small fee of 0.4% per transaction, you don’t need to worry about disputes and chargebacks anymore!
I think these are decent starter rules, but for 2021 they are outdated. You lose way too many sales with these all enabled. Also, with 3DS2 and PSD2 regulations you should really target 3DS for EU countries first. In the USA it kills conversions. At least for me, my customers are privacy concerned, so using a VPN is not something to block. Most chargebacks I have are from normal IPs. These static rules are kind of old school, I think, so we moved to a more dynamic system. Instead of blocking transactions you can put them in review using a tool like Trust Swiftly; this helps reduce false positives and also prevents repeat fraudsters. You can make sure they have a real phone or do a 3DS charge after the original sale. I think people have kept rules like this for too long. We actually disable CVC verification too for certain orders. Most people I saw were fat-fingering the CVC and were good. Amazon is able to get away with no CVC code, but it’s something you should be careful with and have other controls in place.
Hi Ryan, thanks for the feedback and for the information. For us, these rules work great and we make CVC mandatory, we simply can’t disable it, we have seen so many things during the years… Of course, it depends on the type of your business, on your niche, and your industry so everyone should test and see what works or not. So far, Stripe+Radar is a great combination.