ShopperDNA links clustered transactions to identify a profile of a shopper even as they change devices, networks, and identities. This profile is dynamic and changes based on real-time data. Configure ShopperDNA Risk rules to flag fraudulent behavior or transaction velocity, even when fraudsters try to avoid detection. ShopperDNA provides another way to track users, in addition to other methods like shopper reference, or name. Each shopper identifier (also known as linkable attribute), such as an IP address, is continually assessed for its uniqueness, and this affects the weight it gives to any given transaction connection.
If a shopper abandons the transaction after redirecting to a payment method or 3D Secure, this is counted as an attempt and adds to the count. These abandoned attempts are not listed in your payments.
- Determines all transactions that share identifiers with the parent transaction.
- Tracks the strength of those identifiers based on uniqueness and other data.
- Links transactions that meet a dynamic confidence threshold to the same shopper entity.
An identifier being shared between two shoppers might not link the two. For example, a shared IP address might indicate the same shopper, but could equally be two shoppers using the same office network.
The figure above shows a network of transactions generated by the same shopper. Transactions are shown as squares and identifiers are shown as circles.
The figure above shows an email address that has utilized different credit cards for many transactions
The Oil Splash visualization provides:
- A breakdown of distinct email addresses, credit card numbers, and IP addresses for a shopper.
- The ability to trace an attribute to the various transactions that used it. Click the attribute to view the transactions.
- A breakdown of payment statuses - refused, disputed, or authorised - for each attribute type.
- A table of all transactions in the oil splash, with customizable columns to see payment data.
Authorised transaction amount velocity
Triggers when the total amount a shopper spends exceeds a limit in a given time period. Determine what you expect good customers to spend in a given period, and use this to spot fraudulent transactions, often of significantly higher value. You can set multiple amount limits with different scores.
The amount of the assessed payment is included in the rule. Contact Support Team to turn on this risk rule for recurring payments.
Different countries used by shopper more than X times within X days
Triggers when the shopper makes payments from a number of countries in a given time period. Fraudsters use proxies to mask their location. They attempt payment with a card issued in a different location to the proxy. Establish a limit for both the number of countries and the timeframe allowed. The default is 2 times over 30 days.
The risk fires on the transaction after the set limit. So, if you set a limit of 2 in 30 days, it fires on the 3rd country recorded in that 30 days.
Fraud refusals exceed X times within X days
Triggers when the number of refused payments exceedes a limit in a given time period. Many refusals in a row can indicate a fraud attack is being detected by RevenueProtect.
This rule uses RevenueProtect data, but not issuer data. To include issuer data, see Shopper Consecutive Refusals. If you set a threshold of 3 refusals in 7 days, this rule is triggered on the 4th consecutive refusal.
High amount velocity
Triggers if a shopper makes more than the specified number of high-value transactions in a given time period.
Issuer blocked (previous) card used by shopper
Triggers when an issuer responds that they have previously blocked a shopper's card. Blocked card refusals often indicate fraud.
Multiple distinct IP addresses used by shopper more than X times within X minutes/hours/days
Triggers when a shopper uses a number of distinct IP addresses in a given time period. Fraudsters use proxies that switch between IP addresses to hide their identity. This rule identifies these profiles. The default is 2 times over 3 days.
Adyen dynamically determines if an IP address is a shared IP address and does not include these in the rule calculation. This is to reduce the effect that using networks , such as Wi-Fi hotspots have on good users' scores. The shared IP address rule allows you to flag the use of these shared IP addresses if needed.
Multiple distinct cards/bank accounts used by shopper more than X times within X minutes/hours/days
Triggers when the shopper uses a number of different payment methods in a given time period. Fraudsters often use as many compromised payment methods as possible. The default is 2 times over 30 days.
Configure this rule based on your own business model. For some markets, using multiple payment methods may be normal, for example in the United States it is common to have 3 or more credit cards.
Multiple distinct delivery addresses used by shopper more than X times within X minutes/hours/days
Triggers when a shopper uses a number of different delivery addresses in a given time period. Fraudsters often use multiple delivery addresses to commit fraud.
Multiple distinct email addresses used by shopper more than X times within X minutes/hours/days
Triggers when a shopper uses a number of different email addresses in a given time period. Fraudsters often cycle through lists of email addresses to appear legitimate. This rule identifies these profiles. The default is 3 times over 3 days.
Multiple distinct shopper references used by shopper more than X times within X minutes/hours/days
Triggers when the shopper uses a number of different shopper references in a given time period. The default is 2 times over 30 days. The shopper reference is a unique identifier for a shopper that a merchant provides in the payment request. This is usually the User ID. Fraudsters use multiple accounts to appear like separate, and legitimate users. This rule identifies these profiles.
For this risk rule to work properly, it is imperative that merchant's ensure that there is parity between their internal reference numbers/ID associated with a unique user and what they are passing to Adyen via the
Shopper authorized velocity exceeds X times within X minutes/hours/days
Triggers when a shopper makes a number of authorisations in a given time period. The default is 3 times over 7 days.
Fraudsters attempt many payments in a short time period. While refusal velocity is a stronger signal of fraud, it can be useful to track users who are successfully authorising a high volume of payments. This can indicate a fraud attack that is being undetected by the Issuing banks.
The number of expected authorisations varies based on your business model and vertical. For example, airlines can expect significantly less velocity than businesses based on micro-transactions.
Shopper automated referral
Triggers if a shopper has used more than a certain number of cards or bank account numbers anywhere on Adyen's network, including with other merchants. Loyal shoppers often use a select number of payment methods, so the use of many different payment methods can be an indication of fraudulent behavior.
Shopper consecutive refusals exceeds X times within X minutes/hours/days
Triggers when a shopper has a number of refused payments in a given time frame. The default is 3 times over 7 days. Fraudsters attempt many payments, and many refusals in a row can indicate the issuing bank detects a fraud attack.
Shopper has a previous fraud chargeback or notification of fraud
Triggers when a previous payment by the shopper has resulted in either a Notification of Fraud (NOF) or fraud-related chargeback.
For a fraud-related chargeback to initiate this risk rule, Adyen must have visibility to your chargebacks. Depending on the type of acquiring integration, this can be variable.
chargeback uploader can be used in scenarios where Adyen does not receive the chargeback data. This allows this risk rule to have visibility on those fraud incidences.
Shopper used shared IP address
Triggers when a shopper uses a known shared IP address. Fraudsters sometimes use proxies and public Wi-Fi hotspots to mask their identity.
Legitimate transactions can also trigger this rule. For example, offices, hotels, and apartments with certain network configurations. For an IP address to be considered shared, 6 or more unique users should have used it.
Shopper used shared card/bank account more than X times within X minutes/hours/days
Triggers when a shopper uses a known shared card or bank account, which can indicate a fraudster using compromised details.
Legitimate transactions can trigger this rule. For example, office environments where the same card can be used by many shoppers. To be considered shared 6 or more unique users should have used the card/account.
Strong authentication confirmed X times in X minutes/hours/days
Triggers when a shopper has previously successfully authenticated with 3DS a number of times over a given time period and fits the established profile of a 'trusted shopper'. Use this rule to lower a shopper's score so that they won't be prompted for 3DS during their next transaction.
Trust loyal shoppers
Triggers when a shopper does not match your profile of a 'loyal shopper'. Identifying loyal shoppers allows you to reduce friction and false positives where shoppers match the profile. Shoppers with fraud-related chargebacks, notifications of chargeback, notifications of fraud and rejections in manual review will never be considered loyal. You can also configure this rule to trigger for shoppers with risk refusals or non-fraud related chargebacks.
If you are experiencing Account Takeover Fraud, temporarily set a score of 1.