The content on this page applies to the latest risk engine. If you use the classic risk engine, refer to Configure your risk profile (classic). See the risk management overview for the differences.
We have been working on major improvements to our risk engine.
Using the latest version of the profile, you can:
- Benefit from more risk insights and risk decisions that are easier to understand. Our risk engine continuously evaluates incoming traffic, which helps to detect and block transactions that come in at an unusually fast rate with suspicious payment properties. This helps mitigate card testing traffic and bot attacks, for example.
When you enable premium features, you can also:
- Benefit from Adyen’s fraud risk evaluation using machine learning and platform-wide data. This helps you to identify and block risky transactions that are likely to be fraudulent, while reducing the chance of blocking legitimate transactions.
- Easily add and label custom risk rules with the improved rule builder to complement and fine-tune your risk profile.
- Evaluate the impact of adding or editing a rule by backtesting.
- Get insights into how each risk rule performs and monitor overall performance of a risk profile. Authorization, refusal, and chargeback rates and statistics are available for both risk rules and the risk profile. On top of backtesting, this data can help you pinpoint underperforming risk profiles or rules, and analyze and monitor the impact of changes.
Machine learning in risk profiles
Machine learning assesses the properties of each incoming payment request and gives the transaction a risk classification. If the risk classification exceeds your selected block threshold, risk will block the transaction.
The latest risk engine supports:
-
Machine learning: bot attack risk
This rule detects and blocks transactions that come in at an unusually fast rate with suspicious payment properties. This can indicate scripted attacks like card testing and bot attacks. -
Machine learning: fraud risk (premium only)
This rule evaluates the payment fraud risk of transactions and classifies them with a distinct risk level. This risk level indicates the likelihood that a payment will result in a fraudulent chargeback. When a transaction is classified as riskier than the risk threshold that you define, the transaction is blocked before it is sent to authorization.Currently, this rule runs on credit and debit card transactions that could result in a chargeback. We recommend that you add custom rules to complement your risk profile.
Fine-tune your risk profile
Used risk before?
If you configured a risk profile before and transitioned to the latest risk profile, check out these best practices.
You can use block and trust lists to block or allow specific transaction properties. We have grouped together the default, Adyen-provided block and trust lists.
When you have enabled premium features, you can add custom rules to complement the fraud risk evaluation. When you configure a rule in your risk profile, you configure which action should be taken when a transaction matches that rule.
For each rule, you configure if the rule should run before or after authorization, and what to do if a transaction matches the rule: Allow, Block, Review (premium), or Check for 3DS (premium, available soon).
You can also label your rules for easy classification, and to further personalize your risk profile setup.
Block and trust lists
To view the default lists:
- Log in to your Customer Area.
- Go to Revenue & risk > Risk profiles.
- Select a risk profile.
- Select Risk rules.
- Select Allow and expand the Default trust lists, or select Block and expand the Default block lists.
You can edit the default lists to block, trust or remove single items. For some lists, you can upload multiple items using CSV files. You can find the details in your Customer Area. To upload items in bulk using an API instead of the Customer Area, see Automate submitting referrals.
You can also block or trust a payment attribute using the Fraud Control widget on the payment details page for a specific payment.
When you have enabled premium features, you can continue to create custom lists.
Custom rules
To create a new rule:
- Log in to your Customer Area.
- Go to Revenue & risk > Risk profiles.
- Select a risk profile.
- Select Risk rules.
- Select + Create new custom rule, and then select Pre-authorization or Post-authorization.
- Enter a rule name.
- In the Action section, select Allow, Block, Review (premium), or Check for 3DS (premium, available soon) to define the action you want to take when the rule triggers.
- Allow: do not block the transaction if the transaction matches this rule.
- Block: block the transaction if the transaction matches this rule.
- Review: send the transaction to case management if the transaction matches this rule.
- Check for 3DS: do not make a risk decision if the transaction matches this rule.
When you create a pre-authorization rule with the Check for 3DS action, you can use it to influence the authentication engine. Because no risk decision is made to block or allow the transaction, you can select the custom rule as a trigger for Dynamic 3D Secure rules.
- In the Label section, select one of the following labels for the rule:
- Business: for rules specifically related to your business.
- Legal: for rules based on regulations or laws.
- Fraud: for rules to prevent specific fraud risks for your business.
- Block list: for rules to add payment properties to predefined block lists.
- Trust list: for rules to add payment properties to predefined trust lists.
- Enter conditions. You can add conditions to the rule by selecting AND or OR. For each condition, select:
- Field Name: choose a field to use as a risk variable.
- Operator: how to compare the Field Name and the Field Value. The type of the fields you are comparing defines which operators you can use. For example, you can use greater than (>) for numbers, or starts with for strings.
- Field Value: value that triggers your rule.
- Select Create new rule.
Extra risk management features
You can continue to use extra risk features such as case management (premium only) and Dynamic 3D Secure.
View or change your risk threshold
When you enabled premium features, the rule Machine learning: fraud risk is added to your Block rules. This rule will block transactions that are likely to be fraudulent, unless the transaction triggered an Allow rule before authorization.
By default, the block threshold for this rule is set to high risk and above. This threshold setting has a balanced approach as it avoids blocking genuine shoppers while keeping fraud at acceptable levels by blocking high risk transactions. You can change the risk threshold if you think this setting does not fit your business, for example if you want to block more transactions.
It is important to understand that not all fraud cases can be detected by the Machine learning: fraud risk rule. We recommend that you add custom rules to complement your risk profile.
To view or change the risk threshold for your risk profile:
- Log in to your Customer Area.
- Go to Revenue & risk > Risk profiles.
- Select a risk profile.
- Select Risk rules.
- Select Block.
- Select Machine learning: fraud risk > Adjust blocking threshold.
- View the current block threshold, or adjust it using the slider.
Backtest a rule
When you have enabled premium features, you can backtest the impact before you activate a new rule, or change the settings of an existing rule.
You can run the rule on your historical data to build more confidence in the effect of the rule before you turn it on. Or, after you identify a rule that is not performing well, you can test the effect of any changes to the rule before you make them.
Backtesting can give you helpful insights in your risk profile performance, and reduces the time you have to spend on manually monitoring risk rule performance over time.
To backtest a rule:
- Log in to your Customer Area.
- Go to Revenue & risk > Risk profiles.
- Select a risk profile.
- Select Risk rules.
- Select a pre-authorization rule from the Allow, Block or Review tab, and then select Backtest.
View risk results
You can see the risk decisions on the Risk results page.
To open the risk results page:
- Log in to your live Customer Area, and switch to a merchant account using the latest version of the risk profile.
- Go to Transactions > Payments.
- Select the Risk score for a payment from the payments overview to open the risk results page.
You can see the decision outcome at the top of the page.
Apart from the overall risk result, you can also see which rules were triggered, if they triggered before or after authorization, and which actions were taken.
Analyze risk results
When you have enabled premium features, you can see more information about the Machine learning: fraud risk rule on the Risk results page.
When you select the rule, a detailed view opens. You can use the information to analyze the risk decision made for this payment, or see that the payment was not evaluated by the machine learning rule.
Risk level
Before the payment is sent to authorization, each payment is assigned a risk level ranging from very low to very high. This risk level is based on the properties from the payment request, as well as historical data connected to the payment.
You can then decide, based on your overall risk profile threshold setting and risk rules, to allow, block, or review the payment.
Some payments cannot be evaluated by the fraud risk evaluation rule, for example because they are made with a payment method that cannot be disputed. If this is the case, the risk result will show that the payment has not been evaluated. You can then set up custom risk rules to mitigate the risk.
Fraud signals
Many signals impact the risk level classification for a payment, some stronger than others. We show the top fraud signals that contributed to the risk level assessment of this payment. These signals can contribute positively or negatively to the overall risk level.
Here are some example fraud signals:
- The number of previously authorized payments for a shopper
- The number of cards this shopper has used
- The email address contains the shopper name
- The billing address matches the delivery address
- The total amount that this shopper has previously spent at your business
Data quality
Machine learning predicts the likelihood of a payment being fraudulent based on the data in the payment request, historical shopper data, and interaction patterns with the payment form.
For both the rules Machine learning: fraud risk and Machine learning: bot attack risk, it is important to provide high quality data to reach the most correct risk classification. Similarly, when you use block and trust lists or custom rules, the payment request has to contain the data to trigger the correct action.
You can influence the quality of the data. We recommend that you always send in as many fields as possible, and avoid sending in dummy or placeholder data.
If you use a Web Drop-in/Components integration, we collect additional risk data that you send when the shopper pays, with the option for more data collection outside of the checkout page.
The following table shows some example fields that are highly relevant for the risk evaluation.
Data point | Used by | Required field in payment request |
---|---|---|
Billing address |
|
billingAddress |
Delivery address |
|
deliveryAddress |
Email address |
|
shopperEmail |
IP address |
|
shopperIP |
The shopper’s first and last name |
|
shopperName |
Your reference to uniquely identify the shopper |
|
shopperReference |
The shopper’s phone number |
|
telephoneNumber |
Card number |
|
paymentMethod.number paymentMethod.encryptedCardNumber |
The account creation date | accountInfo.accountCreationDate |
|
Browser information |
|
browserInfo |
The date and time that the item will be delivered |
|
deliveryDate deliveryAt |
Additional risk data for Web Drop-in/Components |
|
riskData |
Best practices after transition
If your company transitioned from classic risk to the latest risk profile, you will notice that the risk profile has changed.
After the transition, you can no longer change classic risk profiles or assign them to merchant accounts, but you can still view previously created profiles.
You may have to take specific actions to make sure that your new risk profile meets the needs specific to your business. See How can I transition to Adyen's new risk engine? for more details and determine which actions apply to you.