Configure your risk profile

Learn how to set up your risk profile, get insights into risk performance, and see how machine learning helps detect and prevent fraud.

We have been working on major improvements to RevenueProtect. You can now use and configure the latest version of the risk profile.

Using the latest version of the profile, you can:

  • Benefit from more risk insights and risk decisions that are easier to understand. RevenueProtect continuously evaluates incoming traffic, which helps to detect and block transactions that come in at an unusually fast rate with suspicious payment properties. This helps mitigate card testing traffic and bot attacks, for example.

When you use RevenueProtect premium, you can also:

  • Benefit from Adyen’s fraud risk evaluation using machine learning and platform-wide data. This helps you to identify and block risky transactions that are likely to be fraudulent, while reducing the chance of blocking legitimate transactions.
  • Easily add and label custom risk rules with the improved rule builder to complement and fine-tune your risk profile.
  • Evaluate the impact of adding or editing a rule by backtesting.
  • Get insights into how each risk rule performs and monitor overall performance of a risk profile. Authorization, refusal, and chargeback rates and statistics are available for both risk rules and the risk profile. On top of backtesting, this data can help you pinpoint underperforming risk profiles or rules, and analyze and monitor the impact of changes.

Machine learning in risk profiles

Machine learning assesses the properties of each incoming payment request and gives the transaction a risk classification. If the risk classification exceeds your selected block threshold, RevenueProtect will block the transaction.

We are introducing two machine learning rules:

  • Machine learning: bot attack risk (RevenueProtect basic and premium)
    This rule detects and blocks transactions that come in at an unusually fast rate with suspicious payment properties. This can indicate scripted attacks like card testing and bot attacks.

  • Machine learning: fraud risk (RevenueProtect premium)
    This rule evaluates the payment fraud risk of transactions and classifies them with a distinct risk level. This risk level indicates the likelihood that a payment will result in a fraudulent chargeback. When a transaction is classified as riskier than the risk threshold that you define, the transaction is blocked before it is sent to authorization.

    Currently, this rule runs on credit and debit card transactions that could result in a chargeback. We recommend that you add custom rules to complement your risk profile.

View or change your risk threshold

By default, the rule Machine learning: fraud risk will block transactions with a high risk classification. The only exception is if the transaction triggered an Allow rule before authorization. When you use RevenueProtect premium, you can change at which risk classification you want the rule to block transactions.

To view or change the risk threshold for your risk profile:

  1. Log in to your Customer Area.

  2. Go to Risk > Risk profiles.

  3. Select a risk profile.

  4. Select Block.
    If you do not see the tabs Allow, Block, and Review, the latest version of the risk profile is not yet enabled for your company or merchant account.

  5. Select Machine learning: fraud risk > Adjust blocking threshold.

  6. View the current block threshold, or adjust it using the slider.

Fine-tune your risk profile

You can use block and trust lists to block or allow specific transaction properties. We have grouped together the default, Adyen-provided block and trust lists.

When you use RevenueProtect premium, you can add custom rules to complement the fraud risk evaluation. When you configure a rule in your risk profile, you configure which action RevenueProtect should take when a transaction matches that rule.

For each rule, you configure if the rule should run before or after authorization, and what to do if a transaction matches the rule: Allow, Block or Review.

You can also label your rules for easy classification, and to further personalize your risk profile setup.

Custom rules

To create a new rule:

  1. Log in to your Customer Area.
  2. Go to Risk > Risk profiles.
  3. Select a risk profile.
  4. Select Risk rules.
  5. Select + Create new custom rule, and then select Pre-authorization or Post-authorization.
  6. Enter a rule name.
  7. In the Action section, select Allow, Block or Review to define the action you want RevenueProtect to take when the rule triggers.
  8. In the Label section, select one of the following labels for the rule:
    • Business: for rules specifically related to your business.
    • Legal: for rules based on regulations or laws.
    • Fraud: for rules to prevent specific fraud risks for your business.
    • Block list: for rules to add payment properties to predefined block lists.
    • Trust list: for rules to add payment properties to predefined trust lists.
  9. Enter conditions. You can add conditions to the rule by selecting AND or OR. For each condition, select:
    • Field Name: choose a field to use as a risk variable.
    • Operator: how to compare the Field Name and the Field Value. The type of the fields you are comparing defines which operators you can use. For example, you can use greater than (>) for numbers, or starts with for strings.
    • Field Value: value that triggers your rule.
  10. Select Create new rule.

Block and trust lists

To view the default lists:

  1. Log in to your Customer Area.
  2. Go to Risk > Risk profiles.
  3. Select a risk profile.
  4. Select Risk rules.
  5. Select Allow and expand the Default trust lists, or select Block and expand the Default block lists.

You can edit the default lists to block, trust or remove single items. For some lists, you can upload multiple items using CSV files. You can find the details in your Customer Area. You can also block or trust a payment attribute using the Fraud Control widget on the payment details page for a specific payment.

When you use RevenueProtect premium, you can continue to create custom lists.

Extra risk management features

You can continue to use extra risk features such as case management (RevenueProtect premium) and Dynamic 3D Secure (RevenueProtect basic and premium).

Because risk rules in the latest version of the risk profile are based on actions, when you use RevenueProtect premium:

  • To send a transaction to case management, set the risk rule action to Review.
  • To link a Dynamic 3D Secure rule to a risk rule, set the risk rule action to Allow or Review, and then configure the Dynamic 3D Secure rule to trigger on your risk rule.

Backtest a rule

When you use RevenueProtect premium, you can backtest the impact of a rule before you activate it, or before you change the settings of an existing rule.

You can run the rule on your historical data to build more confidence in the effect of the rule before you turn it on. Or, after you identify a rule that is not performing well, you can test the effect of any changes to the rule before you make them.

Backtesting can give you helpful insights into your risk profile performance, and reduce the time you have to spend on manually monitoring risk rule performance over time.

To backtest a rule:

  1. Log in to your Customer Area.
  2. Go to Risk > Risk profiles.
  3. Select a risk profile.
  4. Select Risk rules.
  5. Select the rule from the Allow, Block or Review tab, and then select Backtest. Or, backtest the rule before you activate a new rule.
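To make the idea behind custom rule conditions and backtesting concrete, the following added example (not Adyen code, and not how the Customer Area implements it) replays a rule over a constructed transaction history and compares AND against OR for the same two conditions. The field names `amount`, `email` and `chargeback`, the operator names and the rule layout are assumptions made for this illustration.

```python
import operator

# Operators a condition may use; these names are this example's own.
OPS = {
    ">": operator.gt,
    "<": operator.lt,
    "equals": operator.eq,
    "starts with": lambda a, b: str(a).startswith(b),
}

def matches(rule, txn):
    """True when the transaction satisfies the rule's AND/OR-joined conditions."""
    results = [OPS[op](txn[field], value) for field, op, value in rule["conditions"]]
    return all(results) if rule["join"] == "AND" else any(results)

def backtest(rule, history):
    """Replay a rule over past transactions and count what it would have hit."""
    hits = [t for t in history if matches(rule, t)]
    fraud_total = sum(t["chargeback"] for t in history)
    fraud_hit = sum(t["chargeback"] for t in hits)
    return {
        "matched": len(hits),
        "match_rate": len(hits) / len(history),
        "chargebacks_caught": fraud_hit,
        "chargebacks_missed": fraud_total - fraud_hit,
        "legitimate_matched": len(hits) - fraud_hit,
    }

# Constructed sample history; hypothetical field names, not real payments.
HISTORY = [
    {"amount": 950, "email": "test123@example.com", "chargeback": True},
    {"amount": 40, "email": "anna@example.com", "chargeback": False},
    {"amount": 1200, "email": "bob@example.com", "chargeback": False},
    {"amount": 800, "email": "test999@example.com", "chargeback": True},
    {"amount": 15, "email": "test@example.org", "chargeback": False},
    {"amount": 300, "email": "carol@example.com", "chargeback": True},
]

# The same two conditions, joined with OR and with AND.
BROAD = {"action": "Block", "join": "OR",
         "conditions": [("amount", ">", 500), ("email", "starts with", "test")]}
NARROW = {"action": "Block", "join": "AND",
          "conditions": [("amount", ">", 500), ("email", "starts with", "test")]}

if __name__ == "__main__":
    for name, rule in (("OR", BROAD), ("AND", NARROW)):
        print(name, backtest(rule, HISTORY))
```

On this sample, both variants catch the same two chargebacks, but the OR rule also matches two legitimate payments, which is the kind of difference a backtest surfaces before a Block rule goes live.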

View risk results

You can see the risk decisions on the Risk results page.

To open the risk results page:

  1. Log in to your live Customer Area, and switch to a merchant account using the latest version of the risk profile.
  2. Go to Transactions > Payments.
  3. Select the Risk score for a payment from the payments overview to open the risk results page.

You can see the decision outcome at the top of the page.

Apart from the overall risk result, you can also see which rules were triggered, if they triggered before or after authorization, and which actions were taken.

Analyze risk results

When you use RevenueProtect premium, you can see more information about the Machine learning: fraud risk rule on the Risk results page.

When you select the rule, a detailed view opens. You can use the information to analyze the risk decision made for this payment, or see why the payment was not evaluated by the machine learning rule.

Risk level

Before the payment is sent to authorization, RevenueProtect assigns a risk level to each payment ranging from low to very high. This risk level is based on the properties from the payment request, as well as historical data connected to the payment.

You can then decide, based on your overall risk profile threshold setting and risk rules, to allow, block, or review the payment.

Some payments cannot be evaluated by the fraud risk evaluation rule, for example because they are made with a payment method that cannot be disputed. If this is the case, you will see a message. You can then set up custom risk rules to mitigate the risk.

Fraud signals

Many signals impact the risk level classification for a payment, some stronger and some weaker than others. We show the top fraud signals that contributed to the risk level assessment of this payment. These signals can contribute positively or negatively to the overall risk level.

Here are some example fraud signals:

  • The number of previously authorized payments for a shopper
  • The number of cards this shopper has used
  • The email address contains the shopper name
  • The billing address matches the delivery address
  • The total amount that this shopper has previously spent at your business

Data quality

Machine learning predicts the likelihood of a payment being fraudulent based on the data in the payment request, historical shopper data, and interaction patterns with the payment form.

For both the rules Machine learning: fraud risk and Machine learning: bot attack risk, it is important to provide high quality data to reach the most correct risk classification. Similarly, when you use block and trust lists or custom rules, the payment request has to contain the data to trigger the correct action.

You can influence the quality of the data. We recommend that you always send in as many fields as possible, and avoid sending in dummy or placeholder data.

The following table shows some example fields that are highly relevant for the risk evaluation.

| Data point | Used by | Required field in payment request |
| --- | --- | --- |
| Billing address | | billingAddress |
| Delivery address | | deliveryAddress |
| Email address | | shopperEmail |
| IP address | | shopperIP |
| The shopper’s first and last name | | shopperName |
| Your reference to uniquely identify the shopper | | shopperReference |
| The shopper’s phone number | | telephoneNumber |
| Card number | Default Bank identification number (BIN) block and trust lists; Default Fraudulent card number or bank account number (IBAN) block list; Default Non-fraudulent card number or bank account number (IBAN) block list; Default Card number or bank account number (IBAN) trust list | paymentMethod.number, paymentMethod.encryptedCardNumber |
| The account creation date | | accountInfo.accountCreationDate |
| Browser information | | shopperIP |
| The date and time that the item will be delivered | Custom rules: include if you want to use the hoursToDelivery field. | deliveryDate, deliveryAt |
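One way to act on the data quality advice is to audit a payment request before it is sent, flagging risk-relevant fields from the table above that are missing or carry dummy values. This is an added example, not Adyen code: the placeholder patterns, the helper names and the sample request are assumptions to adapt to your own integration.

```python
import re

# Fields from the table above; a tuple lists alternatives (one good value is enough).
RISK_FIELDS = [
    ("billingAddress",), ("deliveryAddress",), ("shopperEmail",), ("shopperIP",),
    ("shopperName",), ("shopperReference",), ("telephoneNumber",),
    ("accountInfo.accountCreationDate",),
    ("paymentMethod.number", "paymentMethod.encryptedCardNumber"),
]
# Assumed dummy-value patterns (this example's own list); tune to your integration.
PLACEHOLDER = re.compile(r"n/?a|none|null|unknown|test|x{3,}|0+|-+|127\.0\.0\.1"
                         r"|0\.0\.0\.0|(test|noreply|none)@.*", re.I)

def lookup(request, dotted):
    """Resolve a dotted path such as accountInfo.accountCreationDate."""
    node = request
    for key in dotted.split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def is_placeholder(value):
    """Empty values, dummy strings, or objects whose leaves are all dummies."""
    if isinstance(value, dict):
        return all(is_placeholder(v) for v in value.values())
    return value in (None, "") or bool(PLACEHOLDER.fullmatch(str(value).strip()))

def audit(request):
    """Map each weak data point to 'missing' or 'placeholder'."""
    findings = {}
    for paths in RISK_FIELDS:
        present = [v for v in (lookup(request, p) for p in paths) if v is not None]
        if not present:
            findings[paths[0]] = "missing"
        elif all(is_placeholder(v) for v in present):
            findings[paths[0]] = "placeholder"
    return findings

# Constructed sample request, not real shopper data.
SAMPLE = {
    "shopperEmail": "test@example.com",
    "shopperIP": "127.0.0.1",
    "shopperName": {"firstName": "Anna", "lastName": "de Vries"},
    "shopperReference": "shopper-48121",
    "telephoneNumber": "0000000000",
    "billingAddress": {"street": "Keizersgracht", "city": "Amsterdam", "country": "NL"},
    "paymentMethod": {"type": "scheme", "encryptedCardNumber": "<encrypted value>"},
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running such a check in integration tests or on a sample of production requests shows which risk inputs a block list, trust list or custom rule would never see.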