
Post-authorization rules

Use post-authorization signals in risk rules to block or allow a transaction.

After a transaction has been authorized, you get new information from the card scheme and the issuing bank. For example, you will know if there was a liability shift, if the CVC code was entered correctly, and if the address details matched. You can use this information to influence the risk evaluation after authorization.

Requirements

Before you begin, take into account the following requirements and limitations.

Integration type: Make sure that you have built an online payments integration and that risk is enabled.
Customer Area roles: Make sure that you have one of the following role(s):
  • Merchant change risk settings
  • Risk admin
Limitations:
  • Because the post-authorization rules for AVS, CVC, and liability shift run after authorization, it is not possible to link the rules to Dynamic 3D Secure.
  • The liability shift rule does not trigger for recurring merchant-initiated transactions where the shopper interaction is ContAuth.

How it works

Post-authorization rules let you influence the risk evaluation based on information that becomes available after authorization. For example, you can block the transaction if there is a mismatch in the address details or if the card verification code is incorrect. Or, you can block transactions when there is no liability shift.

All post-authorization rules are disabled by default. Because there is a risk of shopper input errors for both the CVC field and address details, enabling these risk rules may result in a higher number of declined transactions because of mismatches. We recommend that you use the Adyen Uplift Optimize settings, and set Smart Payment Messaging to optimize low risk transactions only.

When you enable a post-authorization rule, and a transaction matches the rule, the transaction can be part of control traffic. You can then analyze and identify any false positives. When you enable Protect premium, you can create more specific custom post-authorization rules instead.

You can use the following post-authorization rules:

  • Address Verification System (AVS)
    This rule checks for mismatches in address details. Address Verification System (AVS) is a security feature that compares the billing address that the shopper entered with the cardholder address on file at the issuer.

  • Card Verification Code (CVC)
    This rule verifies if the Card Verification Code (CVC2/CVV2/CID) matches after authorization by the issuing bank. The rule does not trigger for recurring transactions because it runs only on the initial transaction.

  • Liability shift status blocked and Liability shift status allowed
    These rules check if a liability shift has or has not occurred. A liability shift occurs when the liability of chargebacks passes from you to the issuing bank. This happens when the transaction has been verified through 3D Secure.

Configure a post-authorization rule

To configure a post-authorization rule, in your Customer Area:

  1. Go to Revenue & risk > Risk profiles.
  2. Select a risk profile.
  3. Select Risk rules.
  4. Select Block.
  5. Select the post-authorization rule that you want to configure, select Configure rule options, and select when you want to block the transaction:

    Address Verification System (AVS): Select when you want to block the transaction:
    • Postal code and address do not match.
    • Address does not match.
    • Postal code does not match.

    Card Verification Code (CVC): Select when you want to block the transaction:
    • CVC is provided but does not match.
    • CVC does not match, is not provided, or the issuer cannot perform the check.

    Liability shift status blocked: Select which transactions you want to block when there is no liability shift:
    • Default setting: All 3D Secure transactions.
    • Only 3D Secure transactions without technical errors.
    • All e-commerce credit card transactions.
    Then select when you want to trigger the rule:
    • Default setting: 3D Secure liability shift has not taken place.
    • Full authentication not achieved.
  6. Select Save.
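
Before enabling a rule, you can replay historical post-authorization results against the options listed in step 5 to see which transactions each choice would block. The following is an added example, not Adyen code: the Txn fields and option keys are hypothetical, one option is chosen per rule, and the liability shift rule is modelled with its default options only.

```python
from dataclasses import dataclass

@dataclass
class Txn:  # hypothetical normalised record, not an Adyen API object
    ref: str
    address_match: bool
    postal_match: bool
    cvc: str                 # "match" | "no_match" | "not_provided" | "not_checked"
    three_ds: bool
    liability_shift: bool
    recurring: bool = False
    shopper_interaction: str = "Ecommerce"

# Option keys are made-up labels for the options in step 5.
AVS = {
    "postal_and_address": lambda t: not t.address_match and not t.postal_match,
    "address": lambda t: not t.address_match,
    "postal": lambda t: not t.postal_match,
}
CVC = {
    "provided_no_match": lambda t: t.cvc == "no_match",
    "any_failure": lambda t: t.cvc != "match",
}

def matched_rules(t, avs_opt, cvc_opt):
    hits = []
    if AVS[avs_opt](t):
        hits.append("AVS")
    # CVC rule runs only on the initial transaction, so recurring ones are skipped.
    if not t.recurring and CVC[cvc_opt](t):
        hits.append("CVC")
    # Default options: 3D Secure, no shift; recurring ContAuth MITs are exempt.
    mit = t.recurring and t.shopper_interaction == "ContAuth"
    if t.three_ds and not t.liability_shift and not mit:
        hits.append("LIABILITY_SHIFT")
    return hits

def replay(txns, avs_opt, cvc_opt):
    hits = {t.ref: matched_rules(t, avs_opt, cvc_opt) for t in txns}
    return {ref: h for ref, h in hits.items() if h}  # only transactions that match

# Constructed sample data.
SAMPLE = [
    Txn("t1", True, True, "match", True, True),
    Txn("t2", True, False, "match", True, True),           # postal code typo only
    Txn("t3", False, False, "not_provided", False, False),
    Txn("t4", True, True, "no_match", True, False),
    Txn("t5", True, True, "not_provided", True, False, True, "ContAuth"),
]
```

Comparing `replay(SAMPLE, "postal_and_address", "provided_no_match")` with `replay(SAMPLE, "postal", "any_failure")` shows how the broader options also catch t2, where only the postal code was mistyped.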

Enable a post-authorization rule

To enable a post-authorization block rule, in your Customer Area:

  1. Go to Revenue & risk > Risk profiles.
  2. Select a risk profile.
  3. Select Risk rules.
  4. Select Block.
  5. Select one or more of the following:
    • Address Verification System (AVS) > Enabled.
    • Card Verification Code (CVC) > Enabled.
    • Liability shift status blocked > Enabled.
  6. Select Save changes.

To allow based on liability shift status:

  1. Go to Revenue & risk > Risk profiles.
  2. Select a risk profile.
  3. Select Risk rules.
  4. Select Allow.
  5. Select Liability shift status allowed > Enabled.
  6. Select Save changes.
