{"title":"Post-authorization rules","category":"default","creationDate":1674206160,"content":"<p>After a transaction has been authorized, you get new information from the card scheme and the issuing bank. For example, you will know if there was a liability shift, if the CVC code was entered correctly, and if the address details matched. You can use this information to influence the risk evaluation after authorization.<\/p>\n<h2>Requirements<\/h2>\n<p>Before you begin, take into account the following requirements and limitations.<\/p>\n<table>\n<thead>\n<tr>\n<th style=\"text-align: left;\">Requirement<\/th>\n<th style=\"text-align: left;\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: left;\"><strong>Integration type<\/strong><\/td>\n<td style=\"text-align: left;\">Make sure that you have built an <a href=\"\/online-payments\/build-your-integration\/\">online payments integration<\/a> and that <a href=\"\/risk-management\/configure-risk-settings\/\">risk management is enabled<\/a>.<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><strong><a href=\"\/account\/user-roles\/#risk\">Customer Area roles<\/a><\/strong><\/td>\n<td style=\"text-align: left;\">Make sure that you have one of the following role(s): <ul><li markdown=\"1\"><strong>Merchant change risk settings<\/strong><\/li><li markdown=\"1\"><strong>Risk admin<\/strong><\/li><\/ul><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: left;\"><strong>Limitations<\/strong><\/td>\n<td style=\"text-align: left;\">Because the post-authorization rules for AVS, CVC, and liability shift run after authorization, it is not possible to link the rules to <a href=\"\/risk-management\/dynamic-3d-secure\/\">Dynamic 3D Secure<\/a>. <br><br>The liability shift rule does not trigger for recurring <a href=\"\/get-started-with-adyen\/adyen-glossary\/#contauth-continuous-authorization\">merchant-initiated transactions<\/a> where the shopper interaction is <strong>ContAuth<\/strong>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>How it works<\/h2>\n<p>Post-authorization rules let you influence the risk evaluation based on information that becomes available after authorization. For example, you can block the transaction if there is a mismatch in the address details or if the card verification code is incorrect. Or, you can block transactions when there is no liability shift.<\/p>\n<p>All post-authorization rules are disabled by default. Because there is a risk of shopper input errors for both the CVC field and address details, enabling these risk rules may result in a higher number of declined transactions because of mismatches. We recommend that you use the <a href=\"\/uplift\/#uplift-optimize\">Adyen Uplift<\/a> Optimize settings, and set Smart Payment Messaging to optimize low risk transactions only.<\/p>\n<p>When you <a href=\"#enable-post-auth\">enable a post-authorization rule<\/a>, and a transaction matches the rule, the transaction can be part of <a href=\"\/risk-management\/control-traffic\/\">control traffic<\/a>. You can then analyze and identify any false positives. When you enable Protect premium, you can create more specific <a href=\"\/risk-management\/configure-your-risk-profile\/custom-rules\/\">custom post-authorization rules<\/a> instead.<\/p>\n<p>You can use the following post-authorization rules:<\/p>\n<ul>\n<li>\n<p><strong>Address Verification System (AVS)<\/strong><br \/>\nThis rule checks for mismatches in address details. <a href=\"\/risk-management\/avs-checks\/\">Address Verification System<\/a> (AVS) is a security feature that compares the billing address that the shopper entered with the cardholder address on file at the issuer.<\/p>\n<\/li>\n<li>\n<p><strong>Card Verification Code (CVC)<\/strong><br \/>\nThis rule verifies if the Card Verification Code (CVC2\/CVV2\/CID) matches after authorization by the issuing bank. The rule does not trigger for recurring transactions because it runs only on the initial transaction.<\/p>\n<\/li>\n<li>\n<p><strong>Liability shift status blocked<\/strong> and <strong>Liability shift status allowed<\/strong><br \/>\nThese rules check if a liability shift has or has not occurred. A liability shift occurs when the liability of chargebacks passes from you to the issuing bank. This happens when the transaction has been verified through 3D Secure.<\/p>\n<\/li>\n<\/ul>\n<h2 id=\"configure-post-auth\">Configure a post-authorization rule<\/h2>\n<p>To configure a post-authorization rule, in your <a href=\"https:\/\/ca-test.adyen.com\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Customer Area<\/a>:<\/p>\n<ol>\n<li>Go to <strong>Revenue &amp; risk<\/strong> &gt; <strong>Risk profiles<\/strong>.<\/li>\n<li>Select a risk profile.<\/li>\n<li>Select <strong>Risk rules<\/strong>.<\/li>\n<li>Select <strong>Block<\/strong>.<\/li>\n<li>\n<p>Select the post-authorization rule that you want to configure, select <strong>Configure rule options<\/strong>, and select when you want to block the transaction:<\/p>\n<table>\n<thead>\n<tr>\n<th>Rule<\/th>\n<th>Options<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Address Verification System (AVS)<\/td>\n<td>Select when you want to block the transaction: <ul><li markdown=\"1\">Postal code and address do not match.<\/li><li markdown=\"1\">Address does not match.<\/li><li markdown=\"1\">Postal code does not match.<\/li><\/ul><\/td>\n<\/tr>\n<tr>\n<td>Card Verification Code (CVC)<\/td>\n<td>Select when you want to block the transaction: <ul><li markdown=\"1\">CVC is provided but does not match.<\/li><li markdown=\"1\">CVC does not match, is not provided, or the issuer cannot perform the check.<\/li><\/ul><\/td>\n<\/tr>\n<tr>\n<td>Liability shift status blocked<\/td>\n<td>Select which transactions you want to block when there is no liability shift: <ul><li markdown=\"1\">Default setting: All 3D Secure transactions.<\/li><li markdown=\"1\">Only 3D Secure transactions without technical errors.<\/li><li markdown=\"1\">All e-commerce credit card transactions.<\/li><\/ul><br>Select when you want to trigger the rule: <ul><li markdown=\"1\">Default setting: 3D Secure liability shift has not taken place.<\/li><li markdown=\"1\">Full authentication not achieved.<\/li><\/ul><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/li>\n<li>Select <strong>Save<\/strong>.<\/li>\n<\/ol>\n<h2 id=\"enable-post-auth\">Enable a post-authorization rule<\/h2>\n<p>To enable a post-authorization block rule, in your <a href=\"https:\/\/ca-test.adyen.com\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\" class=\"external-link no-image\">Customer Area<\/a>:<\/p>\n<ol>\n<li>Go to <strong>Revenue &amp; risk<\/strong> &gt; <strong>Risk profiles<\/strong>.<\/li>\n<li>Select a risk profile.<\/li>\n<li>Select <strong>Risk rules<\/strong>.<\/li>\n<li>Select <strong>Block<\/strong>.<\/li>\n<li>Select one or more of the following:\n<ul>\n<li><strong>Address Verification System (AVS)<\/strong> &gt; <strong>Enabled<\/strong>.<\/li>\n<li><strong>Card Verification Code (CVC)<\/strong> &gt; <strong>Enabled<\/strong>.<\/li>\n<li><strong>Liability shift status blocked<\/strong> &gt; <strong>Enabled<\/strong>.<\/li>\n<\/ul><\/li>\n<li>Select <strong>Save changes<\/strong>.<\/li>\n<\/ol>\n<p>To allow based on liability shift status:<\/p>\n<ol>\n<li>Go to <strong>Revenue &amp; risk<\/strong> &gt; <strong>Risk profiles<\/strong>.<\/li>\n<li>Select a risk profile.<\/li>\n<li>Select <strong>Risk rules<\/strong>.<\/li>\n<li>Select <strong>Allow<\/strong>.<\/li>\n<li>Select <strong>Liability shift status allowed<\/strong> &gt; <strong>Enabled<\/strong>.<\/li>\n<li>Select <strong>Save changes<\/strong>.<\/li>\n<\/ol>\n<h2>See also<\/h2>\n<div class=\"see-also-links output-inline\" id=\"see-also\">\n<ul><li><a href=\"\/risk-management\/avs-checks\/\"\n                        target=\"_self\"\n                        >\n                    Address Verification System (AVS)\n                <\/a><\/li><li><a href=\"\/risk-management\/configure-your-risk-profile\/risk-lists\"\n                        target=\"_self\"\n                        >\n                    Risk lists\n                <\/a><\/li><li><a href=\"\/risk-management\/configure-your-risk-profile\/custom-rules\"\n                        target=\"_self\"\n                        >\n                    Custom rules\n                <\/a><\/li><li><a href=\"\/risk-management\/configure-your-risk-profile\/machine-learning-rules\"\n                        target=\"_self\"\n                        >\n                    Machine learning rules\n                <\/a><\/li><li><a href=\"\/risk-management\/configure-your-risk-profile\/risk-field-reference\"\n                        target=\"_self\"\n                        >\n                    Data quality and risk field reference\n                <\/a><\/li><li><a href=\"\/uplift\"\n                        target=\"_self\"\n                        >\n                    Adyen Uplift\n                <\/a><\/li><\/ul><\/div>\n","url":"https:\/\/docs.adyen.com\/risk-management\/configure-your-risk-profile\/post-auth-rules","articleFields":{"description":"Use post-authorization signals in risk rules to block or allow a transaction.","feedback_component":true,"last_edit_on":"20-01-2023 10:19"},"algolia":{"url":"https:\/\/docs.adyen.com\/risk-management\/configure-your-risk-profile\/post-auth-rules","title":"Post-authorization rules","content":"After a transaction has been authorized, you get new information from the card scheme and the issuing bank. For example, you will know if there was a liability shift, if the CVC code was entered correctly, and if the address details matched. You can use this information to influence the risk evaluation after authorization.\nRequirements\nBefore you begin, take into account the following requirements and limitations.\n\n\n\nRequirement\nDescription\n\n\n\n\nIntegration type\nMake sure that you have built an online payments integration and that risk management is enabled.\n\n\nCustomer Area roles\nMake sure that you have one of the following role(s): Merchant change risk settingsRisk admin\n\n\nLimitations\nBecause the post-authorization rules for AVS, CVC, and liability shift run after authorization, it is not possible to link the rules to Dynamic 3D Secure. The liability shift rule does not trigger for recurring merchant-initiated transactions where the shopper interaction is ContAuth.\n\n\n\nHow it works\nPost-authorization rules let you influence the risk evaluation based on information that becomes available after authorization. For example, you can block the transaction if there is a mismatch in the address details or if the card verification code is incorrect. Or, you can block transactions when there is no liability shift.\nAll post-authorization rules are disabled by default. Because there is a risk of shopper input errors for both the CVC field and address details, enabling these risk rules may result in a higher number of declined transactions because of mismatches. We recommend that you use the Adyen Uplift Optimize settings, and set Smart Payment Messaging to optimize low risk transactions only.\nWhen you enable a post-authorization rule, and a transaction matches the rule, the transaction can be part of control traffic. You can then analyze and identify any false positives. When you enable Protect premium, you can create more specific custom post-authorization rules instead.\nYou can use the following post-authorization rules:\n\n\nAddress Verification System (AVS)\nThis rule checks for mismatches in address details. Address Verification System (AVS) is a security feature that compares the billing address that the shopper entered with the cardholder address on file at the issuer.\n\n\nCard Verification Code (CVC)\nThis rule verifies if the Card Verification Code (CVC2\/CVV2\/CID) matches after authorization by the issuing bank. The rule does not trigger for recurring transactions because it runs only on the initial transaction.\n\n\nLiability shift status blocked and Liability shift status allowed\nThese rules check if a liability shift has or has not occurred. A liability shift occurs when the liability of chargebacks passes from you to the issuing bank. This happens when the transaction has been verified through 3D Secure.\n\n\nConfigure a post-authorization rule\nTo configure a post-authorization rule, in your Customer Area:\n\nGo to Revenue &amp; risk &gt; Risk profiles.\nSelect a risk profile.\nSelect Risk rules.\nSelect Block.\n\nSelect the post-authorization rule that you want to configure, select Configure rule options, and select when you want to block the transaction:\n\n\n\nRule\nOptions\n\n\n\n\nAddress Verification System (AVS)\nSelect when you want to block the transaction: Postal code and address do not match.Address does not match.Postal code does not match.\n\n\nCard Verification Code (CVC)\nSelect when you want to block the transaction: CVC is provided but does not match.CVC does not match, is not provided, or the issuer cannot perform the check.\n\n\nLiability shift status blocked\nSelect which transactions you want to block when there is no liability shift: Default setting: All 3D Secure transactions.Only 3D Secure transactions without technical errors.All e-commerce credit card transactions.Select when you want to trigger the rule: Default setting: 3D Secure liability shift has not taken place.Full authentication not achieved.\n\n\n\n\nSelect Save.\n\nEnable a post-authorization rule\nTo enable a post-authorization block rule, in your Customer Area:\n\nGo to Revenue &amp; risk &gt; Risk profiles.\nSelect a risk profile.\nSelect Risk rules.\nSelect Block.\nSelect one or more of the following:\n\nAddress Verification System (AVS) &gt; Enabled.\nCard Verification Code (CVC) &gt; Enabled.\nLiability shift status blocked &gt; Enabled.\n\nSelect Save changes.\n\nTo allow based on liability shift status:\n\nGo to Revenue &amp; risk &gt; Risk profiles.\nSelect a risk profile.\nSelect Risk rules.\nSelect Allow.\nSelect Liability shift status allowed &gt; Enabled.\nSelect Save changes.\n\nSee also\n\n\n                    Address Verification System (AVS)\n                \n                    Risk lists\n                \n                    Custom rules\n                \n                    Machine learning rules\n                \n                    Data quality and risk field reference\n                \n                    Adyen Uplift\n                \n","type":"page","locale":"en","boost":17,"hierarchy":{"lvl0":"Home","lvl1":"Risk management","lvl2":"Configure your risk profile","lvl3":"Post-authorization rules"},"hierarchy_url":{"lvl0":"https:\/\/docs.adyen.com\/","lvl1":"https:\/\/docs.adyen.com\/risk-management","lvl2":"https:\/\/docs.adyen.com\/risk-management\/configure-your-risk-profile","lvl3":"\/risk-management\/configure-your-risk-profile\/post-auth-rules"},"levels":4,"category":"Risk Management","category_color":"green","tags":["Post-authorization","rules"]}}