Fraud Prevention

Fraud Prevention

Credit card fraud is fast growing problem for online merchants. As a merchant, you are liable for every processed credit card transaction even if fraudulent. Fraud can hurt your business in the following ways: lost revenue, wasted productivity, and penalties such as charge backs and higher interchange rates.

The UltraCart fraud prevention system is a set of industry leading rules that will help protect your UltraCart store from potential customer fraud.  The fraud prevention system configuration is located at:

How it Works

The fraud prevention system utilizes a set of rules that are run against the order before credit card processing takes place.  The rules compare the details of the current order and previous transactions to determine if a fraudulent action is taking place.  If a rule is broken then the merchant can decide to reject the transaction or send the order to Accounts Receivable for further review.

Rules fall into five different types:

Rule TypeDescription
ExemptionThese rules are the first ones checked by the system.  If an order matches these rules then the order is exempted from all other rules.  These rules are typically added to exempt your office or call center from the fraud prevention system during the order taking process.
Credit CardThese rules focus around checking the credit card for fraud.  This includes checks like number of attempts, changing the card, blocking prepaid/gift, etc.
Credit Card (Premium)This rule checks and confirms if Card Type = Prepaid or Gift Card. This is a premium feature ($0.05 per card validated).
IP/SubnetThese rules focus on the origination of the order traffic and velocity of the orders originating from a portion of the internet.
AddressThese rules focus on the addresses on the order and allow merchants to block known fraudsters (establish fraud filter on a fraudulent order) or hold orders for review that have different billing/shipping addresses.

Address (Premium)

These rules are a premium feature ($0.01/card validated)
AffiliateThese rules attempt to block affiliates from submitting fraudulent orders in an attempt to earn commissions.

Configuring Rules

The top section of the page displays all the rules that can be configured on an UltraCart account like the screen shot below.

Notice below that each rule reads like a simple sentence.  So if I want to decline transactions over $500 then I would enter the amount, select the desire action from the drop down list and click apply.

After clicking the apply button a popup dialog will appear allowing the configuration of additional options/filters for the rule as shown below.

In this example we have configured a custom decline message to display to the customer and then clicked apply.  Other filters include:

  • Items - the rule will only execute if the order contains one of these items.  For example if you are blocking prepaid/gift cards you would want to filter it down to only the item(s) that represent the free trial.
  • Gateway - the rule will only apply if one of the checked rotating transaction gateways is being used.
  • Screen Branding - the rule will only apply to the selected screen branding theme.

When an optional filter is left empty/unchecked then the rule will apply to all of the items, gateways, or screen branding themes accordingly.

After we click the Apply button the page will automatically scroll down to the Established Rules and highlight the new rule.  Below is an example of how the rule we just configured appears.

Note Regarding Exemption Rules

Adding IP Exemption Rules

When adding an IP Exemption, the dialog window that appears is the same one as is used with adding decline rules. Just go ahead and save that dialog window and the exemption rule will be created.

Establishing Fraud Filters based on the details of a placed order

When you encounter an order that you deem fraudulent, you can create fraud filters based  upon the following order details:

  • IP Address Range 
  • Credit Card XXXX-XXXX-XXXX-0664 (Full credit card will be used for filter)
  • Address (Numeric portion of street & Zip Code / Postal Code)
  • Email Address

"If prepaid or gift card"

Note: This Fraud filter rule is provided via a 3rd party service that can determine if the CC number provided by the customer is either a prepaid or gift card. This could be useful in auto filtering customers from auto order "Trial" purchases that are configured with a very small initial purchase price ("pay only shipping today" type offers) as these types of recurring billing can be targets for 'scammers' using cards that have just enough money on the card to pass the initial validation of the trial purchase but not enough to cover the subsequent purchase(s).


  The charge applies to every single CC validated, but there is order caching. So, don't get dinged for multiple authorization attempts on the checkout. For example, if the customer initially entered the wrong billing address causing a decline due to AVS mismatch then, corrected the details and resubmitted the order, the $0.01 fee would be applied only once, not for each authorization attempt.

Order Handling for flagged orders

The fraud rules have a setting for how to handle the fraudulent checkout/order.

There are four possible choices for fraudulent order handling:

  • "Flag for review" → Sends the order to the Accounts Receivable and places a note in merchant comments.
  • "Process payment and modify" → Processes the payment and then modifies the order (i.e. - tagging a value into the custom field)
  • "Process payment and review" → Processes the payment and then places the order into the Fraud Review order management page.
  • "Decline transaction" → Gives the customer a decline message at the point of finalizing the order.

Flag for Review

If you select the flagged for review option then the orders will be sent to:

When you bring up the order within Accounts Receivable the merchant notes will contain an automatic note generated by the fraud rule.  In the example below the order tripped the rule "If transaction exceeds 25.00, then flag for review".  You can see the merchant comments has a note informing the user why the order was sent to the Accounts Receivable department.

User Notifications

Make sure that you have configured one or more users to receive the "Process Credit Card Payment" & "Fraud Review" notification located:

Home     Configuration     Users

Receipt Email

By default the customer will receive a receipt email even if their order is sent to Accounts Receivable for review. 

If you want to change this behavior, navigate:

Home     Configuration     Email Notifications Email Templates

For the receipt template choose the option "Hold Receipt Until Payment Processes". This will cause the receipt email to be held until you successfully process the payment within the Accounts Receivable section.

Visit Email Notifications page at: Email Templates - Email Notifications

Best Practices

Wow, there sure is a lot of functionality in the fraud prevention system, but I'm new to fraud prevention so what are the best practices for an initial setup?

CategoryRuleRecommend ValueComments
ExemptionIf IP address matchesEnter the IP address for your office and/or call centerIf you don't know what you IP address is then go to and it will tell you your IP address.
ExemptionIf Customer logged into profile with pricing tier
You typically don't want to block your B2B customers with profiles for any reason.
Credit CardIf single transaction exceeds2X average sale = flag for review, 4X average sale = declineMake sure fraudsters aren't using your store to test the maximum card limits.
Credit CardIf user changes credit card number this many times for attempted transactions4Make sure fraudsters aren't testing a bunch of cards on your account to find valid ones.
Credit CardIf prepaid or gift card (Note: This is a 3rd party service and will cost you $0.05/card validated)
Use this rule on your free trial items.  See this blog post for the importance of this rule.
IP/SubnetIf weekly attempted transaction count for IP Subnet Exceeds10Prevent fishing attempts from the same IP addresses.
AddressIf fraud score exceeds5 = Flag For ReviewThis is our legacy fraud prevention system which uses a 3rd party and provides a good holistic check of the order.
AddressIf billing address does not match shippingFlag for ReviewUse this if you have high value products and strict AVS checking configured on your credit card rules.
AffiliateIf affiliate generates multiple sales with the same IP address within one week  
The same IP rarely should be generating multiple sales.  You must be using the UltraCart affiliate system for this rule to work.


UltraCart collects statistics of how each rule performs on a daily basis.  To access the report go to:

The report is easy to run.  Just pick a date range as shown below.  There are quick selectors on the right to make things easy.

The report that opens is an Excel spreadsheet as shown below.

For each rule there is a column by date of the number of times the rule was checked, # of declines (or exemptions), # of passes, and percentages.  The far right column of the spreadsheet will summarize the information for the date range.  In this example spreadsheet we can see that the rule to block prepaid/gift cards on our free trial blocked 3.85% of the transactions for the time period.

Frequently Asked Questions

Q: What message does the customer receive when they trip a fraud filter?

A: If the fraud rule is set to decline and you did not enter an optional customer message than the message "Your payment has been declined.  Make sure the billing address matches the location that the credit card statement is mailed.  Please verify the information and try again." is returned to the customer.  

Q: Will the customer receive a receipt if the order is held for review?

A: See the Flag For Review section above which covers this.  There are options on the email notification configuration that you can adjust.

Q: I have linked multiple UltraCart Accounts together, if I link a new account, will the existing fraud rules apply?

A: Yes, the existing fraud rules be auto populated to newly linked accounts.