How to Avoid False Positives in Authorize.net AFDS
Authorize.net is one of the largest payment gateways in the world, owned and operated by Visa. Most merchants across the country and many around the world are using it to process ACH and credit card purchases, and take advantage of a variety of other services.
One of those key services is AFDS, or the Advanced Fraud Detection System.
AFDS serves as a filtering layer for purchases, as a way to detect and stop fraud before it happens. It’s a powerful engine you can use to set up rules and IP address filtering, which helps you identify potential fraud and stop it before it causes problems.
Since fraudulent transactions are near-universally reversed, often with a damaging chargeback attached, it’s a very useful tool for minimizing the problems that can occur as a merchant.
There’s just one problem: it can be prone to false positives, which prevent legitimate transactions from going through. Since it’s based on rules you configure yourself, it’s easy to set something the wrong way and end up filtering good customers.
How do you skirt the line between a filter that is too lax and lets fraud through, and a filter that is too strict and prevents legitimate business? It’s all in how you use the system.
How AFDS Works
Let’s start with an overview of the features and rules you can use in the AFDS.
At the top level, the AFDS is a set of rules you can configure to process and limit transactions handled by your account. The rules you set define what constitutes potential fraud, and you can customize them to suit the specific needs of your business, since rules that work for one brand might not work for another.
For example, a brand located in the United States that ships large physical items only to the continental US could set rules that prohibit transactions coming from IP addresses overseas, since no legitimate customer could be ordering from those locations. A brand with a digital product that can be fulfilled anywhere in the world wouldn’t need that kind of location filtering. That’s a very simple example of the kinds of differences you can customize around using AFDS.
When you run AFDS over your transactions, there are five possible results.
- The transaction doesn’t trigger any rules and is authorized as normal, processed, and fulfilled as per your usual process.
- The transaction triggers a rule, but is authorized as normal. You’re notified that the filter has been triggered. This is most often used as a way to check test transactions and validate your rules.
- The transaction is authorized, but held for review. This is a 30-day queue you have to manually review, where you can accept or void the transaction. Anything ignored for 30 days is automatically voided. This is useful for edge cases where most transactions are fine, but a few might be fraudulent, and you can tell in a way the rules can’t.
- The transaction is not authorized and is held for review. Any transaction that triggers these filters is held in a five-day queue for you to either approve it or decline it. This is most useful for cases where the majority of transactions tripping the filter will be fraudulent, but now and then, you might want to approve one.
- The transaction is fully declined. If you set up the rules such that anything that trips them is guaranteed to be fraud, or the chance is so high that catching a legitimate transaction is both rare and not valuable to avoid, you can automatically decline those transactions.
What it all comes down to is the rules and how you use them.
Exploring the Authorize.net AFDS Rules
Now let’s take a look at the specific rules you can set. The rules fall into four broad categories.
Card Testing Settings
“Card testing” is the financial term for when scammers or fraudsters are going through a list of credit cards and checking to see if they’re valid and work. Since they need a store to test them on, they look for stores that process small transactions that look fairly standard on a bank statement, so they can slip under the radar when the customer checks their statements.
There are four possible filters you can set in this category.
- Daily Velocity. This allows you to set a limit on the number of transactions you process in a day. If you know you’re usually getting under 50 transactions per day and you suddenly start seeing more, it might be high-volume card testing.
- Hourly Velocity. This is the same as daily velocity, but for an hourly basis, for shops that do relatively steady business throughout the day.
- Suspicious Transactions. Using a set of “proprietary criteria” set by Authorize.net, this filters transactions and looks for anything that meets their definition of suspicious. What are those criteria? They won’t say.
- Transaction IP Address. This is not geographic filtering. Instead, it’s a filter for the maximum number of transactions allowable from a single IP address per hour. Since card testing is usually performed from the same location, and since customers are unlikely to be making large numbers of transactions per hour instead of single larger purchases, this can be a good filter for stopping fraud.
Transaction Settings
This second batch of filters relates specifically to ways to validate and verify transactions, as an added layer of fraud prevention.
There are three filters you can use in this section.
- Enhanced AVS Handling. AVS is the Address Verification Service, and it’s a standard feature that helps by checking whether the address submitted by the customer matches the address on file with the card. Enhanced AVS handling gives you more nuance and options for filtering using the standard AVS.
- Enhanced CCV Handling. CCV is the Card Code Verification service, using that numerical code on the back of a card to validate the card itself. Enhancing this filtering gives you more nuance and options for filtering CCV issues.
- Amount Filtering. This allows you to specify a minimum cart value and a maximum cart value to help prevent minuscule testing transactions or overly large fraud transactions.
E-Commerce Settings
The third batch of filters is aimed at e-commerce fraud that is less likely in person or impossible outside of the world of e-commerce.
There are four filters here.
- Shipping Address Verification. All this does is validate that the shipping address is a real address, which helps prevent things like brushing scams.
- IP Shipping Address Mismatch. This checks to see if the IP address of the order does not match the shipping address. Useful if you typically don’t see people ordering on behalf of others or as gifts.
- Regional IP Address Filtering. This lets you flag IP ranges based on geographic areas or countries, and pre-emptively flag transactions from high-risk locations.
- Shipping-Billing Mismatch. This allows you to flag transactions where the shipping address and the billing address are different, and you can even specify how different.
IP Address Administration
The final set of settings gives you filters related to IP addresses and specific blocking.
There are two filters here, though they are some of the broadest and most customizable filters.
- Authorized API IP Addresses. If you process transactions using an API, one of the biggest strengths of Authorize.net is that you can create an allowlist of IP addresses allowed to send over the API. This helps you prevent abuse using API access from unapproved sources.
- IP Address Blocking. This allows you to block specific IP addresses if those IP addresses are known to be the source of fraudulent transactions.
Avoiding False Positives with AFDS
So, how do you avoid false positives?
A false positive is when the rules are configured in such a way that they catch transactions that are legitimate. That means you have rules set such that they’re too strict.
One of the most common examples is something I’ve already mentioned: gifts and buying on behalf of others. If your parent or child decides to order you something for your birthday, the mismatch in addresses can trip several different flags here, and each of those would be a false positive.
There’s no one set of suggestions I can give you to prevent false positives. You need to think about the kinds of people who shop with your business, where transactions are likely to come from, and how to smartly use the filters to cut off anything outside of that normal use case.
I recommend a few key steps.
- Start with soft filters that aren’t overly strict. You’ll let more fraud through, but that’s what Fight Disputes is for.
- Use the trigger method that lets you review and approve transactions, rather than deny them outright. This way, you can see if a rule is catching legitimate transactions and loosen it.
- Incrementally tighten your filters until you reach a sweet spot where they catch most of your fraud, but don’t catch legitimate transactions.
It takes time and iteration, but there’s never a one-size-fits-all solution in the ever-changing world of fraud.
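An added example (not from Authorize.net or the original post) of the tighten-and-review loop above, applied offline to the Transaction IP Address filter: it replays labelled past transactions against candidate per-IP hourly limits and stops tightening just before a legitimate order would be flagged. The records, their layout, the fraud labels and the sliding one-hour window are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample history: (timestamp, source IP, later confirmed as fraud?)
# IPs come from documentation ranges; labels stand in for chargeback outcomes.
def _t(hhmm):
    return datetime.strptime("2024-01-15 " + hhmm, "%Y-%m-%d %H:%M")

HISTORY = (
    # card-testing burst from one address: 8 attempts in 14 minutes
    [(_t("02:%02d" % m), "203.0.113.9", True) for m in range(0, 16, 2)]
    # office behind one shared address: 4 legitimate orders within an hour
    + [(_t("12:%02d" % m), "198.51.100.20", False) for m in (5, 20, 35, 50)]
    # ordinary shoppers, one order each from distinct addresses
    + [(_t("%02d:10" % h), "192.0.2.%d" % h, False) for h in range(9, 18)]
)

def replay(history, max_per_ip_per_hour):
    """Return (fraud_flagged, legit_flagged) for a per-IP hourly limit."""
    window = timedelta(hours=1)   # assumed sliding window
    recent = defaultdict(deque)   # ip -> timestamps inside the last hour
    fraud_flagged = legit_flagged = 0
    for ts, ip, is_fraud in sorted(history):
        q = recent[ip]
        while q and ts - q[0] >= window:
            q.popleft()           # drop entries older than one hour
        q.append(ts)
        if len(q) > max_per_ip_per_hour:  # this transaction exceeds the limit
            if is_fraud:
                fraud_flagged += 1
            else:
                legit_flagged += 1
    return fraud_flagged, legit_flagged

def tighten(history, start=10, floor=1):
    """Lower the limit one step at a time; stop before legit orders are hit."""
    best = start
    for limit in range(start, floor - 1, -1):
        _, legit = replay(history, limit)
        if legit:
            break                 # this limit would hold real customers
        best = limit
    return best, replay(history, best)

if __name__ == "__main__":
    for limit in (10, 4, 3, 2):
        print(limit, replay(HISTORY, limit))
    print("chosen:", tighten(HISTORY))
```

In this sample the office orders sharing one address set the floor: a limit of 4 flags half of the card-testing burst, while 3 would start holding real customers.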
Is Authorize.net’s AFDS Right for You?
If you made it some of the way through this post and noticed your eyes glazing over and your scroll finger moving faster, it’s no surprise.
AFDS and Authorize.net, in general, are very powerful. But that power comes at a cost, which is time and investment in the knowledge necessary to use the tools to their fullest. If you aren’t able to use them to the max, you’re at best wasting money, and at worst harming your business.
At a cost of $25 per month plus 10 cents daily and 10 cents per transaction (for the gateway, which includes the AFDS), Authorize.net can be fairly pricey for small businesses. Stripe is free, and Clover has a lower initial cost at just $15.
On the flip side, while it’s robust and quite customizable, it’s not quite as customizable or flexible as the kinds of gateways that truly large enterprises will need. It’s best suited to a sweet spot in the middle, where the needs of a growing business have exceeded the simpler payment gateways, but haven’t reached the needs (or the budget) necessary for high-end merchant tools.
So, is Authorize.net something you should use, or should you consider a different gateway?
It all depends on what your business needs. Small businesses with small budgets might not want to hand over the fees necessary to use Authorize.net. Mid-sized businesses, online retailers, subscription services, and similar brands can make good use of the suite and its tools. Larger businesses will outgrow it.
If you choose to use Authorize.net and make use of the Advanced Fraud Detection System, it can give you a good amount of protection, but there will always be some amount of fraud that can slip through. No system is perfect, after all.
That’s where we come in. The Fight Disputes system has a direct link with the payment processors and can near-instantly notify you if a customer has filed a dispute with their bank or credit card company. Rather than allow a chargeback to process before you’re able to react, we alert you right away, so you can reach out and ask the customer what’s going on.
- If there’s an issue with your product, your customer service can step in and solve the problem.
- If there’s fraud, you can issue a refund rather than have the funds clawed back (with added fees) in a chargeback.
- If there’s evidence of friendly fraud or other attempts to defraud your business, you can present that evidence to the bank and have the chargeback cancelled in your favor.
If you use Authorize.net’s AFDS, you can stop a lot of fraud before it reaches you. Anything that does slip through, you can rely on us to help you solve it before it becomes a problem for your merchant account.
Want to know more? Reach out! We’re always around to answer any questions you may have.