I received an order that was marked with medium risk of fraud by Shopify’s automatic fraud detection system. I’ve looked at the results of the fraud analysis and the only thing that I don’t understand is the CVV code being unavailable. What does this mean? That the CVV code is invalid? If so, how could the customer successfully place an order? Don’t invalid CVV-codes lead to immediate rejection of an attempted card payment?
Furthermore, I would appreciate suggestions for how to proceed with the order. If we should contact the customer, what should we ask them to do do verify the validity of the order?
Posting fraud analysis below.
Neutral
Some characteristics of this order are similar to fraudulent orders observed in the past
Neutral
Card Verification Value (CVV) isn’t available
Neutral
Billing address or credit card’s address wasn’t available
Neutral
Billing address ZIP or postal code isn’t available to match with credit card’s registered address
Neutral
A payment method other than a credit card was used
Neutral
Location of IP address used to place the order is MASKED, Sweden
Positive
There was 1 payment attempt
Positive
Shipping address is 48 km from location of IP address
Positive
Billing country matches the country from which the order was placed
Positive
The IP address used to place the order isn’t a high risk internet connection (web proxy)
There are a number of different ways and questions you can ask the customer when you contact them to verify the validity of the order:
Call the number on the order
Search for the email address
Verify the addresses (I see they are different here, but if the customer can verify them it would be hugely helpful).
Verify the IP address
Shopify has a helpful guide with more information on this too which you can find here. It would be up to you to decide whether or not to accept the order though. My take is, if you aren’t comfortable or sure about it, then I wouldn’t accept it, but everyone is different and it is ultimately up to the store owner.
Regarding your question on the CVV number. There is another Shopify help guide which you can read here that has a note about CVV numbers which can be seen below:
Not all banks support AVS and CVV security checks. When it’s enabled, AVS and CVV fraud filters apply only to orders where the customer’s card-issuing bank supports these checks. If a bank doesn’t support AVS or CVV security checks, then the order is processed, but the security check isn’t flagged as a risk indicator in the risk analysis tool.
I wonder if this could be the case for this order?
The CVV is the last 3 digits on the back of the credit card. It’s used as a secondary verification method so knowing the digits on the front of the credit or debit card isn’t enough to prove ownership.
From my understanding, the CVV code is not always required. There are some transactions that aren’t required to accept a CVV. Think of purchasing gas for your car at a gas station. They ask you for your ZIP code, but not your credit card’s CVV.
In this case, Shopify is just telling you the CVV wasn’t prompted for this transaction, therefore that additional verification piece is missing.
Unavailable == not prompted to the customer
Incorrect == prompted to the customer & the customer provided an incorrect CVV
Shopify offers 2 different ways to add additional verification to help prevent fraud. CVV is one, AVS is the other.
To enable either, follow these directions:
From your Shopify admin, go to Settings > Payments.
In the Shopify Payments section, click Manage.
In the Fraud prevention section, check the options that you want to use to automatically decline charges.
Hi Dylan, thanks for your answer. The option to deny non-CVV-verified payments was already activated. How come the customer was still able to place an order without CVV?
It turns out that we got this message in the fraud analysis system because the person had ordered with Klarna invoice. Quite ridiculous that this leads to an increased fraud risk in the system since no CVV code is required when paying with invoice.
I had this issue too. Billing address & zip matched but it said CVV unavailable and marked as “Low Fraud Risk”. I am unfamiliar with the way Klarna works, but is a customer able to use it for any online store, even if the business is not associated with Klarna?
This is actually unacceptable especially for businesses who sell digital products. Why would shopify allow these fraudulent orders to go through? I’m slowly but surely gaining more reason to leave Shopify and go else where because my business is not protected on top of increasing prices in April. Paying more per month for Shopify to allow scammers to go through with orders on my website is ridiculous. Shopify count your days
Even if you have it checked as decline the transaction if no CVV or AVS they still put the order in and put it at low risk. This and address verification is a key feature and they don’t provide any verification for these. So anyone can order and charge back. They say it is low risk because the transaction is made one time. There is no valid protection with Shopify payment.
How are they able to put the order in and change it to low risk if I have it set to decline transaction? Am I missing something? This order wasn’t switched to low risk it was always high risk. My digital products were set to deliver automatically so I’m not able to verify. I recently switched it to where I have to fulfill the item manually, giving me time to double check verification. I would rather refund and not fulfill than go through another chargeback with Shopify.
