Risk Guide

Introduction

Nuvei guarantees to do its best to detect and prevent fraud in real time and offline. Ultimately, however, the Nuvei platform is a decision-support system, and your cooperation and actions are crucial to securing your processing account in the long term.

The purpose of this guide is to provide you with a smooth onboarding process, in a way that makes you aware of the risks involved in card-not-present (CNP) processing, as well as Nuvei’s products and services built from years of experience with mitigating risks.

The guide provides you with an overview of common terminology and regulations and describes your initial fraud screening profile that was customized for you during your onboarding process.

Your initial profile, as detailed in this guide, might differ depending on the rules’ compatibility and efficiency and on emerging fraud trends.

To learn more about risk services, contact us at RiskSupport@nuvei.com.

Nuvei Services

There are many fraud-screening services to help merchants assess the risk of a transaction and authenticate the cardholder to prevent chargebacks.

Nuvei provides you with three types of services for mitigating chargebacks:

  • Standard services include real-time fraud prevention through Nuvei’s Rule Engine, access to the Case Management System, Screening Profile Overview and Chargeback Re-presentments.
  • Personalized services include personal risk analysts.
  • Added Value services include the 3D-Secure Authentication Program, Dynamic 3D, AVS check and CVV check.

Standard Services

Fraud Prevention Rule Engine

Nuvei’s rule engine provides real-time fraud prevention via your Nuvei payment page. The rule engine runs during the pre-authorization phase of a transaction and its decision can impact the flow of the authorization in the acquirer bank. Nuvei’s fraud screening rules can block or flag transactions for review for a particular user that matches the logical conditions of the rules. In addition, rules can be configured to automatically blacklist transactions according to elements such as credit card, email address, user ID, IP address and more.

The risk engine has three responses to transactions: accept the transaction, reject it, or flag it for review.

When the risk engine accepts a transaction, the transaction passes to the acquirer bank.

When the risk engine rejects a transaction, the transaction is not passed to the acquirer bank for authorization, and the merchant receives a detailed response with the reasons why the transaction was rejected.

When the rule engine flags a transaction for review, the transaction passes to the acquirer bank and the merchant receives a response with the reasons for review.

Additionally, you can refund or void suspicious transactions before they become chargebacks through the Case Management System.

Nuvei’s risk platform is proactive in combating fraudulent transactions and can be customized to your needs to automatically blacklist customers according to specific fraud rules or when a transaction has been reported as a chargeback.

Screening Profile Overview

Listed below are categories of rules available in the rule engine.

For the specific rules that have been configured for your account, please refer to the Control Panel, Risk > Client Fraud Rules.

These rules are just an initial configuration. Nuvei may add or modify rules based on your needs and/or emerging fraud trends detected by the Nuvei platform.

The table below provides a list of the categories that are mapped to groups of Nuvei’s fraud screening rules. A category is displayed in the Nuvei Control Panel in the Transaction Report when a transaction is filtered due to a Custom Fraud Screen.

| # | Rule Categories | # | Rule Categories |
|---|---|---|---|
| 1 | 3D-Secure information | 15 | Inconsistency by IP address |
| 2 | Airline information | 16 | IP information |
| 3 | Banned Countries | 17 | List management global level |
| 4 | Billing information | 18 | List Management industry level |
| 5 | Credit Card Information | 19 | List management merchant level |
| 6 | Customer verification | 20 | Merchant information |
| 7 | Default Parameters | 21 | Merchant limits |
| 8 | Duplicate Charges | 22 | Merchant velocities |
| 9 | Geo-location | 23 | Names Conflict |
| 10 | Global Limits | 24 | Restricted Gambling Countries |
| 11 | Global velocities | 25 | Shipping information |
| 12 | Inconsistency by Billing address | 26 | Transactional information |
| 13 | Inconsistency by Credit Card | 27 | User information |
| 14 | Inconsistency by Email address | 28 | User Seniority |

Case Management System

Nuvei’s Case Management system enables you to be proactive in your risk management. The system is embedded within Nuvei’s portal, and through it your Risk Team can collaborate with the Nuvei Risk Team to mitigate the risks of fraudulent transactions.

Through the Case Management system, real-time alerts are received for transactions that have been flagged for review by the rule engine, offline reports, or the Nuvei Risk Team.

With the Case Management system, you can independently review transactions, flag users, issue refunds, void transactions, perform follow-ups, blacklist and whitelist users and parameters such as email addresses, and send live feedback to the Nuvei Risk Team. Nuvei logs all alerts and feedback in the system.

Merchants can cancel/void transactions prior to the transmission of the transaction to the acquiring bank. This allows merchants to decrease chargebacks and prevent even greater losses in cases where an affiliate sends bad traffic.

All alerts and merchant feedback are documented in the system. Nuvei’s Risk Team is able to measure the efficiency of fraud detection for each merchant’s account. The Risk Team can then further customize parameters and fine-tune the merchant’s risk profiles for better performance.

Chargeback Re-presentments

Nuvei handles disputes on behalf of clients. For more information about the re-presentment process and necessary documents, please refer to Appendix 5.

All chargeback notifications can be received in one of the following ways:

  • Case Management System
  • Chargebacks Report in Nuvei’s portal.

Personalized Services

Personalized services are customized services, which Nuvei can provide you in addition to standard services.

Risk Analyst

A personal risk analyst is responsible for your account in terms of monitoring and payment optimization including, but not limited to, reviewing the efficiency of fraud screening rules, chargeback ratio, fraud trends and conversion ratio. Your risk analyst is your focal point for any inquiry, customized analysis, or reports. The Risk Team handles post-process actions, such as blocks and whitelists, as well as answering merchant emails and inquiries. For merchants eligible for personalized services, the Risk Team also performs manual reviews of suspicious transactions.

Emails to the risk analysts should be sent to RiskSupport@nuvei.com. They are then forwarded to your personal risk analyst.

You can reach a risk analyst at: +44 20 3051 3031 ext. 5666

Added Value Services

Added value services are provided by Nuvei in addition to the standard and personalized services. This section provides a brief description of Nuvei’s added value services.

3D-Secure Authentication Program

3D-Secure is a credit card authentication program implemented by Visa and Mastercard to reduce fraudulent purchases by verifying the cardholder’s identity during online transactions. The Nuvei Gateway can act as an MPI (Merchant Plug-in) for 3D-Secure when processing transactions.

The benefits of implementing 3D-Secure include a reduction in disputed transactions and chargebacks with fraud reasons and their resulting financial expenses.

3D stands for three domains:

  • Issuer Domain

The issuer is responsible for managing the enrollment of their cardholders to the service and the authentication of the cardholder during an online purchase.

  • Acquirer Domain

The acquirer is responsible for ensuring that the merchant participating in the transaction is operating under a merchant agreement and is also responsible for the actual processing of the authenticated transaction.

  • Interoperability Domain

This domain facilitates the transaction exchange between the other two domains with a common protocol and shared services.

Transaction Flow

ECI

An Electronic Commerce Indicator (ECI) value is the result of a 3DS authentication request, returned by a Directory Server (“issuer ACS”) (namely Visa, MasterCard, JCB, and American Express).

Possible ECI values:

ECI = 5 (VISA), 2 (Mastercard): This value is set by the ACS in the Payer Authentication Response message when the cardholder successfully passes 3D-Secure payment authentication leading to a shift in liability.
ECI = 6 (VISA), 1 (Mastercard): This value is set by the merchant when the merchant attempted to authenticate the cardholder using 3D-Secure, but the issuer or cardholder was not participating, or set by an ACS when the issuer or cardholder was not participating, or an issuer ACS was not able to respond, leading to a shift in liability.
ECI = 7 (VISA, MasterCard), 6 (Mastercard): This value is set by the Merchant when the payment transaction was conducted over a secure channel (for example, SSL/TLS), but payment authentication was not performed, or when the issuer responded that authentication could not be performed, leading to no shift in liability.

Below is a table that contains the ECI values per 3D version:

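3D1:

| Credit Card Type | ECI | Enrollment | Authentication | Chargeback Protection |
|---|---|---|---|---|
| Mastercard | 2 | Y | Y | Yes |
| | | | A | Yes |
| | 1 | Y | A | Yes |
| | | N | - | Yes |
| | 6 | N | - | No |
| | 7 | U | - | No |
| | | E | - | No |
| | | Y | N | No |
| | | | E | No |
| | | | U | No |
| | | | A | No |
| | | | - | No |
| Visa | 5 | Y | Y | Yes |
| | | | A | Yes |
| | 6 | Y | A | Yes |
| | | N | - | Yes |
| | 7 | U | - | No |
| | | E | - | No |
| | | Y | N | No |
| | | | E | No |
| | | | U | No |
| | | | A | No |
| | | | - | No |

3D2:

| Credit Card Type | ECI | Enrollment | Authentication | Chargeback Protection |
|---|---|---|---|---|
| Mastercard | 2 | Y | Y | Yes |
| | | C | Y | Yes |
| | 1 | A | A | Yes |
| | | C | A | Yes |
| | 6 | N | N | No |
| | 7 | R | - | No |
| | | N | - | No |
| | | C | Y | No |
| | | | - | No |
| | | U | - | No |
| Visa | 5 | Y | Y | Yes |
| | | C | Y | Yes |
| | 6 | A | A | Yes |
| | 7 | R | - | No |
| | | N | - | No |
| | | C | Y | No |
| | | | - | No |
| | | U | - | No |
| | | | - | No |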

Whether you have a liability shift or not depends on the combination of the enrollment and authentication result.

Results Explanations

| Result | Enrollment | Authentication |
|---|---|---|
| N | Cardholder not participating | Authentication failed |
| U | Unable to authenticate | Authentication could not be performed |
| E | Critical field validation failed | Error |
| Y | Card participates | Authentication successful |
| A | - | Attempts processing performed |

Exceptional Cases

Every user has the right to ask their issuer bank for clarification and details. Even though a transaction was processed through 3D-Secure, a retrieval request or report as fraud may occur when a cardholder does not recognize a charge in their credit card’s monthly statement.

It is also possible to get a chargeback from any user who is authenticated via 3D-Secure, but only under the following circumstances:

  1. The chargeback reason is a customer service reason.
  2. The credit card is a commercial (corporate, business, gift card) credit card and the user was not fully authenticated.
  3. The ECI result is 6 for Mastercard or 7 for Visa, and the enrollment status or authentication status returned an error (U, E, N).

3D1 was still used until October 2021 (1 October 2021 Mastercard and 16 October 2021 Visa). Since those dates, the schemes have removed the fraud liability shift for authentications attempted with 3D1 on account ranges not enrolled in 3D1 (cases of ECI 1 and 6). Fraud liability is with the merchant on attempted authentications where the issuer doesn’t participate in 3D1.

There is no change to the liability shift for 3D1 fully authenticated transactions (meaning when the issuer supports 3D1). As it is today, the liability is with the issuer.

In the meantime, 3D1 has higher fees and may lead to a high decline rate. If an issuer continues to support 3D1, a merchant receives fraud-related dispute protection for ECI6, ECI5.

The final 3D1 decommission is planned by Visa and Mastercard for 15 October 2022.

Enhanced 3D Options: Dynamic 3D

The Dynamic 3D feature allows Nuvei to dynamically manage a 3D-Secure flow for suspicious orders based on multiple criteria in the rule engine in real-time.

Nuvei minimizes the merchants’ risk of chargebacks and fraud, while converting high-risk traffic into payments instead of automatically rejecting them during the fraud screening flow.

Suspicious flagged users are given an option to pay via a secured flow, and if authentication has been successfully completed, Nuvei accepts these transactions as legitimate transactions and ensures a liability shift in the event of a chargeback.

Routing parameters include the following:

  • Credit card company
  • Transaction amount
  • Currency
  • Issuer bank
  • BIN
  • Device type
  • BIN or Billing country
  • BIN – Billing location mismatch
  • Seniority by card or email
  • Website

CVV Check

CVV2 (Card Verification Value) reduces credit card fraud by ensuring that the card number is legitimate, and that the customer physically possesses the credit card. The CVV number is printed on the back side of a credit card next to the signature panel.

Nuvei connects to Visa, Mastercard and AMEX networks to verify that the card verification number that appears on the back of a credit card matches the credit card number provided by the customer.

The result can be seen in the Transaction Search section in the Control Panel or in the API response from our server.

The possible CVV2 responses are listed below:

| Code | Result |
|---|---|
| M | CVV2 Match |
| N | CVV2 No Match |
| P | Not Processed |
| U | Issuer is not certified and/or has not provided Visa the encryption keys |
| S | CVV2 processor is unavailable |

AVS Check

Address Verification Service (AVS) enables merchants to verify the address of a cardholder. Nuvei’s AVS checking service verifies the billing address of the credit card provided by the customer against the address on file at the credit card company.

AVS has almost full coverage in the US, Canada, and UK. For the rest of the world, it is supported when the issuer supports it. To receive AVS results, make sure that you send the relevant information in the Address, City, ZIP Code, State, and Country fields for all transactions processed from these countries.

The result can be seen in the transaction search in the Control Panel and in the API response from our server.

When sending a transaction for address verification, you receive one of the following responses from the issuing bank:

| Code | Summary Value | Description |
|---|---|---|
| X / Y / D / M / F | Match | Street address and ZIP code both match. |
| A / B | Partial Match | Street address matches, but ZIP code does not match. |
| W / Z / P | Partial Match | Street address does not match, but ZIP code matches. |
| N / I / C | No Match | Street address and ZIP code do not match. |
| G / S | Not Supported | Issuing bank does not support AVS. |
| U | System Unavailable | • Address information unavailable. Returned if non-US. • AVS is not available or the AVS in a U.S. bank is not functioning properly. |
| R | System Unavailable | Retry - Issuer's System Unavailable or Timed Out. |
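
The 3D2 liability table, the CVV2 result codes and the AVS codes above can be combined into one post-authorization triage step. The Python below is an added example, not Nuvei code: the transaction field names and the accept/monitor/review policy are assumptions, and only the 3D2 rows marked "Yes" are encoded, so any other combination is treated as having no chargeback protection.

```python
# Added example. Field names and the triage policy are assumptions, not Nuvei's API.

# (scheme, ECI, enrollment, authentication) rows marked "Yes" in the 3D2 table.
# Every other combination, including unknown schemes, is treated as unprotected.
LIABILITY_SHIFT_3D2 = {
    ("mastercard", "2", "Y", "Y"), ("mastercard", "2", "C", "Y"),
    ("mastercard", "1", "A", "A"), ("mastercard", "1", "C", "A"),
    ("visa", "5", "Y", "Y"), ("visa", "5", "C", "Y"),
    ("visa", "6", "A", "A"),
}

# AVS codes grouped by the "Summary Value" column of the AVS table.
AVS_SUMMARY = {
    code: summary
    for codes, summary in (("XYDMF", "match"), ("ABWZP", "partial"), ("NIC", "no_match"),
                           ("GS", "not_supported"), ("UR", "unavailable"))
    for code in codes
}

CVV2_RESULT = {"M": "match", "N": "no_match", "P": "not_processed",
               "U": "issuer_not_certified", "S": "unavailable"}

def _norm(txn, field):
    return str(txn.get(field, "")).strip().upper()

def has_liability_shift(txn):
    """True only for combinations the 3D2 table lists as protected (fail closed)."""
    eci = _norm(txn, "eci").lstrip("0")  # accept "05" as well as "5"
    key = (_norm(txn, "scheme").lower(), eci,
           _norm(txn, "enrollment"), _norm(txn, "authentication"))
    return key in LIABILITY_SHIFT_3D2

def triage(txn):
    """Return (decision, reasons) for one authorized transaction."""
    shift = has_liability_shift(txn)
    cvv = CVV2_RESULT.get(_norm(txn, "cvv2"), "unknown")
    avs = AVS_SUMMARY.get(_norm(txn, "avs"), "unknown")
    reasons = []
    if not shift:
        reasons.append("no 3DS liability shift")
    if cvv != "match":
        reasons.append("CVV2 " + cvv)
    if avs != "match":
        reasons.append("AVS " + avs)
    hard_mismatch = cvv == "no_match" or avs == "no_match"
    if hard_mismatch and not shift:
        return "review", reasons  # candidate for refund/void before a chargeback
    if hard_mismatch or not shift:
        return "monitor", reasons
    return "accept", reasons

# Constructed sample transactions (not real data).
FIELDS = ("scheme", "eci", "enrollment", "authentication", "cvv2", "avs")
SAMPLES = [dict(zip(FIELDS, row)) for row in (
    ("Visa", "05", "Y", "Y", "M", "Y"),
    ("Mastercard", "6", "N", "N", "N", "N"),
    ("Visa", "7", "U", "-", "M", "Z"),
    ("Mastercard", "02", "C", "Y", "N", "X"),
)]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["scheme"], sample["eci"], *triage(sample))
```
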

2022 Nuvei. All rights reserved.