Introduction
Nuvei guarantees to do its best to detect and prevent fraud in real-time and offline, but at the end of the day, the Nuvei platform is a decision supportive system and your cooperation and actions are crucial to secure your processing account in the long term.
The purpose of this guide is to provide you with a smooth onboarding process, in a way that makes you aware of the risks involved in card-not-present (CNP) processing, as well as Nuvei’s products and services built from years of experience with mitigating risks.
The guide provides you with an overview of common terminology and regulations and describes your initial fraud screening profile that was customized for you during your onboarding process.
Your initial profile detailed in this guide might be different according to the rules’ compatibility/efficiency and emerging fraud trends.
To learn more about risk services contact us at RiskSupport@nuvei.com.
Nuvei Services
There are many fraud-screening services to help merchants assess the risk of a transaction and authenticate the cardholder to prevent chargebacks.
Nuvei provides you with three types of services for mitigating chargebacks:
- Standard services include real-time fraud prevention through Nuvei’s Rule Engine, access to the Case Management System, Screening Profile Overview and Chargeback Re-presentments.
- Personalized services include personal risk analysts.
- Added Value services include the 3D-Secure Authentication Program, Dynamic 3D, AVS check and CVV check.
Standard Services
Fraud Prevention Rule Engine
Nuvei’s rule engine provides real-time fraud prevention via your Nuvei payment page. The rule engine runs during the pre-authorization phase of a transaction and its decision can impact the flow of the authorization in the acquirer bank. Nuvei’s fraud screening rules can block or flag transactions for review for a particular user that matches the logical conditions of the rules. In addition, rules can be configured to automatically blacklist transactions according to elements such as credit card, email address, user ID, IP address and more.
The risk engine has three responses to transactions: accept the transaction, reject it, or flag it for review.
When the risk engine accepts a transaction, the transaction passes to the acquirer bank.
When the risk engine rejects a transaction, the transaction is not passed to the acquirer bank for authorization, and the merchant receives a detailed response with the reasons why that the transaction was rejected.
When the rule engine flags a transaction for review, the transaction passes to the acquirer bank and the merchant receives a response with the reasons for review.
Additionally, you can refund or void suspicious transactions before they become chargebacks through the Case Management System.
Nuvei’s risk platform is proactive in combating fraudulent transactions and can be customized to your needs to automatically blacklist customers according to specific fraud rules or when a transaction has been reported as a chargeback.
Screening Profile Overview
Listed below are categories of rules available in the rule engine.
For the specific rules that have been configured to your account, please refer to the Control Panel, Risk > Client Fraud Rules:
The table below provides a list of the categories that are mapped to groups of Nuvei’s fraud screening rules. A category is displayed in the Nuvei Control Panel in the Transaction Report when a transaction is filtered due to a Custom Fraud Screen.
| # | Rule Categories | # | Rule Categories |
|---|---|---|---|
| 1 | 3D-Secure information | 15 | Inconsistency by IP address |
| 2 | Airline information | 16 | IP information |
| 3 | Banned Countries | 17 | List management global level |
| 4 | Billing information | 18 | List Management industry level |
| 5 | Credit Card Information | 19 | List management merchant level |
| 6 | Customer verification | 20 | Merchant information |
| 7 | Default Parameters | 21 | Merchant limits |
| 8 | Duplicate Charges | 22 | Merchant velocities |
| 9 | Geo-location | 23 | Names Conflict |
| 10 | Global Limits | 24 | Restricted Gambling Countries |
| 11 | Global velocities | 25 | Shipping information |
| 12 | Inconsistency by Billing address | 26 | Transactional information |
| 13 | Inconsistency by Credit Card | 27 | User information |
| 14 | Inconsistency by Email address | 28 | User Seniority |
Case Management System
Nuvei’s Case Management system enables you to be proactive in your risk management. Through the Case Management system, your Risk Team can collaborate with the Nuvei Risk Team to mitigate the risks of fraudulent transactions and is embedded within Nuvei’s portal.
Through the Case Management system, real-time alerts are received for transactions that have been flagged for review by the rule engine, offline reports, or the Nuvei Risk Team.
With the Case Management system, you can independently review transactions, flag users, issue refunds, void transactions, perform follow-ups, blacklist and whitelist users and parameters such as Email addresses, and send live feedback to the Nuvei Risk Team. Nuvei logs all alerts and feedback in the system.
Merchants can cancel/void transactions prior to the transmission of the transaction to the acquiring bank. This allows merchants to decrease chargebacks and prevent even greater losses in cases where an affiliate sends bad traffic.
All alerts and merchant feedback are documented in the system. Nuvei’s Risk Team is able to measure the efficiency of fraud detection for each merchant’s account. The Risk Team can then further customize parameters and fine-tune the merchant’s risk profiles for better performance.
Chargeback Re-presentments
Nuvei handles disputes on behalf of clients. For more information about the re-presentment process and necessary documents, please refer to Appendix 5.
Personalized Services
Personalized services are customized services, which Nuvei can provide you in addition to standard services.
Risk Analyst
A personal risk analyst is responsible for your account in terms of monitoring and payment optimization including, but not limited to, reviewing fraud screening rules efficiency, chargeback ratio, fraud trends and conversion ratio. Your risk analyst is your focal point for any inquiry, customized analysis, or reports. The Risk Team handles post-process actions, such as blocks and whitelists, as well as answering merchant emails and inquires. For merchants eligible for personalized services, the Risk Team also performs manual reviews of suspicious transactions.
Emails to the risk analysts should be sent to RiskSupport@nuvei.com. They are then forwarded to your personal risk analyst.
You can reach a risk analyst at: +44 20 3051 3031 ext. 5666
Added Value Services
Added value services are provided by Nuvei in addition to the standard and personalized services. This section provides a brief description of the Nuvei’s added value services.
3D-Secure Authentication Program
3D-Secure is a credit card authentication program implemented by Visa and Mastercard to reduce fraudulent purchases by verifying the cardholder’s identity during online transactions. The Nuvei Gateway can act as an MPI (Merchant Plug-in) for 3D-Secure when processing transactions.
The benefits of implementing 3D-Secure include a reduction in disputed transactions and chargebacks with fraud reasons and their resulting financial expenses.
3D stands for three domains:
- Issuer Domain
The issuer is responsible for managing the enrollment of their cardholders to the service and the authentication of the cardholder during an online purchase.
- Acquirer Domain
The acquirer is responsible for ensuring that the merchant participating in the transaction is operating under a merchant agreement and is also responsible for the actual processing of the authenticated transaction.
- Interoperability Domain
This domain facilitates the transaction exchange between the other two domains with a common protocol and shared services.
Transaction Flow
ECI
An Electronic Commerce Indicator (ECI) value is the result of a 3DS authentication request, returned by a Directory Server (“issuer ACS”) (namely Visa, MasterCard, JCB, and American Express).
Possible ECI data values:
An Electronic Commerce Indicator (ECI) value is the result of a 3DS authentication request, returned by a Directory Server (“issuer ACS”) (namely Visa, MasterCard, JCB, and American Express).
Possible ECI values:
ECI = 5 (VISA), 2 (Mastercard): This value is set by the ACS in the Payer Authentication Response message when the cardholder successfully passes 3D-Secure payment authentication leading to a shift in liability.
ECI = 6 (VISA), 1 (Mastercard): This value is set by the merchant when the merchant attempted to authenticate the cardholder using 3D-Secure, but the issuer or cardholder was not participating, or set by an ACS when the issuer or cardholder was not participating, or an issuer ACS was not able to respond, leading to a shift in liability.
ECI = 7 (VISA, MasterCard), 6 (Mastercard): This value is set by the Merchant when the payment transaction was conducted over a secure channel (for example, SSL/TLS), but payment authentication was not performed, or when the issuer responded that authentication could not be performed, leading to no shift in liability.
Below is a table that contains the ECI values per 3D version:
3D1:
| Credit Card Type | ECI | Enrollment | Authentication | Chargeback Protection |
|---|---|---|---|---|
| Mastercard | 2 | Y | Y | Yes |
| A | Yes | |||
| 1 | Y | A | Yes | |
| N | - | Yes | ||
| 6 | N | - | No | |
| 7 | U | - | No | |
| E | - | No | ||
| Y | N | No | ||
| E | No | |||
| U | No | |||
| A | No | |||
| - | No | |||
| Visa | 5 | Y | Y | Yes |
| A | Yes | |||
| 6 | Y | A | Yes | |
| N | - | Yes | ||
| 7 | U | - | No | |
| E | - | No | ||
| Y | N | No | ||
| E | No | |||
| U | No | |||
| A | No | |||
| - | No |
3D2:
| Credit Card Type | ECI | Enrollment | Authentication | Chargeback Protection |
|---|---|---|---|---|
| Mastercard | 2 | Y | Y | Yes |
| C | Y | Yes | ||
| 1 | A | A | Yes | |
| C | A | Yes | ||
| 6 | N | N | No | |
| 7 | R | - | No | |
| N | - | No | ||
| C | Y | No | ||
| - | No | |||
| U | - | No | ||
| Visa | 5 | Y | Y | Yes |
| C | Y | Yes | ||
| 6 | A | A | Yes | |
| 7 | R | - | No | |
| N | - | No | ||
| C | Y | No | ||
| - | No | |||
| U | - | No | ||
| - | No |
Whether you have a liability shift or not depends on the combination of the enrollment and authentication result.
Results Explanations
| Result | Enrollment | Authentication |
|---|---|---|
| N | Cardholder not participating | Authentication failed |
| U | Unable to authenticate | Authentication could not be performed |
| E | Critical field validation failed | Error |
| Y | Card participate | Authentication successful |
| A | - | Attempts processing performed |
Exceptional Cases
Every user has the right to ask their issuer bank for clarification and details. Even though a transaction was processed through 3D-Secure, a retrieval request or report as fraud may occur when a cardholder does not recognize a charge in their credit card’s monthly statement.
It is also possible to get a chargeback from any user who is authenticated via 3D-Secure, but only under the following circumstances:
- The chargeback reason is a customer service reason.
- The credit card is a commercial (corporate, business, gift card) credit card and the user was not fully authenticated.
- When the ECI result is (for MasterCard: ECI=6) (for VISA: ECI=7) and the enrollment status or authentication status returned an error (U, E, N).
3D1 was still used until October 2021 (1 October 2021 Mastercard and 16 October 2021 Visa). Since that date, the schemes remove the fraud liability shift for authentications attempted with 3D1 on account ranges not enrolled to 3D1 (cases of ECI 1 and 6). Fraud liability is with the merchant on attempted authentications where Issuer doesn’t participate in 3D1.
There is no change to liability shift for 3D1 fully authenticated transactions (meaning when Issuer supports 3D1). As it is today, the liability is with the Issuer.
In the meantime, 3D1 has higher fees and may lead to a high decline rate. If an Issuer continues to support 3D1, a merchant receives fraud-related dispute protection for ECI6, ECI5.
The final 3D1 decommission is planned by Visa and Mastercard on 15 October 2022.
Enhanced 3D Options: Dynamic 3D
The Dynamic 3D feature allows Nuvei to dynamically manage a 3D-Secure flow for suspicious orders based on multiple criteria in the rule engine in real-time.
Nuvei minimizes the merchants’ risk of chargebacks and fraud, while converting high-risk traffic into payments instead of automatically rejecting them during the fraud screening flow.
Suspicious flagged users are given an option to pay via a secured flow, and if authentication has been successfully completed, Nuvei accepts these transactions as legitimate transactions and ensures a liability shift in the event of a chargeback.
Routing parameters include the following parameters:
- Credit card company
- Transaction amount
- Currency
- Issuer bank
- BIN
- Device type
- BIN or Billing country
- BIN – Billing location mismatch
- Seniority by card or email
- Website
CVV Check
CVV2 (Card Verification Value) reduces credit card fraud by ensuring that the card number is legitimate, and that the customer physically possesses the credit card. The CVV number is printed on the back side of a credit card next to the signature panel.
Nuvei connects to Visa, Mastercard and AMEX networks to verify that the card verification number that appears on the back of a credit card matches the credit card number provided by the customer.
The result can be seen in the Transaction Search section in the Control Panel or in the API response from our server.
The possible CVV2 responses are listed below:
| Code | Result |
|---|---|
| M | CVV2 Match |
| N | CVV2 No Match |
| P | Not Processed |
| U | Issuer is not certified and/or has not provided Visa the encryption keys |
| S | CVV2 processor is unavailable |
AVS Check
Address Verification Service (AVS) enables merchants to verify the address of a cardholder. Nuvei’s AVS checking service verifies the billing address of the credit card provided by the customer against the address on file at the credit card company.
AVS has almost full coverage in the US, Canada, and UK. (For rest of the world it is supported when the issuer supports it.) In order to be able to receive AVS results you need to make sure that you send the relevant information in the Address, City, ZIP Code, State, and Country fields for all transactions processed from these countries.
The result can be seen in the transaction search in the Control Panel and in the API response from our server.
When sending a transaction for address verification, you receive one of the following responses from the issuing bank:
| Code | Summary | Value Description |
|---|---|---|
| X / Y / D / M / F | Match | Street address and ZIP code both match. |
| A / B | Partial Match | Street address matches, but ZIP code does not match. |
| W / Z / P | Partial Match | Street address does not match, but ZIP code matches. |
| N / I / C | No Match | Street address and ZIP code do not match. |
| G / S | Not Supported | Issuing bank does not support AVS. |
| U | System Unavailable | • Address information unavailable. Returned if non-US. • AVS is not available or the AVS in a U.S. bank is not functioning properly. |
| R | System Unavailable | Retry - Issuer's System Unavailable or Timed Out. |
The table below provides a list of the categories that are mapped to groups of Nuvei’s fraud screening rules. A category is displayed in the Nuvei Control Panel in the Transaction Report when a transaction is filtered due to a Custom Fraud Screen.
Below is a table that contains the ECI Values:
Results Explanations
The possible CVV2 responses are listed below:
When sending a transaction for address verification, you receive one of the following responses from the issuing bank: