Overview

Chargeback Protection (CBP) works best when paired with robust fraud prevention practices implemented at the application and transaction level—such as validating user behavior, monitoring anomalies, and securing data flows end-to-end.

Understanding fraud impact

Fraudulent transactions create cascading costs beyond the immediate financial loss:

| Impact Category | Examples |
|---|---|
| Direct Financial | Transaction amount, chargeback fees, dispute processing costs |
| Operational | Investigation time, customer service escalations, account monitoring |
| Reputational | Customer trust erosion, negative reviews, brand damage |
| Regulatory | Compliance penalties, audit requirements, legal exposure |
| Business Growth | Higher processing fees, difficulty obtaining financing, increased insurance costs |

Merchant-Led fraud prevention

Online transactions inherently carry risks; your proactive involvement in establishing and maintaining fraud prevention measures is paramount. By combining your unique knowledge of your business, customer base, and product offerings with proactive security practices, you can significantly reduce the likelihood of fraud impacting your business. The goal is to prevent fraud from occurring in the first place. Effective merchant-led fraud prevention helps you avoid exceeding the Monthly Loss Cap, the monthly limit on chargeback losses covered by CBP. By actively reducing fraud attempts, you are less likely to reach that limit. The following best practices will help fortify your defenses against fraud and maximize your overall financial security.

IT Infrastructure

A strong IT infrastructure forms the bedrock of your fraud prevention strategy and is the very first step for protecting your business.

  • Robust Passwords: Enforce strong, unique passwords (at least eight characters, mixing uppercase, lowercase, numbers, and special characters) for all employee accounts. Encourage a reputable password manager for secure storage and generation.
  • Phishing Awareness: Run regular training so staff can identify and report phishing attempts. Urge caution with suspicious links, attachments, and any request for sensitive information.
  • Updated Software: Keep operating systems current and deploy business-grade anti-malware and anti-spyware across all endpoints.
  • Secure Wi-Fi: Use a secure, private Wi-Fi network with a firewall, access restrictions, and a strong password. Avoid public Wi-Fi when handling business data.

Securing website and customer interactions

Beyond infrastructure, you can implement measures directly on your ecommerce platform to minimize risk and to form another layer of defense.

  • Transaction Limits or Payment Caps: Implement reasonable limits on the number of purchases and total transaction value from a single account within a timeframe. Tailor caps by credibility, payment history, and KYC completion—for example, a $1,000 daily limit and a $3,000 monthly limit.
  • CAPTCHA Verification: Use CAPTCHA challenges to mitigate suspected bot activity, especially during sudden traffic surges from a single IP address or location.
  • Strong Customer Authentication: Verify customer details at account creation (email, phone, shipping/billing). Enforce strong passwords and require two-factor authentication (2FA) for high-risk or high-value transactions.
  • Prevent Internal Collusion: Enforce communication monitoring, a clear code of conduct, mandatory ethics training, segregation of duties, regular audits, and prompt investigation of suspicious activity.
  • High-Risk Product Management: Apply stringent procedures for items prone to fraud (high-value or easily resold). Delay shipping until additional verification steps are completed.
  • 3D Secure: Add 3D Secure as an extra authentication layer for card transactions. Use it for high-risk flows such as gift cards, which are typically not covered by CBP.
  • Collaboration with PayPal: Work closely with PayPal’s fraud and risk teams to share insights, report emerging threats, and receive best-practice guidance.
  • Participation in Industry Fraud Networks: Join organizations like the Merchant Risk Council (MRC) to stay current on global fraud trends, share practices, and learn from peer merchants.
  • Account-Based Purchasing: Require customers to create accounts with verified contact and billing information before purchasing to increase traceability and accountability.
  • CVV Handling: Handle CVV securely—never store or transmit it unencrypted—to ensure only authorized cardholders can complete purchases.
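
The purchase caps from the first bullet, enforced as rolling windows, as an added example (not PayPal code): the class and tier names are hypothetical, the standard tier uses the $1,000 daily and $3,000 monthly figures above, and the lower tier for new accounts is a constructed value.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Caps in integer cents. The standard tier uses the page's example figures;
# the "new" tier is a constructed illustration of tailoring by KYC/history.
CAPS = {
    "standard": {"daily": 1_000_00, "monthly": 3_000_00},
    "new":      {"daily":   250_00, "monthly":   750_00},
}
WINDOWS = {"daily": timedelta(days=1), "monthly": timedelta(days=30)}


class SpendLimiter:
    """Rolling-window spend caps per account (in-memory; hypothetical helper)."""

    def __init__(self):
        self._history = defaultdict(deque)  # account_id -> deque[(time, cents)]

    def check(self, account_id, cents, tier="standard", now=None):
        """Return (allowed, reason). Only allowed purchases are recorded."""
        now = now or datetime.now(timezone.utc)
        if cents <= 0:
            return False, "invalid_amount"
        history = self._history[account_id]
        # Drop entries older than the longest window.
        while history and now - history[0][0] >= WINDOWS["monthly"]:
            history.popleft()
        for name, window in WINDOWS.items():
            spent = sum(c for t, c in history if now - t < window)
            if spent + cents > CAPS[tier][name]:
                return False, f"{name}_cap_exceeded"
        history.append((now, cents))
        return True, "ok"
```

With more than one application process, the check and the record must happen atomically in a shared store, otherwise parallel requests can each pass the cap.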

Even with robust merchant-led fraud prevention, some fraudulent transactions may still slip through. CBP acts as a vital layer of protection, mitigating the financial impact caused by eligible fraudulent transactions. CBP will cover the chargeback amount for cases it can protect against.

Maximizing CBP effectiveness

The quality and comprehensiveness of the data received significantly enhance CBP's effectiveness in identifying and protecting against fraudulent transactions. CBP leverages advanced data analytics to assess transaction risk, analyzing a wide range of factors, including payment details, velocity behavior, device data, geolocation, and other key characteristics. The following table outlines the required and recommended data integration points for CBP.

Note: Merchants must be using the latest SDK to leverage the capabilities of CBP fully. Providing the necessary data is crucial for CBP and is key to reducing fraud and avoiding the Monthly Loss Cap.

| Field | Description | API Reference Link | Status |
|---|---|---|---|
| Email | Email address composed of ASCII characters. 255 character maximum. | Non Vaulting / Vaulting | Required |
| Customer IP | The customer's IP address. Should be sent for customer-initiated transactions (i.e., when the transactionSource is empty or set to moto, recurring_first, or installment_first). | Non Vaulting / Vaulting | Required |
| Device ID | Customer device information. This should be sent for customer-initiated transactions, such as when the transactionSource is empty or set to moto, recurring_first, or installment_first. Find more details in the Collecting device data section of the Client-Side Implementation page. | Non Vaulting / Vaulting | Required |
| Shipping Information | Shipping address information associated with a specific customer ID. | Non Vaulting / Vaulting | Required |
| Phone | The value in the phone number field of a customer's statement. Phone must be 10–14 characters and can only contain numbers, dashes, parentheses, and periods. | Non Vaulting / Vaulting | Recommended |
| Billing Information | Billing address information associated with a specific customer ID. | Non Vaulting / Vaulting | Recommended |
| Cardholder Name | The name associated with the credit card. Must be less than or equal to 175 characters. | Non Vaulting / Vaulting | Recommended |
| Line Item | The line items for this transaction. It can include up to 249 line items. | Non Vaulting / Vaulting | Recommended |
| STC Data | Structured transactional data. Consult with onboarding teams on need and requirements. Recommended for high-risk industries, events, travel, and marketplaces. | Consult with onboarding teams | Recommended for specific use cases |
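
A pre-submission check for the fields in the table above, as an added example (not PayPal or Braintree SDK code). The dict keys other than transactionSource are hypothetical names, and the public-address warning on the customer IP is an assumption of this example, not a documented CBP rule.

```python
import ipaddress
import re

# Sources the page lists as customer-initiated (empty/absent counts too).
CUSTOMER_INITIATED = {"", "moto", "recurring_first", "installment_first"}
PHONE_RE = re.compile(r"[0-9().-]{10,14}")


def check_cbp_fields(txn):
    """Return (errors, warnings); dict keys are hypothetical, not SDK names."""
    errors, warnings = [], []
    email = txn.get("email") or ""
    if not email:
        errors.append("email missing")
    elif not email.isascii() or len(email) > 255:
        errors.append("email not ASCII or over 255 characters")
    if not txn.get("shipping"):
        errors.append("shipping missing")
    if (txn.get("transactionSource") or "") in CUSTOMER_INITIATED:
        if not txn.get("device_data"):
            errors.append("device_data missing")
        try:
            ip = ipaddress.ip_address(txn.get("customer_ip") or "")
            if not ip.is_global:
                # Assumption: a non-public address belongs to a proxy or
                # load balancer, not the buyer, so it carries no risk signal.
                warnings.append("customer_ip is not a public address")
        except ValueError:
            errors.append("customer_ip missing or invalid")
    # Recommended fields: absence is a warning, a malformed value is an error.
    for key in ("phone", "billing", "cardholder_name", "line_items"):
        if not txn.get(key):
            warnings.append(f"{key} missing")
    phone = txn.get("phone")
    if phone and not PHONE_RE.fullmatch(phone):
        errors.append("phone not 10-14 digits, dashes, parentheses, periods")
    if len(txn.get("cardholder_name") or "") > 175:
        errors.append("cardholder_name over 175 characters")
    if len(txn.get("line_items") or []) > 249:
        errors.append("more than 249 line items")
    return errors, warnings
```

Running this on the server just before the transaction call catches integrations that forward a load balancer's address or drop device data on customer-initiated flows.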

Maximizing Authorization Rates with Issuers - Leveraging Data and Technology

While Chargeback Protection (CBP) acts as a filter, effectively reducing the number of fraudulent transactions sent to the issuer, it's important to note that CBP does not directly influence your overall authorization rate. CBP's primary role is to minimize the financial impact of fraud. However, by filtering down fraudulent traffic and sending high-quality, low-risk transactions to the issuer, CBP indirectly helps reduce overall issuer decline rates. This results in a higher percentage of transactions being accepted by the issuer. Beyond CBP, providing more data and leveraging advanced payment technologies further enhances the probability of approval from the issuing bank. Merchants can take additional steps to improve authorization rates. Here are several key strategies:

Providing complete billing information

Supplying the ZIP code or postal code along with the CVV (Card Verification Code) can significantly increase the chances of legitimate transactions being authorized. Don't overlook these critical details, as issuers often use them for cardholder verification.

Stored payment credentials

Leveraging stored credentials dramatically improves processing and allows for quicker, frictionless transactions for repeat customers. By securely saving payment information in a manner compliant with security guidelines, merchants improve the customer experience while also increasing authorization rates. This is especially effective for subscriptions and repeat online purchases.

Implementing network token processing

Network token processing dramatically reduces the risk of payment failures, thereby enhancing authorization rates. Network tokens serve as a secure alternative to actual card numbers, and they are automatically updated when a card is replaced or expires. Merchants can leverage the Braintree Vault to facilitate network token processing.

Opting into Real-Time account updater

The Real-Time Account Updater opt-in feature is specifically designed to minimize declined card payments. This innovative feature enhances payment success rates by proactively requesting updates from the card issuer regarding the buyer's card and automatically implementing any necessary changes to the stored card information.

Understanding the CBP Dashboard

The CBP Dashboard serves as your central command center for monitoring the effectiveness of Chargeback Protection. It provides a clear overview of the value CBP delivers to your business, along with key information on dispute trends and integration health. The dashboard is divided into multiple pages:

Home Page

The Home Page offers a concise summary of the following performance indicators:

Total Savings: This reflects the cumulative amount of chargeback liability assumed by PayPal. In essence, it's the total dollar value of chargebacks where PayPal covered the loss, protecting you from financial exposure.