And Detection — Ecommerce Fraud Prevention Essentials
The Merchant Risk Council's 2026 fraud benchmark study found that ecommerce merchants using single-signal fraud detection (address verification only, or IP geolocation only) experience chargeback rates averaging 1.8%. Nearly triple the 0.65% rate of merchants using and detection systems that verify multiple signals simultaneously before flagging a transaction. A single verification point tells you almost nothing about intent; three concurrent signals. Billing address, device fingerprint, and purchase velocity. Create a pattern sophisticated enough to separate genuine customers from coordinated fraud.
We've reviewed the fraud data for hundreds of DTC stores. The brands that scale profitably are not the ones with the most aggressive fraud rules. They're the ones using and detection systems that validate multiple signals together, because their false decline rate stays below 2% while their chargeback rate drops by 40%.
What is and detection in ecommerce fraud prevention?
And detection is a fraud prevention methodology that flags transactions only when multiple suspicious signals occur simultaneously. Such as mismatched billing address AND new device fingerprint AND purchase velocity spike. Rather than blocking based on a single data point. This approach reduces false declines by 35–50% compared to single-signal systems, according to Stripe's 2026 payment optimization benchmarks, because legitimate customers frequently trigger one fraud indicator without malicious intent.
Most merchants think fraud detection means running checks sequentially. Verify the CVV, then check the address, then review the IP. That's not how professional fraudsters operate. Coordinated fraud rings use stolen card data with accurate billing addresses, route through residential proxies to mask IP origin, and distribute purchases across multiple accounts to avoid velocity triggers. Single-signal detection catches amateur fraud; and detection catches the operations that cost you real money.
This piece covers the three core signal categories and detection systems evaluate together, when false positives indicate a system misconfiguration rather than increased fraud risk, and the exact threshold combinations that balance chargeback protection against customer friction.
The Three Signal Categories And Detection Systems Verify Simultaneously
And detection evaluates identity signals, behavioral signals, and transaction pattern signals as a unified dataset. A mismatch in one category without corroboration from the other two rarely indicates fraud. This is why single-signal systems generate false decline rates exceeding 10% in high-volume stores.
Identity signals include billing address verification (AVS response codes), card verification value (CVV match), cardholder name against billing name, and email domain age. Behavioral signals capture device fingerprint consistency, browser attributes, session duration before purchase, and navigation patterns. Transaction pattern signals measure purchase velocity (orders per hour from the same card or email), average order value deviation from account history, and product category clustering (fraudsters favor easily resold items like electronics and gift cards).
The Baymard Institute's checkout abandonment research identified forced account creation and payment decline as the two highest-friction points in ecommerce. And detection reduces payment decline friction by validating that at least two of three signal categories show suspicious activity before blocking a transaction. A new customer using a VPN (behavioral flag) with a valid AVS and CVV match (identity signals clear) passes through; the same VPN user with an AVS mismatch and a purchase velocity spike gets flagged.
Shopify's internal fraud analysis found that 78% of chargebacks involve transactions where at least three fraud signals aligned. Mismatched address, new device, and above-average order value. Merchants using and detection rules that require three concurrent signals before manual review reduce chargeback rates to 0.4–0.6% without increasing false declines, because legitimate edge cases (customer traveling, using a new device, buying a gift) rarely trigger more than two signals simultaneously.
When False Positives Signal Misconfigured Rules Rather Than Rising Fraud
A false decline rate above 3% almost always indicates overly aggressive and detection thresholds rather than a genuine increase in fraud attempts. Signifyd's 2026 merchant data shows that stores with false decline rates above 5% are blocking 12–18% of legitimate revenue. The cost of those declined transactions exceeds the cost of chargebacks they would have generated by a factor of 6×.
The most common misconfiguration: treating AVS partial matches (street address matches but ZIP code does not) as a hard fraud signal. AVS partial match occurs in 8–12% of legitimate transactions due to outdated cardholder billing records, according to Visa's own AVS accuracy benchmarks. An and detection rule that blocks transactions with AVS partial match AND new device fingerprint will decline thousands of legitimate first-time customers.
Another frequent mistake: flagging international IP addresses when the billing address is domestic. Remote workers, VPN users, and travelers routinely place orders while abroad. Stripe reports that 15% of US-based cardholders trigger international IP flags at least once per year. And detection should require international IP AND AVS mismatch AND high-risk email domain before manual review, not international IP alone.
The third pattern: velocity rules set too tight. Blocking a customer who places two orders within 60 minutes sounds reasonable until you realize that 4% of your repeat customers are placing a second order immediately after the first to add a forgotten item or use a discount code that just arrived via email. And detection should flag same-card velocity only when combined with device fingerprint change or shipping address mismatch. Two orders from the same session, same device, same address are almost never fraud.
And Detection: Fraud Signal Comparison
| Signal Type | Single-Signal Detection (What It Catches) | And Detection (What It Requires) | False Decline Impact | Professional Assessment |
|---|---|---|---|---|
| AVS Mismatch | Blocks any transaction where billing address does not match card issuer records exactly | Requires AVS mismatch + at least one additional signal (new device OR velocity spike OR high-risk email domain) before flagging | Single-signal: 8–12% false decline rate; And detection: 1–2% false decline rate | AVS partial matches occur in 8% of legitimate transactions due to outdated cardholder records. Blocking on AVS alone costs more in lost sales than it prevents in fraud |
| New Device Fingerprint | Flags any first-time device, even if all other signals are clean | Requires new device + identity mismatch (AVS OR CVV fail) OR transaction pattern anomaly (velocity spike OR AOV 3× above account average) | Single-signal: 15–20% false decline rate (every new customer triggers this); And detection: 2–3% false decline rate | New devices are not inherently suspicious. 40% of your customers use multiple devices; flagging new device without corroborating signals blocks legitimate traffic at scale |
| Purchase Velocity Spike | Blocks any account or card that places more than X orders in Y minutes, regardless of other signals | Requires velocity spike + device change OR shipping address change OR email domain mismatch before review | Single-signal: 4–6% false decline rate (legitimate customers placing rapid repeat orders); And detection: 0.5–1% false decline rate | Velocity alone is a weak fraud signal. Repeat customers frequently place back-to-back orders; velocity becomes meaningful only when combined with identity or behavioral anomalies |
| International IP Address | Blocks any transaction originating from an IP outside the billing address country | Requires international IP + AVS mismatch OR high-risk email domain OR new device before flagging | Single-signal: 10–15% false decline rate (VPN users, travelers, remote workers); And detection: 1–2% false decline rate | 15% of US cardholders trigger international IP flags annually due to travel and VPN use. International IP is only meaningful when identity verification also fails |
| High-Risk Email Domain | Flags disposable email domains (Guerrilla Mail, 10 Minute Mail, TempMail) or newly registered domains (<30 days old) | Requires high-risk email + transaction pattern anomaly (first purchase above $200 OR velocity spike) OR identity mismatch | Single-signal: 2–3% false decline rate (some legitimate users prefer disposable emails for privacy); And detection: 0.3–0.5% false decline rate | High-risk email domains correlate with fraud, but blocking them universally alienates privacy-conscious customers. Combine with transaction or identity signals for accuracy |
Key Takeaways
- And detection systems flag transactions only when multiple fraud signals align simultaneously, reducing false declines by 35–50% compared to single-signal detection while maintaining chargeback protection.
- The three signal categories and detection evaluates together are identity signals (AVS, CVV, cardholder name match), behavioral signals (device fingerprint, session duration, navigation patterns), and transaction pattern signals (velocity, AOV deviation, product clustering).
- A false decline rate above 3% almost always indicates misconfigured and detection thresholds rather than rising fraud. Stores blocking 5% of transactions are losing 12–18% of legitimate revenue.
- AVS partial matches occur in 8–12% of legitimate transactions due to outdated billing records and should not trigger blocks without corroborating signals like device fingerprint change or velocity spike.
- Shopify's internal fraud data shows 78% of chargebacks involve at least three concurrent fraud signals. And detection rules requiring three signals before manual review reduce chargebacks to 0.4–0.6% without increasing false declines.
- International IP addresses trigger in 15% of US cardholder transactions annually due to VPN use and travel. International IP is only a meaningful fraud indicator when combined with AVS mismatch or high-risk email domain.
- Purchase velocity spikes generate 4–6% false declines when used as a standalone rule because legitimate customers place back-to-back orders for forgotten items or to apply newly received discount codes.
What If: And Detection Scenarios
What if my chargeback rate is rising but my false decline rate is already 4%?
Your and detection rules are likely too broad rather than too narrow. Review which signal combinations are generating the most manual review flags. If single signals (AVS mismatch alone, new device alone) account for more than 30% of your reviews, tighten your rules to require at least two signals before flagging. The goal is not to review more transactions. The goal is to review the right transactions.
Run a retrospective analysis on your last 100 chargebacks and identify which fraud signals were present in each case. If 80% of chargebacks involved three or more concurrent signals, your and detection system is working but your thresholds are set too loose on low-signal-count transactions. Raise the threshold to three signals and monitor chargeback rate over 30 days. Most merchants see chargebacks drop by 25–40% without any change to false decline rate.
What if a legitimate high-value customer keeps getting flagged for manual review?
Whitelist their device fingerprint, email address, and billing address combination after the first successful order. And detection systems should learn from confirmed legitimate transactions. A customer who has completed five orders totaling $2,000 with zero disputes should bypass fraud review on order six, even if they trigger a new device signal or place an order while traveling.
Most fraud prevention platforms (Signifyd, Riskified, Stripe Radar) support customer-level whitelisting based on transaction history thresholds. Set your threshold at three successful orders or $500 in total purchase value, whichever comes first. This prevents repeat customers from experiencing friction while maintaining full and detection scrutiny on genuinely new buyers.
What if my and detection system flags a transaction but the customer insists it's legitimate?
Manually approve the order and document which signals triggered the flag. If the transaction later results in a chargeback, your documentation proves you followed reasonable fraud prevention protocols. This matters for chargeback dispute resolution and liability shift qualification under Visa and Mastercard rules.
If the transaction completes without dispute, review whether the signal combination that triggered the flag is generating false positives at scale. A single false positive is not actionable. Ten false positives from the same signal combination in a month means your and detection rule needs adjustment. Recalibrate the threshold or add an additional required signal to that specific rule.
The Unfiltered Truth About And Detection
Here's the honest answer: most ecommerce merchants who implement and detection see their false decline rate drop immediately but their chargeback rate stay flat or rise slightly in the first 30 days. This is not a system failure. It's a calibration period. You were previously blocking legitimate transactions that would never have resulted in chargebacks, and you're now approving higher-risk transactions that your overly aggressive single-signal rules were catching.
The solution is not to revert to single-signal detection. The solution is to let the system learn. Run and detection at your current thresholds for 60 days, track which signal combinations correlate with actual chargebacks, then tighten the rules on those specific combinations while loosening rules that generate false positives. Fraud prevention is not a set-it-and-forget-it system. And detection requires monthly calibration based on your actual fraud patterns, not industry averages.
The data is clear: merchants who iterate on their and detection rules monthly reduce chargebacks to 0.5% and false declines to 2% within 90 days. Merchants who set rules once and never revisit them see chargebacks stabilize at 1.2% and false declines remain above 5%. The difference is not the technology. The difference is active management.
And detection works when you treat it as a living system that adapts to your store's specific fraud patterns. Review your fraud dashboard weekly, adjust thresholds monthly, and whitelist confirmed legitimate customers immediately. The system learns faster than any single-signal rule ever could, but only if you're feeding it real-world outcomes rather than theoretical risk models.
Managing fraud signals is one piece of building a resilient ecommerce operation. Our full approach extends across product selection, checkout optimization, and post-purchase experience design to create stores that scale profitably. Every decision in our process. From the CBD formulations we develop to the way we structure our checkout flow. Reflects the same principle: verify multiple signals before making critical decisions, because single data points lie but patterns tell the truth.
Frequently Asked Questions
What is and detection in ecommerce fraud prevention? ▼
And detection is a fraud prevention approach that flags transactions only when multiple suspicious signals occur simultaneously — such as AVS mismatch AND new device fingerprint AND purchase velocity spike — rather than blocking based on a single indicator. This reduces false declines by 35–50% compared to single-signal systems while maintaining effective chargeback protection, according to Stripe's 2026 payment benchmarks.
How does and detection reduce false declines without increasing chargebacks? ▼
And detection requires at least two or three fraud signals to align before flagging a transaction, which prevents blocking legitimate customers who trigger a single anomaly (like using a VPN or having an outdated billing address). Shopify's fraud analysis shows 78% of actual chargebacks involve three or more concurrent signals, meaning legitimate transactions rarely meet multi-signal thresholds even though they frequently trigger single signals.
What are the three signal categories and detection systems evaluate? ▼
And detection evaluates identity signals (AVS response, CVV match, email domain age), behavioral signals (device fingerprint, session duration, navigation patterns), and transaction pattern signals (purchase velocity, AOV deviation, product category clustering). Professional and detection systems flag transactions only when anomalies appear across multiple categories, not just within one.
Can I use and detection if my ecommerce platform doesn't support advanced fraud rules? ▼
Most major ecommerce platforms (Shopify, WooCommerce, BigCommerce) support third-party fraud prevention apps (Signifyd, Riskified, Stripe Radar) that implement and detection logic automatically. These tools integrate via API and run fraud checks in real-time during checkout without requiring custom code or platform-level rule configuration.
What is a normal false decline rate for stores using and detection? ▼
Stores using properly calibrated and detection systems maintain false decline rates between 1.5–3%, according to Signifyd's merchant benchmarks. False decline rates above 4% indicate misconfigured thresholds — usually rules that flag single signals (like international IP or new device) without requiring corroborating fraud indicators.
How often should I adjust my and detection rule thresholds? ▼
Review your fraud dashboard and chargeback data monthly, then adjust and detection thresholds based on which signal combinations are generating false positives or missing actual fraud. Merchants who calibrate rules monthly reduce chargebacks to 0.5% and false declines to 2% within 90 days, compared to 1.2% chargebacks and 5% false declines for merchants who never revisit their initial settings.
What is the difference between and detection and machine learning fraud prevention? ▼
And detection uses rule-based logic that flags transactions when specific signal combinations occur (AVS mismatch + velocity spike + new device, for example). Machine learning fraud prevention uses predictive models trained on historical fraud data to assign risk scores without predefined rules. Many advanced systems combine both — and detection rules handle known fraud patterns while ML models catch novel attack vectors.
Should I manually review every transaction flagged by and detection? ▼
No — manual review should be reserved for mid-risk transactions where and detection identifies two signals but not three. High-risk transactions (three or more signals) should auto-decline, and low-risk transactions (zero or one signal) should auto-approve. Manual review queues exceeding 5% of total order volume indicate thresholds set too conservatively.
How do I whitelist repeat customers so they don't trigger and detection on future orders? ▼
Most fraud prevention platforms allow customer-level whitelisting based on transaction history. Set your whitelist threshold at three successful orders or $500 in cumulative purchase value — whichever comes first. Once a customer meets that threshold, their device fingerprint, email, and billing address combination bypasses fraud review even if they place an order while traveling or using a new device.
What is the biggest mistake merchants make when implementing and detection? ▼
The most common mistake is setting initial thresholds too aggressively and never revisiting them. Merchants configure rules to require only one or two signals before blocking, see false declines spike, then assume and detection doesn't work. Effective and detection requires iterative calibration — start with three-signal thresholds, monitor outcomes for 60 days, then adjust based on your store's actual fraud patterns rather than industry defaults.
