November 30, 2025
You do not need a dedicated risk team to protect your business against payment fraud. You need the right rules applied consistently. Here is a practical framework for small retailers handling international transactions.
Three fraud types are covered here: card testing, where stolen card numbers are validated with small transactions before larger fraudulent purchases; friendly fraud, where legitimate customers dispute valid transactions to avoid paying; and account takeover, where buyer accounts with stored payment credentials are compromised and used for unauthorized purchases.
Each has different detection signatures and different responses.
Card testing typically shows up as multiple small transactions — often EUR 1 to EUR 5 — from the same IP address or device fingerprint in a short window. Rate limiting transactions by IP, adding CAPTCHA to checkout, and monitoring for sudden spikes in micro-transactions are the primary defenses. Most payment processors include configurable velocity rules. Enable them if they are not on by default.
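The velocity rule described above can be sketched as a sliding-window check over a transaction log. This is an added example, not code from the article or from any payment processor; the 10-minute window, the limit of 3 micro-transactions, and the record field names (`id`, `ts`, `amount_eur`, `ip`, `device`) are assumptions to be tuned to your own traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds (not from the article): tune to your own traffic.
MICRO_MAX_EUR = 5.00              # article: card tests are often EUR 1 to EUR 5
WINDOW = timedelta(minutes=10)    # assumed "short window"
MAX_MICRO_PER_WINDOW = 3          # assumed limit per IP or device

def flag_card_testing(transactions):
    """Return IDs of micro-transactions that exceed the velocity limit
    for their IP address or device fingerprint within WINDOW."""
    recent = defaultdict(deque)   # (kind, value) -> timestamps of micro txns
    flagged = []
    for tx in sorted(transactions, key=lambda t: t["ts"]):
        if tx["amount_eur"] > MICRO_MAX_EUR:
            continue              # only small amounts count toward velocity
        hit = False
        for kind in ("ip", "device"):
            if not tx.get(kind):
                continue          # missing signal: never group on None
            q = recent[(kind, tx[kind])]
            while q and tx["ts"] - q[0] > WINDOW:
                q.popleft()       # drop events that left the window
            q.append(tx["ts"])
            hit = hit or len(q) > MAX_MICRO_PER_WINDOW
        if hit:
            flagged.append(tx["id"])
    return flagged

# Constructed sample data (documentation IP ranges, invented device IDs).
T0 = datetime(2025, 1, 1, 12, 0, 0)
def _tx(i, minutes, amount, ip, device):
    return {"id": i, "ts": T0 + timedelta(minutes=minutes),
            "amount_eur": amount, "ip": ip, "device": device}

SAMPLE = [
    _tx("t1", 0, 1.00, "203.0.113.7", "dev-a"),
    _tx("t2", 1, 1.50, "203.0.113.7", "dev-a"),
    _tx("t3", 2, 2.00, "203.0.113.7", "dev-a"),
    _tx("t4", 3, 1.00, "203.0.113.7", "dev-a"),    # 4th from same IP: flagged
    _tx("t5", 4, 89.00, "203.0.113.7", "dev-a"),   # normal order, not counted
    _tx("t6", 5, 3.00, "198.51.100.2", "dev-a"),   # new IP, same device: flagged
    _tx("t7", 6, 4.00, "198.51.100.9", "dev-b"),   # unrelated customer
    _tx("t8", 30, 2.00, "203.0.113.7", "dev-a"),   # window expired: clean
]
```

Keying on both IP and device fingerprint is what catches `t6`: the IP address changed, but the device had already made four small payments inside the window.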
Friendly fraud is harder to automate against because the transaction itself is legitimate. The defenses are documentation: clear proof of delivery, detailed order records, and email confirmation trails. For high-value orders, requiring a signature on delivery adds a layer of evidence. Dispute handling is a manual process, but merchants who maintain good records win more disputes than those who do not.
Account takeover often involves a change of delivery address followed quickly by a large purchase. Flagging orders where the shipping address was recently changed and the order value is above your average is a simple but effective rule. Requiring re-authentication for address changes adds friction that is small for legitimate users and significant for attackers using automated tools.
Visa and Mastercard monitor merchant chargeback rates. Exceeding 1% of transactions in a month triggers additional scrutiny and can eventually lead to increased fees or account termination. Know your current chargeback rate. If it is above 0.5%, investigate proactively rather than waiting for processor action.