> Risk controls too tight kill good users; too loose invite fraud and chargebacks. Layered risk control, using 3DS and data signals well, and tuning thresholds by category.

[← Blog](/en/blog)

🕵️

Risk

# Payment Fraud Defense: Balancing Chargeback Rate and Approval Rate

2026-06-09

The core tension in payment fraud defense is a pair of trade-off metrics: **risk controls too tight kill good users and drop approval; too loose and fraud and chargebacks rise**. The goal was never “zero fraud” — it’s finding the balance point that fits your category. Here’s how to find it.

## First: zero fraud isn’t the goal

Driving fraud to zero means controls so strict they kill a big batch of good users — the legitimate revenue lost far exceeds the fraud loss saved. The smart move is the total account: **minimize the sum of fraud loss + false-decline loss + chargeback penalties**, not fraud alone.

## Layered controls, not one brush

Handling by risk tier is the key to balance:

-   **Low risk** (small amount, returning user, trusted device) → wave through smoothly, no friction;
-   **Medium risk** → run 3DS to shift fraud liability to the issuer;
-   **High risk** (large amount, unfamiliar device, unusual region, proxy IP) → strengthen verification or manual review, decline if needed.

The point is **don’t measure every transaction with the same ruler**. Adding friction to low-risk transactions trades conversion for security that wasn’t at risk.

## Use signals, not a single rule

Useful risk signals are combinatorial: device fingerprint, IP / geo consistency, behavioral rhythm (checkout speed, card-change frequency), card BIN vs region match, historical success/chargeback record. A single rule false-declines easily; a multi-signal weighted score is steadier.

## Tune thresholds by category

Risk structures differ entirely by category: digital goods / virtual top-ups are high-fraud and low-recovery, so thresholds tighten; physical e-commerce has delivery proof as evidence, so it can loosen; subscription renewals are MITs with different risk logic. **Don’t run one threshold for everything.**

## Don’t forget “friendly fraud”

Many chargebacks aren’t true theft — they’re users who “bought then claimed they didn’t” (friendly fraud). Front-loaded controls can’t stop these; you need a clear billing descriptor, smooth refunds, and 3DS authentication records as representment evidence. Treat it separately from true fraud.

## How to do it

1.  Layer: wave low-risk, 3DS medium-risk, review high-risk;
2.  Multi-signal weighted scoring, not a single rule;
3.  Set thresholds by category, and tune the “approval vs chargeback” pair continuously;
4.  Handle friendly fraud separately, via descriptor + refunds + representment evidence.

> 3DS liability shift is live today (Vault); layered risk control / multi-signal scoring is done by the issuer / PSP / risk service — KeepPay doesn’t run a risk engine but can integrate one. [Book a demo](/en/) and we’ll help put the card layer and 3DS to best use.
