Cartis Payments’ Arsenal of Tools/Services to Protect Against Fraudulent Transactions

Reviewed by Mayer Hyman, Payments Specialist | Reviewed for accuracy July 2026

Key Takeaways

  • US merchants lose $4.61 for every $1 of fraud once fees, labor, and lost goods are counted, up 37% from five years ago (LexisNexis True Cost of Fraud Study, 2025).
  • No fraud-prevention tool can guarantee zero chargebacks. Issuing banks and card networks, not merchants or their software vendors, make the final call on any dispute.
  • 41% of North American merchants still lean on manual processes to catch fraud, which is slower and harder to scale than automated screening (LexisNexis, 2025).
  • The real evaluation isn’t “does this tool stop fraud,” it’s “what’s the tradeoff between fraud caught, good orders wrongly declined, and how much work integration takes.”
  • A strong stack typically layers several techniques — AVS/CVV, 3D Secure, device fingerprinting, and machine-learning risk scoring — rather than relying on any single method.

Fraud Prevention Isn’t One Tool, It’s a Stack

Ecommerce fraud isn’t shrinking. The Nilson Report put global card fraud losses at $33.41 billion in 2024, roughly flat with $33.83 billion in 2023, with the US accounting for a disproportionate share relative to its transaction volume (The Nilson Report, January 2026). For merchants, the real question isn’t whether to invest in fraud prevention, it’s which combination of tools earns that investment back.

Every fraud-prevention product claims to “stop fraud,” but the tools themselves fall into a handful of well-defined categories, each with real strengths and real blind spots. Understanding those categories, and the tradeoffs built into each, is what lets a merchant pick a stack that fits their business rather than buying whatever a sales rep is currently pitching.

The Core Categories of Fraud-Prevention Technology

AVS and CVV Checks

Address Verification System (AVS) and Card Verification Value (CVV) checks are the oldest tools in the stack. AVS compares the billing address entered against the address on file with the issuing bank; CVV checks the security code on the card. Both are cheap and nearly universal — most gateways run them by default.

Their limitation is well known: a stolen card usually comes with the correct billing address and CVV attached, since fraudsters often have the full card data, not just the number. AVS and CVV catch typos and low-effort attempts, not a criminal working from a complete data dump. No card network publishes an independently verified statistic on how much fraud these checks catch on their own, so treat any specific percentage in vendor marketing as that vendor’s estimate, not an industry figure. These are baseline hygiene checks, not a strategy by themselves.

3D Secure (3DS2)

3D Secure 2.0 adds a second authentication step for card-not-present transactions, developed and maintained by EMVCo, the standards body jointly owned by American Express, Discover, JCB, Mastercard, UnionPay, and Visa (EMVCo). When a transaction is authenticated through 3DS2, liability for a fraud-based chargeback shifts from the merchant to the card-issuing bank — the single most concrete, verifiable benefit of the technology.

The tradeoff is friction: 3DS2 can add an extra checkout step that some customers abandon. Modern “risk-based” implementations try to trigger that step only for higher-risk transactions, but how well that works varies by provider. See our earlier piece on 3D Secure 2.0 for more on the protocol.

Device Fingerprinting and Behavioral Signals

Device fingerprinting profiles the device, browser, and connection a shopper is using — IP address, device ID, browser configuration, typing and navigation patterns — to flag a known fraud source reusing infrastructure, or a returning customer’s session that suddenly looks nothing like their usual behavior. The Federal Reserve’s payments-fraud guidance calls out device intelligence and behavioral biometrics as recommended layers in a modern fraud-detection stack, alongside risk-based multi-factor authentication (Federal Reserve Financial Services, Fed360, 2025).

Device signals are strongest against organized fraud rings reusing devices or scripts across many transactions, and weaker against a one-off fraudster using a clean device — which is why fingerprinting is almost always paired with other methods.

Machine Learning and AI Risk Scoring

Machine-learning risk scoring analyzes dozens of transaction variables at once — purchase amount, time of day, shipping/billing mismatch, device history, order velocity — and outputs a probability score rather than a hard yes/no rule. The advantage over static rule-based systems is adaptability: the model updates as fraud patterns shift, instead of waiting for an analyst to write a new rule.

The catch: a poorly tuned model can create a wave of false declines just as easily as it catches fraud, and “AI-powered” is now table-stakes marketing language whether or not there’s a materially different model underneath. For a deeper walkthrough of how these models work, see our earlier explainer, Machine Learning 101.

Manual Review

Even the best automated stack routes some transactions to a human reviewer — the ones the system can’t confidently classify. Manual review is slower and doesn’t scale the way automation does, but LexisNexis’s 2025 research found that 41% of North American merchants still depend on manual processes as their primary fraud-prevention method, not merely a fallback for edge cases (LexisNexis True Cost of Fraud Study, 2025). That’s a meaningful signal: a large share of the market hasn’t automated the bulk of its fraud decisioning, which usually means slower response times and higher labor cost per order reviewed.

How to Actually Evaluate a Fraud-Prevention Vendor

The right question isn’t “does this catch fraud” — it’s what the tool costs you in approval rate, false declines, and integration time to get there. Every category above involves a tradeoff, and every vendor stack combines them differently.

Approval Rate vs. Risk Tolerance

Ask what percentage of transactions are approved automatically versus flagged for review, broken out by risk tier if the vendor sells across industries. A tool that blocks or flags too aggressively protects you from fraud while quietly turning away good customers.

False-Positive Rate

A false positive is a legitimate order incorrectly flagged or declined as fraud — the easiest cost for a merchant to miss, since a declined sale doesn’t generate a chargeback or a support ticket, the customer just leaves and buys from a competitor. Ask any vendor what their false-positive rate is and how they measure it, and be skeptical of an answer without a defined methodology. Current, independently sourced false-decline statistics are hard to pin down industry-wide; several widely circulated figures trace back to older, single-source studies, so treat vendor-marketing numbers as claims, not settled fact.

Integration Effort and Layered Coverage

How much developer time does onboarding take, and does the tool plug into your existing platform and gateway without custom middleware? A tool that takes months to implement can cost more in opportunity cost than it saves in prevented fraud. Also ask which categories above — AVS/CVV, 3DS, device fingerprinting, ML scoring, manual review — the product actually covers, and which it expects you to source elsewhere. A vendor transparent about what its product doesn’t do is more trustworthy than one implying its tool alone eliminates fraud risk.

Our earlier guide on choosing a chargeback management solution provider goes deeper on rules-based versus machine-learning approaches. For the cost side — what fraud and chargebacks do to a growing company’s cash flow — see our piece on capital efficiency and payment processing.

Why No Tool Can Promise Zero Chargebacks

It’s worth stating plainly, because it gets glossed over in a lot of fraud-prevention marketing: no fraud-detection tool, regardless of vendor, can guarantee that a merchant will never experience a chargeback due to fraud. Dispute outcomes are decided by the cardholder’s issuing bank and the card network’s rules, not by the merchant or the screening software that flagged (or missed) the transaction. A strong tool can authenticate more legitimate transactions, catch more fraud attempts before they complete, and shift liability in some cases, like 3DS2’s liability shift. What it can’t do is override a bank’s dispute decision or promise a 0% chargeback rate. The honest goal is meaningfully reducing fraud-based chargebacks and false declines, not eliminating either one.

Putting the Checklist to Work

If you’re evaluating your current stack against the categories above and want a second opinion on where the gaps are, Cartis Payments can walk through your specific transaction mix and how its fraud-prevention service layers automated screening with manual review.

FAQ

Can any fraud-prevention tool guarantee zero chargebacks?
No. Chargeback and dispute outcomes are decided by the cardholder’s issuing bank and the card network, not by the merchant or any fraud-screening vendor. Any product that claims a guaranteed or 100% outcome on chargebacks is overstating what the technology can actually control. The realistic goal is a significant reduction in fraud-based chargebacks and false declines, not elimination.

What’s the difference between AVS/CVV and 3D Secure?
AVS and CVV check the billing address and security code against the data the issuing bank has on file — a basic hygiene check most gateways run automatically. 3D Secure (3DS2) is a separate authentication protocol, developed by EMVCo, that can add a verification step and shifts fraud-chargeback liability to the card issuer when the transaction is successfully authenticated.

Is machine learning always better than rule-based fraud detection?
Not automatically. Machine-learning models adapt to new fraud patterns faster than static rules, but a poorly tuned model can generate more false declines, not fewer. Most effective stacks combine both approaches rather than relying on ML alone.

Why do 41% of merchants still rely on manual review?
According to LexisNexis’s 2025 True Cost of Fraud Study, 41% of North American merchants still depend primarily on manual processes rather than automated decisioning. Manual review can be more accurate for ambiguous cases, but it’s slower and more labor-intensive to scale, which is part of why total fraud costs remain high industry-wide.

What should I ask a fraud-prevention vendor before signing a contract?
Ask for their approval rate by risk tier, their false-positive rate and how it’s measured, realistic integration timelines, and exactly which detection categories (AVS/CVV, 3DS, device fingerprinting, ML scoring, manual review) their product covers versus what you’d need to source separately. Device fingerprinting alone, for instance, is strong against fraud rings reusing devices but weak against a fraudster using a clean device, so ask what fills that gap.