Why didn’t this risk rule trigger, or why was risk skipped for this transaction?

There can be several reasons why a transaction didn’t trigger a risk rule, or why the risk evaluation was skipped completely for the transaction. Usually this can be explained by looking at the payment request in combination with the risk settings at the time of the transaction.

Below are a few things that you can check to understand why this might have happened, and how you can troubleshoot the issue. 

Risk settings

If risk was skipped completely, the risk results page shows Risk status: Skipped. If you did not expect this, log in to your Customer Area > Risk > Settings and check the following:

• RevenueProtect is turned on. For any transaction to be evaluated by RevenueProtect, you have to enable risk.
• The payment method is added to be evaluated by risk. By default, RevenueProtect screens transactions made using credit and debit cards, PayPal and SEPA Direct Debit. If the transaction was made using an alternative payment method, make sure that you include it in the risk evaluation. You can select the payment method in the risk settings. Also, some alternative payment methods can only be evaluated by risk after authorization.
• The transaction was made at a point of sale. For any in-person transaction to be evaluated by RevenueProtect, you have to enable risk for point of sale. We recommend that you create a separate risk profile for point of sale. Risk evaluation for in-person payments is most relevant for Mail Order/Telephone Order (MOTO) and Manual Key Entry (MKE) transactions, and you can turn off most standard rules.
• Other risk settings. Some risk settings can prevent risk or risk rules from triggering. For example, by default, velocity risk rules do not run on recurring transactions. Recurring transactions, such as ContAuth transactions, won’t trigger velocity rules unless you configure it in your risk settings.

Risk rule settings

If a risk rule did not trigger for a transaction, and you did not expect this, log in to your Customer Area > Risk > Risk profiles. Select the risk profile that applies to the transaction, find the relevant risk rule, and check the following:

• The risk rule is turned on. For any risk rule to trigger, the rule must be enabled at the time of the transaction.
• The risk rule is configured correctly. If the risk rule did not trigger, check that the rule configuration is as you expect, and that it was configured that way at the time of the transaction. For example, if the risk rule should trigger on a currency or country/region code, check that these are included in the rule configuration. Most risk rules run and trigger before authorization, but some risk rules can only trigger after authorization such as AVS and liability shift checks. Another example is that for PayPal, we receive the issuer country/region code only after authorization. This means that the regular issuer country/region risk check that runs pre-authorization will not trigger.

Payment request

You include a variety of fields when you send in a payment request. Some of these fields are mandatory to include in the API request to make a payment, for example amount and reference. Other fields are required to trigger risk rules. Check the payment request to investigate why risk was skipped, or a risk rule didn’t trigger. You can do this, for example, by looking at the API logs for the payment in your Customer Area.

• The risk rule didn’t trigger. Make sure that the payment request includes the required field to trigger the risk rule. For example, the velocity risk rule Shopper IP address requires that you send the shopper’s IP address in the payment request. If you do not include this field, the risk rule will not run.
• Risk was skipped. If you send the skipRisk field in the payment request, we will skip the risk assessment for that particular transaction.

Control traffic

A small percentage of total transactions is randomly selected to be part of control traffic, and regular risk evaluation is skipped. You will see a Control traffic label in the risk results page for these transactions.