Why hasn't a risk rule triggered or why was risk skipped?

Several reasons exist why a transaction didn't trigger a risk rule, or the risk evaluation was skipped entirely. This can be explained by looking at the payment request in combination with the risk settings at the time of the transaction.

Below are a few things you can check to understand why this might have happened and how you can troubleshoot the issue. 

Risk settings

If risk was skipped entirely, the risk results page shows Risk status: Skipped. If you did not expect this, log in to your Customer Area > Risk > Settings and check the following:

• The risk engine is turned on. For any transaction to be evaluated by the risk engine, you have to enable risk.
• The payment method is added to be assessed by risk. By default, the risk engine screens transactions using credit and debit cards, PayPal and SEPA Direct Debit. If the transaction was made using an alternative payment method, make sure that you include it in the risk evaluation. You can select the payment method in the risk settings. Also, some alternative payment methods can only be evaluated by risk after authorization.
• The transaction was made at a point of sale. For any in-person transaction to be evaluated by the risk engine, you must enable risk for point of sale. We recommend that you create a separate risk profile for point of sale. Risk evaluation for in-person payments is most relevant for Mail Order/Telephone Order (MOTO) and Manual Key Entry (MKE) transactions, and you can turn off most standard rules.
• Other risk settings. Some risk settings can stop risk or risk rules from triggering. For example, velocity risk rules do not run on recurring transactions by default. Recurring transactions like ContAuth transactions will only trigger velocity rules if you configure them in your risk settings.

Risk rule settings

If a risk rule did not trigger a transaction, and you didn't expect it, log in to your Customer Area > Risk > Risk profiles. Select the risk profile that applies to the transaction, find the relevant risk rule, and check the following:

• The risk rule is turned on. For any risk rule to trigger, the rule must be enabled during the transaction.
• The risk rule is configured correctly. If the risk rule was not triggered, check that the rule configuration is as you expected and configured during the transaction. For example, if the risk rule should trigger on a currency or country/region code, check that these are included in the rule configuration. Most risk rules run and trigger before authorization, but some, such as AVS and liability shift checks, can only trigger after authorization. Another example is that for PayPal, we receive the issuer country/region code only after authorization. This means the regular issuer country/region risk check that runs pre-authorization will not trigger.

Payment request

You include a variety of fields when you send in a payment request. Some of these fields are mandatory to include in the API request to make a payment, for example amount and reference. Other fields are required to trigger risk rules. Check the payment request to look at why risk was skipped or if a risk rule wasn't triggered. You can do this, for example, by looking at the API logs for the payment in your Customer Area.

• The risk rule didn't trigger. Make sure that the payment request includes the required field to trigger the risk rule. For example, the velocity risk rule for the Shopper's IP address requires that you send the shopper's IP address in the payment request. If you do not include this field, the risk rule will not run.
• Risk was skipped. If you send the skipRisk field in the payment request, we'll skip the risk assessment for that particular transaction.

Control traffic

A small percentage of total transactions is randomly selected to be part of control traffic, and regular risk evaluation is skipped. You'll see a Control traffic label for these transactions on the risk results page.