• Resolved youssefwalid

    (@youssefwalid)


    Dear Support Team,

    I hope you’re doing well.

    I’m currently using your plugin “Payment Plugins for PayPal WooCommerce” and truly appreciate its flexibility, especially the support for Authorize Only payment flows.

    I’d like to suggest a feature enhancement that would improve transaction validation and reduce the risk of fraudulent payments. The idea is to introduce conditional rules that automatically void transactions if certain criteria related to the buyer’s PayPal account are not met, during the authorization phase (before capture).

    Suggested Conditional Rules:

    1. Void transactions if the PayPal account email used for payment is different from the customer’s WooCommerce account or billing email address.
    2. Void transactions from non-verified PayPal accounts.
    3. Void transactions from PayPal accounts registered in a different country than the merchant’s account.

    These rules could be implemented as optional settings, allowing merchants to enable or disable each condition as needed.

    This would be especially helpful for stores using the authorize-review-capture workflow, allowing us to automatically block transactions that do not meet trusted identity checks before capturing the funds.

    Please let me know if these features could be considered for a future update, or if there’s an existing way to implement this logic through filters or hooks.

    Thank you very much for your continued support and great plugin development.

Viewing 13 replies - 1 through 13 (of 13 total)
  • Thread Starter youssefwalid

    (@youssefwalid)

    4. Void transactions from PayPal accounts registered in a different country than the customer’s WooCommerce account or billing email address.

    misho2007

    (@misho2007)

    Yes, this is a good option to reduce fraud on PayPal transactions.

    I hope they can add such a thing in the next update.

    Plugin Author Payment Plugins

    (@mrclayton)

    Hi @youssefwalid

    Thank you for contacting us. We’ll need to research your suggestions and determine based on the information that PayPal provides which of those are possible. We’re open to adding these features.

    Do you frequently encounter fraudulent payment attempts with PayPal? Because PayPal is an authentication based payment method, fraudulent payments should be dramatically reduced compared to something like a credit card. Do you have any statistics based on your site that you can share?

    @misho2007 can you provide some stats which help build the case for why this feature would be beneficial to merchants?

    Kind Regards

    misho2007

    (@misho2007)

    @mrclayton

    It’s very simple: we just need to confirm that the payer is the PayPal account owner, as the main fraud point here is that too many PayPal accounts have no 2FA and the account is stolen. I receive dispute cases from many orders due to unauthorized transactions which were not made by the account owner, so we need to force the payer’s PayPal account to be the same as the one on our website.

    So I think it will be easy to add a rule for that in your plugin, so it will check the API response payer email: if it is the same as the WooCommerce registered email it will accept the transaction, if not it will reject it with a custom message to the buyer.

    I know we could add a notice for buyers to use the same PayPal account as the one in WooCommerce, but if they don’t do that they can still proceed to payment normally.

    Note: our store delivers digital products instantly through email (vouchers, codes), so this feature will be helpful for this kind of business.

    Thread Starter youssefwalid

    (@youssefwalid)

    Hi @mrclayton ,

    Thank you for your quick and open response, I appreciate you exploring these suggestions.

    Why these conditional void rules matter — especially for merchants selling digital goods:

    1. Digital goods are prime targets for fraudsters.
      • Fraud consumes about 9.7% of revenue at digital‑only merchants — compared to 8% for general e‑commerce and 4.2% fraud rates in other e‑commerce sectors.
      • Fraudsters are drawn to digital products because there’s no shipping address required — making it easy to resell codes, subscriptions, or downloads instantly.
    2. PayPal is widely exploited for scams.
      • In the U.S., 28% of reported scam payments in 2023 involved PayPal — more than any other payment app.
      • Moreover, over 60% of merchants surveyed view PayPal as a top fraud channel.
    3. Account takeover and credential misuse are rampant.
      • Phishers compromise accounts in large numbers — 35% of recipients open phishing emails and 97% struggle to detect them.
      • Fraudsters then use stolen credentials to make unauthorized purchases.
    4. Digital goods merchants lack downstream protections.
      • PayPal’s seller protection does not cover intangible goods — leaving merchants vulnerable to chargebacks long after delivery.
      • Most of the sellers are saying, “we’re finding it near impossible to sell digital goods due to digital goods having no seller protection on PayPal…”

    How your feature suggestions help mitigate these risks:

    • Rule #1 (Payment email ≠ billing email): Helps detect hijacked or mismatched accounts upfront.
    • Rule #2 (Non‑verified PayPal accounts): Prevents fraudsters using newly created or unverified accounts.
    • Rule #3 & #4 (Geolocation rules): Blocks cross‑country mismatches that often point to stolen accounts or proxy use.

    These measures, offered as optional but structured rules, would be invaluable to thousands of merchants who:

    • Sell instantly delivered digital items — resellers love PayPal’s ease and lack of address checks.
    • Face high chargeback/operation costs — digital‑goods merchants often spend 20% of budgets on fraud management.
    • Have little to no recourse when chargebacks hit — they cannot rely on PayPal Seller Protection for digital goods.

    These conditional void rules don’t just make sense — they’re essential defenses in the authorize‑review‑capture workflow. They’d dramatically reduce merchant exposure to stolen‑account abuse, chargeback nightmares, and fraud losses — especially in the vulnerable digital‑goods segment.

    I’d be happy to help test the feature or provide further input. Thank you for considering these enhancements — they could make a real difference for thousands of merchants and put your plugin at the forefront of fraud‑aware WooCommerce solutions.

    Best regards,
    Youssef

    Thread Starter youssefwalid

    (@youssefwalid)

    I wanted to expand a bit on how these conditional void rules could be technically integrated into your plugin — with a suggested enhancement for auto-capturing transactions when no red flags are triggered.

    Since your plugin already supports the Authorize Only payment method, the ideal place for these checks is after authorization and before capture, during the review phase.

    🔧 Suggested Settings (New Section: “Fraud Prevention Rules”)

    Under your plugin’s settings, you could add a toggleable set of conditional rules:

    • ❌ Void if PayPal email ≠ WooCommerce billing/customer email (Buyer)
    • ❌ Void if PayPal account is unverified
    • ❌ Void if PayPal account country ≠ store base country
    • ❌ Void if PayPal account country ≠ WooCommerce billing country (Buyer)
    • ✅ Auto-capture if none of the above are triggered

    🔄 Implementation Workflow

    1. After the authorization step, hook into the response payload from PayPal’s Orders API:
      • payer.email_address
      • payer.address.country_code
      • payer.verification_status (or similar metadata if available)
    2. Compare these values against:
      • WooCommerce billing_email, billing_country
      • Store’s country (from general WooCommerce settings)
    3. If any rule is triggered:
      → Automatically void the transaction and log an order note (e.g., “Voided: PayPal email mismatch”).
    4. If no rules are triggered:
      → Automatically capture the transaction and note success (e.g., “Captured: All fraud checks passed”).

    Why Auto-Capture is Important:

    In digital product stores, time-to-delivery is often immediate. Merchants who trust these automated checks would benefit greatly from eliminating manual review overhead. This allows:

    • Fast, safe fulfillment
    • Minimal fraud exposure
    • Reduced admin workload

    This system would preserve flexibility (via settings), enhance security (via conditions), and streamline fulfillment (via auto-capture). I believe it would be a significant step forward for merchants who deal with digital goods or high-risk product categories.

    Plugin Author Payment Plugins

    (@mrclayton)

    Hi @youssefwalid

    Thank you for your reply.

    1. This is pretty easy to circumvent though. It’s easy enough to ensure the billing email entered on the checkout page matches the email address used to login to the PayPal account. I don’t view this as providing any kind of real security. Can you provide more details on why you believe this would be a good feature?
    2. I think this suggestion makes sense. The buyer’s account status is available in the API response from PayPal so this could be implemented.
    3. Will need to research what’s available in the API response as I am not sure the buyer’s account country is available. PayPal is restrictive on billing address info that’s provided in API responses.

    Can you provide any statistics from your actual store? It would be great to see how your actual store has been affected.

    Kind Regards

    Thread Starter youssefwalid

    (@youssefwalid)

    Hi @mrclayton ,

    Let me clarify the reasoning behind the email match rule and respond to the other points as well:

    Why the Email Match Rule Adds a Huge Value:

    Our store sells digital products, and all orders are delivered via email to the customer’s verified address.

    Because of this, we require email verification for all new users during registration, and only registered, verified users can proceed to checkout.

    This ensures we have a confirmed identity tied to each purchase — which significantly helps in preventing fraud and resolving disputes with strong evidence.

    You’re right that a determined fraudster could match the billing email to the stolen PayPal email on some websites. But here’s why the rule still matters in the real-world context of fraud prevention:

    • On our website, users must verify their email address before purchase. And we disabled the ability to change their email address from the billing details or account details area.
      This adds a real identity signal and makes it harder for scammers to align all identity elements unless they also control the customer’s inbox.
    • In most stolen PayPal account scenarios, the scammer:
      • Logs into PayPal with a compromised account
      • Quickly purchases digital products (downloads, keys, subscriptions)
      • Uses a disposable or random billing email just to pass checkout

    Matching PayPal email to the verified WooCommerce customer email helps detect this mismatch before capture. It’s not foolproof, but it’s a practical layer in a multi-signal fraud strategy.

    • In fraud prevention, no rule is perfect, but layered checks raise the effort required to commit abuse. This is especially important in digital goods where fraud is fast and irreversible.

    On Real-World Trends (and Our Store’s Impact):

    While we don’t have formal statistics in place, our experience over the past few months strongly mirrors the patterns seen in industry reports and fraud forums.

    In the 3 months prior to implementing manual review, we received over 100 PayPal disputes and chargebacks, all tied to digital goods. (The registered email address on our website was different than the PayPal account email address)

    In every case, the buyer claimed:

    “We didn’t make this purchase! Our account was stolen.”

    And unfortunately, PayPal sided with them — because they had clear evidence the accounts had been compromised (login from new device/location, IP inconsistencies, etc.).

    After this, we shifted to a more secure flow: Authorize → Manual Review → Capture or Void based on red flags.

    Since making this change:

    • We’ve only received 3 PayPal disputes this month, and
    • We won all of them, because:
      • We captured transactions only after confirming the account looked legitimate (email match, country match, verified status)
      • We had proper delivery logs and identity evidence tying the order to a real, verified customer

    This workflow has dramatically reduced our fraud exposure and saved us from ongoing revenue loss, which is why automating these checks and responses (auto-capture/void) based on red flags would be a huge upgrade.

    Thread Starter youssefwalid

    (@youssefwalid)

    Just to add one final point — we’ve carefully reviewed the PayPal API response during the authorization step, and we can confirm with certainty that the following buyer data is available:

    • Email Address [email_address]
    • Country [country_code]
    • Verification Status [account_status]

    So, from a technical standpoint, we’re 100% sure that the rules we’ve suggested — including email mismatch detection, unverified account filtering, and country-based validation — can be implemented cleanly within your plugin’s authorize-review flow.

    It’s definitely possible to build these rules:

    • Auto-Void if PayPal email ≠ WooCommerce verified email (User’s billing_email)
    • Auto-Void if account is not verified
    • Auto-Void if country mismatch (User’s billing_country)
    • Auto-capture if no rules are triggered

    If you add these rule-based conditions with optional auto-capture or auto-void actions, your plugin will genuinely become the most powerful and secure PayPal WooCommerce plugin on the market — especially for digital goods sellers like us.

    We’ve tested nearly every alternative, and nothing comes close to what you’re offering. These few enhancements would close the final gap and set a new standard in fraud prevention for PayPal on WooCommerce.

    Thanks again for being open to feedback — really appreciate the great work you’re doing.

    Plugin Author Payment Plugins

    (@mrclayton)

    Hi @youssefwalid

    Thank you for the detailed write-up.

    So would the preference then be that all these conditions can be configured and if they pass, the authorized payment is captured automatically during the checkout process? If any conditions fail, the payment would just remain authorized and could then be manually reviewed.

    Or would you prefer to still manually capture but have this logic run automatically during the capture process that you initiate?

    I think the first option is superior, especially when dealing with digital goods where immediate delivery is preferable. It will also reduce manual inputs.

    Kind Regards

    Thread Starter youssefwalid

    (@youssefwalid)

    Hi @mrclayton ,

    Thanks for the thoughtful response!

    To clarify — we’re definitely aiming to fully automate both the capture and the void actions, based on the defined conditions. The ideal flow is:

    • If all fraud checks pass → Auto-Capture
    • If any key rule fails → Auto-Void

    We agree that automation is especially valuable in the context of digital goods, where fast delivery and fraud risk go hand-in-hand. Manual review slows things down and can be avoided if intelligent, customizable rules are in place.

    We’d also love to see these conditional rules easily configurable from the plugin’s settings page — with the ability to:

    • Enable/disable specific checks (user email match, user country match, user account verification)
    • Define the action taken when conditions are met or failed (capture, void, or leave authorized)
    • Possibly introduce a new dropdown setting like:
      Transaction Type
      ▸ Authorize → Auto-Capture & Auto-Void
      Capture
      Authorize

    This would give store owners the flexibility to tailor the behavior to their specific fraud risks and operational needs.

    Thanks again for the collaboration — we’re excited about where this is heading!

    Best Regards,
    Youssef
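
The rule evaluation discussed in the replies above, written out as an added example; it is not part of any post in this thread and is not the plugin's code. The payload keys are the ones named in the thread (their exact place in PayPal's response is an assumption), the function names and the settings array are hypothetical, and the choice to leave a payment authorized when a field is absent, rather than capture it, is an assumption of this example. It covers the billing-email, verification and billing-country rules.

```php
<?php
// Added example, not the plugin's code. Field names are the ones listed in
// the thread; their place in PayPal's response is an assumption.

function norm(?string $v): string {
    return strtolower(trim((string) $v));
}

/**
 * Decide what to do with an authorized payment.
 * $rules: which checks are enabled, plus 'on_fail' => 'void' | 'hold'.
 * Returns ['action' => capture|void|hold, 'failed' => [...], 'missing' => [...]].
 */
function evaluate_authorization(array $payer, array $billing, array $rules): array {
    $pairs = [
        'email_match'      => [norm($payer['email_address'] ?? null), norm($billing['billing_email'] ?? null)],
        'verified_account' => [norm($payer['account_status'] ?? null), 'verified'],
        'country_match'    => [norm($payer['address']['country_code'] ?? null), norm($billing['billing_country'] ?? null)],
    ];
    $failed = $missing = [];
    foreach ($pairs as $rule => [$actual, $expected]) {
        if (empty($rules[$rule])) {
            continue;                      // check disabled in settings
        }
        if ($actual === '' || $expected === '') {
            $missing[] = $rule;            // absent data is not a pass
        } elseif ($actual !== $expected) {
            $failed[] = $rule;
        }
    }
    if ($failed) {
        $action = ($rules['on_fail'] ?? 'hold') === 'void' ? 'void' : 'hold';
    } elseif ($missing) {
        $action = 'hold';                  // leave authorized for manual review
    } else {
        $action = 'capture';
    }
    return ['action' => $action, 'failed' => $failed, 'missing' => $missing];
}

// Constructed sample data (not taken from a real PayPal response).
$rules   = ['email_match' => true, 'verified_account' => true, 'country_match' => true, 'on_fail' => 'void'];
$billing = ['billing_email' => 'buyer@example.com', 'billing_country' => 'EG'];
$payers  = [
    'match'     => ['email_address' => ' Buyer@Example.com', 'account_status' => 'VERIFIED', 'address' => ['country_code' => 'EG']],
    'mismatch'  => ['email_address' => 'other@example.net', 'account_status' => 'UNVERIFIED', 'address' => ['country_code' => 'EG']],
    'no_status' => ['email_address' => 'buyer@example.com', 'address' => ['country_code' => 'EG']],
];
foreach ($payers as $label => $payer) {
    $r = evaluate_authorization($payer, $billing, $rules);
    printf("%-9s %-7s failed=[%s] missing=[%s]\n", $label, $r['action'], implode(',', $r['failed']), implode(',', $r['missing']));
}
```

The `failed` and `missing` lists are what an order note such as “Voided: PayPal email mismatch” would be built from, so each automated void or hold stays explainable during a later dispute.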

    Plugin Author Payment Plugins

    (@mrclayton)

    Hi @youssefwalid

    Thank you for the detailed response. Can you create a support ticket via the WordPress Admin > WooCommerce > PayPal > Support page within your site? It will be good to have your input as we develop this feature.

    Given our development cycle, these features will most likely be available in 1.1.8.

    Kind Regards

    Thread Starter youssefwalid

    (@youssefwalid)

    Hi @mrclayton ,

    I’ll go ahead and create a support ticket via the path you mentioned so you have all the necessary information. I’m glad to contribute and look forward to seeing the new features in version 1.1.8.

    Kind regards,
    Youssef
