The Card-Not-Present Fraud Problem in Canada
Card-not-present (CNP) fraud occurs when someone uses stolen card details to make a purchase without the physical card. Online checkout is the primary vector — the fraudster has a card number, expiry date, and sometimes the CVV, but not the card itself.
Why is Canada's CNP fraud rate so high? Largely because Canadian chip-and-PIN adoption at physical POS is among the highest in the world. Chip cards make in-person fraud extremely difficult — you need the physical card with its secure chip. This pushes fraud almost entirely online, where chip security doesn't apply.
When you accept an online payment, you can't see the customer or the card. You're relying on:
1. The card number being valid and the account being in good standing
2. The CVV matching what the bank has on file
3. The billing address matching the address on the account
4. The card network's real-time fraud scoring (which you don't control)
Points 2 and 3 are where your fraud controls live. Let's go through them.
AVS: Address Verification Service
AVS checks the billing address information entered by the customer at checkout against the address the issuing bank has on file for the card. Specifically, it checks:
- The numeric portion of the street address (e.g., "123" from "123 Main St")
- The postal code
AVS does not check the street name, city, or province. It's a narrow match against two numeric fields.
AVS Response Codes for Canadian Merchants
| Code | Meaning | Action to Take |
|---|---|---|
| Y | Both address and postal code match | ✅ Process normally |
| X | 9-digit postal code and address match (US only) | ✅ Process normally |
| A | Address matches, postal code does not | ⚠️ Review for high-value orders; may be legitimate (customer typed wrong postal) |
| W / Z | Postal code matches, address does not | ⚠️ Review; partial match is better than no match |
| N | Neither address nor postal code match | 🔴 Flag for review; decline on high-value or high-risk orders |
| U | AVS unavailable (bank doesn't support it, or non-US card) | ⚠️ Common in Canada — do NOT auto-decline |
| R | System unavailable, retry | ⚠️ Retry once; then proceed with additional scrutiny |
| G | Non-Canadian/US card (international) | ⚠️ Higher risk for cross-border; evaluate order context |
⚠️ The Canadian AVS limitation
AVS was designed primarily for US card issuers. Many Canadian banks — particularly credit unions and smaller institutions — don't fully support AVS, resulting in "U" (unavailable) responses even for completely legitimate Canadian customers. If you auto-decline all "U" responses, you will block a meaningful percentage of valid Canadian orders. Treat "U" as a neutral signal, not a red flag, when it appears in isolation.
Practical AVS Rules for Canadian E-Commerce
- High-value orders (e.g., over $200): Require "Y" or partial match, or manually review "N" and "U" before shipping
- Low-risk, low-value orders: A "U" response alone is not a reason to decline
- International cards: A "G" code on an international card with no other verification warrants higher scrutiny
- Digital goods / instantly delivered: Apply stricter rules — there's no shipment to cancel if fraud is discovered
CVV / CVV2: Your First Line of Defence
CVV (also called CVV2, CVC2, or CID) is the security code printed on the physical card but not encoded in the magnetic stripe or chip. For Visa and Mastercard, it's the 3-digit code on the back. For Amex, it's the 4-digit code on the front.
The critical point: PCI DSS prohibits any merchant or processor from storing the CVV after authorization. This means fraudsters who obtain card numbers from data breaches usually don't have the CVV, because it isn't stored anywhere after the initial transaction. A correct CVV at checkout is strong evidence that the person paying either has the physical card or obtained the CVV through a separate mechanism (phishing, card skimmer, etc.).
🛡️ CVV Checking Essential
Always check CVV for online transactions. Always decline CVV mismatches.
A CVV mismatch — where the card number is valid and approved by the bank but the CVV doesn't match — is a near-certain indicator of fraud. The fraudster has the card number (perhaps from a breached database) but not the physical card. There is essentially no legitimate reason for a CVV mismatch to occur on a valid transaction.
How to enable: In Stripe, CVV checking is enabled by default — the authorization response includes a CVC check result field. In Helcim, CVV is checked at the gateway level. In most payment processors, you can configure automatic decline on CVV failure in your fraud settings or via API response handling.
3D Secure (Verified by Visa / Mastercard SecureCode)
3D Secure (3DS) is an authentication protocol that adds a verification step between the customer and their bank during online checkout. After entering card details, the customer may be asked to:
- Enter a one-time SMS code sent by their bank
- Approve the payment in their banking app
- Answer a security question
The major benefit: when 3DS authentication is successfully completed, fraud liability shifts from you (the merchant) to the issuing bank. If the transaction later proves fraudulent and the customer disputes it, the bank absorbs the chargeback — not you.
🔐 3D Secure 2 (3DS2) Recommended for High-Risk Orders
3DS2 is the modern version — it uses risk-based authentication, meaning many low-risk transactions are approved without any customer interaction (a "frictionless flow"). The authentication step only appears when the bank's algorithm flags a transaction as higher-risk.
Canadian bank support: All major Canadian banks (TD, RBC, BMO, Scotiabank, CIBC, National Bank) support 3DS2 on their Visa and Mastercard products as of 2026.
How to activate:
- Stripe: Enable Radar with 3DS support in the Dashboard → Settings → Radar. You can set rules to trigger 3DS for specific transaction types or amounts.
- Helcim: 3DS is available on the Helcim payment gateway; contact support to enable for your account.
- Moneris: 3DS2 available through the Moneris hosted payment page and API.
- WooCommerce / Shopify: Enabling depends on your payment gateway plugin; most major Canadian gateway plugins support 3DS2.
Trade-off: Even with frictionless flows, enabling 3DS universally can increase cart abandonment by 3–8% for some merchant categories — customers who see an unexpected authentication step sometimes abandon. Consider triggering 3DS only for high-risk transactions (orders over a certain amount, shipping to a different address than billing, etc.) rather than universally.
Velocity Checks and Order Rules
Fraud rings don't make one transaction — they test cards systematically, often processing dozens of small transactions quickly to identify valid card numbers before making larger purchases. Velocity rules detect and block this pattern.
⚡ Velocity Checks Essential
Recommended velocity rules for Canadian e-commerce:
| Rule | Threshold | Action |
|---|---|---|
| Failed payment attempts per IP address | 3 failures per hour | Block IP temporarily; flag for review |
| Declined transactions per card number | 2 declines per 24 hours | Block card from further attempts |
| Orders per IP address | 5 orders per 24 hours | Flag for manual review |
| Multiple cards per device fingerprint | 3+ cards per session | Immediate flag; manual review required |
| Unusually high order value for first-time customer | Define your high-value threshold | Require 3DS or manual review |
Stripe Radar, Kount, and other fraud platforms implement velocity rules automatically. If you're on a simpler setup (Helcim, Moneris), check whether your plan includes fraud rule configuration, or implement rules at the application layer.
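For merchants implementing these rules at the application layer, the sketch below is an added example (not code from this page or from any processor) that applies the first four thresholds in the table with rolling time windows. The event fields, action names, and the choice to fire an action when a count reaches the threshold are assumptions of this example.

```python
from collections import defaultdict, deque

HOUR, DAY = 3600, 86400

class SlidingWindow:
    """Counts events per key inside a rolling window of `seconds`."""
    def __init__(self, seconds):
        self.seconds, self.hits = seconds, defaultdict(deque)

    def add(self, key, ts):
        q = self.hits[key]
        q.append(ts)
        while q[0] <= ts - self.seconds:   # drop events older than the window
            q.popleft()
        return len(q)

class VelocityRules:
    def __init__(self):
        self.ip_failures = SlidingWindow(HOUR)    # 3 failures per hour per IP
        self.card_declines = SlidingWindow(DAY)   # 2 declines per 24 h per card
        self.ip_orders = SlidingWindow(DAY)       # 5 orders per 24 h per IP
        self.session_cards = defaultdict(set)     # distinct cards per device session

    def check(self, ev):
        """Record one attempt ('declined' or 'approved'); return triggered actions."""
        actions = []
        cards = self.session_cards[(ev["device"], ev["session"])]
        cards.add(ev["card"])                     # card token, never the raw PAN
        if len(cards) >= 3:
            actions.append("review:multi_card_device")
        if ev["outcome"] == "declined":
            if self.ip_failures.add(ev["ip"], ev["ts"]) >= 3:
                actions.append("block_ip")
            if self.card_declines.add(ev["card"], ev["ts"]) >= 2:
                actions.append("block_card")
        elif self.ip_orders.add(ev["ip"], ev["ts"]) >= 5:
            actions.append("review:ip_order_volume")
        return actions

def attempt(ts, card, session="s1", outcome="declined"):
    # Constructed sample event; 203.0.113.7 is a documentation-range address.
    return {"ts": ts, "ip": "203.0.113.7", "device": "dev-A",
            "session": session, "card": card, "outcome": outcome}

# Constructed card-testing burst, then one attempt after the hourly window expired.
SAMPLE = [attempt(0, "tok_1"), attempt(60, "tok_2"), attempt(120, "tok_3"),
          attempt(180, "tok_3"), attempt(4000, "tok_4", session="s2")]

def run(events):
    rules = VelocityRules()
    return [rules.check(ev) for ev in events]
```

Calling `run(SAMPLE)` returns one action list per event: the third attempt trips the per-IP and per-device rules, the fourth adds the per-card block, and the attempt at `ts=4000` triggers nothing because the earlier failures have aged out of the one-hour window.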
Layering Your Fraud Defences
No single fraud tool catches everything. The most effective approach layers multiple signals:
| Defence Layer | What It Catches | Priority |
|---|---|---|
| CVV check | Card-number-only fraud (stolen database) | 🔴 Essential — always enabled |
| AVS check | Cards used at wrong address; catches some fraud, weak in Canada | 🟡 Use contextually, not as hard block |
| 3D Secure | Account takeover, stolen card with CVV; shifts liability | 🟡 Recommended for high-risk/high-value |
| Velocity rules | Card testing, fraud rings, automated attacks | 🔴 Essential for any volume merchant |
| Device fingerprinting | Same device cycling multiple cards | 🔵 Advanced; available through Stripe Radar, Kount |
| Machine learning scoring | Pattern recognition across transaction history | 🔵 Advanced; Stripe Radar, Signifyd, NoFraud |
✅ Minimum viable fraud setup for Canadian e-commerce
- ✅ CVV checking enabled and declines on mismatch — always
- ✅ AVS enabled, flag "N" results on high-value orders, don't auto-decline "U"
- ✅ Velocity rules: limit failed attempts per IP and per card
- ✅ 3DS enabled for orders over your chargeback-risk threshold (e.g., $250+)
- ✅ Review your chargeback reports monthly — fraud patterns cluster by industry and time
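The checklist above and the AVS response-code table can be combined into a single per-order decision. The following is an added example, not code from this page or from any gateway; the order fields, the `match`/`mismatch` CVV labels, the decision names, and the choice to decline "N" only for digital goods are this example's reading of the page's rules.

```python
HIGH_VALUE = 200.00    # the page's example: "over $200"
THREE_DS_MIN = 250.00  # the page's example: "$250+"

def avs_signal(code, high_value, digital):
    """Translate an AVS response code into (decision, reason)."""
    if code in ("Y", "X"):
        return "approve", "AVS full match"
    if code in ("A", "W", "Z"):
        return ("review" if high_value else "approve"), "AVS partial match"
    if code == "N":
        # Stricter for digital goods: no shipment to cancel afterwards.
        return ("decline" if digital else "review"), "AVS no match"
    if code == "U":
        # Neutral in isolation; only high-value orders get a manual look.
        return ("review" if high_value else "approve"), "AVS unavailable"
    if code == "G":
        return "review", "international card"
    if code == "R":
        # Assumes the caller already retried once, as the table advises.
        return "review", "AVS system unavailable after retry"
    return "review", "unrecognised AVS code"

def decide(order):
    """order keys: amount, avs, cvv ('match' or 'mismatch'), digital (bool)."""
    if order["cvv"] == "mismatch":
        return "decline", ["CVV mismatch"]           # always decline
    decision, reason = avs_signal(order["avs"], order["amount"] > HIGH_VALUE,
                                  order["digital"])
    reasons = [reason]
    if decision == "approve" and order["amount"] >= THREE_DS_MIN:
        decision = "require_3ds"
        reasons.append("over 3DS threshold")
    return decision, reasons

# Constructed sample orders (amounts in CAD).
SAMPLES = [
    {"amount": 40.0, "avs": "U", "cvv": "match", "digital": False},
    {"amount": 300.0, "avs": "U", "cvv": "match", "digital": False},
    {"amount": 300.0, "avs": "Y", "cvv": "match", "digital": False},
    {"amount": 40.0, "avs": "N", "cvv": "match", "digital": True},
    {"amount": 40.0, "avs": "Y", "cvv": "mismatch", "digital": False},
]

if __name__ == "__main__":
    for o in SAMPLES:
        print(o["avs"], o["cvv"], o["amount"], "->", decide(o))
```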
📊 Know your chargeback rates
The card networks (Visa, Mastercard) set acceptable chargeback thresholds at 1% of transactions per month. Exceeding that threshold triggers warnings and eventually fines. Monitoring your chargeback rate by product category is the fastest way to identify fraud vectors before they become a compliance problem. See our chargeback rates by industry in Canada and our chargeback response builder for practical tools.