
Security

Topics on Security

MinFraud

What should we set the Minfraud Value to?

We default the value to 20 as that comes from what Minfraud have suggested. The lower the number, the lower the risk tolerance and the more likely the Minfraud checks will fail a Payment. The higher the score, the higher your risk tolerance is and the more likely a transaction will be accepted.

Please see MaxMind Minfraud for details about how the scoring works, and follow the "learn more" link on the Minfraud page. You may also wish to review their Understanding Risk Scoring page.

We have provided the ability for your organisation to change these values up or down. This will depend on the level of risk your organisation wishes to take and that is for you to determine. See the MinFraud Set Thresholds for the Risk Score for some guidance.

Minfraud is included as part of Payments2Us and plays an important role as one of the methods used to avoid fraud and card testing.

 
 

Can I disable Minfraud?

We have added the MaxMind MinFraud risk scoring system to prevent fraudulent card testing activity on your Payment/Donation Form. We do not recommend disabling it.

Additionally, some Payment Gateways such as Windcave charge on the basis of transaction attempts rather than successful transactions. If you were the target of credit card washing attempts or fraudulent card testing activity, you would be charged for all of these transaction attempts and you could be liable for these fees from the Payment Gateway. This is explained in 10(e) of our terms. Hence we do not recommend turning Minfraud off.

However, if you wish to disable it, set the Minfraud Scores to 0 (Zero) on the Merchant Facility. Configuring your threshold at 0 means the condition for fraud-based intervention will never trigger, allowing all transactions to pass through without minFraud influencing the outcome - effectively disabling its impact while keeping the integration in place.

 
 

What is the impact of disabling Minfraud?

We do not recommend disabling Minfraud. It is an important security check. There are a lot of other checks as well and this is just one component.

You'll see some links and references in the “What should we set the Minfraud Value to?” FAQ above as to how the risk scoring works. At a high level it checks the data entered to see if it all matches and makes sense. This means that even if someone were to complete Captchas successfully, they could still be picked up as fraudulent and stopped.

The risk of disabling is that card testing or fraudulent transactions could be completed on your payment form. Please note that some Payment Gateways such as Windcave charge on the basis of transaction attempts rather than successful transactions. If you were the target of credit card washing attempts or fraudulent card testing activity, you would be charged for all of these transaction attempts and you could be liable for these fees from the Payment Gateway. This is explained in 10(e) of our terms.

Therefore, we do not recommend turning Minfraud off. Rather, we recommend that you inspect each transaction where the fraud risk is high and, if it is a legitimate transaction, study the patterns and increase the risk score accordingly.

 
 

Why a Transaction May Receive a High MaxMind minFraud Score?

Payments2Us integrates with MaxMind minFraud to help protect your organisation from fraud, card testing, and suspicious donation activity.

It is important to understand that Payments2Us does not calculate the Risk Score or IP Risk Score. These scores are calculated by MaxMind minFraud using the transaction details available at the time of payment.

Payments2Us then checks the score returned by MaxMind against the threshold configured on your Merchant Facility. If the score is higher than the allowed threshold, Payments2Us blocks the transaction and may add the IP address to the blocked IP Address list, depending on your security settings.

How MaxMind Calculates Risk

MaxMind assesses many signals to determine whether a transaction appears risky. These may include:

  • The donor’s IP address and location
  • Whether the donor appears to be using a VPN, proxy, hosting provider, or anonymising service
  • Whether the billing address, country, email, IP location, and card-related information appear consistent
  • The history and reputation of the IP address, email, and other transaction signals
  • The likelihood that the transaction resembles card testing or fraudulent behaviour
  • Other risk patterns available to MaxMind at the time of the transaction

This means a donor is not necessarily “on a blacklist”. A known donor can still receive a high score if the transaction details look unusual or inconsistent to MaxMind.

For more information, see MaxMind’s documentation:

Common Causes of a High Score

Below are common reasons a transaction may receive a higher MinFraud score.

· Missing or Incomplete Country Information

If the Country field is not included on the checkout form, Payments2Us may not receive the donor’s correct country.

For example, if a donor is overseas but the form defaults the country to Australia, the donor’s address, IP location, and country may not match. MaxMind may treat this inconsistency as higher risk.

To reduce this risk, we recommend including the Country field on Payment Forms, especially where you accept donations from overseas donors.

· Donor Using a VPN or Proxy

A donor using a VPN, proxy, or anonymising service can cause a higher score.

For example, the donor may enter an Australian address, but their IP address appears to come from another country. MaxMind may assess this as suspicious because the transaction details do not appear consistent.

· IP Address Location Does Not Match Donor Details

A high score can occur where the IP location, billing address, card-related signals, or email information do not align.

For example:

  • IP address appears to be overseas, but the donor enters an Australian address
  • IP address appears to be from a data centre or hosting provider
  • IP address has a poor reputation or has been associated with suspicious activity
  • Email or transaction patterns appear unusual to MaxMind

· Card Testing or Fraud-Like Behaviour

Not-for-profits and donation forms are often targeted for card testing. This is where fraudsters attempt small transactions to test whether stolen card details are valid.

MaxMind may return a higher score when the transaction resembles known card-testing or fraud patterns, even where some details appear valid.

· Email Address or Domain Appears Higher Risk

MaxMind may consider email-related signals when calculating the risk score.

For example, a higher score may occur where:

  • The email address appears newly created.
  • The email domain has a poor reputation.
  • The email pattern looks unusual or automated.
  • The email has been associated with suspicious activity in MaxMind’s risk data.

This does not mean the donor is automatically fraudulent. It means the email information may have contributed to the overall risk score.

· Multiple Attempts or Card Testing Patterns

Not-for-profits and donation forms are often targeted for card testing. This is where fraudsters attempt small transactions to test whether stolen card details are valid.

MaxMind may return a higher score where the transaction resembles known card-testing behaviour, such as:

  • Multiple payment attempts in a short period
  • Repeated failed transactions
  • Similar attempts using different card or donor details
  • Unusual transaction timing or volume
  • Small transactions that look like test payments

Understanding the Merchant Facility Threshold

The Max Fraud Risk Score threshold on the Merchant Facility controls how strict the fraud protection is.

Payments2Us commonly recommends/defaults this value to 20.

  • A lower number means a lower risk tolerance. More transactions may be blocked.
  • A higher number means a higher risk tolerance. More transactions may be allowed through.

You can adjust this value, but we recommend doing so carefully. Increasing the threshold too much may allow higher-risk transactions to proceed, which can increase exposure to fraud, gateway fees, chargebacks, and card-testing activity.

Before changing the threshold, review enough examples to understand whether the blocked transactions are likely genuine false positives or valid high-risk attempts.
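As an added illustration (not Payments2Us or MaxMind code), the replay below applies the rule described on this page, block when the returned score is higher than the threshold and treat 0 as disabled, to a constructed set of manually reviewed transactions. For each candidate threshold it reports how many genuine donations would be blocked and how many fraudulent attempts would pass; the record fields, IDs and scores are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ReviewedTxn:
    txn_id: str        # constructed identifier (hypothetical)
    risk_score: float  # Risk Score returned by minFraud for the attempt
    genuine: bool      # outcome of your own manual review


def is_blocked(risk_score: float, threshold: float) -> bool:
    """Page's rule: block when score is higher than threshold; 0 disables."""
    if threshold == 0:
        return False
    return risk_score > threshold


def replay(txns, threshold):
    """Count review outcomes for one candidate threshold."""
    row = {"threshold": threshold, "genuine_blocked": 0, "fraud_allowed": 0}
    for t in txns:
        blocked = is_blocked(t.risk_score, threshold)
        if blocked and t.genuine:
            row["genuine_blocked"] += 1   # false positive: donor turned away
        elif not blocked and not t.genuine:
            row["fraud_allowed"] += 1     # fraud / card test reaches the gateway
    return row


def compare(txns, candidates):
    return [replay(txns, c) for c in candidates]


# Constructed sample of reviewed transactions (not real data).
SAMPLE = [
    ReviewedTxn("T-001", 0.5, True),
    ReviewedTxn("T-002", 3.2, True),
    ReviewedTxn("T-003", 22.0, True),   # overseas donor, country defaulted
    ReviewedTxn("T-004", 27.5, True),   # donor on a VPN
    ReviewedTxn("T-005", 35.0, False),  # card-testing attempt
    ReviewedTxn("T-006", 64.0, False),
    ReviewedTxn("T-007", 91.0, False),
    ReviewedTxn("T-008", 18.0, False),  # fraud that scored under the default
]

if __name__ == "__main__":
    for row in compare(SAMPLE, [0, 10, 20, 30, 50]):
        print(row)
```

On this sample, moving from 20 to 30 releases both blocked genuine donors without admitting more fraud, while 50 or 0 lets additional fraudulent attempts through.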

Using Your Own MaxMind Account

From Payments2Us release 11.0 onwards, you can connect your own MaxMind minFraud account in Payments2Us.

This is recommended if your organisation wants more visibility into why transactions are being scored as high risk.

When using the Payments2Us MaxMind account, you can see the score result in Payments2Us, but you do not have direct access to MaxMind’s deeper transaction-level analysis.

With your own MaxMind account, your team can log in to MaxMind and review more detail about each transaction. This can help you:

  • Understand why a transaction received a high score
  • Identify patterns across blocked transactions
  • Review whether blocked transactions are likely false positives
  • Make more informed decisions before changing your Merchant Facility threshold

MaxMind offers different minFraud product levels. As a general guide:

  • minFraud Score provides the risk score used for automated fraud checks.
  • minFraud Insights provides more detail to help review and understand risk decisions.
  • minFraud Factors provides the most detailed risk factor breakdown.

If your team wants to investigate blocked transactions in more detail, minFraud Insights or minFraud Factors may be more useful than Score alone.

For setup steps, see:

Risk and IP Risk Management Settings – Adding Your Own minFraud Credentials

Recommended Review Steps

If you are seeing transactions blocked due to high MinFraud scores:

  1. Review the related Error Log and Payment Txn details.
  2. Check whether the donor’s country, address, IP location, and email details appear consistent.
  3. Confirm whether the donor may be using a VPN, proxy, or overseas network.
  4. Review whether the Country field is included on the Payment Form.
  5. Check the Max Fraud Risk Score threshold on the Merchant Facility.
  6. Consider setting up your own MaxMind account if you need deeper visibility into the risk reasons.
  7. Only adjust the threshold after reviewing enough examples to understand the likely cause.
 
 

 

 

 

General Security related Questions

I have now allowed an IP Address. Will the Transaction go through, or does the user need to re-submit?

The card holder will need to resubmit the transaction.  The transaction was blocked.

 
 

I have marked an IP Address as allowed.  How long does it take until this comes into effect?

It should take effect straight away.

However, sometimes the forms are cached and the browser remembers previous settings. Doing a control+refresh should clear the cache.

Also, double check it has not been blocked again. The IP addresses are related to Merchant Facilities, so check that it is marked as allowed for all Merchant Facilities that you want to allow it for.

If you are still having issues, check the Error Log - Payments2Us, as that describes the error in more detail.