Paybyrd Paybyrd
Sign Up Free
Paybyrd Antifraud
Fraud prevention · production-grade

Every transaction
scored in 47 milliseconds.

Fifty-five fraud signals. One decision engine. Zero tickets in the morning. Paybyrd Antifraud scores every payment before it reaches your acquirer — blocks the attackers, passes the shoppers, and explains every call your analysts need to review.

Blocked by Paybyrd Antifraud · since you opened this page
0
card-tester attempts · 0 in exposure prevented
Watch it live
Book a 15-min with a risk engineer See the dashboard Developer docs
47ms
p95 decision time
Rules + AI + device · every payment
10
IP intel signals
VPN · Tor · datacenter · threat score
45+
Device intel signals
History · reputation · biometrics
−16.8%
Chargeback volume
Paybyrd's own payments book — now yours to deploy
The threat monitor · live

Watch the engine work.
Every transaction. Every outcome. Explained.

The monitor below is synthetic — but every signal, score, and rule you'll see is the real engine. Plug in a sandbox key and your own traffic flows through this exact pipeline.

paybyrd.antifraud ▸ monitor
Live · synthetic load · eu-west-1
Incoming
Shield
Approved
Blocked
SCORING Rules · Velocity · AI · Device · IP
0
Passed · 60s
0
3DS step-up
0
Blocked · 60s
PASS €84.20 · MB WAY · restaurant · domestic BIN
BLOCK €1.00 · velocity · 12 BINs in 22s · card tester
3DS €1,420 · Amex · check-in · step-up issued · OTP ok
PASS €38.50 · Visa Debit · subscription renewal · trusted device
BLOCK €892 · residential proxy · geo mismatch · 4 cards
decision 47ms false-pos rate 0.04% region eu-west-1
Authorization flow

Three stages.
Every decision explained.

Every transaction passes through Pre-Auth Screening, Issuer Authorization, and Final Decision — each stage scored, each score visible, each reason logged. This is the actual detail view your analysts will see in the console.

Transactions / ffd5b23cf58e4b…
ffd5b23cf58e4b… Review
€897.10 · Score 420/1000 · Apr 20, 2026 · 10:57
Acme Travel · Ref: 59e5af3a-a75c-45d9-a99d-db7c0d819cbf Purchase
This transaction requires manual review
Overview Card info Shopper Device

Authorization Flow

Pre-Auth Screening

Approved
Fraud Score 300 / 1000
Reason Approved: score 300 from 2 rules, below thresholds.
Decided at Apr 20, 2026 · 10:57:12

Velocity, device reputation, and IP intelligence checked before the card is even sent to the issuer. Fast-path for trusted sessions — no friction added.

Issuer Authorization

Approved
Decided at Apr 20, 2026 · 10:57:13

Transaction sent to the issuer through the acquirer most likely to approve this BIN. Response captured, rate applied.

Final Decision

Review
Fraud Score 420 / 1000
Reason Sent to review by 4 rules.
Decided at Apr 20, 2026 · 10:57:13

Post-issuer analysis fires our review rules — velocity surge, device risk, BIN country mismatch. Human-in-the-loop for the €420 threshold your team set.

IP Intelligence · 10 signals

Know where the payment
is actually coming from.

Every online payment originates from an IP address. Our IP Intelligence module answers two questions instantly: where is this person and is this person hiding.

paybyrd.intel ▸ ip lookup
Resolved · 12ms
Incoming session IP
102.212.56.255 ThreatScore 78
Card-issuer → Session location
CARD · PT Lisbon · Caixa Geral 4,814 km SESSION · KE Nairobi · Safaricom
Geo-distance > 4,000 km from issuing country flagged
ISP: Safaricom Mobile — legitimate consumer carrier noted
No VPN, Tor, datacenter, or known-attacker match clean
Rule match: geo-distance > 4000 → review Send to review
01

Country & city

Buyer location to the city level

02

ISP identification

Legit consumer ISP or suspicious provider

03

Geo-distance

Kilometres from the card's issuing country

04

VPN / Proxy / Tor

Anonymisers masking real location

05

Residential proxy

Fraud rings routing through real homes

06

Datacenter / cloud

Bots running from AWS, GCP, Azure, OVH

07

Known attacker

IPs flagged in global threat intelligence

08

Bot detection

Automated card-testing attacks

09

ThreatScore 0–100

Aggregate IP risk in a single metric

010

First-seen

Has this IP touched our platform before?

Example rule If ThreatScore > 70 AND GeoDistance > 4000 Review Stops fraud before it costs money — no chargebacks, no scheme fines.
Device Intelligence · 7 categories · 45+ signals

Know the device,
not just the transaction.

Instead of scoring a single payment in isolation, Device Intelligence builds a persistent profile of every browser and phone that touches your checkout — and follows that profile across every merchant on the platform.

01 Has this device been seen before?

Device history · global

  • Days since first seen across every Paybyrd merchant
  • Total visits, ever
  • Number of distinct merchants visited
  • New-device flag (0-7 day threshold, configurable)

A device brand-new to the entire platform carries different risk than one seen 200 times over 6 months. Context beats context-free scores every time.

02 Has it been seen at THIS merchant?

Workspace-scoped history

  • New-to-workspace flag
  • Visit count scoped to this merchant only
  • Last purchase on this merchant
  • Cross-merchant vs same-merchant pattern

A device trusted by Merchant A might be brand-new to Merchant B. The rule engine lets you weigh both — cross-merchant reputation AND your own history.

03 What's this device's track record?

Reputation signals

  • Chargeback rate on past transactions
  • Unique cards used from this device
  • Unique emails & phones bound to this device
  • Manual approve/decline history from your analysts
  • Aggregate reputation score (0-100)

A device that's used 15 different cards is almost certainly a fraud tool. Reputation aggregates historical signal into one number your rules can pivot on.

04 Is the buyer hiding their tracks?

Environment detection

  • Private / incognito browsing detected
  • WebView inside an app (common in phishing kits)
  • DevTools open
  • Browser automation — Selenium, Puppeteer, Playwright

A shopper with DevTools open and incognito on is inspecting your checkout — not buying. These signals separate real visitors from reconnaissance.

05 Does the user act human?

Behavioral biometrics

  • Mouse movement naturalness
  • Typing speed & keystroke count
  • Paste events on card / CVV fields
  • Form-fill duration (200ms = bot, 20-40s = human)
  • Aggregate behavioral risk score

Bots type instantly. Humans don't. Bots paste whole card numbers. Humans usually type them. This is the layer that catches the sophisticated attack no static rule will.

06 Is this device lying about itself?

Spoofing detection

  • User-Agent spoofing — claims Chrome/Mac but isn't
  • Headless browser detection
  • Antidetect / fraud browser fingerprint
  • Canvas noise injection (fingerprint evasion)
  • Aggregate spoofing risk score

Professional fraud rings buy antidetect browsers to look like clean devices. We detect the forgery itself — the browser is lying and we know it.

07 Composite score

One number.
All 45+ signals rolled up.

Your rules don't need to fire on 40 signals. The Device Risk Score rolls them all into a single 0–100 metric — and every component stays visible on the review page when your analyst needs to drill in.

Explainable Tunable weights Per-category drilldown
0 50 100 78 RISK · HIGH
Behavioral biometrics

Bots type instantly.
Humans don't.

The same checkout, filled by a human and a bot. Same card number. Same IP even. Behavioral biometrics separate them in under two seconds — here's how.

Human shopper
session #a7f4
mouse · natural arcs · 240 px/sec
Card fill · 28.4 seconds
card 4584 9021 5783 1248
expiry 08 / 28
cvv 4 2 7
Typing rhythm Human · 3.2 chars/sec variance
Paste events 0
Form-fill duration 28.4s · in range
Mouse trajectory Natural arcs · no jumps
Behavioral risk 12 / 100 · Pass
Card-testing bot
session #b8e2
mouse · teleport jumps · no velocity
Card fill · 0.18 seconds · pasted
card 4 5 8 4 9 0 2 1 5 7 8 3 1 2 4 8 paste
expiry 08 / 28
cvv 4 2 7
Typing rhythm 0 keystrokes · full paste
Paste events 3 · on sensitive fields
Form-fill duration 180ms · impossibly fast
Mouse trajectory Linear teleports
Behavioral risk 96 / 100 · Block
Rule that fires If HasPasteOnSensitiveField = true AND FormFillDurationMs < 3000 Review
Rule builder

Compose rules your team
actually understands.

Visual rule builder. Drag signals, pick operators, choose an action. No SQL, no code, no support ticket to change a threshold. Below are the exact seven rules most risk teams deploy in their first week.

Seven starter rules · deployed week one
Production-ready
01 If
DeviceRiskScore>75
Decline
Catches: High-risk devices outright
02 If
IsNewDevice= trueANDAmount>€500
Review
Catches: First-time devices making large purchases
03 If
UniqueCardCount>3
Decline
Catches: Card-testing: a device cycling through stolen numbers
04 If
HasPasteOnSensitiveField= trueANDFormFillDurationMs<3000
Review
Catches: Automated form-filling with pasted stolen credentials
05 If
IsHeadlessBrowser= true
Decline
Catches: Bots running without a real browser
06 If
ChargebackRate>5%
Decline
Catches: Devices with a history of chargebacks
07 If
IsTor= trueANDIsNewToWorkspace= true
Decline
Catches: Anonymous first-time visitors
15+ condition types · velocity · pattern · geo-distance · BIN · temporal · ML scores · device · IP · behavioral
Walk through the builder
Case review · analyst workflow

Your analysts' morning
isn't a ticket queue anymore.

Every flagged transaction lands in Alerts with SLA countdown, assignee, triggering rule and one-click Approve / Decline. No spreadsheet exports, no CSV joins, no "let me check with the acquirer".

Total alerts
35
Open
32
Investigating
30
SLA overdue
32
Unassigned
32
Avg resolution
0.3h
SLA
Open Inv. Over Resolved
Alert ID Opened Status Trigger rule Amount Merchant SLA Assigned
bcbf6e8a... 20 Apr 2026, 11:42 Investigating High-Value Fraud Risk €3,780 Acme Travel 2m left
l
luiz
fa92e3d1... 20 Apr 2026, 11:38 Open Card Testing Attack €62 Nova Hotels Group OVERDUE
4f2a8b71... 20 Apr 2026, 11:31 Open Velocity · 12 BIN/22s €140 Quinta Bistro 14m left
a
ana
c8d45520... 20 Apr 2026, 11:22 Escalated Geo-mismatch · 4,814 km €897.10 Acme Travel OVERDUE
l
luiz
e1748f9a... 20 Apr 2026, 11:08 Open Residential Proxy €1,420 Nova Hotels Group 31m left
a33c02fe... 20 Apr 2026, 10:54 Investigating ThreatScore > 85 €240 Beltone Retail OVERDUE
a
ana
One-click decisions
Approve / Decline / Escalate
No SQL, no support ticket
SLA tracking
Per-rule response windows
Alert triggers · auto-escalation
Full audit trail
Every action logged
Analyst · decision · reason · timestamp
The dashboard

Your Head of Risk
opens this at 08:45.

Every metric live-updating, every chart breathing, every anomaly highlighted before the coffee is made. Configurable widgets — add a shadow-pass-rate line, swap the world map for a merchant ladder, drop in a rule-firing heatmap.

Paybyrd Antifraud
20 Apr · 08:45:21 GMT+2
L
Luiz

Good morning, Luiz

Here's your fraud operations overview · 04h 22m since last login.

Session activity
42 alerts handled
1 merchant with unusual decline spike today decline rate > 10% SLA 12m
Transactions · 24h
6,412
+2.4% this hour
Flagged for review
16.7 %
+0.3pp this hour
Avg fraud score
353
+12 this hour
Approve rate
83.3 %
+1.2pp this hour
Decline rate
16.7 %
−0.3pp this hour
Decision latency
47 ms
−3ms this hour

7-day approval heatmap

Hour-by-hour approve rate · click a cell to drill in

Low Med High
036912151821
Mon
Tue
Wed
Thu
Fri
Sat
Sun
Peak: Tue 11:00 · 94% Dip: Sun 03:00 · 64%

Transaction origins · live

Pulsing dots scaled by volume · trailing 7 days

34/min
🇺🇸 United · 442 🇵🇹 Portugal · 780 🇳🇱 Netherlands · 310 🇪🇸 Spain · 420 🇧🇷 Brazil · 530 🇦🇴 Angola · 248 🇯🇵 Japan · 160 🇩🇪 Germany · 290
🇺🇸 United States 442 🇵🇹 Portugal 780 🇳🇱 Netherlands 310 🇪🇸 Spain 420 🇧🇷 Brazil 530 🇦🇴 Angola 248
Activity
08:45:12 BLOCK velocity · 12 BINs · 22s 08:45:11 PASS €84.20 · MB WAY · trusted device 08:45:08 3DS €1,420 · check-in · step-up OK 08:45:05 BLOCK headless browser · DevTools open 08:45:03 PASS €38.50 · Apple Pay · recurring 08:45:01 BLOCK residential proxy · geo mismatch 08:44:58 REVIEW ThreatScore 78 · new device + large order 08:45:12 BLOCK velocity · 12 BINs · 22s 08:45:11 PASS €84.20 · MB WAY · trusted device 08:45:08 3DS €1,420 · check-in · step-up OK 08:45:05 BLOCK headless browser · DevTools open 08:45:03 PASS €38.50 · Apple Pay · recurring 08:45:01 BLOCK residential proxy · geo mismatch 08:44:58 REVIEW ThreatScore 78 · new device + large order
12+ configurable widgets. Alert strip · approve/decline · flagged for review · top rules · merchant risk · country breakdown · shadow pass rate · rule-firing heatmap · 7-day trends. Add, remove, rearrange.
See the widget library
Shadow mode

Deploy without fear.
Measure before you break anything.

Run a new rule set in shadow — it scores every live transaction in parallel but doesn't affect the decision. Compare shadow vs. production side-by-side in the dashboard, then promote the rules that moved approvals up without moving false positives.

Live · affects decisions
rules_v7
Approved
83.3%
2,140 tx
Declined
16.7%
430 tx
Cost · last 24h
€8,420 in fraud prevented · 3 chargebacks
Shadow · scores but doesn't decide
rules_v8_candidate
Would approve
86.4%
+3.1 pp vs live
Would decline
13.6%
−3.1 pp vs live
Projected · same 24h window
€9,100 prevented · 2 chargebacks · −33%
Shadow vs Live · 7-day moving average approve rate
14 Apr15 Apr16 Apr17 Apr18 Apr19 Apr20 Apr
Live rules · 83.3% Shadow rules · 86.4% +3.1 pp uplift
Multi-tenant hierarchy

One ruleset at the top.
Every brand inherits it.

Built for agencies, hotel groups, franchises, and marketplaces. Shared rules cascade down. Each workspace stays fully isolated. Overrides at any level when one brand needs a tighter policy than the rest.

LEVEL 1
Partner
Paybyrd Pay Group
Baseline rules · compliance guardrails · shared denylist
3DS2 · mandatory ThreatScore > 80 → decline Tor → decline
cascades
LEVEL 2
Merchant
Nova Hotels Group
Hospitality overrides · folio-aware
40 properties
LEVEL 2
Merchant
Acme Travel
Airline overrides · GDS aware
6 rails
LEVEL 2
Merchant
Beltone Retail
E-commerce overrides · global ship
12 storefronts
LEVEL 3
Tavira
Store
LEVEL 3
Estoril
Store
LEVEL 3
Algarve
Store
LEVEL 3
Lisbon
Store
LEVEL 3
Porto
Store
LEVEL 3
Beja
Store
Rules cascade
Top-level policies automatically apply to every merchant and store below — unless explicitly overridden.
Workspace isolation
Each merchant's data, users, API keys, and audit log are fully isolated — a compromise at one never reaches another.
Shared threat intel
A bad actor blocked at one merchant is flagged instantly across every other — the denylist is platform-wide by default.
Integration

Three ways in.
All of them small.

Use Antifraud standalone (inline API), fully orchestrated with our gateway + acquirer mesh, or subscribe to webhooks and keep your own stack. Sandbox in 24 hours · first real decision by end of week one.

01
Inline API

Score every transaction before auth

Single REST call. Fires on your checkout, gets a decision in <50ms, you route accordingly. Zero change to your acquirer integration.

POST /v2/antifraud/score
{
  "amount": 89710,
  "currency": "EUR",
  "ip": "102.212.56.255",
  "device_fingerprint": "a8f3...",
  "card_bin": "454832",
  "shopper_email": "..."
}

→ 200 OK
{
  "decision": "REVIEW",
  "score": 420,
  "rules_fired": ["geo-mismatch", "new-device"],
  "request_id": "ffd5b23c..."
}
02
Orchestrated

Sits between checkout and acquirer

Paybyrd handles both — antifraud decision + acquirer routing. One integration covers fraud, acquiring, tokenisation, 3DS2. Most popular for new merchants.

// Just configure in dashboard:
// Checkout → Paybyrd Gateway
//          → Antifraud (score + decide)
//          → Acquirer Mesh (route)
//          → 3DS2 if needed
//          → Settlement
//          → Webhook back to you

// Merchant code is unchanged.
// Toggle antifraud on/off per channel.
03
Webhook

React to decisions after the fact

Get fired-rule events, SLA breaches, shadow-mode diffs delivered to your endpoint in real-time. Drop into Slack, PagerDuty, your own risk engine.

POST /your-webhook-endpoint
{
  "event": "antifraud.decision.review",
  "transaction": "ffd5b23c...",
  "score": 420,
  "rules_fired": [
    {"id": "geo-mismatch", "weight": 180},
    {"id": "new-device",   "weight": 120},
    {"id": "velocity-6h",  "weight":  80},
    {"id": "bin-country",  "weight":  40}
  ],
  "ip_intel": { "threat_score": 78, ... },
  "device_intel": { "composite_score": 72, ... }
}
Sandbox in 24h · first decision by end of week one.
REST, webhook, or orchestrated — all three supported from day one. Swap between them later without re-integration.
Read the docs
Antifraud FAQ

The questions risk teams
ask before they commit.

Every objection we've fielded in the last two years, answered honestly. If something's missing, the team replies in under 4 working hours.

01 Scope & signals
How many fraud signals do you actually evaluate?

55+ per transaction — 10 from IP Intelligence (country/city/ISP/geo-distance + VPN/proxy/Tor/residential/datacenter/known-attacker/bot + threat score), 45+ from Device Intelligence across 7 categories (global history, workspace history, reputation, environment, behavioral biometrics, spoofing, composite score). Plus the transaction-level signals your rules access directly: amount, BIN country, shopper email domain, velocity windows, currency, etc.

Do you use ML or rules?

Both — rules run first because they're explainable and fast, ML runs in parallel and contributes weighted scores into the composite. Every ML signal is still visible on the review page so your analysts can see exactly why the score moved. Black-box "trust us" scoring is explicitly out of scope.

Can I add custom signals from my own data?

Yes. Pass any field from your checkout (loyalty tier, internal risk score, cohort ID, CRM segment) into the scoring call — it becomes available in the rule engine as a first-class signal. Custom ML features can be trained on your data in a dedicated workspace for merchants on Custom plans.

02 Setup & deployment
How long does it take to go live?

Sandbox access in 24 hours. First real scoring call by end of week one. Production cutover typically in 2–3 weeks with shadow mode running in parallel first — your team sees impact on their existing traffic before any decision changes. A full multi-property rollout can close inside 30 days with the standard runbook.

Do I have to change my acquirer integration?

No. Use Antifraud inline via one REST call, fire it before you authorise. Your existing acquirer integration is untouched. The orchestrated mode (Paybyrd gateway + acquirer mesh + antifraud together) is available if you want the full stack, but it's never required.

Can I run it alongside my current fraud tool?

Yes — many merchants do this for 2-3 months during evaluation. Paybyrd runs in shadow mode, scoring every transaction but deferring the final decision to your incumbent. You compare outcomes daily. When the numbers justify the switch, you promote Paybyrd to live and the incumbent goes silent. Zero traffic blown up.

03 Operations & pricing
What's included in the headline rate vs. charged separately?

Scoring, rule builder, case review, shadow mode, dashboard, API access, webhooks, SLA tracking, 15+ condition types, composite scores, behavioral biometrics, device + IP intelligence, multi-tenant hierarchy — all included. No per-signal pricing, no ML-feature upsell, no "enterprise edition" paywall. Priority support and named TAM are included on Custom plans.

What's your SLA?

99.999% platform uptime, contractually backed with credits. p95 decision time 47ms. Sub-200ms automatic failover to a hot-standby region. Named technical account manager and SRE Slack channel for Custom plans — you talk to the engineer who built the thing, not a script reader.

Do I own my data?

Yes. Every signal we collect on your transactions stays yours — you can export the full history at any time, revoke access, or require us to delete everything within the retention period your plan specifies. Shared threat intelligence (the cross-merchant denylist) is anonymised — only the device/IP identifier is shared, never your merchant context.

Can we self-host in regulated markets?

Yes. The decisioning engine, vault and gateway modules can deploy in your cloud or behind your VPC for jurisdictions where data residency or regulator policy demands it. We've deployed in Brazilian, Angolan and EU markets with local data-processor requirements. Same APIs, same dashboards, your infrastructure, your audit trail.

Risk-engineered · not risk-theatre

Stop losing sleep.
Ship Antifraud by next Friday.

Fifteen minutes with a risk engineer — no SDRs, no slide decks. We'll map your current chargeback pattern to the rules that would have caught them, run a live benchmark against your existing tool, and have your sandbox provisioned by tomorrow.

Book 15 min with a risk engineer Read the API docs
Sandbox in 24 hours · no card needed
First real scoring decision by end of week one
Shadow mode running alongside your incumbent
Named technical account manager · SRE Slack channel