Four signal layers fire before a charge reaches any payment processor. Confirmed fraud on one ZenoPay deployment propagates as an anonymized signal to every other deployment in the network within 60 seconds. Every block is explained in plain language.
Most fraud detection happens at the processor — after ZenoPay has already submitted the charge. By that point, a failed transaction still costs an authorization fee and contributes to card-testing patterns that processors penalize. ZenoPay's fraud engine runs pre-authorization, before any processor sees the transaction.
Card BIN prefixes, IP ranges, email patterns, and device fingerprints flagged across the network. A card identifier that hit fraud on any ZenoPay deployment is checked here before any other evaluation. Blocklist entries carry a 30-day TTL before expiry review.
Transaction frequency analysis within configurable time windows. Four transactions in under 60 seconds is a reliable card-testing signal. The velocity counter is atomic — concurrent requests cannot race around it. Thresholds are configurable per guardrail.
Each customer's payment history establishes a behavioral baseline. A transaction that deviates significantly from that baseline — amount, time, frequency, geography — is flagged for additional evaluation before proceeding.
Anonymized fraud indicators from confirmed fraud events across all ZenoPay deployments. Card BIN prefixes and IP ranges are checked against the network-wide signal store. No customer-identifying data crosses tenant boundaries — only anonymized indicators.
When fraud is confirmed on any ZenoPay deployment, anonymized indicators propagate across the network within 60 seconds. A card-testing pattern that hits one customer is available as a signal to every other customer before it can spread.
Tenant data isolation is maintained absolutely. Row-level security at the database level ensures one tenant cannot access another's customer data, transaction records, or audit logs. The only thing that crosses tenant boundaries is an anonymized fraud indicator — a BIN prefix, an IP range, a device fingerprint hash — with no linking information.
Every fraud evaluation — block or allow — generates a natural-language audit entry. Not a status code. A written explanation: which signals were evaluated, what was found, why the decision was made. Readable by a compliance team. Readable by a regulator.
The audit log is append-only at the SQL level. No update or delete is possible. Every fraud event is permanently recorded with its full context.
Before any processor contact. All four signal layers run in parallel.
Each layer returns a score. Maximum score across layers determines the fraud risk rating.
Above threshold: block with natural-language explanation. Below threshold: proceed to rail router.
Audit entry written. If confirmed fraud, anonymized signals propagate to network within 60 seconds.
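An added sketch of the evaluation flow above, not ZenoPay's code: a blocklist layer and a velocity layer each return a score, the maximum is compared to a threshold, and the decision comes back with a written explanation. The class and field names, the score values and the 0.8 threshold are assumptions; only two of the four layers are shown, they run sequentially rather than in parallel, and an entry past its 30-day TTL is simply treated as expired.

```python
import threading
from collections import defaultdict, deque

BLOCK_TTL = 30 * 24 * 3600   # page: blocklist entries carry a 30-day TTL
WINDOW, LIMIT = 60.0, 4      # page: four transactions in under 60 seconds
THRESHOLD = 0.8              # assumed block threshold; scores below are assumed too

class PreAuthEngine:         # hypothetical name
    def __init__(self):
        self._lock = threading.Lock()
        self._seen = defaultdict(deque)  # card id -> timestamps inside the window
        self._blocklist = {}             # anonymized indicator -> time flagged

    def flag(self, indicator, now):
        with self._lock:
            self._blocklist[indicator] = now

    def _blocklist_score(self, txn, now):
        for ind in (txn["bin"], txn["ip"]):
            flagged = self._blocklist.get(ind)
            if flagged is not None and now - flagged < BLOCK_TTL:
                return 1.0, f"indicator {ind} is on the network blocklist"
        return 0.0, "no blocklist match"

    def _velocity_score(self, txn, now):
        # Prune, record and count under one lock: concurrent requests get distinct counts.
        with self._lock:
            q = self._seen[txn["card"]]
            while q and now - q[0] >= WINDOW:
                q.popleft()
            q.append(now)
            n = len(q)
        if n >= LIMIT:
            return 0.9, f"{n} transactions in {WINDOW:.0f}s (limit {LIMIT})"
        return 0.1 * n, f"{n} transaction(s) in {WINDOW:.0f}s"

    def evaluate(self, txn, now):
        results = [self._blocklist_score(txn, now), self._velocity_score(txn, now)]
        score = max(s for s, _ in results)   # highest layer score sets the risk rating
        decision = "block" if score >= THRESHOLD else "allow"
        reason = "; ".join(r for _, r in results)
        return decision, score, f"{decision.upper()} (risk {score:.2f}): {reason}"

if __name__ == "__main__":
    engine = PreAuthEngine()
    txn = {"card": "c1", "bin": "400000", "ip": "198.51.100.7"}  # constructed sample
    for t in (0, 10, 20, 30):
        print(engine.evaluate(txn, t)[2])
```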
Fraud detection is one of six integrated systems. Blocked transactions feed back into churn scoring and the compliance audit trail.
Pre-authorization fraud detection saves authorization fees, prevents chargebacks, and protects authorization rates. Reach out for early access.