Fraud prevention

Fraud prevention signals

Google can provide additional user client information when we send SubmitOrderRequest. You can use this information to help prevent fraudulent transactions in your integration.

How to read fraud prevention signals

When your project is enabled to receive additional fraud prevention signals, the SubmitOrderRequest headers contain information about the user client rather than about Google's servers. The request headers contain the following information:

  • IP address: The user client's IP address is available as the first IP in the x-forwarded-for field. This address is in either IPv4 or IPv6 format as determined by the user client's configuration.

  • User agent: The user agent string is stored in the user-agent field with a "Google-ActionsOnGoogle/1.0" suffix. Note that this field might not be populated, depending on the user's device and whether they placed an order by voice.

Below is a snippet of the SubmitOrderRequest HTTP header when fraud prevention is enabled:

X-Forwarded-For: 72.00.123.12,66.111.12.123, 169.254.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe) Google-ActionsOnGoogle/1.0

If the user client information isn't sufficient for you to perform fraud prevention, reach out to your Google contact to discuss alternative solutions.

How to handle fraudulent transactions during fulfillment

Based on the user’s IP address and user-agent information provided in the SubmitOrderRequest, use your internal fraud prevention algorithm to determine whether the transaction is legitimate.

If the transaction appears to be fraudulent, respond with an orderState of REJECTED and a rejectionInfo of INELIGIBLE, along with an appropriate error description in the SubmitOrderResponseMessage.

If the transaction appears to be legitimate, process the order as normal.
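
The following is an added example, not code from the original page or from Google. It reads the two signals from the request headers and builds the REJECTED / INELIGIBLE response described above, using the same response layout as the page's example response. `DENYLIST`, `looks_fraudulent`, `handle_submit_order` and the sample headers are hypothetical stand-ins for your own fraud prevention algorithm and traffic.

```python
import ipaddress
from datetime import datetime, timezone

UA_SUFFIX = "Google-ActionsOnGoogle/1.0"
# Hypothetical denylist standing in for your internal fraud algorithm.
DENYLIST = [ipaddress.ip_network("198.51.100.0/24")]
# Constructed sample headers (documentation address ranges, not real traffic).
SAMPLE_HEADERS = {
    "X-Forwarded-For": "198.51.100.23, 203.0.113.9, 169.254.1.1",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Google-ActionsOnGoogle/1.0",
}

def extract_signals(headers):
    """Return (client_ip, user_agent); either may be None if unavailable."""
    h = {k.lower(): v for k, v in headers.items()}
    first = h.get("x-forwarded-for", "").split(",")[0].strip()
    try:
        client_ip = ipaddress.ip_address(first)  # accepts IPv4 and IPv6
    except ValueError:
        client_ip = None  # missing or malformed: treat the signal as absent
    ua = h.get("user-agent", "").strip()
    if ua.endswith(UA_SUFFIX):
        ua = ua[: -len(UA_SUFFIX)].strip()
    return client_ip, (ua or None)  # user agent can be empty, e.g. voice orders

def looks_fraudulent(client_ip):
    """Hypothetical policy: flag clients inside a denylisted network."""
    return client_ip is not None and any(client_ip in net for net in DENYLIST)

def build_rejection(action_order_id, reason):
    """REJECTED / INELIGIBLE order update in the page's response layout."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    order_update = {
        "actionOrderId": action_order_id,
        "orderState": {"state": "REJECTED", "label": "Order rejected"},
        "updateTime": now,
        "rejectionInfo": {"type": "INELIGIBLE", "reason": reason},
    }
    items = [{"structuredResponse": {"orderUpdate": order_update}}]
    return {"expectUserResponse": False,
            "finalResponse": {"richResponse": {"items": items}}}

def handle_submit_order(headers, action_order_id):
    client_ip, _user_agent = extract_signals(headers)
    if looks_fraudulent(client_ip):
        return build_rejection(action_order_id, "Order could not be accepted")
    return None  # legitimate: process the order as normal
```
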

Billing address validation

In order to reduce fraud, you can include the billing address in the payment transaction request to your PSP. The billingAddress is returned in the SubmitOrderRequestMessage.

Example googleProvidedPaymentOptions:

{
  "facilitationSpecification": "{\"apiVersion\":2,\"apiVersionMinor\":0,\"merchantInfo\":{\"merchantId\":\"Merchant ID\",\"merchantName\":\"Merchant Name\"},\"allowedPaymentMethods\":[{\"type\":\"CARD\",\"parameters\":{\"allowedAuthMethods\":[\"PAN_ONLY\"],\"allowedCardNetworks\":[\"VISA\",\"AMEX\",\"MASTERCARD\"],\"billingAddressRequired\":true,\"billingAddressParameters\":{\"format\":\"MIN\"}},\"tokenizationSpecification\":{\"type\":\"PAYMENT_GATEWAY\",\"parameters\":{\"gateway\":\"stripev2\",\"gatewayMerchantId\":\"stripe_pk_live_key\"}}}]}"
}

If the PSP responds that the address or postal code is incorrect, return a SubmitOrderResponseMessage similar to the following example.

Example response

{
    "expectUserResponse": false,
    "finalResponse": {
        "richResponse": {
            "items": [
                {
                    "structuredResponse": {
                        "orderUpdate": {
                            "actionOrderId": "sample_action_order_id",
                            "orderState": {
                                "state": "REJECTED",
                                "label": "Order rejected"
                            },
                            "updateTime": "2017-05-10T02:30:00.000Z",
                            "rejectionInfo": {
                                "type": "PAYMENT_DECLINED",
                                "reason": "Invalid zipcode"
                            },
                            "orderManagementActions": [
                                {
                                    "type": "CUSTOMER_SERVICE",
                                    "button": {
                                        "title": "Contact customer service",
                                        "openUrlAction": {
                                            "url": "mailto:support@example.com"
                                        }
                                    }
                                },
                                {
                                    "type": "EMAIL",
                                    "button": {
                                        "title": "Email restaurant",
                                        "openUrlAction": {
                                            "url": "mailto:person@example.com"
                                        }
                                    }
                                },
                                {
                                    "type": "CALL",
                                    "button": {
                                        "title": "Call restaurant",
                                        "openUrlAction": {
                                            "url": "tel:+16505554679"
                                        }
                                    }
                                },
                                {
                                    "type": "VIEW_DETAILS",
                                    "button": {
                                        "title": "View order",
                                        "openUrlAction": {
                                            "url": "https://orderview.partner.com?orderid=sample_action_order_id"
                                        }
                                    }
                                }
                            ]
                        }
                    }
                }
            ]
        }
    }
}
      

Returning the PAYMENT_DECLINED rejectionInfo type displays a message and allows the user to update the billing address or choose another payment method. PAYMENT_DECLINED errors are excluded from Submit Order Error Alerts.