ipasis
Blog/Technical Guide

Integrating IP Reputation into Payment Risk Engines: A Technical Guide

December 28, 20258 min read

Payment fraud—specifically card testing and stolen credential usage—often originates from anonymized networks. For modern fintech applications, relying solely on CVV or AVS (Address Verification Service) is insufficient.

Integrating real-time IP intelligence into your payment risk engine allows you to flag high-risk connection types (VPNs, Tor, Hosting Providers) before a transaction is sent to the payment gateway. This reduces authorization fees and mitigates chargeback ratios.

Architecture: Pre-Authorization vs. Post-Authorization

The optimal placement for IP reputation checks is the Pre-Authorization stage. By querying IPASIS before sending data to Stripe, Adyen, or Braintree, you achieve two goals:

  1. Cost Reduction: You avoid paying processing fees for transactions that are obviously fraudulent.
  2. Velocity Control: You prevent your merchant account from being flagged due to high decline rates.

Key IP Signals for Risk Scoring

When querying the IPASIS API, your risk engine should weigh the following signals heavily:

  • Connection Type (is_proxy, is_vpn, is_tor): If a user is masking their identity during checkout, the risk score should increase significantly.
  • ASN Type (hosting vs. isp): Legitimate purchases typically come from Residential ISPs (Comcast, Verizon, Vodafone). Traffic originating from Data Centers (AWS, DigitalOcean) during checkout is highly correlated with bot-driven card testing.
  • Geo-Velocity: Compare the IP location against the Billing Address country. A mismatch is not proof of fraud (travelers exist), but it acts as a multiplier for the risk score.

Implementation: Python Middleware

The following Python example demonstrates a synchronous check within a transaction wrapper. It enforces a strict timeout to ensure the checkout experience is not degraded.

import requests
import json

def validate_transaction_ip(client_ip, billing_country):
    API_KEY = 'YOUR_IPASIS_KEY'
    TIMEOUT_MS = 200  # Strict timeout for payment flows

    try:
        response = requests.get(
            f"https://api.ipasis.com/v1/{client_ip}?key={API_KEY}",
            timeout=TIMEOUT_MS / 1000
        )
        data = response.json()

        # 1. Hard Block: Tor Exit Nodes
        if data.get('security', {}).get('is_tor'):
            return {"allow": False, "reason": "TOR_DETECTED"}

        # 2. Hard Block: Hosting/Data Center IPs
        if data.get('asn', {}).get('type') == 'hosting':
            return {"allow": False, "reason": "HOSTING_IP_DETECTED"}

        # 3. Soft Signal: Geo Mismatch (Add to risk score)
        ip_country = data.get('location', {}).get('country_code')
        if ip_country != billing_country:
            return {"allow": True, "flag": "GEO_MISMATCH", "risk_increment": 20}

        return {"allow": True, "risk_increment": 0}

    except requests.exceptions.Timeout:
        # Fail open or closed based on risk appetite
        return {"allow": True, "flag": "IP_CHECK_TIMEOUT"}

# Usage in payment flow
risk_assessment = validate_transaction_ip('192.0.2.1', 'US')
if not risk_assessment['allow']:
    raise PermissionError(f"Transaction blocked: {risk_assessment['reason']}")

Advanced Pattern: ASN-Based Velocity Limiting (Node.js)

Sophisticated fraudsters rotate IPs for every request but often utilize the same subnet or ISP (ASN). Instead of rate-limiting by a single IP, rate-limit by the Autonomous System Number (ASN).

If you see 50 failed transactions from a specific residential ISP in 1 minute, block the entire ASN temporarily.

const redis = require('./redisClient');
const axios = require('axios');

async function checkAsnVelocity(ipAddress) {
  const ipData = await axios.get(`https://api.ipasis.com/v1/${ipAddress}?key=${process.env.IPASIS_KEY}`);
  const asn = ipData.data.asn.asn; // e.g., "AS12345"
  
  const key = `velocity:asn:${asn}`;
  
  // Increment transaction count for this ASN, expire in 60 seconds
  const count = await redis.incr(key);
  if (count === 1) await redis.expire(key, 60);

  // Threshold: Max 20 failed tx per ASN per minute
  if (count > 20) {
    throw new Error('ASN_VELOCITY_EXCEEDED');
  }
  
  return ipData.data;
}

FAQ

Q: Should I block all VPNs automatically? No. Legitimate users often leave VPNs on for privacy. Instead, combine is_vpn status with other signals (e.g., high-value orders, new device fingerprints) or trigger 3D Secure (3DS) challenges for VPN users rather than outright blocking them.

Q: What is the acceptable latency for this check? For payment flows, total latency for external checks should remain under 300ms. IPASIS endpoints are optimized to return data in sub-100ms to accommodate real-time decisioning.

Q: How do I handle Residential Proxies? Residential proxies are difficult to detect because they use real ISP IPs. Look for the is_proxy flag combined with proxy_type: residential in the IPASIS payload, and correlate this with behavioral biometrics (mouse movements, typing speed).

Secure Your Transactions with IPASIS

Stop card testing and chargeback fraud at the network level. Integrate IPASIS into your risk engine today for enterprise-grade IP intelligence.

Get your API Key

Start detecting VPNs and Bots today.

Identify anonymized traffic instantly with IPASIS.

Get API Key