Fraud prevention

Fraud prevention signals

Google can provide additional user client information when we send SubmitOrderRequest. You can use this information to help prevent fraudulent transactions in your integration.

How to read fraud prevention signals

When your project is enabled to receive additional fraud prevention signals, the SubmitOrderRequest headers will contain information about the user client instead of Google's servers. The request headers will contain the following information:

  • IP address: The user client's IP address is available as the first IP in the x-forwarded-for field. This address is in either IPV4 or IPV6 format as determined by the user client's configuration.

  • User agent: The user agent string is stored in the user-agent field with a "Google-ActionsOnGoogle/1.0" suffix. Note that this field might not populate depending on the user's device and whether they placed an order by voice.

Below is a snippet of the SubmitOrderRequest HTTP header when fraud prevention is enabled:

X-Forwarded-For: 72.00.123.12,66.111.12.123, 169.254.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36,gzip(gfe),gzip(gfe) Google-ActionsOnGoogle/1.0

If the user client information isn't sufficient for you to perform fraud prevention, reach out to your Google contact to discuss alternative solutions.

How to handle fraudulent transactions during fulfillment

Based on the user’s IP address and user-agent information provided in the SubmitOrderRequest, use your internal fraud prevention algorithm to determine whether the transaction is legitimate.

If the transaction appears to be fraudulent, respond with an orderState of REJECTED and a rejectionInfo of INELIGIBLE, along with an appropriate error description in the SubmitOrderResponseMessage.

If the transaction appears to be legitimate, process the order as normal.

Billing address validation

In order to reduce fraud, you can include the billing address in the payment transaction request to your PSP. The billingAddress is returned in the SubmitOrderRequestMessage.

Example googleProvidedPaymentOptions: 

{
  "facilitationSpecification": "{\"apiVersion\":2,\"apiVersionMinor\":0,\"merchantInfo\":{\"merchantId\":\"Merchant ID\",\"merchantName\":\"Merchant Name\"},\"allowedPaymentMethods\":[{\"type\":\"CARD\",\"parameters\":{\"allowedAuthMethods\":[\"PAN_ONLY\"],\"allowedCardNetworks\":[\"VISA\",\"AMEX\",\"MASTERCARD\"],\"billingAddressRequired\":true,\"billingAddressParameters\":{\"format\":\"MIN\"}},\"tokenizationSpecification\":{\"type\":\"PAYMENT_GATEWAY\",\"parameters\":{\"gateway\":\"stripev2\",\"gatewayMerchantId\":\"stripe_pk_live_key\"}}}]}"
}

If the PSP responds that the address or postal code is incorrect, you should return a similar example SubmitOrderResponseMessage response.

Example response

  {
    "expectUserResponse": false,
    "finalResponse": {
        "richResponse": {
            "items": [
                {
                    "structuredResponse": {
                        "orderUpdate": {
                            "actionOrderId": "sample_action_order_id",
                            "orderState": {
                                "state": "REJECTED",
                                "label": "Order rejected"
                            },
                            "updateTime": "2017-05-10T02:30:00.000Z",
                            "rejectionInfo": {
                                "type": "PAYMENT_DECLINED",
                                "reason": "Invalid zipcode"
                            },
                            "orderManagementActions": [
                                {
                                    "type": "CUSTOMER_SERVICE",
                                    "button": {
                                        "title": "Contact customer service",
                                        "openUrlAction": {
                                            "url": "mailto:support@example.com"
                                        }
                                    }
                                },
                                {
                                    "type": "EMAIL",
                                    "button": {
                                        "title": "Email restaurant",
                                        "openUrlAction": {
                                            "url": "mailto:person@example.com"
                                        }
                                    }
                                },
                                {
                                    "type": "CALL",
                                    "button": {
                                        "title": "Call restaurant",
                                        "openUrlAction": {
                                            "url": "tel:+16505554679"
                                        }
                                    }
                                },
                                {
                                    "type": "VIEW_DETAILS",
                                    "button": {
                                        "title": "View order",
                                        "openUrlAction": {
                                            "url": "https://orderview.partner.com?orderid=sample_action_order_id"
                                        }
                                    }
                                }
                            ]
                        }
                    }
                }
            ]
        }
    }
}

Returning the PAYMENT_DECLINED rejectionInfo type displays a message and allows the user to update the billing address or choose another payment method. PAYMENT_DECLINED errors are excluded in Submit Order Error Alerts.