Skip to main content

Fraud Prevention & Blocking

Niftipay gives you tools to proactively block fraud — without waiting for chargebacks. You can manually block IPs, emails, and card BINs, and the system automatically blocks identifiers associated with unusual order patterns. These APIs work across fiat orders and onramping flows. This page covers:

Overview

Niftipay provides three layers of proactive fraud prevention on top of the existing chargeback-based blocking:

1. Manual blocking (IP, email, BIN)

You can block an IP address, email, or card BIN at any time using the APIs below. Blocked customers see a block page with their case number instead of the payment form.
  • IP blocking — block a specific IP address you know is fraudulent
  • Email blocking — block a specific email address
  • BIN blocking — block an entire card range by its BIN (first 6 digits of the card number, identifying the issuing bank). Useful when you see a pattern of fraud from cards issued by the same bank.

2. Unusual amount detection

Niftipay automatically monitors your order amounts. When an order is significantly higher than your historical average, it is flagged as an amount anomaly. This helps catch fraud attempts using stolen cards for unusually large purchases.
  • The system computes your average order amount per currency using your completed orders
  • Orders with a z-score of 3.0 or higher are flagged as warning severity
  • Orders with a z-score of 5.0 or higher are flagged as critical severity
  • Anomaly detection activates after you have at least 10 completed orders in a given currency
Flagged orders are not automatically blocked — they appear as fraud signals in the fraud signals API and in fraud alert emails so you can review them.

3. Velocity auto-blocking

If the same IP address or same email submits 2 or more amount-anomaly orders within a 24-hour window, Niftipay automatically blocks that IP or email. This catches attackers who rapidly test stolen cards with high amounts. Auto-blocked identifiers appear in your chargeback cases and can be unblocked from the dashboard or via the API.

Dashboard

In the Niftipay dashboard, you can find these features under Fraud Protection:
  • Chargeback Cases — view all blocked IPs and emails (automatic, manual, and velocity-based)
  • Alerts — view orders flagged with suspicious activity, and block/unblock IPs and emails with one click
You can also use the Fraud Alerts API to integrate alerts into your own systems.

Authentication

All endpoints below require API key or session authentication.

Block an IP Address

Endpoint

POST /api/fraud/blocked-ips Manually block an IP address. Blocked customers from this IP will see a block page instead of the payment form.

Request body

FieldTypeRequiredNotes
ipAddressstringYesIPv4 or IPv6 address.
reasonstringNoOptional reason for blocking.

Example request

Example response (201)

Error: already blocked (409)


List Blocked IPs

Endpoint

GET /api/fraud/blocked-ips Returns all currently blocked IPs for your account — including both manually blocked and automatically blocked (from chargebacks or velocity detection).

Example request

Example response

Response fields

FieldTypeDescription
idnumberCase ID (used for unblocking).
caseNumberstringHuman-readable case number (e.g. CB-00015).
kindstringHow the IP was blocked: "ip_manual" (you blocked it), "ip" (chargeback auto-block), or "ip_amount_anomaly" (velocity auto-block).
ipAddressstringThe blocked IP address.
cardNamesstring[]Cardholder names from related orders (if any).
truncatedPansstring[]Card numbers from related orders (if any).
orderEmailsstring[]Emails from related orders (if any).
createdAtstringISO 8601 timestamp when the block was created.

Unblock an IP

Endpoint

DELETE /api/fraud/blocked-ips/:id Unblocks a previously blocked IP address.

Path parameters

NameTypeNotes
idnumberThe case ID from the list response.

Query parameters

NameTypeRequiredNotes
reasonstringNoOptional reason for unblocking.

Example request

Example response


Block an Email

Endpoint

POST /api/fraud/blocked-emails Manually block an email address.

Request body

FieldTypeRequiredNotes
emailstringYesValid email address (automatically lowercased).
reasonstringNoOptional reason for blocking.

Example request

Example response (201)

Error: already blocked (409)


List Blocked Emails

Endpoint

GET /api/fraud/blocked-emails Returns all currently blocked emails for your account.

Example request

Example response

Response fields

FieldTypeDescription
idnumberCase ID (used for unblocking).
caseNumberstringHuman-readable case number.
kindstringHow the email was blocked: "email_manual" (you blocked it), "email" (chargeback auto-block), or "email_amount_anomaly" (velocity auto-block).
emailstringThe blocked email address.
cardNamesstring[]Cardholder names from related orders (if any).
truncatedPansstring[]Card numbers from related orders (if any).
orderEmailsstring[]Emails from related orders (if any).
createdAtstringISO 8601 timestamp.

Unblock an Email

Endpoint

DELETE /api/fraud/blocked-emails/:id

Example request

Example response


Block a Card BIN

Endpoint

POST /api/fraud/blocked-bins Block an entire card range by its BIN (Bank Identification Number). The BIN is the first 6 digits of a card number and identifies the issuing bank. This is useful when you notice a pattern of fraud from cards issued by the same bank. For example, if you see multiple fraudulent orders from cards starting with 443047, you can block that BIN to prevent all cards in that range from being used on your checkout.

Request body

FieldTypeRequiredNotes
binstringYesExactly 6 digits (e.g. "443047").
reasonstringNoOptional reason for blocking.

Example request

Example response (201)

Error: already blocked (409)

How to find a card’s BIN

The BIN is extracted automatically from the card number when a payment is processed. You can see it in the fraud signals API response in the order.bin field, or by looking at your order details — the first 6 digits of the truncated card number (e.g. 460332******1234 has BIN 460332).

List Blocked BINs

Endpoint

GET /api/fraud/blocked-bins Returns all blocked BINs for your account, including both merchant-specific and platform-wide blocks.

Example request

Example response

Response fields

FieldTypeDescription
idnumberBlocked BIN ID (used for unblocking).
binstringThe 6-digit BIN.
reasonstring | nullReason for blocking.
scopestring"merchant" (you blocked it) or "platform" (blocked by Niftipay for all merchants).
createdAtstringISO 8601 timestamp.
Note: Platform-wide BIN blocks are managed by Niftipay and cannot be removed by merchants. Only merchant-specific BINs can be unblocked.

Unblock a BIN

Endpoint

DELETE /api/fraud/blocked-bins/:id Removes a BIN from your blocklist. Only merchant-specific BINs can be removed — platform-wide blocks return a 403 error.

Example request

Example response

Error: platform block (403)


Unusual Amount Detection

Niftipay automatically monitors your order amounts to detect anomalies. This is a passive detection — it does not block orders, but flags them in the fraud signals API and in fraud alert emails.

How it works

  1. When an order is completed, Niftipay computes the z-score of the order amount compared to your historical completed orders in the same currency.
  2. The z-score measures how many standard deviations the amount is from your average.
  3. Anomaly detection only activates after you have at least 10 completed orders in the given currency, to avoid false positives on new accounts.

Thresholds

Z-scoreSeverityMeaning
< 3.0Normal range. No flag.
3.0 - 4.9warningUnusually high amount. Included in fraud signals and alert emails.
>= 5.0criticalExtremely high amount. Elevated severity in fraud signals.

Example

If your average order is 85.00 EUR with a standard deviation of 40.00 EUR, an order of 325.00 EUR would have a z-score of (325 - 85) / 40 = 6.0, triggering a critical amount anomaly signal. An order of 210.00 EUR would have a z-score of (210 - 85) / 40 = 3.1, triggering a warning signal.

What to do

When you see an amount anomaly signal:
  • Review the order — is the amount consistent with what you sell?
  • Check the customer’s email and IP for other fraud signals
  • If the order looks legitimate, no action is needed

Velocity Auto-Blocking

When the same IP address or email address is involved in 2 or more amount-anomaly orders within a 24-hour window, Niftipay automatically blocks that identifier.

How it works

  1. An order completes and is flagged with an amount anomaly (z-score >= 3.0)
  2. Niftipay checks if the same IP or email had other amount-anomaly orders in the last 24 hours
  3. If 2 or more anomaly orders are found, the IP or email is automatically blocked
  4. A chargeback case is created with kind ip_amount_anomaly or email_amount_anomaly
  5. Future orders from the blocked IP or email are rejected with a block page
You can unblock these via the blocked IPs/emails endpoints above, or via the chargeback cases API.

Fraud Alerts

Endpoint

GET /api/fraud/alerts
Requires API key or session authentication.
Returns a paginated list of orders that have at least one fraud indicator. This is the data source for the Alerts page in the dashboard, but you can also use it in your own integration to monitor suspicious orders. Each alert includes the current block status for the order’s IP and email, so you can decide whether to block them.

What triggers an alert

An order appears in the alerts list if any of the following are true:
  • Amount anomaly — the order’s z-score is 3.0 or higher
  • Disposable email — the email uses a known temporary domain
  • IP blocked — the customer’s IP is currently blocked
  • Email blocked — the customer’s email is currently blocked

Query parameters

NameTypeDefaultNotes
pagenumber1Page number (min 1).
pageSizenumber25Results per page (min 1, max 200).

Example request

Example response

Response fields (alert object)

FieldTypeDescription
idstringFiat order ID.
orderKeynumberNumeric order key.
merchantReferencestring | nullYour merchant reference.
amountCentsnumberOrder amount in minor units.
currencystringCurrency code (e.g. "EUR").
orderStatusstringOrder status (e.g. "completed").
emailstring | nullCustomer email.
ipstring | nullCustomer IP address.
truncatedPanstring | nullMasked card number.
binstring | nullCard BIN (first 6 digits).
cardholderNamestring | nullCardholder name.
isDisposableEmailbooleanWhether the email is from a disposable domain.
amountAnomalyZScorenumber | nullZ-score of the order amount vs your average. null if not computed.
createdAtstringISO 8601 timestamp.
completedAtstring | nullISO 8601 timestamp when payment completed.
severitystring"critical", "high", or "medium".
reasonsstring[]Why this order was flagged (see below).
ipBlockobject | nullCurrent IP block status (see below). null if not blocked.
emailBlockobject | nullCurrent email block status (see below). null if not blocked.

reasons values

ValueMeaning
critical_amountAmount anomaly with z-score >= 5.0.
high_amountAmount anomaly with z-score >= 3.0.
disposable_emailDisposable/temporary email detected.
ip_blockedThe IP is currently blocked.
email_blockedThe email is currently blocked.

ipBlock / emailBlock object

Present when the IP or email is currently blocked. Use the caseId to unblock via DELETE /api/fraud/blocked-ips/:id or DELETE /api/fraud/blocked-emails/:id.
FieldTypeDescription
caseIdnumberCase ID (use this to unblock).
caseNumberstringHuman-readable case number (e.g. CB-00015).
statusstringAlways "blocked" in this response.

Alert status

Each alert has a status field that you can update:
StatusMeaning
newNot yet reviewed. Shown in red in the dashboard.
reviewedYou’ve looked at it. Shown in blue.
dismissedYou’ve decided it’s not a concern. Shown in gray.

Update Alert Status

Endpoint

PATCH /api/fraud/alerts/:id
Requires API key or session authentication.
Update the status of a fraud alert.

Path parameters

NameTypeNotes
idstringThe alert ID (UUID).

Request body

FieldTypeRequiredNotes
statusstringYesOne of: "new", "reviewed", "dismissed".
notestringNoOptional review note (max 500 characters).

Example request

Example response

Error: not found (404)


Taking action on alerts

From the dashboard Alerts page, you can review, dismiss, block, or unblock directly. Via the API: Block an IP from an alert:
Block an email from an alert:
Unblock an IP:

Updated Fraud Signals

The fraud signals API now returns additional signal types for the new detection features.

New signal types

TypeDescriptionExtra fields
bin_blockedCard BIN is on the blocklist.bin, reason
amount_anomalyOrder amount is unusually high compared to merchant’s average.zScore, severity, merchantMean, amountCents
ip_amount_velocityIP auto-blocked due to repeated high-amount orders.anomalyCount, caseNumber
email_amount_velocityEmail auto-blocked due to repeated high-amount orders.anomalyCount, caseNumber

New fields in the order object

FieldTypeDescription
binstring | nullCard BIN (first 6 digits). Extracted automatically from the card number at payment time.

Updated severity levels

LevelTriggers
criticalIP/email blocked, BIN blocked, velocity auto-block, or IP risk score >= 75.
highCard/email/IP matched your chargebacks, critical amount anomaly (z >= 5.0), or IP risk score >= 50.
mediumPlatform-wide matches, disposable email, or warning amount anomaly (z >= 3.0).
lowNo fraud signals detected.

Example fraud signal: amount anomaly

Example fraud signal: BIN blocked


Error Responses

All endpoints return errors in this format:

Invalid request (400)

Missing authentication (401)

Cannot delete platform block (403)

Not found (404)

Already blocked (409)