TrustLens – Fraud Prevention & Chargeback Defense for WooCommerce

Your payment gateway (Stripe Radar and similar) scores a single transaction at the moment of charge — card, IP, AVS, device — and is blind to what happens before and after on your store. TrustLens scores the customer's behavior over time: refund and return patterns, coupon abuse, multi-account links, dispute history, category-specific returns, and card-testing activity at checkout. Those are signals your gateway never sees. They're complementary, not competing. Your gateway blocks obvious stolen-card charges; TrustLens surfaces friendly-fraud chargebacks, serial returners, coupon abusers, fraud rings, and card-testing bots that slip past a per-transaction view — and it keeps you in control (the free version never auto-blocks; you decide). Everything runs inside your own store, so no customer data leaves your site.

Yes. Customers are identified by a hash of their email address, so guest and registered customers are tracked equally. If a guest later registers, their history carries over.

By default, no. The free version is manual: it surfaces customer risk data, and you decide when to block or allowlist someone. Pro can optionally automate specific actions, including alerts, order holds, verification requirements, and customer blocking if you configure automation rules or chargeback auto-blocking.

TrustLens creates fingerprints from shipping addresses, billing addresses, phone numbers, IP addresses, payment methods, and device user agents. When multiple customer accounts share fingerprints, they are flagged as linked. This helps detect multi-account abuse like repeated first-order discounts.

Yes. TrustLens tracks refund rate, refund value, refund frequency, category-specific return behavior, and related customer patterns over time. This helps you spot serial returners and high-risk refund behavior earlier instead of reviewing refunds one order at a time.

Yes — and the core chargeback tracking is in the free version. TrustLens automatically ingests disputes from Stripe and WooPayments, accepts manual entry for other gateways (PayPal, Square, offline), keeps per-customer dispute counters, and feeds dispute history into trust scores. The free dashboard also shows a Chargeback Ratio Speedometer with a Healthy / Approaching / Action-needed status against Visa, Mastercard, Amex, and Discover thresholds. Pro adds a dedicated Advanced Chargeback Monitor with per-brand breakdown (Visa VDMP/VFMP, Mastercard ECP, Amex, Discover), 12-month trend, trailing-30-day window, daily ratio email alerts, a one-click Dispute Evidence Report for processor responses, and auto-block after N lost disputes.

TrustLens captures the card brand on every Stripe and WooPayments paid order and tracks how many of those orders end up as disputes. Your blended monthly chargeback ratio is shown on the dashboard speedometer, with status colors keyed to Visa VDMP/VFMP, Mastercard ECP, Amex, and Discover monitoring thresholds — so you can see if you're approaching enrollment before it happens. Pro adds per-brand ratios, the 12-month trend chart, the trailing-30-day window, and daily email alerts.

Card-Testing Defense (free) is real-time protection against stolen-card attack bots that probe your checkout with thousands of declined payment attempts. TrustLens watches per-device decline rates in a 60-second rolling window, matching on both the browser fingerprint and a server-side fingerprint (IP and user agent) so bots can't slip through by rotating their browser fingerprint. When a device crosses the threshold it's locked out of checkout for 90 seconds, blocking the attack before it reaches your payment gateway and runs up gateway fees, fraud fees, and downstream chargebacks. VIP Customer Bypass is enabled by default, so established customers — those who meet your minimum-order threshold (default 3 completed orders) and aren't already in a Risk or Critical segment — are never blocked by velocity rules. A one-click Panic Freeze button halts all checkouts for 15 minutes during an active attack your thresholds haven't caught. Pro adds auto-escalation, a geographic-diversity safeguard so flash-sale traffic isn't mistaken for an attack, fingerprint and IP CIDR allowlists, attack analytics with CSV export, and Slack alerts.

Yes, with Pro. Automation Rules let you build trigger-based rules that fire when customer risk changes, orders are placed, refunds are processed, disputes are filed, linked accounts are detected, card-testing attacks happen, or shipping anomalies are spotted. Each rule supports 30+ condition fields and actions like block customer, hold order, send email, fire webhook, allowlist customer, cancel order, or tag customer. Pro automation also includes a save-time validator that blocks rules that can never fire, an inline inspector that shows exactly why each rule fired or didn't, and async HMAC-SHA256-signed webhooks with automatic retry.

Blocked customers see a customizable message when they try to add items to their cart or proceed to checkout. The block applies to both logged-in users and guest checkouts matching the blocked email. All blocked checkout attempts are logged.

Yes. You can unblock a customer at any time from their profile page or the customer list. You can also add customers to the allowlist, which locks their score at 100 and prevents any negative signals from affecting them.

New WooCommerce orders are analyzed automatically after activation. If you already have historical orders, you can run Historical Sync from the dashboard to build trust profiles from your existing store data without slowing down the frontend.

No. Score calculations run asynchronously via Action Scheduler (the same system WooCommerce uses). Checkout blocking uses a lightweight email-hash lookup. The historical sync processes orders in small batches in the background.

No customer personal data ever leaves your site. TrustLens works inside your WordPress and WooCommerce installation. The only default external call is the optional Pro report-verification feature, which (while enabled) sends a non-personal, one-way fingerprint of a dispute report to the TrustLens verification service so issuers can confirm it is genuine — never customer data, and it can be disabled. All other external delivery (webhooks, email notifications) happens only if you configure it.

Yes. TrustLens declares full compatibility with High-Performance Order Storage and works with both legacy and HPOS-enabled stores.

TrustLens stores customer email addresses and behavioral data (order counts, refund counts, trust scores) in custom database tables. Matching identifiers used for linked-account detection are pseudonymized using keyed HMAC-SHA256 hashes, preventing the raw values from being exposed or reused across sites. The plugin integrates with WordPress privacy tools — customers can request data export or erasure through the standard WordPress privacy workflow.

Yes. TrustLens includes a REST API with 8 endpoints for looking up customers, retrieving scores, filtering by segment, and triggering recalculations. API access requires either the manage_woocommerce capability or a valid API key configured in settings.

Yes. The free version includes core email notifications such as blocked checkout alerts, a welcome summary, and a weekly summary. Pro adds advanced alerts, daily digests, monthly revenue protection reports, and scheduled email reports.

By default, customers need at least 3 orders before they move out of the Normal segment. You can adjust this threshold in Settings > General. Customers below the threshold still accumulate signals — they just aren't classified until enough data exists.

Yes. All 8 detection modules ship in the free version — returns, orders, coupons, categories, linked accounts, shipping address anomalies, chargebacks, and card-testing defense. There are no trial limits, no disabled scoring, and no locked modules. Pro adds automation rules, webhooks, scheduled reports, payment-method risk controls, the advanced per-brand Chargeback Monitor with daily alerts, Card-Testing Defense Pro (auto-escalation + analytics + Slack alerts), and 10 advanced notification types.

Important: TrustLens uses your WordPress auth secret key (via wp_salt('auth')) as the HMAC keying material for hashing customer emails and linked-account fingerprints. This is a deliberate security choice — it makes stored hashes non-reversible and non-portable across sites. The trade-off is that regenerating your WordPress secret keys (whether through a security plugin's "regenerate keys" tool or by editing wp-config.php directly) will permanently invalidate every customer hash and fingerprint already stored in your TrustLens tables. After rotation, the plugin won't be able to match a returning customer to their existing trust profile, and linked-account detection will reset. If you ever need to rotate WordPress secret keys, plan to run Historical Sync afterward so TrustLens rebuilds the customer table from your existing WooCommerce order data using the new keying material. Allowlisted/blocked status set manually on individual customer rows is the exception that won't auto-recover — re-apply those after the sync.