Almost all risk rules do run before authorisation. This in order to filter out all suspicious orders before the payment request is sent to the card issuing bank.
In addition, the Risk Profile contains a few risk rules that trigger post authorization. These are:
- Billing address does not match card holder address (AVS)
- Card Verification Code (CVC2/CVV2/CID) does not match
- Liability shift status
- All PayPal rules
When clicking on the risk score of the payment, you’ll see a breakdown between the pre-auth and post-auth rules.