The DTC Playbook Search ⌘K
The DTC Playbook
Contents Glossary Benchmarks CalculatorsBeta Tools Health Check Dashboard

The DTC Playbook is a collection of learnings, frameworks and stories from my journey co-founding Quad Lock, and scaling to $200M in revenue and a $500M exit. - Rob Ward

Silent explainer video. It presents The DTC Playbook's tagline - Build a brand. Scale it. Sell it? - and introduces the playbook: a free, single source of truth for direct-to-consumer founders, written by Rob Ward, who bootstrapped Quad Lock to $50M+ in revenue before a $500M exit. It shows the Health Check that diagnoses what to fix in your business, and the sections, checklists and tools that show you how to fix it.

Home / The Business / Compliance & Regulatory
S9 · The Business

Compliance & Regulatory

Claims, Labelling, Safety, IP, Privacy, Accessibility

Section 9 / The Business / by Rob Ward
Free to read or create a free account to score your brand and see exactly what to fix first. No Subscription. No Credit Card. No Upsell. 100% Free.
TL;DR
  • Compliance done early costs $2K-$20K; done late it's $50K-$500K+ in recalls, fines and legal fees.
  • Every claim must be provable on demand - puffery is fine, but 'clinically proven' needs the evidence file.
  • File trademarks in every market you sell into; patents are expensive and distracting, so win on brand strength.
  • Keep chargebacks under 0.5% and build a dated compliance register - buyers pay for a clean file at exit.
On this page
Principle
Compliance Is Cheaper Than Consequences

Most founders ignore compliance until something goes wrong. A product recall, a cease-and-desist on your claims, a regulatory investigation. The cost of getting it right early is a fraction of the cost of getting it wrong later. This section won't make you a lawyer. It will tell you what questions to ask, when to get help, and what to never ignore.

Why This Section Exists

Most DTC founders come from marketing or product backgrounds. Compliance is the thing you assume you'll figure out later. Then later arrives as a cease-and-desist letter, a marketplace listing suspension, or a recall notice.

Get it right upfront and it typically costs $2K-$20K depending on category (testing and certification - IP protection like trademarks and patents is extra, covered below). Get it wrong and it's $50K-$500K+ in recalls, fines, legal fees, and brand damage, usually arriving at the worst possible moment. This section won't make you a regulatory expert. It will tell you what to ask about, what you can't ignore, and when to pay for help. Practical guidance, not legal advice. This section is the product-and-market-facing half of the legal picture: what you can sell, label, claim and say, how you protect your IP, and the consumer-protection and data-privacy rules around it. The corporate and structural half - entity, equity, founder agreements, contracts and governance - is Section 30: Legal & Corporate Foundations.

What's required depends heavily on your category. An accessories brand has minimal regulatory burden. A supplements brand operates in one of the most regulated consumer product spaces. Know where your category sits and invest accordingly. And if you're early stage, accept that you'll never dot every i and cross every t. Don't do everything compliance could possibly demand, and don't let it stop you from shipping either.

Hold two things in your head at once: take compliance seriously, and don't let it stop you. Finding the balance is the job of an entrepreneur.

Start with the category table below: find your product and see what actually applies to you. The acronym reference lives at the end of this section - use it when you need it.

Product Compliance by Category

CategoryKey RequirementsRegulatory BodiesWhat to Ask
Beauty/SkincareIngredient safety (INCI lists), preservative testing, stability testing, SPF claims, GMP where relevantAICIS and ACL/ACCC in AU, FDA in the US, EU Cosmetic Regulation"Are my ingredients and claims compliant in each market? Does this product cross into therapeutic claims?"
SupplementsRegistration or notification where required, health claims substantiation, GMP, batch testing, label complianceIn AU this may fall under TGA or food regulation depending on the product and claims, FDA in the US, EFSA and local food rules in the EU"Are my health claims substantiated? Is my manufacturer GMP-certified? Which regime applies in each market?"
Food/BeverageFood safety standards, allergen labelling, nutritional panels, shelf life testingFSANZ in AU/NZ, FDA in the US, FSA in the UK"Is my labelling compliant for each market? Do I have HACCP or equivalent controls?"
ElectronicsCE or equivalent conformity marking, FCC compliance, RCM in AU, safety testing, EMC, RoHS where applicableACMA and other applicable AU schemes, FCC in the US, EU product rules"Has this been tested and certified for each market I'm selling into?"
Children's ProductsAdditional safety testing (choking hazards, lead, phthalates)CPSC in the US, EN 71 in the EU, ACCC and mandatory AU standards where applicable"Has this been tested to the relevant children's product standard in every market?"
Apparel/TextilesFibre content labelling, country of origin, flammability for relevant products, care labellingACCC and ACL in AU, FTC in the US, EU Textile Regulation"Is my label compliant for fibre content and country of origin in each market?"
Warning
If you sell supplements, baby products, or anything that goes on or in the body - get specialist regulatory advice before you launch.

These categories have requirements that are easy to get wrong and expensive to fix. A regulatory consultant costs $2K-$5K. A product recall costs $50K-$500K+. The maths is straightforward.

Claims & Advertising Compliance

What you say about your product matters legally, not just commercially. Every claim you make in ads, on your website, in emails, or through influencers is subject to advertising standards and consumer law.

The difference between puffery and claims:

  • Puffery (generally fine): "We make the best coffee." "You'll love how this feels." Subjective opinions that no reasonable consumer would take as literal fact.
  • Claims (must be substantiated): "Clinically proven to reduce wrinkles by 40%." "Dermatologist recommended." "Organic." These are specific, measurable, or verifiable statements that require evidence.

Common traps that get brands in trouble:

  • "All natural" - Has no legal definition in most jurisdictions. If your product contains any synthetic ingredients, this claim is defensible grounds for a complaint.
  • "Chemical free" - Everything is a chemical. This claim is scientifically meaningless and increasingly flagged by regulators.
  • "Clinically tested" - Doesn't mean "clinically proven." Tested could mean one test with five people that showed no results. Regulators are increasingly scrutinising this distinction.
  • "Dermatologist approved/recommended" - How many? Under what conditions? One paid dermatologist doesn't constitute a recommendation.

Social media and influencer claims follow the same rules. If an influencer makes a health claim about your supplement, you're potentially liable. Brief your creators clearly on what they can and can't say. See Section 20: PR & Earned Media for disclosure requirements in seeding and gifted product.

Competitor comparisons are allowed in most jurisdictions if they're truthful, substantiated, and not misleading. But "our product is better than [Competitor]" without evidence is a lawsuit waiting to happen. Stick to objective, verifiable claims.

Tip
Tip:

Before launching any campaign with specific product claims, ask: "If a regulator asked me to prove this tomorrow, could I?" If the answer is no, rewrite the claim or get the evidence. Regulators and advertising bodies including the ACCC in Australia, the FTC in the US, and the ASA in the UK do actively scrutinise misleading claims, especially in beauty, supplements, and health.

Influencers, Reviews & User-Generated Content

The claims rules above don't stop at your own ads. The moment someone else talks about your product on your behalf - a creator you pay, a customer you incentivise, a review you publish - you're on the hook for what they say. Regulators have got sharper here, and the penalties are no longer theoretical.

Disclosure is non-negotiable. If there's a material connection between you and the person endorsing your product (payment, free product, an affiliate commission, an employment relationship), it has to be disclosed clearly: legible, in the same place as the endorsement, on every platform it appears. A buried #ad on the third line of a caption doesn't cut it. Same with affiliate links - if a click earns you money, say so.

Warning
The Fake-Review Line Is Now a Bright One

The FTC's fake-reviews rule (in force since late 2024) bans buying positive reviews, suppressing honest negative ones, posing as an independent reviewer, and using AI to fabricate testimonials. Civil penalties run up to roughly $53,000 per violation, and "per violation" can mean per fake review. It's the kind of thing a founder waves off as a growth hack early on, until a disgruntled competitor or ex-employee reports it. Don't buy reviews, don't gate your widget to publish only the five-stars, and don't let an agency do it on your behalf.

Four things to get right, and they're cheap to get right:

01
Disclose
Every paid or incentivised endorsement carries a clear, legible disclosure (#ad, #paid, #partner, or the platform's paid-partnership label), near the endorsement, on every platform.
02
Contract It
Your written creator agreement requires the disclosure in clause form, bans claims you can't back, and makes the creator responsible for following your brief.
03
Substantiate
If an endorser states a result ("this cleared my skin in a week"), you need evidence that it's what a typical user can expect, not a one-off. The endorsement raises the evidence bar, it doesn't lower it.
04
Monitor
Review UGC before you put paid budget behind it, and watch for fake or incentivised reviews slipping into your own feed.

See Section 20: PR & Earned Media for the disclosure mechanics in gifting and seeding - the same rules apply to ads run through a creator's handle.

Subscriptions & Auto-Renewal

If you run subscriptions, free trials, or any auto-renewing charge, you are in one of the most actively enforced corners of consumer law. The headlines move around, but the underlying obligations barely shift, and founders get caught by reading the headline and missing the substance.

Insight
Don't be fooled by "the click-to-cancel rule was struck down."

The FTC's Click-to-Cancel / Negative Option Rule was vacated by a US appeals court in July 2025 on procedural grounds, and the FTC restarted rulemaking with an ANPRM in early 2026 - so that specific rule is not currently in force. But the FTC continues to enforce ROSCA and the FTC Act aggressively, with multiple 2025-26 cases, and other markets run their own auto-renewal and unfair-contract rules. The practical bar is effectively unchanged wherever you sell: make cancellation as easy as sign-up, get clear consent before the first charge, and don't use dark patterns. "The rule got vacated" is not a defence.

The obligations to get right:

  • Consent before the first charge: express, informed agreement to the recurring terms - what they will be charged, how often, and when - before any money moves. Pre-ticked boxes and buried terms don't count.
  • Clear, ongoing disclosure: the renewal price and cadence stated plainly at sign-up and again in renewal reminders.
  • Cancellation no harder than sign-up: if they signed up in two clicks online, they can cancel in two clicks online - not a phone call during business hours.

Email and SMS consent for those subscribers is a related but separate obligation (CAN-SPAM, TCPA, and local equivalents) - see Section 12: Email & SMS for the channel mechanics.

Data Privacy & Cookie Consent

Your entire DTC machine runs on data: pixels, email and SMS lists, customer profiles. All of it is regulated, and a non-compliant data layer is both a live fine risk and a red flag in diligence. The rules differ by region but the obligations rhyme.

RegimeWho it hitsKey obligationPenalty ceiling
GDPREU/UK customersOpt-in consent before trackingUp to 4% of global annual revenue (or €20M, whichever is higher)
CCPA / CPRACalifornia, above thresholdHonour opt-out / data-sale rulesPer-violation penalties
8+ US state lawsCO, CT, TX, VA and moreVarying notice & opt-out rulesVaries by state
Insight
CCPA/CPRA applies once a brand crosses a threshold, and the revenue line moves with inflation.

The structure is: over roughly $25M in gross annual revenue (the figure is periodically inflation-adjusted, so confirm the current number), OR data on 100,000+ California consumers/households, OR 50%+ of revenue from selling/sharing data. A growing DTC brand can trip the revenue or consumer-count prong without realising it - which is why this is a check-annually item, not a set-and-forget one.

The practical obligations are short and worth doing properly:

1
A compliant privacy policy
Accurate, current, and matching what the site actually does with data.
2
A real consent banner
Equal-weight Accept and Reject buttons - no dark patterns making "reject" hard to find.
3
Universal opt-out signals
Respecting Global Privacy Control (GPC) and similar browser signals; enforcement here is live (Sephora settled a GPC case for $1.2M).
4
Mapped data flows & DPAs
Knowing which vendors touch customer data, with data-processing agreements in place with each.
Warning
Dark-pattern cookie banners are an enforcement target, not a clever growth hack.

A banner where "Accept all" is a big bright button and "Reject" is buried or greyed out is exactly what regulators are now fining. A genuine equal-weight choice built from the start is far cheaper than a settlement, and a Section 10 tech stack consent-management tool should support it out of the box.

Website Accessibility (ADA / WCAG)

Your storefront is increasingly treated as a public accommodation in law, which makes an inaccessible site two problems at once: it shuts out real customers (around one in five people has a disability), and it is a live legal risk. Web-accessibility complaints are now one of the highest-volume areas of consumer litigation - thousands of ADA suits and far more demand letters land on online retailers every year, DTC stores very much included, and most settle quietly rather than in a headline.

The obligations differ by region but, as with privacy, they rhyme:

RegimeWho it hitsThe standard in practice
US ADA (Title III)US customersNo codified web standard, but courts and the DOJ treat WCAG 2.1 Level AA as the benchmark. Some states stack their own damages (California's Unruh Act adds statutory damages per affected visit).
European Accessibility Act (EAA)Selling to EU consumersAccessibility duties for ecommerce services in force since June 2025, enforced by each member state.
UK Equality Act / AU Disability Discrimination ActUK / AU customersLong-standing "reasonable adjustment" duties, both read against WCAG in practice.

WCAG 2.1 Level AA is the de facto target everywhere. The baseline is unglamorous and mostly one-time work baked into the theme:

1
Text alternatives
Meaningful images carry descriptive alt text; purely decorative ones are marked so screen readers skip them.
2
Keyboard and focus
Every action works without a mouse, in a logical order, with a visible focus state.
3
Contrast and colour
At least 4.5:1 contrast on body text, and never colour alone to carry meaning (an error needs a label, not just red).
4
Labelled controls
Form fields and buttons have real, programmatic labels, not just grey placeholder text.
5
Media
Captions or a transcript on any video that carries information.

Test it properly, because scanners only see part of the picture. An automated pass (axe, WAVE or Lighthouse) catches maybe a third of issues; a keyboard-only run-through and a real screen-reader pass (VoiceOver or NVDA) catch the structural ones that actually get you sued.

Warning
Accessibility overlay widgets are not a fix - they are a target.

The bolt-on "one line of code and you're compliant" overlays are marketed hard, but they have become a magnet for litigation rather than a shield against it, and disability advocates broadly reject them. There is no shortcut here: accessibility has to be built into your theme and templates, not painted over at runtime. The practical build-side detail - contrast, tap targets, labelled forms, semantic structure - sits in Section 11: Website & Conversion; email-specific alt text is in Section 12: Email & SMS.

As with everything here, this is awareness, not legal advice. Your exposure depends on where your customers are and how big you are, so confirm the current rules for your markets and get proper advice if an accessibility claim lands on you.

Labelling Requirements

Labelling requirements vary by product category and market. What must appear on the label, in what format, and in what language differs between AU, US, EU, and UK.

Universal basics (almost every market requires):

  • Product name and description
  • Ingredients or materials list
  • Net weight/volume
  • Country of origin (rules differ by jurisdiction)
  • Manufacturer or importer name and address
  • Batch/lot number (critical for traceability)
  • Any required warnings or certifications

Market-specific requirements:

  • EU/UK: Language requirements vary by market. CE marking applies to relevant product categories. UK conformity rules have shifted repeatedly, so check the current UK position for your product before printing artwork.
  • US: FTC Made in USA rules. FDA-specific requirements for food, supplements, and cosmetics.
  • AU: Country-of-origin and consumer law requirements under ACL, plus TGA requirements where the product is a therapeutic good.

Cross-reference: Section 24: International Expansion for market-specific compliance considerations when entering new regions.

Rob's take

As we scaled Quad Lock into new regions and moved from simple accessories into electronic products, the compliance and labelling requirements got significantly more complex. EU packaging recycling rules, certification markings, retailer-specific requirements on top of the regulatory ones. The key lesson for us was building compliance timelines into the product development cycle from the start. It can add weeks/months to the end of a project, and if you haven't accounted for it, you're either delaying your launch or cutting corners.

International Conformity: EU GPSR & UKCA

Selling into the EU and UK is no longer just a labelling exercise. Both now require a named, locally established party who is accountable for the product's safety. "We ship from Australia" or "we're a US brand" is not an answer a marketplace will accept.

Warning
The EU GPSR Is a Hard Gate, Not a Nice-to-Have

Since the EU's General Product Safety Regulation took effect (13 December 2024), you can't legally sell to EU consumers unless an EU-established "Responsible Person" is named on the product or listing. That can be your importer, an authorised representative, or in some setups a fulfilment provider, but it has to be someone with an EU address who takes responsibility. No Responsible Person, no sale, and marketplaces will pull your listings. Check the current position before you print artwork - the Commission keeps issuing further guidance.

What the two regimes demand:

RequirementEU (GPSR)UK
Local accountable partyEU-established Responsible Person named on product/listingUK-based Responsible Person for UK sales
Conformity markingCE marking where the product category requires itUKCA marking (UKNI for Northern Ireland)
Technical documentationRetained and available to authorities for 10 yearsRetained per the relevant UK product rules
Marketplace safety reportingRegister/report unsafe products via the EU Safety Gate; unsafe listings removed within ~2 working days of an orderReport via the UK product safety database
LabelsPhysical safety labelling, not QR-code-only, where safety information is requiredPhysical safety labelling per UK rules

The practical move is a per-market conformity matrix before you enter a region: one row per market, columns for who your Responsible Person is, which mark applies, where the technical file lives, and whether you're Safety-Gate registered. Naming the Responsible Person is the longest-lead item, so start it early. If a cell is blank, you're not ready to sell there yet.

This is one of the heaviest parts of entering Europe. Treat it as part of the market-entry plan, not an afterthought. See Section 24: International Expansion for sequencing market entry.

Intellectual Property Foundations

Section 5: Product covers IP in the context of product development. Here's the operational summary:

Trademark: File in every market you sell into. AU, US, EU, UK as a minimum for most DTC brands. Budget $1K-$3K per jurisdiction. File before you launch if possible - someone else registering your brand name in a market you haven't filed in is expensive to resolve.

Design registration: Protects the visual appearance of your product. Cheaper than patents, faster to obtain, and often more useful for DTC products where the design is distinctive. Budget $500-$1,500 per design per jurisdiction.

Patents: Expensive ($10K-$50K+), slow (2-4 years), and only worth pursuing if your product has a genuinely novel functional innovation. Not all DTC brands need patents. Focus on trademarks and design registrations first.

Marketplace brand protection. Once you're selling well, someone will copy you, and marketplaces are where it shows up first: counterfeits, listing hijackers piggybacking on your product page, unauthorised sellers. This is where trademark strength earns its keep, because the takedown tools are built around it. On Amazon, enrol in Brand Registry (which needs a registered trademark), then layer on Project Zero for self-service takedowns and Transparency for unit-level serialisation that proves authenticity. Amazon now seizes 15M+ counterfeits a year and stops around 99% of suspected infringements before brands even have to report them, but you still need a monitored takedown workflow across every marketplace you sell on, plus a clean chain of authenticity for your retail and wholesale channels.

This is the day-to-day reason the patent story above lands the way it does: brand and trademark enforcement is cheaper, faster, and higher-ROI than patent litigation for almost every DTC brand.

Rob's take

The first time we had to enforce our IP was against a Taiwanese company we believed was infringing our US patent. We'd been speaking with a major US retailer, then discovered they had found a similar product from that supplier and gone cold on us.

We issued a cease and desist. Nothing happened. So we sent the patent directly to the retailer, telling them they couldn't import or sell the product. The Taiwanese company then sued us, and we counter-filed in Chicago, where our lawyers were based.

By the time I was in a freezing Chicago courtroom just before Christmas, we'd already spent about a quarter of a million dollars. Once the judge saw our development history and timeline, it was clear we were in the stronger position, and the matter settled. They could sell through remaining stock, then we had the market to ourselves.

We got the result, but it reinforced a view I still hold: patents are expensive and distracting to enforce. If you can win on trademark strength and brand, that's usually the better path.

Tip
Domain Names

Secure your brand name across .com, .com.au, .co.uk, and any market-specific TLDs before launch. Domains are cheap to register ($10-$50/year) and expensive to recover once someone else has them.

Product Safety & Recalls

If you sell a consumer product, a recall is always possible. The question isn't whether you can imagine one happening, it's whether you're prepared if it does.

MetricCurrent figureWhy it matters
CPSC recalls & safety warnings369 in 2024 (the highest in recent years), already passed with 376 by Sept 2025~92% are tied to major online platforms, the channel most DTC brands sell on
CPSC reporting deadlineWithin 24 hours of learning of a substantial product hazardThe clock is fast and unforgiving once you have reportable information
California Prop 65 notices~5,400 filed in 2024 (up from 4,142 in 2023 and 3,170 in 2022)A private-enforcement machine; sell into California and you're exposed to it
FTC fake-reviews penaltyUp to ~$53,000 per violation"Per violation" can mean per fake review (see Influencers, Reviews & UGC above)

None of these should scare you off shipping. They're the reason the founder's principle at the top holds: getting it right early is a fraction of the cost of getting it wrong late. Know which of these touches your category, and watch those.

What triggers a recall:

  • Product causes injury or poses a safety risk
  • Non-compliance with a mandatory standard discovered
  • Contamination (food, beauty, supplements)
  • Labelling error that creates a safety issue (e.g., missing allergen declaration)

Preparation (before you need it):

  • Batch/lot traceability: Every unit should be traceable to a production batch. This lets you recall the affected batch without recalling everything. If you can't trace by batch, a recall means recalling all stock - exponentially more expensive.
  • Product liability insurance: Non-negotiable once you're selling to the public. Budget $1K-$5K/year for most DTC product categories. More for higher-risk categories (electronics, children's products, supplements).
  • Recall protocol documented: Who's responsible, who contacts the regulator, what goes on the website, how affected customers are reached, how product is returned or destroyed. See Section 20: PR & Earned Media for the communications framework.
Tip
Tip:

Product liability insurance is one of the cheapest forms of business insurance relative to the risk it covers. If you're selling physical products and don't have it, stop reading and get a quote today. One product injury lawsuit without insurance can end a brand.

Compliance as a Business Asset

Everything above reads like cost and admin while you're building. At exit it flips, and becomes one of the things a buyer pays for, or punishes you on. A serious acquirer diligences every claim you've ever made, every recall, every regulatory file, every IP registration. If it's organised and dated, diligence is fast and your reps and warranties are clean. If it's scattered across inboxes and a founder's memory, the buyer prices the uncertainty in, or holds back part of the consideration against it.

The asset is a single, audit-ready compliance register. Build it as you go, not the week before a sale.

01
Centralise the Files
One register (a shared drive or compliance tool) holding claims-substantiation files per SKU and per ad, test certificates, supplier compliance attestations, recall logs, IP and trademark filings, and export/customs documents. Dated, accessible, current.
02
Push It Onto Suppliers
Your supplier contracts should carry compliance obligations and indemnities, so that if a component fails a standard, the liability and the cost sit with the party who made it, not only with you.
03
Keep It Audit-Ready
Clear, dated, and retrievable in minutes. The EU's 10-year technical-file retention is the kind of obligation you can't reconstruct after the fact, so capture it in real time.
04
Insure the Tail
Treat product liability, recall, and errors-and-omissions cover as part of the package a buyer inherits. Coverage that's active and reviewed annually is a trust signal at exit, not just a cost line.
Insight
A Clean Compliance File Is Worth Real Money at Exit

The difference between an organised compliance register and a pile of forwarded emails can be a holdback, a price chip, or a stalled deal. A buyer's lawyers will find every gap, and every gap they find becomes leverage against your valuation and your reps-and-warranties exposure. The work you do here quietly compounds into a cleaner, higher, faster exit. See Section 28: Valuation & Exit for how diligence actually runs.

Fraud, Chargebacks & Payment Risk

Fraud is a cost of doing business in DTC. You won't eliminate it, but you can manage it to a level where it doesn't meaningfully impact your margin or your relationship with payment processors.

What actually happens:

  • A stolen credit card is used to buy product on your site
  • You fulfil the order and ship the product
  • The real cardholder disputes the charge with their bank
  • The bank issues a chargeback - taking the money back from you
  • You lose the product, the revenue, and get hit with a chargeback fee ($15-$25 per incident)

At low volumes, this is annoying. At scale, it's a margin problem. And if your chargeback rate starts climbing toward the 0.9-1% range, Shopify Payments or your processor is likely to get uncomfortable. Sustained levels above that can threaten your processing relationship. That's an existential risk, not just a cost.

Rob's take

We had a meaningful fraud and chargeback problem coming out of the Philippines. As Quad Lock got more popular there, a small group worked out they could buy product with stolen or disputed cards, receive the goods, then resell them locally on Facebook Marketplace.

It was tricky because there was also plenty of legitimate demand from the same region, so blocking the country wasn't an option. What worked was geolocation analysis. We mapped the orders that turned into chargebacks and found they clustered in a few very small areas, often shipping to addresses that weren't real residences. Once we saw the pattern, we tightened filters around those signals without hurting genuine customers.

The lesson was practical: fraud rarely disappears, but once you stop being the easy target, volume usually drops to a manageable level.

Chargeback rate benchmarks:

RateStatusAction
<0.5%HealthyMonitor monthly
0.5-0.8%ElevatedInvestigate patterns, tighten fraud filters
0.8-1.0%Warning zoneUrgent action needed
>1.0%Critical in many processor relationshipsProcessor relationship may be at risk

What Shopify gives you by default: Shopify's built-in fraud analysis flags orders as low, medium, or high risk based on signals like Address Verification System (AVS) mismatch, IP location vs billing address, and order velocity. For many brands under $5M, this plus basic manual review of flagged orders is adequate.

When to add dedicated fraud tooling: If you're seeing chargebacks above 0.5%, processing over $5M annually, or selling high-AOV products that attract professional fraudsters (electronics, luxury goods), consider a dedicated fraud prevention tool. NoFraud, Signifyd, or Riskified sit between your checkout and payment processor, scoring every transaction in real time and guaranteeing approved orders against chargebacks.

Common fraud patterns in DTC:

  • Card testing: Small orders ($1-$5) to test stolen card numbers before making large purchases elsewhere. Watch for sudden spikes in low-value orders.
  • Friendly fraud: A real customer makes a legitimate purchase, then disputes the charge claiming they didn't receive it or didn't authorise it. Clear shipping confirmation with tracking and signature on delivery reduces this.
  • Promo abuse: Customers creating multiple accounts to stack discounts or exploit new-customer offers. Tighten your promo code logic and flag repeated shipping addresses.
  • Refund fraud: Claiming a product was defective or never arrived when it was. Return reason coding (see Section 8: Quality & Returns) helps identify patterns.

Dispute management: When you do get a chargeback, respond promptly with evidence. Shipping confirmation, delivery tracking, AVS match, customer communication history. Shopify has a built-in dispute response flow. Good evidence materially improves your odds. Not responding means you lose by default.

Tip
Tip:

Set up a monthly fraud review. Check your chargeback rate, review the orders that were disputed, and look for patterns. Is it concentrated on a specific product? A specific region? A specific promotion? Fraud often comes in clusters, and catching the pattern early saves you from a chargeback rate spike that threatens your processor relationship.

Card-Network Monitoring & Dispute Deflection

Your processor's comfort level isn't the only threshold that matters. The card networks run their own monitoring programmes, and breaching them puts your ability to take payments at risk regardless of what Shopify thinks. The network average is still low, so you've got real headroom if you stay disciplined.

~0.17-0.26%
Network-wide average ecommerce chargeback rate (Q1-Q3 2025, and rising). Your processor gets uncomfortable as you approach ~0.9%, and the card networks monitor against their own ratios on top - note that VAMP's ratio counts fraud reports plus disputes, so it runs far above your raw chargeback rate and its thresholds aren't directly comparable.

Visa's VAMP programme is the one to watch. It combines fraud and dispute activity into a single ratio (fraud reports plus disputes, over total sales). The threshold dropped to 2.2% from June 2025, tightening to 1.5% in some regions from 1 April 2026. Mastercard runs equivalent monitoring; your acquirer can tell you the current thresholds and whether you're near them. The shift that matters: under VAMP, disputes count toward the ratio, not just confirmed fraud. So deflecting disputes matters as much as blocking fraud.

Insight
Most Disputes Aren't Stolen Cards, They're Your Own Customers

Around 75% of disputes are friendly (first-party) fraud: a real customer who genuinely bought the product, then disputes the charge anyway. A fraud filter can't block your way out of that, because the order looked legitimate - it was. The lever is deflection: resolving the complaint before it hardens into a chargeback. Different toolset from fraud scoring, and you need both.

Three tools work together:

01
Pre-Dispute Alerts
Enrol in Verifi (Visa) and Ethoca (Mastercard). When a cardholder is about to dispute, you get a window to refund or resolve directly, deflecting it before it counts against you. Visa's Rapid Dispute Resolution can auto-resolve qualifying disputes by rule.
02
Selective 3DS2
Apply 3-D Secure on high-risk transactions only. It shifts chargeback liability to the issuer on those orders while keeping low-risk checkout frictionless. Blanket-apply it and you'll add friction (and lose conversions) on orders that never needed it.
03
Guarantee-Backed Scoring
The dedicated tools above (NoFraud, Signifyd, Riskified) score every order and guarantee approved ones against chargebacks, taking the fraud loss off your books.

The trap on the other side is over-blocking. Tighten the filters too hard and you reject good customers.

Warning
False Declines Cost More Than Fraud Does

Globally, declined legitimate orders cost merchants roughly 9x what actual fraud does (about $443B in lost good orders versus about $48B in fraud). Guarantee-backed platforms run false-decline rates of roughly 1.0-2.5%. Every legitimate customer you wrongly decline is a lost sale, a dented lifetime value, and often a customer who never comes back. The goal isn't zero fraud, it's the lowest total cost of fraud plus false declines. Watch both numbers, not just the chargeback line.

Regulatory Acronym Reference

Different markets, different bodies. The acronyms used in this section refer to:

AcronymFull nameJurisdiction
ACCCAustralian Competition and Consumer CommissionAU
ACLAustralian Consumer LawAU
ACMAAustralian Communications and Media AuthorityAU
AICISAustralian Industrial Chemicals Introduction SchemeAU
TGATherapeutic Goods AdministrationAU
FSANZFood Standards Australia New ZealandAU/NZ
RCMRegulatory Compliance MarkAU
FDAFood and Drug AdministrationUS
FCCFederal Communications CommissionUS
FTCFederal Trade CommissionUS
CPSCConsumer Product Safety CommissionUS
ADAAmericans with Disabilities ActUS
CCPACalifornia Consumer Privacy ActUS
CPRACalifornia Privacy Rights ActUS
ROSCARestore Online Shoppers' Confidence ActUS
TCPATelephone Consumer Protection ActUS
CAN-SPAMControlling the Assault of Non-Solicited Pornography And Marketing ActUS
GDPRGeneral Data Protection RegulationEU/UK
GPCGlobal Privacy ControlInternational
EFSAEuropean Food Safety AuthorityEU
CEConformité Européenne markingEU
RoHSRestriction of Hazardous SubstancesEU
FSAFood Standards AgencyUK
ASAAdvertising Standards AuthorityUK
UKCA / UKNIUK Conformity Assessed marking (UKNI for goods placed in Northern Ireland)UK
GMPGood Manufacturing PracticeInternational
HACCPHazard Analysis and Critical Control PointsInternational
EMCElectromagnetic Compatibility (testing standard)International
INCIInternational Nomenclature of Cosmetic IngredientsInternational (cosmetics labelling)
VAMPVisa Acquirer Monitoring ProgramInternational (card networks)
WCAGWeb Content Accessibility GuidelinesInternational

Section 9 Checklist

Section checklist
19 items
Sign in to unlock this 19-point checklist and track your progress across every section.
Sign in to unlock →
Share this section

Found this useful?

If this helped, send it to a DTC Founder or Operator who’d benefit. The Playbook is FREE — the only way it grows is word of mouth.

Free access · No subscription

Go from reading to doing.

You've read the section. Sign in to score your ecommerce brand with the Health Check, track your progress across 472 checklist items, and get your tools and history in one dashboard. Free, and always will be.