How to Hide Payment Gateways for High-Risk WooCommerce Customers
Store Security · Payment Risk
Not Every Risk Deserves a Full Block
Hiding a payment gateway is more precise than blocking a customer entirely. A Risk-segment shopper can still buy — they just can’t choose the payment method most likely to become a chargeback. This guide explains when that trade-off makes sense, and how WooCommerce payment method restriction actually works.
There is a customer in your store right now with two refunds in three months, a coupon-then-refund cycle on one of them, and a second account linked by shipping address. TrustLens has moved them into the Risk segment. Their trust score is sitting at 28.
The question is not whether to do something. The question is what to do.
Blocking their checkout entirely is one answer. But it is a blunt one. That customer may still place legitimate orders. The abuse pattern you have documented is financial — refunds and discount cycling — not identity fraud. Cutting them off completely means losing the revenue from any genuine purchases, and generating a support ticket if they push back.
There is a more targeted response: hide the payment gateways that carry the highest chargeback and dispute risk, while leaving others available. The customer can still buy. They just cannot pay with the method most likely to turn into a formal dispute. For a Risk-segment customer with a refund pattern, that is often the appropriate response at this stage.
This guide walks through how WooCommerce payment method restriction works, how TrustLens Pro’s Payment Method Risk Controls feature implements it, and how to decide whether restriction or a full block is the right call for a given customer profile.
Why a Full Checkout Block Is Sometimes the Wrong Tool
A full checkout block is appropriate for a Critical-segment customer with confirmed multi-account fraud, a documented linked-account ring, or an active chargeback. The evidence is dense, the intent is clear, and the cost of allowing another order outweighs the cost of refusing the sale.
A Risk-segment customer is a different situation. Their behavior has raised enough signals to warrant a response, but the picture is often less clear-cut. They might have a high refund rate from a run of genuinely defective products. They might share a shipping address with a family member who has a separate account. They might have used a first-order coupon twice, which is a policy violation but not fraud in the legal sense.
For these customers, a full block has two costs worth considering:
- Lost revenue. Some Risk-segment customers are marginal — they cost more than they earn — but others are not. A graduated response lets you keep the revenue while reducing the specific risk you are most exposed to.
- False positive exposure. The Risk segment captures customers who might be abusive, not customers who definitely are. A block is hard to reverse without a support interaction. Restriction is lower stakes: if it turns out the customer is legitimate, the friction was a minor inconvenience rather than a refusal to serve them.
Payment method restriction sits between “do nothing” and “block completely.” It is the right layer when you have enough evidence to act but not enough to be confident about a full block.
Why payment method matters for chargeback exposure
Different payment methods carry meaningfully different dispute risk. Credit cards processed through Stripe or WooPayments have 120-day chargeback windows, formal adjudication processes, and dispute fees in the $15–$25 range per incident. Prepayment methods, bank transfers with immediate settlement, or pay-by-invoice arrangements with agreed terms have much shorter or nonexistent dispute windows. Steering a high-risk customer away from a chargeback-prone gateway is a structural reduction in dispute exposure — not just a one-off measure.
What Hiding a Payment Gateway Actually Does
WooCommerce exposes a filter called woocommerce_available_payment_gateways that lets plugins remove specific gateways from the list a customer sees at checkout. The removed gateways are simply absent — the customer never sees them as options. Nothing on the page indicates they were hidden; the checkout displays whatever payment methods remain available.
TrustLens Pro’s Payment Method Risk Controls feature hooks into this filter and applies your configured rules in real time during checkout. If a customer meets one of the restriction triggers, the gateways you have nominated are removed from their available options before the checkout page renders.
A few mechanics worth understanding:
- The restriction applies at checkout and at the order-pay endpoint — both the standard checkout flow and the “pay for this order” link sent via email.
- Allowlisted customers are always exempt, regardless of their trust score or segment. If you have added someone to the allowlist, their payment options are never restricted.
- The feature must be explicitly enabled in TrustLens settings. It is off by default.
- When a restriction fires, TrustLens logs a payment_gateway_restricted event to the customer’s event timeline, so you can see the restriction history when reviewing their profile.
- A configurable customer-facing notice is displayed when gateways are removed. The default reads: “Some payment methods are unavailable for this order. Please choose another payment option.” You can edit this in settings.
The customer experience is non-confrontational. They are not told they are blocked, flagged, or under scrutiny. They see a narrower set of payment options and a brief notice. Most customers will simply choose one of the available methods and complete their purchase — which is the point. You captured the revenue while reducing your exposure.
The Three Signals That Trigger a Restriction
TrustLens Payment Method Risk Controls can restrict gateways based on three independent signals. They can be used individually or in combination — any signal that fires will trigger the restriction.
1. Trust segment
The primary and most commonly used trigger. You configure which segments should have gateway restrictions applied — by default, Risk and Critical. When a customer in one of those segments reaches checkout, the configured gateways are removed.
You can adjust the segment list. If you want to apply restrictions starting at Caution rather than Risk, you can add Caution to the list. If you only want restrictions for Critical customers, you can remove Risk. The full segment range — VIP, Trusted, Normal, Caution, Risk, Critical — is available as options, though restricting gateways for VIP or Trusted customers would be counterproductive in nearly every scenario.
2. Order velocity
An optional trigger that fires when a customer places a high number of orders within a short time window. This is separate from TrustLens’s trust scoring system — it is a real-time checkout signal that does not depend on a customer’s segment at all.
The default threshold is 3 or more orders within 24 hours. Both values are configurable: the order count can be set between 2 and 50, and the time window can be set between 1 and 168 hours. When the threshold is crossed, the restriction fires regardless of the customer’s trust segment.
Velocity controls are useful for catching rapid multi-purchase patterns from new accounts that have not yet accumulated enough order history to trigger segment-based scoring. A customer with two completed orders cannot be in the Risk segment by default (the minimum order threshold gates scoring), but they can still trigger a velocity restriction.
Velocity here is not the same as card-testing velocity
TrustLens has three independent velocity systems. Card-testing defense measures gateway declines per device fingerprint in 60-second and 10-minute windows. Shipping anomaly detection measures distinct address changes per customer. Payment method controls velocity measures completed orders per email address in a configurable window. They track different things, respond to different threats, and operate entirely independently.
3. Linked account risk
An optional trigger that fires when TrustLens detects that the current customer is linked to other accounts that are either blocked or in the Risk or Critical segment. The linking uses the same fingerprint approach as the broader linked accounts module: billing address, shipping address, phone number, IP address, and device user agent.
This trigger matters because a Risk-segment customer’s network can be a better predictor of intent than their own order history alone. If an account has placed two orders — below the minimum for segment scoring — but shares a billing address with a Critical-segment account, the linked risk trigger can apply payment restrictions before the scoring system has enough data to move the new account into a risk segment on its own.
For a deeper look at how TrustLens automation rules use similar risk signals to trigger order holds, email alerts, and other actions, see how TrustLens Automation Rules work.
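An added example, not TrustLens's own code and not part of the original article: one way a plugin could combine the three signals above with the allowlist and minimum-total rules, then apply the result through the woocommerce_available_payment_gateways filter described earlier. The example_* function, option and hook names, the profile array layout, the lowercase segment strings, counting only prior orders toward velocity, and the gateway IDs in the sample data are all assumptions.

```php
<?php
// Added example, not TrustLens code. Every example_* name is hypothetical.
// Returns the first signal that fires ('segment', 'velocity', 'linked_account') or null.
function example_restriction_reason(array $c, array $cfg, float $cart_total, int $now): ?string {
    // Allowlisted customers are always exempt; so are carts under the optional minimum.
    if (!empty($c['allowlisted']) || $cart_total < $cfg['min_order_total']) {
        return null;
    }
    if (in_array($c['segment'], $cfg['segments'], true)) {
        return 'segment';
    }
    if ($cfg['velocity_enabled']) {
        // Assumption: only previously placed orders count toward the threshold.
        $cutoff = $now - $cfg['velocity_hours'] * 3600;
        $recent = array_filter($c['order_times'], fn($t) => $t >= $cutoff);
        if (count($recent) >= $cfg['velocity_orders']) {
            return 'velocity';
        }
    }
    if ($cfg['linked_enabled']) {
        foreach ($c['linked'] as $other) {
            if (!empty($other['blocked']) || in_array($other['segment'] ?? '', ['risk', 'critical'], true)) {
                return 'linked_account';
            }
        }
    }
    return null;
}

// The gateway list is keyed by gateway ID, so drop the restricted keys.
function example_remove_gateways(array $gateways, array $restricted_ids): array {
    return array_diff_key($gateways, array_flip($restricted_ids));
}

if (function_exists('add_filter')) {
    // Inside WordPress: hook the filter. Covers standard checkout only, not order-pay.
    add_filter('woocommerce_available_payment_gateways', function ($gateways) {
        if (is_admin() || !function_exists('WC') || !WC()->customer || !WC()->cart) {
            return $gateways;
        }
        $cfg     = get_option('example_gateway_risk_config');               // hypothetical option
        $email   = WC()->customer->get_billing_email();
        $profile = apply_filters('example_customer_profile', null, $email); // hypothetical hook
        if (!is_array($cfg) || !is_array($profile)) {
            return $gateways; // no config or no profile: leave checkout untouched
        }
        $total = (float) WC()->cart->get_total('edit');
        if (example_restriction_reason($profile, $cfg, $total, time()) === null) {
            return $gateways;
        }
        return example_remove_gateways($gateways, $cfg['restricted_gateways']);
    });
} else {
    // Stand-alone run on constructed data; 'stripe' and 'bacs' are sample gateway IDs.
    $cfg = ['segments' => ['risk', 'critical'], 'min_order_total' => 0.0,
            'velocity_enabled' => true, 'velocity_orders' => 3, 'velocity_hours' => 24,
            'linked_enabled' => true, 'restricted_gateways' => ['stripe']];
    $now = 1700000000;
    $new = ['allowlisted' => false, 'segment' => 'normal', 'linked' => [],
            'order_times' => [$now - 3600, $now - 7200, $now - 10800]];
    echo example_restriction_reason($new, $cfg, 40.0, $now), "\n";
    var_dump(example_restriction_reason(['allowlisted' => true] + $new, $cfg, 40.0, $now));
    print_r(array_keys(example_remove_gateways(['stripe' => 1, 'bacs' => 2], ['stripe'])));
}
```

Keeping the decision in a pure function separate from the hook lets the rule order (allowlist first, then any single signal) be unit-tested without loading WooCommerce.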
How to Configure Payment Method Risk Controls
Payment Method Risk Controls live in TrustLens Settings, under the Pro section. The feature is off by default; you need to toggle it on before any restrictions take effect.
Enable the feature
Go to TrustLens → Settings and find the Payment Method Risk Controls section. Toggle the feature on. No restrictions apply until you also configure which gateways to restrict and under which conditions.
Select the gateways to restrict
Choose which payment gateways should be hidden for customers who trigger the controls. TrustLens reads your installed and active gateways and presents them as a selection. You are choosing gateways to remove for risky customers — the gateways you do not select remain available for everyone.
Configure segment targets
Choose which trust segments should trigger gateway restrictions. The default is Risk and Critical. You can add Caution if you want to cast a wider net, or narrow to Critical only if you want the most conservative approach.
Optionally enable velocity and linked-account controls
Both are off by default. Enable velocity control and set your threshold (order count and time window). Enable linked-account risk control if you want restrictions to apply to customers connected to known high-risk accounts even before they have entered a risk segment themselves.
Set a minimum order total (optional)
You can configure a minimum cart value below which restrictions do not fire. This is useful if you want to focus restrictions on higher-value orders where chargeback exposure is more meaningful, while leaving low-value orders unrestricted.
Edit the customer-facing message
Customize the notice that appears at checkout when gateways are removed. Keep the message neutral. The goal is to guide the customer toward an available payment method, not to reveal your detection logic or create alarm. The default message (“Some payment methods are unavailable for this order. Please choose another payment option.”) works well for most stores.
Full Checkout Block vs. Payment Restriction — When to Use Each
Both tools are available in TrustLens Pro. They address different risk levels and have different consequences for your customer relationships.
| Scenario | Recommended response | Why |
|---|---|---|
| Customer in Critical segment with confirmed multi-account fraud ring | Full checkout block | Evidence is strong enough to refuse service. No revenue from this customer is worth the exposure. |
| Customer in Risk segment with elevated refund rate and a coupon-then-refund cycle | Payment restriction | Pattern is concerning but not conclusive. Removing high-chargeback gateways reduces exposure without losing the order. |
| New account linked to a blocked or Critical-segment account | Payment restriction (via linked-account trigger), then monitor | Linked risk is a signal, not confirmation. Restriction is appropriate while you watch for more signals. |
| Customer placing orders at unusually high velocity | Payment restriction (via velocity trigger), then review | High velocity might be legitimate (bulk buyer, event-driven purchase). Restriction is a reasonable precaution while the pattern is unclear. |
| Customer with confirmed stolen-card activity or a formal dispute filed | Full checkout block (via automation rule) | Active fraud or confirmed dispute warrants a full block, not just gateway restriction. |
| Customer you have reviewed and confirmed as legitimate despite a low score | Allowlist them | Allowlisting locks their score at 100 and exempts them from all restrictions and blocks. The correct tool for confirmed false positives. |
The gradient from “do nothing” to “restriction” to “block” maps roughly to your confidence level in the risk assessment. The more specific and corroborated the signals, the stronger the response should be. The more ambiguous the picture, the more valuable a reversible, lower-friction intervention becomes.
For a full picture of how manual blocking, automation rules, and payment controls fit together as layers of the same enforcement strategy, the post on why manual customer blocking in WooCommerce never quite works walks through the graduated model end to end.
Avoiding Friction for Legitimate Customers
The strongest argument against payment method restriction — or any automated risk response — is the false positive problem. What happens when a customer in the Risk segment turns out to be a legitimate buyer who hit a rough patch?
The good news is that payment restriction is one of the lower-cost false positives in the system. The customer is not blocked. They are not told something is wrong. They see fewer payment options and a neutral message. The friction is real but minor. If they are legitimate, they will choose one of the remaining methods and complete their purchase.
Three features in TrustLens reduce the probability of a false positive triggering a restriction in the first place:
The loyalty bonus protects established customers
TrustLens adds up to +15 trust score points based on account age — +10 after 6 months, +15 after a year. A customer who has been buying from you reliably for two years needs significantly more negative signals to reach the Risk segment than a newer account. Restrictions are far less likely to fire for established buyers going through an unusual period.
The minimum order threshold prevents premature scoring
New customers need to accumulate at least 3 orders before TrustLens moves them out of the Normal segment into a risk segment (this threshold is configurable). A customer with two completed orders and one refund does not enter the Risk segment on that evidence alone. Velocity and linked-account triggers can still fire, but the segment-based trigger cannot until there is enough data for reliable scoring.
The allowlist is the right override mechanism
For specific customers you know are legitimate — business buyers with unusual patterns, resellers placing large bulk orders, VIPs with a documented history of exception requests — the allowlist locks their score at 100 permanently. Allowlisted customers are always exempt from payment method restrictions, regardless of what other signals exist. This is the correct tool for individual exceptions, not lowering the segment thresholds for everyone. For context on how TrustLens Pro and Free differ in terms of what gets automated and what stays manual, the TrustLens Free vs Pro comparison covers the full boundary.
Check the event timeline before adjusting thresholds
If you are seeing restrictions fire for customers who seem legitimate, open their profile in TrustLens and read through the event timeline before changing your segment configuration. The timeline shows you exactly which events moved their score and which signals are active. Often the restriction is firing correctly for reasons that are not obvious from the order list alone — a linked account that was blocked, a refund pattern that spans further back than you checked, or a velocity spike from a bulk order. Understand what drove the score before deciding whether to override it.
Frequently Asked Questions
Is payment method restriction available in the free version of TrustLens?
No. Payment Method Risk Controls is a Pro-only feature in TrustLens. The free version includes the full trust scoring engine, all eight detection modules, manual blocking and allowlisting, and checkout enforcement — but gateway restriction at checkout requires a Pro license. The free version is manual: it surfaces the risk information, and you decide what to do with it.
Which payment gateways can I restrict?
Any gateway installed and active in your WooCommerce store. TrustLens reads your available gateways and presents them as a selection in settings. You choose which ones should be hidden for customers who trigger a restriction. There is no built-in gateway list — it works with whatever you have installed.
Does the customer see a reason for the restriction?
No. The customer sees a configurable notice — the default is “Some payment methods are unavailable for this order. Please choose another payment option.” — and the gateways that remain available. Nothing indicates why certain methods are absent or that any risk assessment has taken place. The checkout continues normally with the remaining options.
Can I restrict payment methods for guest customers?
Yes. TrustLens identifies customers by billing email, which is available during guest checkout. If a guest enters a billing email that matches a Risk-segment customer’s profile, the restriction fires. The trigger also applies to the order-pay endpoint, which is how some guest orders pay after placing via other means.
How does the velocity trigger differ from the trust score trigger?
The trust score trigger uses a customer’s accumulated behavioral history — their segment is determined by signals across refunds, coupons, linked accounts, and other patterns over time. The velocity trigger is a real-time signal based on how many orders that billing email has placed within a configured time window, regardless of their segment or score. A new customer with a clean history can still trigger a velocity restriction if they place three or more orders within 24 hours.
Does restricting payment methods affect WooCommerce analytics or reporting?
No. Restrictions happen at the checkout display level — TrustLens filters the available gateways before the customer selects one. If the customer completes an order using one of the remaining gateways, that order flows through WooCommerce normally and appears in your reports like any other order. TrustLens logs the restriction event to the customer’s event timeline, but this does not affect WooCommerce’s own data.
Should I use payment restriction or automation rules when a customer hits the Risk segment?
They serve different purposes. Payment restriction changes what happens at the payment step of checkout — silently, in real time, without requiring any trigger to have fired. Automation rules are event-driven: a rule fires when something changes (a segment transition, a refund, a dispute) and executes a configured action. You can and should use both: a payment restriction that applies whenever a Risk-segment customer reaches checkout, and an automation rule that sends you a notification or holds their next order when their segment first changes to Risk. For a walkthrough of how automation rules are structured, see how TrustLens Automation Rules work.
The Practical Takeaway
Blocking a customer is the right call when the evidence is dense and the pattern is clear. But most Risk-segment customers are not at that threshold. They have accumulating signals — a refund rate that is higher than average, a coupon cycle that looks deliberate, a linked account that is in trouble — but the picture is still ambiguous enough that refusing their next order is a blunter instrument than the situation warrants.
Payment method restriction gives you a middle layer. You are not accepting risk uncritically, and you are not cutting off a customer you might be wrong about. You are narrowing their options to payment methods where your dispute exposure is lower — and doing it quietly, without confrontation, in a way that a legitimate customer will barely notice.
Whether payment restriction is the right tool depends on what your event timeline shows for that specific customer. The score is a starting point, not a verdict. Open the profile, read the signals, understand what drove the number — and then choose the response that matches what you actually found.
TrustLens Pro’s Payment Method Risk Controls are one part of a broader fraud response toolkit that includes how discount campaigns and customer risk interact — an important connection for any store running active promotions. If you want to explore the full feature set before upgrading, the TrustLens plugin page has the current tier breakdown.