The WooCommerce Store Annual Risk Audit: What to Review Every Year Before You’re Forced To
The WooCommerce Annual Risk Audit
Payment networks update their fraud and chargeback thresholds on a schedule. Your store’s exposure should be reviewed on one too. This guide walks through what to audit every year — discounts, fraud signals, chargeback exposure, policies, and tool fit — before a processor, gateway, or network forces the conversation.
Most WooCommerce store owners do a version of this review the hard way — after a gateway flags their account, after a chargeback rate triggers a monitoring program, after a discount campaign runs longer than planned and loses money no one was tracking. The audit happens, but reactively.
This post is the proactive version. A structured annual review that catches problems while they’re still small: discount campaigns that no longer serve their purpose, fraud patterns that have quietly shifted in your customer base, chargeback exposure creeping toward a threshold you haven’t checked, policies that invite abuse, and tools that may no longer be the right fit for where your store is today.
It’s organized by domain — discounts, fraud, chargebacks, policies, tools — with a printable checklist at the end. Treat the sections as a working document, not a one-time read.
Disclosure
This post references Smart Cycle Discounts and TrustLens, both made by Webstepper, who publishes this blog. We’ve written this as an honest operational guide — these tools come up where they’re genuinely relevant, not in every section. If you use other tools that do the same job, the audit questions apply equally.
Why annual isn’t arbitrary
Card networks run merchant monitoring programs on calendar cycles. Visa’s VDMP and VFMP programs track your chargeback ratio month by month, with enrollment triggered when you cross certain thresholds — and those thresholds can shift as the programs evolve. Mastercard’s ECP program operates similarly. Amex and Discover have their own monitoring logic. None of these reset automatically in your favor. If your ratio climbs over the course of a year and you haven’t looked, you may already be in a monitoring program without knowing it.
Payment gateway policies update on their own schedule too. Processors revise acceptable-use policies, fraud scoring models, and category risk classifications. A gateway that was a comfortable fit 18 months ago may have tightened its stance on certain product types or geographic patterns since then.
Post-holiday data is another forcing function. The period immediately after peak season (BFCM, holiday, major sales campaigns) generates an elevated volume of returns, disputes, and chargebacks that take weeks to surface. By January or February, the downstream picture from your biggest sales period is becoming clear. That’s the right time to look at it with fresh eyes.
Discount structures drift over time. A campaign architecture you built two years ago may have been right for your order volume then but not for where you are now. The abuse patterns that made sense to guard against may have shifted. New customers behave differently from the cohort that taught you your original policies.
An annual audit isn’t a nice-to-have. It’s the minimum review cadence that keeps a growing store from being surprised by problems that accumulated slowly.
Discount audit
The discount audit asks one core question about every promotion your store ran in the past year: did it work the way you intended, and is it structured correctly for the next year?
Which campaigns actually ran
Start by pulling a complete list of campaigns that were active at any point in the past 12 months — including ones that expired or ran briefly. This list often surprises merchants. Campaigns that were “supposed to be temporary” that ran for months. Recurring promotions that were set up once and never revisited. Campaigns that were paused but never properly closed out.
For each one: what was the discount type, what products did it cover, what was the intended duration, and did it actually end when planned? A campaign that ran 3 weeks longer than intended isn’t just a margin question — it’s a signal that your scheduling process needs tightening.
Smart Cycle Discounts shows the full lifecycle of every campaign (draft, scheduled, active, expired) in the campaign list, including historical records. Use that view to reconstruct what actually ran.
What Campaign Intelligence flagged
If you’re using Smart Cycle Discounts, Campaign Intelligence evaluates each campaign during its lifetime and flags operational risks — overlapping discounts, priority conflicts, pricing integrity issues. Pull up the campaigns from the past year and look at what the system flagged, particularly for campaigns that ran during peak periods.
A Campaign Intelligence verdict of “At Risk” or “Action Required” that you dismissed at launch is worth revisiting now with the benefit of knowing how the campaign actually performed. Did the flagged risk materialize? If so, what would you do differently? If not, was the warning miscalibrated, or did you catch it early enough to avoid the problem? For a deeper look at what each verdict state means and what action it calls for, the guide to Campaign Intelligence verdict states covers this in detail.
Analytics review
For Pro users of Smart Cycle Discounts, the analytics dashboard gives per-campaign revenue contribution, conversion data, and performance trends. Use this data to answer four questions:
- Which campaigns drove the most meaningful revenue relative to margin given up?
- Which campaigns had poor conversion despite high discount depth — suggesting the offer wasn’t the constraint?
- Which campaigns were consistently high-performing and should be retained or expanded?
- Which campaigns should be retired or restructured?
If you don’t have this data at campaign level, that’s itself an audit finding: your current tooling doesn’t give you visibility into discount ROI, and next year’s campaigns will be just as opaque.
Tier fit check
An honest question: are you using the features your tier provides? And conversely, are you hitting limitations in your current tier that are costing you more in workarounds than an upgrade would cost?
A store that has grown into tiered pricing needs — wholesale customers, volume buyers, B2B segments — but is on a free-tier discount plugin is doing a manual job that should be automated. A store that paid for Pro capabilities it’s barely using may be over-tooled for where it is now. Both are valid findings from an annual review.
Pre-launch checklist vs. annual audit
If you’re setting up individual campaigns throughout the year, the pre-launch checklist in the campaign safety guide handles the per-campaign safety checks. The annual audit is the higher-level review: are your campaign structures, discount architecture, and tooling still correct for your store as it exists today?
Fraud audit
The fraud audit is a behavioral review of your customer base over the past year. Fraud patterns aren’t static — the customers exploiting your return policy this year may be different from last year’s cohort, the abuse patterns may have shifted, and your store’s growth may have attracted new vectors that weren’t present before.
Chargeback ratio year-on-year
Pull your store’s overall chargeback ratio for the past 12 months and compare it to the prior year. If it’s rising — even slowly — that trend matters more than the absolute number. A ratio that was 0.4% two years ago and is 0.7% today is heading somewhere, and you want to understand why before it arrives.
Segment the data where you can: which payment methods generate the most disputes, which product categories, which customer segments. This breakdown tells you where to focus intervention.
If you’re using TrustLens, the Chargeback Ratio Speedometer on the dashboard tracks your blended monthly ratio with status colors keyed to Visa VDMP/VFMP, Mastercard ECP, Amex, and Discover monitoring programs. The guide to reading the TrustLens chargeback speedometer explains what each status means and what action each threshold calls for. For your annual audit, pull the 12-month trend chart (Pro) to see how your ratio has moved over the year.
Segment distribution shift
In TrustLens, every customer belongs to one of six segments: VIP, Trusted, Normal, Caution, Risk, or Critical. Your segment distribution — the proportion of customers in each bucket — is a snapshot of the behavioral health of your customer base.
Compare this year’s distribution to last year’s. If your Risk and Critical segments are larger as a proportion of your active customer base, something has changed: your acquisition channels may be attracting a different type of customer, your policies may be more exploitable than before, or an abuse pattern has taken hold that you haven’t addressed.
A growing VIP and Trusted segment is the signal you want to see — loyal, high-trust customers increasing as a share of your base. A growing Caution and Risk segment is a yellow flag worth investigating before it becomes red.
Linked accounts trends
TrustLens tracks accounts that share fingerprints: shipping addresses, billing addresses, phone numbers, IPs, payment methods, and device user-agents. When multiple accounts share fingerprints, they’re flagged as linked — a signal of potential multi-account abuse like repeated first-order discount farming or coordinated return rings.
For the annual audit: how many linked-account clusters appeared in the past year? Did any clusters grow in size? Were there clusters you blocked that later reappeared with new account variations? Linked-account behavior that repeats or scales suggests a systematic abuse pattern, not a one-off incident.
This data is also useful for understanding how your discount campaigns interact with fraud. Stores running first-order discount campaigns often see linked-account activity spike around campaign dates — customers creating new accounts specifically to claim the offer. If that pattern is visible in your data, the discount audit and fraud audit connect directly.
Card-testing event log
If your store experienced card-testing attacks during the past year — where bots probe stolen cards through your checkout to validate them before using them elsewhere — your TrustLens Card-Testing Defense log records these events. Review:
- How many attack events were detected?
- Which periods saw elevated attack activity (and does that correlate with peak traffic or promotion launches)?
- Were there attacks that required the Panic Freeze button?
- Did any attacks result in successful payments that later became chargebacks?
Card-testing attacks that slip through to successful payments are a direct contributor to your chargeback ratio. If your data shows a correlation, tightening the Card-Testing Defense thresholds (or upgrading to Pro’s auto-escalation for large-scale attacks) is a concrete finding for your annual action list.
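The review questions above assume you can read a card-testing log and tell a burst of probing from normal checkout retries. The script below is an added example of that detection logic, not TrustLens code and not its actual thresholds or log format: it parses a constructed payment-attempt log (one line per attempt, with the card shown only as a masked last-four), groups attempts by source IP, and flags any IP that makes at least `min_attempts` attempts across at least `min_distinct_cards` different cards inside a sliding `window_seconds` window. Each flagged burst also reports how many attempts were approved, which is the "successful payments that later became chargebacks" question from the list. The line format, the sample lines and the threshold defaults are all assumptions for the example.

```python
"""Card-testing burst detection over a constructed payment-attempt log.

Added example; not TrustLens code. The log format below is invented for the
example (real gateway and WooCommerce logs differ), card numbers are masked
placeholders, and the default thresholds are illustrative, not a vendor's.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: one burst of probing from 198.51.100.20 (many cards,
# seconds apart, one approval), a normal customer retrying one card from
# 203.0.113.5, and slow, spread-out declines from 192.0.2.9.
SAMPLE_LOG = """
2024-11-29T10:00:00Z ip=198.51.100.20 card=****1111 result=declined
2024-11-29T10:00:04Z ip=198.51.100.20 card=****2222 result=declined
2024-11-29T10:00:09Z ip=198.51.100.20 card=****3333 result=declined
2024-11-29T10:00:13Z ip=198.51.100.20 card=****4444 result=approved
2024-11-29T10:00:18Z ip=198.51.100.20 card=****5555 result=declined
2024-11-29T10:00:22Z ip=198.51.100.20 card=****6666 result=declined
2024-11-29T10:00:27Z ip=198.51.100.20 card=****7777 result=declined
2024-11-29T10:00:31Z ip=198.51.100.20 card=****8888 result=declined
2024-11-29T10:05:00Z ip=203.0.113.5 card=****9999 result=declined
2024-11-29T10:05:40Z ip=203.0.113.5 card=****9999 result=declined
2024-11-29T10:06:10Z ip=203.0.113.5 card=****9999 result=approved
2024-11-29T11:00:00Z ip=192.0.2.9 card=****1212 result=declined
2024-11-29T11:04:00Z ip=192.0.2.9 card=****3434 result=declined
2024-11-29T11:08:00Z ip=192.0.2.9 card=****5656 result=declined
2024-11-29T11:12:00Z ip=192.0.2.9 card=****7878 result=declined
2024-11-29T11:16:00Z ip=192.0.2.9 card=****9090 result=declined
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) card=(?P<card>\S+) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "card": m["card"], "result": m["result"]}


def detect_card_testing(lines, window_seconds=60, min_attempts=5, min_distinct_cards=4):
    """Return one event per source IP whose attempts form a card-testing burst.

    A burst starts at any attempt from which at least min_attempts attempts on
    at least min_distinct_cards distinct cards fall inside window_seconds; it is
    then extended for as long as consecutive attempts stay within the window.
    Requiring distinct cards keeps a customer retrying one card out of the
    results, and keeps a shared office IP from being flagged on volume alone.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    events = []
    for ip, recs in sorted(by_ip.items()):
        recs.sort(key=lambda r: r["ts"])
        n, i = len(recs), 0
        while i < n:
            j = i
            while j + 1 < n and (recs[j + 1]["ts"] - recs[i]["ts"]).total_seconds() <= window_seconds:
                j += 1
            window = recs[i:j + 1]
            if len(window) >= min_attempts and len({r["card"] for r in window}) >= min_distinct_cards:
                while j + 1 < n and (recs[j + 1]["ts"] - recs[j]["ts"]).total_seconds() <= window_seconds:
                    j += 1
                burst = recs[i:j + 1]
                events.append({
                    "ip": ip,
                    "start": burst[0]["ts"],
                    "end": burst[-1]["ts"],
                    "attempts": len(burst),
                    "distinct_cards": len({r["card"] for r in burst}),
                    "approved": sum(1 for r in burst if r["result"] == "approved"),
                })
                i = j + 1
            else:
                i += 1
    return events


if __name__ == "__main__":
    for ev in detect_card_testing(SAMPLE_LOG):
        print(f"{ev['ip']}: {ev['attempts']} attempts on {ev['distinct_cards']} cards "
              f"between {ev['start']:%H:%M:%S} and {ev['end']:%H:%M:%S}, {ev['approved']} approved")
```

For the annual review, run this over the whole year's attempt log and join the `approved` attempts inside each burst against your dispute list: approvals that later became chargebacks are the direct link between card testing and your ratio that the section above describes.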
Chargeback audit
The chargeback audit goes deeper than the ratio trend. It looks at the composition of disputes, the card brands generating them, and whether your current processes are set up to respond effectively.
Per-brand breakdown
Different card networks have different monitoring thresholds and different consequences for crossing them. Your blended ratio may look acceptable while a specific brand’s ratio — Visa, Mastercard, Amex, or Discover — is quietly approaching a threshold that triggers a monitoring program enrollment.
TrustLens Pro’s Advanced Chargeback Monitor provides per-brand ratio breakdowns with threshold progress bars so you can see each brand’s position independently. If you’re on TrustLens free, you see the blended speedometer — still useful for directional trend, but the per-brand view is more precise for avoiding monitoring program enrollment.
The monitoring programs TrustLens tracks against are Visa VDMP/VFMP, Mastercard ECP, Amex, and Discover. If you’re near a threshold for any one brand, that’s an action item even if your blended ratio looks fine.
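The ratio-trend check in the fraud audit and the per-brand breakdown here are the same calculation run at different granularities. The script below is an added example of that calculation over an exported order list; it is not TrustLens code and does not reproduce the networks' actual program thresholds. The order records are constructed so that the blended 2024 ratio sits comfortably under 1% while one brand's own ratio is well over its (placeholder) limit, which is exactly the situation the paragraph above warns about; the threshold values, the `WATCH_FRACTION` rule for "approaching", and the two years used are all assumptions for the example.

```python
"""Chargeback-ratio audit: blended vs. per-brand, and year-on-year trend.

Added example; not TrustLens code. Order records are constructed, and the
thresholds are placeholders rather than the real VDMP/VFMP/ECP figures.
"""
from collections import defaultdict
from datetime import date

# Placeholder per-brand limits (fraction of orders disputed). Replace with the
# figures your processor currently publishes for each program.
PLACEHOLDER_THRESHOLDS = {"visa": 0.009, "mastercard": 0.010}
WATCH_FRACTION = 0.75  # "approaching" once a brand reaches 75% of its own limit


def build_sample():
    """Constructed sample rows: (order_id, order_date, card_brand, disputed)."""
    spec = [  # year, month, brand, orders, of which disputed
        (2023, 11, "visa", 200, 1), (2023, 12, "visa", 250, 2),
        (2023, 11, "mastercard", 100, 0), (2023, 12, "mastercard", 120, 1),
        (2024, 11, "visa", 300, 1), (2024, 12, "visa", 350, 1),
        (2024, 11, "mastercard", 150, 2), (2024, 12, "mastercard", 160, 3),
    ]
    rows, oid = [], 1
    for year, month, brand, n_orders, n_disputed in spec:
        for i in range(n_orders):
            rows.append((oid, date(year, month, 1), brand, i < n_disputed))
            oid += 1
    return rows


SAMPLE = build_sample()


def _tally(orders, year=None, brand=None, by_month=False):
    """Count disputes and orders, optionally filtered by year/brand, optionally per month.

    Simplification: a dispute is counted in the month of the order, whereas the
    networks count it in the month the dispute is raised.
    """
    counts = defaultdict(lambda: [0, 0])  # key -> [disputes, orders]
    for _oid, d, b, disputed in orders:
        if year is not None and d.year != year:
            continue
        if brand is not None and b != brand:
            continue
        key = f"{d.year:04d}-{d.month:02d}" if by_month else "all"
        counts[key][1] += 1
        counts[key][0] += int(disputed)
    return {k: (c[0], c[1], c[0] / c[1]) for k, c in sorted(counts.items())}


def yearly_ratio(orders, year, brand=None):
    """(disputes, orders, ratio) for one calendar year, blended or for one brand."""
    return _tally(orders, year, brand).get("all", (0, 0, 0.0))


def monthly_ratios(orders, brand=None):
    """{'YYYY-MM': (disputes, orders, ratio)}: the month-by-month series to chart."""
    return _tally(orders, brand=brand, by_month=True)


def yoy_change(orders, this_year, last_year, brand=None):
    """Relative change in the annual ratio; 0.22 means it rose 22%. None if no baseline."""
    now = yearly_ratio(orders, this_year, brand)[2]
    before = yearly_ratio(orders, last_year, brand)[2]
    return None if before == 0 else (now - before) / before


def per_brand_status(orders, year, thresholds=PLACEHOLDER_THRESHOLDS, watch=WATCH_FRACTION):
    """Classify each brand as 'ok', 'approaching' or 'above' against its own limit."""
    status = {}
    for brand, limit in thresholds.items():
        ratio = yearly_ratio(orders, year, brand)[2]
        if ratio >= limit:
            status[brand] = "above"
        elif ratio >= watch * limit:
            status[brand] = "approaching"
        else:
            status[brand] = "ok"
    return status


if __name__ == "__main__":
    d, n, r = yearly_ratio(SAMPLE, 2024)
    print(f"2024 blended: {d}/{n} = {r:.2%}, year-on-year {yoy_change(SAMPLE, 2024, 2023):+.1%}")
    for brand, st in per_brand_status(SAMPLE, 2024).items():
        print(f"  {brand}: {yearly_ratio(SAMPLE, 2024, brand)[2]:.2%} -> {st}")
```

On the constructed data the blended 2024 ratio is 7/960, under 1% and so "comfortable" on a single speedometer, while Mastercard alone is 5/310 and classified `above`; the blended ratio also rose about 22% on the prior year, which is the trend signal the fraud audit asks you to watch even when every number is below a limit.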
Top disputed customers
The annual audit is a good time to look at which customers have generated the most disputes. In TrustLens, per-customer dispute history feeds into trust scores, and Pro’s Advanced Chargeback Monitor surfaces top-disputed customers with a direct link to a Dispute Evidence Report — a print-ready behavioral risk summary you can submit alongside processor dispute responses.
Customers with multiple disputes in a single year are a concentrated risk. Some of them have legitimate complaints that point to product or fulfillment issues on your end. Others are abusing the dispute process. Knowing which is which lets you respond differently: fix the operational issue with one customer, block the bad actor with another.
Gateway response readiness
If you’ve received a retrieval request or chargeback notification in the past year, how quickly were you able to assemble evidence? How complete was that evidence? This is a process check, not just a data check.
Common gaps: no per-order record of what was communicated to the customer at checkout, no stored delivery confirmation for digital products, no screenshot of the refund policy the customer accepted at purchase. If your dispute response process is ad hoc, the annual audit is the time to standardize it — before the next dispute arrives.
Policy audit
Policies are a fraud surface. A return policy that’s too generous invites abuse; one that’s too restrictive generates disputes. A coupon policy that’s too permissive funds a first-order discount ring; one that’s not communicated clearly creates customer service friction. The policy audit looks at whether your current policies are serving you.
Refund policy
Review the refund policy as it stands on your site today. Then compare it to your actual refund data for the past year:
- What percentage of orders resulted in a full refund?
- What percentage resulted in a partial refund?
- Are there product categories with dramatically higher refund rates than others?
- Are there specific customers whose refund rates are far above the store average?
If your refund rate is rising without a corresponding decline in product quality issues, the policy itself may be a contributor. A policy that allows returns within 30 days for any reason, with no questions asked, is a wardrobing invitation for certain product types. That doesn’t mean you should make returns harder — it means the policy should be calibrated to the actual return behavior you’re seeing, not drafted in the abstract.
Coupon restrictions
Review how your coupon structure works today. Which coupons are configured as one-per-customer? Which have usage limits? Which have no restrictions at all? Then check TrustLens’s coupon abuse detection data: how many customers triggered the repeat first-order coupon penalty, the coupon-then-refund pattern, or the excessive stacking signal during the past year?
If the data shows systematic coupon abuse, the policy question is: is your coupon configuration making this easier than it should be? A first-order coupon with no per-customer limit and no email verification gate is a wide-open surface. Smart Cycle Discounts’ coupon code campaigns can be configured with single-use enforcement (Pro) — if you’re running codes that should be one-time, make sure they’re actually enforced that way.
First-order discount abuse patterns
First-order discounts are structurally vulnerable to multi-account farming. A customer creates a new email address, claims the new-customer offer, completes an order (or not), then creates another. TrustLens’s linked-accounts detection tracks whether multiple accounts share fingerprints — shipping address, billing address, phone, IP, payment method, device — so you can see if “new customers” claiming your first-order offer are actually the same actors in new accounts.
The annual audit question: how many first-order discount claims in the past year came from customers who turned out to be linked to existing accounts? If the number is significant, consider whether the discount is worth the abuse rate, or whether it needs a tighter gate (email verification, account age requirement, or geographic restriction).
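The linked-accounts review in the fraud audit and the first-order-claim count asked for here both rest on one operation: grouping accounts that share fingerprint values, then looking at who in each group claimed the new-customer offer. The script below is an added example of that grouping, not TrustLens code and not its scoring; it indexes the six fingerprint fields the text lists, counts how many fields each pair of accounts shares, joins pairs that share at least `min_shared_fields` into clusters with a union-find, and then reports how many first-order claims came from accounts linked to another claimant. The account records, field names and the `first_order_coupon` flag are constructed for the example.

```python
"""Linked-account clustering and first-order-discount claim audit.

Added example; not TrustLens code. Accounts below are constructed; the
payment_method and device values stand in for opaque hashes, not real data.
"""
from collections import defaultdict
from itertools import combinations

# The fingerprint fields the text lists; values are normalized before comparison.
FINGERPRINT_FIELDS = ("shipping_address", "billing_address", "phone",
                      "ip", "payment_method", "device")

ACCOUNTS = [  # constructed sample
    {"id": "a1", "shipping_address": "12 Elm St, 90210", "billing_address": "12 Elm St, 90210",
     "phone": "555-0100", "ip": "198.51.100.7", "payment_method": "pm-001", "device": "ua-x",
     "first_order_coupon": True},
    {"id": "a2", "shipping_address": "12 elm st,  90210", "billing_address": "4 Birch Ln, 90211",
     "phone": "555-0100", "ip": "198.51.100.8", "payment_method": "pm-002", "device": "ua-x",
     "first_order_coupon": True},
    {"id": "a3", "shipping_address": "77 Oak Ave, 10001", "billing_address": "77 Oak Ave, 10001",
     "phone": "555-0177", "ip": "198.51.100.7", "payment_method": "pm-003", "device": "ua-y",
     "first_order_coupon": True},  # shares only an IP with a1 (e.g. a shared network)
    {"id": "a4", "shipping_address": "9 Pine Rd, 30301", "billing_address": "9 Pine Rd, 30301",
     "phone": "555-0144", "ip": "203.0.113.4", "payment_method": "pm-002", "device": "ua-x",
     "first_order_coupon": True},
    {"id": "a5", "shipping_address": "5 Lake Dr, 60601", "billing_address": "5 Lake Dr, 60601",
     "phone": "555-0155", "ip": "203.0.113.5", "payment_method": "pm-005", "device": "ua-z",
     "first_order_coupon": True},
    {"id": "a6", "shipping_address": "8 Hill St, 80201", "billing_address": "8 Hill St, 80201",
     "phone": "555-0166", "ip": "203.0.113.6", "payment_method": "pm-006", "device": "ua-w",
     "first_order_coupon": False},
]


def _norm(value):
    """Lower-case and collapse whitespace so '12 Elm St' and '12 elm  st' match."""
    return " ".join(str(value).lower().split())


def shared_field_counts(accounts, fields=FINGERPRINT_FIELDS):
    """{(id_a, id_b): n} for every pair of accounts sharing n fingerprint values."""
    index = defaultdict(set)  # (field, normalized value) -> account ids
    for acct in accounts:
        for field in fields:
            if acct.get(field):
                index[(field, _norm(acct[field]))].add(acct["id"])
    pair_counts = defaultdict(int)
    for ids in index.values():
        for a, b in combinations(sorted(ids), 2):
            pair_counts[(a, b)] += 1
    return dict(pair_counts)


def link_accounts(accounts, min_shared_fields=2):
    """Clusters (size >= 2) of accounts joined by pairs sharing enough fields.

    The default of 2 means a lone shared IP does not link accounts by itself:
    many legitimate customers sit behind one carrier or office address.
    """
    parent = {a["id"]: a["id"] for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for (a, b), n in shared_field_counts(accounts).items():
        if n >= min_shared_fields:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for aid in parent:
        groups[find(aid)].add(aid)
    return sorted((frozenset(g) for g in groups.values() if len(g) > 1), key=sorted)


def first_order_claim_audit(accounts, clusters):
    """Count first-order coupon claims made from accounts linked to another claimant."""
    claimants = {a["id"] for a in accounts if a.get("first_order_coupon")}
    linked = set()
    for cluster in clusters:
        members = cluster & claimants
        if len(members) > 1:
            linked |= members
    return {"claims": len(claimants), "linked_claims": len(linked), "clusters": len(clusters)}


if __name__ == "__main__":
    clusters = link_accounts(ACCOUNTS)
    print("clusters:", [sorted(c) for c in clusters])
    print("first-order audit:", first_order_claim_audit(ACCOUNTS, clusters))
```

With the default of two shared fields, `a1`, `a2` and `a4` form one cluster (address and phone join the first pair, payment method and device join the second) and three of the five first-order claims turn out to be linked; `a3`, which only shares an IP with `a1`, stays out. Lowering `min_shared_fields` to 1 pulls `a3` in, which is the trade-off to decide on deliberately when you set the gate.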
Policies that look generous but cost more than they save
The annual audit is the right time for an honest cost calculation: what did your most permissive policies actually cost you this year in refunds, dispute fees, and foregone margin on abused discounts? That number, even approximate, gives you a rational basis for a policy adjustment. Without it, policy decisions are made on instinct rather than evidence.
Tool audit
The tool audit is the most uncomfortable section for most merchants, because it requires asking honestly whether your current setup is still the right fit — including tools you’ve been using for years and may have some attachment to.
Are your current tools still the right fit?
The right tooling for a store processing 100 orders per month is not necessarily the right tooling for a store processing 2,000. The right fraud prevention tool for a store with mostly new customers is different from the right tool for a store with a deep behavioral history of returning customers. Your store has changed. Has your tooling kept pace?
Specific things to evaluate:
- Discount tooling: Are you on the right tier? Are you using features you’re paying for? Are there capabilities you’ve been working around manually that a tier upgrade would solve? Would tiered pricing, bundle deals, or spend-threshold discounts serve your current customer mix better than what you’re running now?
- Fraud tooling: Does your current fraud setup catch the types of abuse your store actually sees? Or does it leave behavioral patterns — serial returners, coupon abusers, linked-account rings — undetected because it only screens at the transaction level?
- Chargeback monitoring: Are you watching your ratio at all, or are you flying blind until a gateway notification arrives? If it’s the latter, the annual audit is the moment to change that.
- Reporting and analytics: Can you answer basic questions about your store’s performance from last year — which campaigns worked, which customers cost you the most, what your refund trend looks like — from your current tooling? If not, what’s missing?
The honest question
The annual audit isn’t an exercise in justifying what you already have. It’s an honest review of what’s working and what isn’t. If a tool that made sense when you chose it is no longer earning its place, that’s a finding worth acting on — even if it involves replacing something familiar.
Equally, if you’ve been relying on manual processes to compensate for tool gaps — manually reviewing every refund request, hand-checking coupon usage, monitoring your dispute inbox for early warning signs — those processes are audit findings too. Manual compensations that should be automated are a drain on your time and an inconsistency risk when you’re busy.
What the annual audit usually surfaces
When merchants run through this review seriously for the first time, the most common findings aren’t dramatic revelations — they’re accumulated small gaps. A recurring campaign that ran 6 weeks past its end date. A refund rate that has quietly doubled over 18 months. Three linked-account clusters that appeared during the holiday season and were never addressed. A chargeback ratio that’s been edging upward for three quarters. None of these individually would have triggered a crisis. Together, they represent the difference between a well-maintained store and one where problems have been building unnoticed.
Printable checklist
Use this checklist as a working document for your annual review. Print it, copy it into a spreadsheet, or paste it into your project management tool. Each item is a question to answer — some will take five minutes, others may surface findings that need deeper attention.
Discount audit
| Item | Done | Notes |
|---|---|---|
| Pull complete list of campaigns that ran in the past 12 months | ||
| Flag any campaigns that ran longer than their intended end date | ||
| Review Campaign Intelligence flags for the past year — which were dismissed? Which risks materialized? | ||
| Identify top 3 revenue-contributing campaigns (Pro analytics) and confirm whether to retain, expand, or retire | ||
| Identify any campaigns with poor conversion despite high discount depth — consider restructuring or retiring | ||
| Check whether current discount types still match your customer mix (first-order, B2B, volume, recurring seasonal) | ||
| Confirm whether your current plugin tier has the features you need for next year | ||
Fraud audit
| Item | Done | Notes |
|---|---|---|
| Compare chargeback ratio this year vs. last year — note direction of trend, not just absolute level | ||
| Segment dispute data by product category and payment method to identify concentration | ||
| Compare TrustLens segment distribution (VIP / Trusted / Normal / Caution / Risk / Critical) to prior year | ||
| Review linked-account clusters that appeared in the past year — any that grew or recurred? | ||
| Review card-testing event log — frequency, timing, any correlation with campaign launches? | ||
| Check whether any card-testing attacks resulted in successful orders that later became chargebacks | ||
| Confirm TrustLens minimum-orders threshold still calibrated correctly for your current order volume | ||
Chargeback audit
| Item | Done | Notes |
|---|---|---|
| Review per-brand chargeback ratio (Visa, Mastercard, Amex, Discover) — is any single brand elevated above others? | ||
| Check TrustLens Chargeback Speedometer status for current month and review 12-month trend (Pro) | ||
| Identify top-disputed customers and review whether dispute cause is operational (on your end) or behavioral (on theirs) | ||
| Audit dispute response process — do you have consistent, complete evidence for each dispute type you receive? | ||
| Confirm gateway relationship health — any notifications from your processor in the past 12 months? | ||
| Assess whether manual chargeback entry process (for non-Stripe/WooPayments gateways) is being maintained consistently | ||
Policy audit
| Item | Done | Notes |
|---|---|---|
| Compare stated refund policy to actual refund rate — are they aligned or has behavior drifted from policy? | ||
| Identify product categories with significantly higher-than-average refund rates | ||
| Review coupon restrictions: are first-order codes single-use, per-customer-enforced, and time-limited? | ||
| Check TrustLens coupon abuse data — how many customers triggered the repeat-use or coupon-then-refund signal? | ||
| Quantify first-order discount abuse: how many new-customer claimants were linked to existing accounts? | ||
| Review whether refund policy language on your site accurately reflects your actual practice | ||
Tool audit
| Item | Done | Notes |
|---|---|---|
| Is your discount plugin on the right tier for your current discount type needs? | ||
| Are there discount capabilities you’re working around manually that a tier change would automate? | ||
| Does your fraud tooling detect behavioral patterns (return abuse, coupon farming, linked accounts) or only transaction-level signals? | ||
| Is your chargeback ratio monitored proactively, or do you only find out about problems from gateway notifications? | ||
| Are there manual review processes you’re running that should be automated? | ||
| Are all installed plugins on current versions? Any security updates outstanding? | ||
Common questions
When is the best time of year to run this audit?
The period after peak season — January through February for most WooCommerce stores — is the natural anchor. By then, the downstream data from your biggest trading period has surfaced: chargebacks from holiday orders are arriving, refund rates from November and December are fully visible, and you can see the full behavioral picture of how your campaigns actually ran. Doing the audit before this data has materialized means making decisions with an incomplete picture.
A secondary review in July or August is worth doing for stores that see significant mid-year sales (summer promotions, back-to-school). Some audit items — particularly the chargeback ratio check and the Campaign Intelligence review — are worth running more frequently than once a year, even if the full audit is annual.
What if I don’t have year-over-year data because I just installed TrustLens?
Run Historical Sync from the TrustLens dashboard immediately. Historical Sync processes your existing WooCommerce order data in background batches and builds trust profiles for all your existing customers — including behavioral signals from orders placed before TrustLens was installed. Most stores will have a meaningful customer behavioral picture within a few hours of running the sync, even if the plugin is brand new. Next year’s audit will have a full 12-month baseline to compare against.
How much time should this audit take?
For a small-to-medium store that has been running TrustLens and Smart Cycle Discounts throughout the year, the data collection for each section shouldn’t take more than an hour. The deeper thinking — deciding what to change, what to retire, what to prioritize — takes longer and depends on what the data surfaces. Block two to three hours for the full audit plus action planning. If that feels like a lot, consider what a gateway chargeback notification or a monitoring program enrollment would cost in time and operational disruption by comparison.
Should I be worried if my chargeback ratio is below the network thresholds?
Below-threshold doesn’t mean risk-free — it means you haven’t crossed the line that triggers a formal monitoring program. The more useful question is whether your ratio is trending up or down. A ratio that’s been stable for two years is a different situation from one that has risen 30% year-over-year, even if both are currently below the enrollment threshold. The trend is the signal. The threshold is the consequence.
The TrustLens Chargeback Speedometer reflects this: Healthy, Approaching threshold, and Action needed are status labels that describe your position relative to the threshold, not just whether you’ve crossed it. “Approaching threshold” is an action item even when you’re technically still in the safe zone.
What’s the relationship between discount campaigns and chargeback risk?
Discount campaigns attract orders from customers who wouldn’t otherwise buy at full price. Some of those customers are opportunistic but legitimate; others are specifically looking to exploit the discount and then dispute the charge. The correlation isn’t universal, but it’s consistent enough that stores with aggressive first-order discount programs tend to see elevated chargeback rates from that customer cohort.
The tool that helps here is TrustLens’s coupon abuse detection and linked-accounts identification — patterns that show customers who claim first-order discounts repeatedly or create new accounts specifically for discount access. Identifying that cohort lets you decide whether the discount structure needs tightening. For a deeper look at how your discount strategy and fraud exposure interact, the guide on discount fraud loops covers the specific patterns and how to address them.
Key Takeaways
- The audit has five domains: discounts, fraud, chargebacks, policies, and tools. Each one surfaces different problems. Running them together once a year gives you a complete picture of where your store’s risk exposure actually sits.
- Annual isn’t arbitrary — payment networks run their monitoring programs on calendar cycles, post-holiday data takes weeks to surface, and policies drift in ways that aren’t visible until you look at the full year’s data in one sitting.
- Trend matters more than absolute level — a chargeback ratio that’s rising is a more urgent finding than a ratio that’s stable, even if both numbers look comfortable today.
- Segment distribution shift is an early signal — if your Risk and Critical customer segments are growing as a proportion of your active base, something in your acquisition or policy structure has changed. The distribution tells you before individual incidents do.
- Discount campaigns and fraud aren’t separate problems — first-order discount structures, coupon restrictions, and linked-account patterns are directly connected. Your discount audit and fraud audit should inform each other.
- Manual compensations are audit findings — if you’re doing by hand what a tool should automate, that process is fragile and costs you more time than it appears to. Annual audits are the right moment to act on that.
- Historical Sync lets you start late — if you’re just installing TrustLens now, run Historical Sync immediately. You’ll have a meaningful behavioral baseline in hours, built from your existing order history, not just from orders placed after activation.
Make Next Year’s Audit Easier
The annual audit is harder when you’re reconstructing a year’s worth of data from scratch. Smart Cycle Discounts tracks campaign history and surfaces Campaign Intelligence flags as you go. TrustLens builds a running behavioral record of every customer — so when audit time comes, the data is already there.