IP Geolocation Check
What Is an IP Geolocation Check? Definition and How It Works
Definition
An IP geolocation check in payments is a fraud detection signal that derives the physical location of a transaction's originating IP address and compares it against transaction attributes such as billing address, shipping address, and card BIN country to identify geographic inconsistencies.
How it works
IP geolocation works by mapping an IP address to an approximate physical location using databases that correlate IP address ranges to geographic regions, cities, and ISPs. When a transaction is initiated, the payment system captures the IP address and queries a geolocation database to retrieve the associated country, region, and city.
The geolocation result is compared against other transaction data: the cardholder's billing address country, the card BIN country (which indicates where the card was issued), and in some cases the shipping address. Significant mismatches, a US-issued card transacting from an IP geolocated to Eastern Europe with shipping to a freight forwarder, are combined into a risk signal that feeds fraud scoring.
IP geolocation has well-documented accuracy limitations. VPNs, proxy services, and Tor exit nodes mask the user's true location entirely, returning the location of the VPN server rather than the cardholder. Mobile network IP addresses often geolocate to the carrier's regional hub rather than the user's actual location, producing false mismatches. Corporate IP addresses geolocate to the company's network hub, which may be in a different city or country than the employee transacting.
These limitations mean IP geolocation is most useful as a weak supporting signal in a multi-factor fraud score rather than as a standalone decision criterion. Rules that decline based solely on IP geolocation mismatch produce high false positive rates.
Why it matters
IP geolocation alone generates too many false positives to use as a hard decline rule: VPN usage among legitimate cardholders is widespread enough that blocking VPN-origin transactions would block a material proportion of legitimate purchases. Geolocation is most useful when combined with other signals.
High-risk country flags are useful at the rule level: transactions originating from countries with no legitimate business relationship, or from known high-fraud IP ranges, are worth elevated scrutiny. This is a legitimate use of geolocation in rules when combined with other signals.
Geolocation accuracy degrades for mobile and corporate networks: mobile carrier IP blocks frequently geolocate to regional hubs. Corporate networks route through central IP addresses. These cases produce systematic mismatch signals that have no fraud content. Risk models should be trained with these false-positive generators accounted for.
VPN detection is a more useful signal than geolocation: identifying whether the IP originates from a commercial VPN or hosting provider is more actionable than the raw geolocation result. A transaction from a residential IP in France is different from one routed through a VPN exit node in France.
With PXP
PXP captures IP data at transaction initiation and includes geolocation signals in its fraud scoring model. IP-to-BIN country mismatch is available as a configurable rule input in PXP's risk interface, with IP signals feeding both rule-based checks and the ML-assisted fraud scoring model.
Frequently asked questions
How accurate is IP geolocation for fraud detection?
IP geolocation is accurate to country level for most residential and business IP addresses, but significantly less reliable for mobile networks, VPN services, and corporate IP ranges. At city level, accuracy varies considerably. Fraud systems should treat geolocation as a probabilistic signal with known limitations rather than a definitive location indicator.
Should merchants decline transactions from VPN IP addresses?
Not as a blanket rule. VPN usage is widespread among legitimate users, particularly in privacy-conscious markets, business travelers, and users in countries with internet restrictions. Declining all VPN-origin transactions would block a significant and growing proportion of legitimate customers. VPN origin is best treated as one elevated-risk signal that adjusts the fraud score rather than a standalone decline trigger.
What is an IP address associated with a datacentre and why does it matter?
Datacentre IP addresses belong to cloud hosting providers and server farms rather than residential or business ISPs. A transaction originating from a datacentre IP suggests the request was sent by a bot or script rather than a real user, no legitimate cardholder would be browsing from a cloud server. This is a high-value fraud signal and is typically treated more seriously than a residential-to-billing mismatch.
How do merchants handle IP geolocation for international customers?
For merchants with legitimate international customer bases, geolocation rules must be calibrated to the actual geographic distribution of legitimate customers. Rules that flag all transactions from outside the merchant's home country produce massive false positive rates for global merchants. Geolocation signals should be weighted relative to the expected transaction population, not applied with thresholds designed for domestic-only merchants.
Revolutionize your business with PXP
Take complete control of your commerce and payments with one platform.
Get Started