
Why POS orders skip the fraud queue

Alva Digital Downloads skips fraud checks on Shopify POS orders by design. The customer is at the counter with a card-present payment already authenticated by the terminal — the risk profile is fundamentally different from an online checkout, so a review queue would block legitimate in-store sales for no benefit.

Why this is correct behaviour

The fraud queue exists because online checkouts run card-not-present. Shopify's Risk API flags patterns that correlate with stolen-card use — mismatched billing addresses, anonymising proxies, velocity from one IP. None of those signals apply at POS: the card was inserted, tapped, or swiped in store, the issuer authenticated it on the spot, and chargeback liability shifts to the issuer on a chip-and-PIN sale. Holding the order would mean a customer at the counter waiting on an email the merchant is also holding. Immediate license-key assignment is what merchants want here.

What this means in practice

Three concrete consequences flow from the POS bypass:

  • License keys assign immediately. The buyer walks out with a working code, not a pending one.
  • The download email fires on the ORDERS_PAID webhook. If the order was rung up against a customer profile in POS, the email lands within seconds of the receipt printing.
  • The order never appears in the fraud queue. No FraudCheckQueue row, no Shopify Risk API call, no risk score anywhere in the Alva admin.

The Alva order detail surfaces a clear marker that the order bypassed the fraud queue.

Where this is enforced in code

The bypass lives in app/models/webhooks.server.neworder.ts at line 79. The handler reads the customer ID from the payload and short-circuits when none is present, logging "Order <number> has no customer (POS/guest/draft order), skipping digital delivery" and returning before any code path that touches the Shopify Risk API or the FraudCheckQueue table runs. There is no toggle, no per-shop override, no per-order escape hatch.
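A sketch of the guard described above, added here as an example; it is not Alva's source code. The names routeOrder and auditBypassed and the sample payloads are hypothetical, while customer, source_name and order_number are fields of Shopify's order webhook payload. Because the guard tests for a missing customer rather than for the POS channel, the audit function groups bypassed orders by sales channel.

```typescript
// Added example with hypothetical names; not taken from Alva's code base.
interface OrderPayload {
  order_number: number;
  source_name: string; // Shopify order field, e.g. "pos", "web", "shopify_draft_order"
  customer?: { id: number } | null;
}

type Route =
  | { fraudCheck: "skipped"; log: string }
  | { fraudCheck: "queued" };

// Mirrors the documented guard: no customer ID on the payload means return
// early, before anything touches the Risk API or the FraudCheckQueue table.
function routeOrder(order: OrderPayload): Route {
  if (order.customer?.id == null) {
    return {
      fraudCheck: "skipped",
      log: `Order ${order.order_number} has no customer (POS/guest/draft order), skipping digital delivery`,
    };
  }
  return { fraudCheck: "queued" };
}

// Review aid: count bypassed orders per sales channel and list the order
// numbers whose channel is not "pos", so a reviewer sees what reached the bypass.
function auditBypassed(orders: OrderPayload[]) {
  const byChannel: Record<string, number> = {};
  const nonPos: number[] = [];
  for (const o of orders) {
    if (routeOrder(o).fraudCheck !== "skipped") continue;
    byChannel[o.source_name] = (byChannel[o.source_name] ?? 0) + 1;
    if (o.source_name !== "pos") nonPos.push(o.order_number);
  }
  return { byChannel, nonPos };
}

// Constructed sample payloads (not real orders).
const sampleOrders: OrderPayload[] = [
  { order_number: 1001, source_name: "pos", customer: null },
  { order_number: 1002, source_name: "pos", customer: { id: 501 } },
  { order_number: 1003, source_name: "web", customer: null },
  { order_number: 1004, source_name: "shopify_draft_order" },
  { order_number: 1005, source_name: "web", customer: { id: 502 } },
];

console.log(auditBypassed(sampleOrders));
```

Orders listed in nonPos can be handled with the Disable access action described under Side effects to know.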

Side effects to know

Skipping the Risk API means POS orders carry no risk score anywhere in Alva. If a specific in-store sale needs manual review later, open the order in the Alva admin and click Disable access — download links stop resolving and any assigned license keys return to the pool. The full walkthrough is linked below.

Frequently asked questions

Can I force a fraud check on a POS order?

No. The POS branch is unconditional — Alva short-circuits before reaching the Shopify Risk API for any order without a customer record. For manual review, use Disable access on the Alva order detail page.

How do I revoke a POS order if I need to?

Open the order in the Alva admin and click Disable access. Download links stop working immediately and any assigned license keys return to the pool.

Does this apply to draft orders too, or only POS?

It applies to any paid order without a customer record on the webhook payload — POS sales, draft orders converted without a customer attached, and guest checkouts. All three skip fraud checks for the same reason.

Last updated 2026-05-06