If the ecommerce website is using a payment portal (e.g. paypal.com) which uses 3Dsecure & the recommended method of using an <iframe> is not deployed. Then theses 3Dsecure domains (e.g. verifiedbyvisa.bank.com) will need to be excluded.

If these domains are not added to the exclude referral list; then organic & cpc transaction sales will be attributed to referrals, and the session will be split in half; causing pan-session conversion rate issues, an artificial increase in returning visitors and funnel flow reporting issues.

universal migrations ecommerce 3Dsecure non-iframe referrals revenue graph


Exclude payment portal referrals TopLevelDomains checklist:


Note: GA universal excluding referral uses a wildcard .*paypal.com$ not ^paypal.com$ thus xxxpaypal.com and blog.paypal.com will also be excluded. Read this Google help page for more info here.



Assuming that clientdomain.com is present in the exclude referral list. Then GTM referral override setting patch can be added to the pageview and transaction tags on the sale complete page only.

universal migrations transaction tabs

The advantage of this solution is that the exclude list does not need to be maintained, but it does require the separation of the global pageview tag and the sale complete pageview tag:



If the payment portal callback thank you page: is not hosted on httpS.

Then the browser would hide document.referrer if the user is redirected from an httpS payment portal (i.e traffic would defaults to direct without needing a GA exclude referral patch). However this requires the website to add htaccess redirect rule, hence managing an exclude referral blacklist will be an easier option.


# Rough example – not tested

RewriteCond %{HTTPS} off

RewriteCond %{REQUEST_URI} ^/checkout/onepage/success$ [NC]

RewriteRule ^(.*)$ http://%{HTTP_HOST}$1 [L,R=301]


Tip 1: A report on pageGroup2_pageType=”confirmed” or landing page=/checkout/onepage/success which is filtered for returning session only and sorted descending by entrances or sessions can be used to find exclude referral for the blacklist.


Tip 2: A GA user-defined profile filter can be added to find referrals these domains:

referral: (.+)

medium: ^(referral|referral_self)$

output user-defined: $A1


Tip 3: Other exclude referrals to check include…

Livechat TopLevelDomains:


Survey TopLevelDomains:



0117 3361103