Risk threshold rules – often referred to as velocity checks – are designed to detect and prevent carding attacks. The rules trigger different actions when specified customer information passes through the gateway multiple times within a designated time period. The gateway can either send you an email or automatically reject the verifications or transactions that trigger your risk threshold rules. You can create as many of these rules as you would like.
To enable risk threshold rules:
- Log into the Control Panel
- Click on the gear icon in the top right corner
- Click Fraud Management from the drop-down menu
- Next to Risk Thresholds, click the Options link
- Fill in the fields with your desired criteria
- Click the Create button
After enabling this feature, you can view the rules you've created by returning to the Risk Threshold Rules Options page. To create additional rules, click the Add link located on the right of the page; if a rule is not working as expected, you can delete it altogether by clicking the Delete link to the right of the rule in question. Learn more about all available rule criteria below.
The easiest way to understand risk threshold rules is to start with a basic example. Let’s say you want to be notified when a customer is adding a lot of new cards to their account, as this can be an indicator of a carding attack. Here’s how you might set up this rule:
Action: Email
Alert Email Address: email@example.com
Alert Period (minutes): 20
Fields: Customer ID
Threshold: 5
Window (minutes): 10
Based on the criteria chosen above, this would be your rule:
Email me at email@example.com every 20 minutes when 5 or more verifications with the same Customer ID occur within 10 minutes of each other.
When reviewing the recommendations below, keep in mind that a business offering subscription-based services has different needs than one that ships physical products, so they’ll likely need different risk threshold rules to help mitigate attacks. If you have questions as you set up your own rules, feel free to contact us.
Before rejecting transactions based on your rules, we recommend you start off by setting your rule’s Action to Email. This will allow you to monitor activity on your account without impacting your customers, as the Braintree gateway won't take action on the risk threshold rule's response.
When you receive an email notification, we encourage you to look up the details of the transaction or verification in the Control Panel. If you believe that it might be fraudulent, you can then void or refund the request. It's usually best to follow your instincts in these cases.
Once you have verified that the rule works as intended, you can change the Action to Gateway Reject, blocking any transactions that trigger your rule.
The Alert Period determines how often you'll be notified that your rule has been triggered. You will get one email per Alert Period, so if you'd like to receive more emails, set the Alert Period to a low value. To limit the number of emails received, set the Alert Period to a higher value.
If your customers usually make repeat purchases in a small window of time, set your rule’s Window and Threshold to higher values. This will ensure that legitimate purchases don’t trigger your rule unnecessarily.
However, if your customers are more likely to make infrequent purchases, you could set your Window and Threshold at lower values to detect any transactions that don’t follow the normal pattern.
You must define the following rule criteria for each risk threshold rule:
The Action of a risk threshold rule is the event triggered when a transaction or verification violates that rule.
- Email: Each email notification will include a list of all verifications and transactions that have triggered the rule in the current Alert Period. This action has two further settings:
  - Alert Email Address: The email address that we will send alerts to
  - Alert Period (minutes): This will determine how often email notifications will be sent to you; the lower you set this number, the more emails you will receive if your rule is being triggered (maximum 120 minutes)
- Gateway Reject: Each rejected verification or transaction will have a status of Gateway Rejected and a Gateway Rejection Reason of Fraud
The Threshold defines the total number of times the Field must be duplicated within your designated Window before the rule is triggered. The request that causes your Threshold value to be met, along with any subsequent requests, will trigger your designated Action. The maximum Threshold value is 2147483647.
The Window sets the number of minutes during which your rule will be triggered if the Threshold is reached. The higher the number of minutes, the more likely your rule will be triggered. Once the designated window passes, the rule resets and the Field returns to 0. The maximum Window is 178 minutes.
The Field you choose determines what your rule will monitor. If the Field is duplicated enough times to reach your Threshold within your designated Window, the rule will be triggered. Only one Field can be specified per rule, but you can create as many rules as you need.
- Billing Postal Code: Counts the number of transactions or verifications that have used the same billing postal code
- Unique Credit Card Numbers per Billing Postal Code: Counts the number of transactions or verifications that have unique credit card numbers with the same billing postal code
- Credit Card Number: Counts the number of transactions or verifications that have the same credit card number
- Unique Customer ID per Credit Card Number: Counts the number of transactions or verifications that have unique customer IDs and the same credit card number
- Unique Order ID per Credit Card Number: Counts the number of transactions that have unique order IDs and the same credit card number
- Customer Email: Counts the number of transactions or verifications that have the same customer email address
- Customer ID: Counts the number of transactions or verifications that have the same customer ID
- Unique Credit Card Numbers per Customer ID: Counts the number of transactions or verifications that have unique credit card numbers and the same customer ID
- Order ID: Counts the number of transactions that have the same order ID
- Unique Credit Card Numbers per Order ID: Counts the number of transactions that have unique credit card numbers and the same order ID
- Payment Method Token: Counts the number of transactions or verifications that have the same payment method token
- Unique Credit Card Numbers per Payment Method Token: Counts the number of transactions or verifications that have unique credit card numbers with the same payment method token
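The following is an added example, not Braintree's code and not a description of how the gateway implements these rules internally. It models the criteria described above (Field, Threshold, Window, Action and Alert Period) as a small velocity-check engine and runs it over a constructed stream of requests, so the tuning advice about Window and Threshold earlier on this page can be tried against data: a card-testing burst (one customer adding six cards in under two minutes) alongside a legitimate repeat buyer (three purchases on one card, one minute apart). Assumptions: the window slides with each request rather than resetting on a fixed clock, and the Field names, card numbers and customer IDs are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass(frozen=True)
class Request:
    at: datetime
    kind: str              # "transaction" or "verification"
    customer_id: str
    card_number: str       # constructed sample values, never real card numbers
    order_id: str = ""


# A Field is a grouping key plus an optional "distinct" key. A plain Field such
# as Customer ID counts every request sharing the key; a "Unique X per Y" Field
# counts only distinct X values seen for the same Y. (Assumed names.)
FIELDS: dict[str, tuple[Callable[[Request], str], Optional[Callable[[Request], str]]]] = {
    "customer_id": (lambda r: r.customer_id, None),
    "credit_card_number": (lambda r: r.card_number, None),
    "order_id": (lambda r: r.order_id, None),
    "unique_cards_per_customer_id": (lambda r: r.customer_id, lambda r: r.card_number),
    "unique_customer_ids_per_card": (lambda r: r.card_number, lambda r: r.customer_id),
}


@dataclass
class Rule:
    field: str
    threshold: int
    window: timedelta
    action: str                                      # "email" or "gateway_reject"
    alert_period: timedelta = timedelta(minutes=20)


@dataclass
class Decision:
    triggered: bool
    status: str                                      # "processed" or "gateway_rejected"
    rejection_reason: Optional[str] = None


class VelocityMonitor:
    """Sliding-window counter for one rule (assumption: window slides per request)."""

    def __init__(self, rule: Rule) -> None:
        self.rule = rule
        self._key, self._distinct = FIELDS[rule.field]
        self._events: dict[str, deque] = defaultdict(deque)   # group -> (time, value)
        self._pending: list[Request] = []      # triggered requests awaiting the next email
        self._last_alert: Optional[datetime] = None
        self.sent_emails: list[list[Request]] = []

    def _count(self, group: str, now: datetime) -> int:
        q = self._events[group]
        while q and now - q[0][0] > self.rule.window:   # drop events older than the Window
            q.popleft()
        return len(q) if self._distinct is None else len({v for _, v in q})

    def observe(self, r: Request) -> Decision:
        group = self._key(r)
        self._events[group].append((r.at, self._distinct(r) if self._distinct else ""))
        if self._count(group, r.at) < self.rule.threshold:
            return Decision(False, "processed")
        # Threshold met: this request and every later one inside the Window triggers the Action.
        if self.rule.action == "gateway_reject":
            return Decision(True, "gateway_rejected", "fraud")
        self._pending.append(r)
        # Email action: one email per Alert Period, listing everything triggered since the last one.
        if self._last_alert is None or r.at - self._last_alert >= self.rule.alert_period:
            self.sent_emails.append(list(self._pending))
            self._pending.clear()
            self._last_alert = r.at
        return Decision(True, "processed")


def run_demo() -> dict[str, int]:
    """Constructed stream: cust_A tests six cards 20 s apart; cust_B buys three times, 1 min apart."""
    t0 = datetime(2024, 1, 1, 12, 0)
    burst = [Request(t0 + timedelta(seconds=20 * i), "verification", "cust_A", f"4111-0000-{i:04d}")
             for i in range(6)]
    repeat = [Request(t0 + timedelta(minutes=i), "transaction", "cust_B", "4222-0000-0001", f"order_{i}")
              for i in range(3)]
    stream = sorted(burst + repeat, key=lambda r: r.at)

    email_rule = VelocityMonitor(Rule("unique_cards_per_customer_id", 5, timedelta(minutes=10), "email"))
    reject_rule = VelocityMonitor(Rule("unique_cards_per_customer_id", 5, timedelta(minutes=10), "gateway_reject"))
    wide = VelocityMonitor(Rule("customer_id", 3, timedelta(minutes=10), "gateway_reject"))    # catches both
    narrow = VelocityMonitor(Rule("customer_id", 3, timedelta(minutes=1), "gateway_reject"))   # spares cust_B

    out = {"emails": 0, "rejected_card_testing": 0, "rejected_wide_window": 0, "rejected_narrow_window": 0}
    for r in stream:
        email_rule.observe(r)
        out["rejected_card_testing"] += int(reject_rule.observe(r).status == "gateway_rejected")
        out["rejected_wide_window"] += int(wide.observe(r).status == "gateway_rejected")
        out["rejected_narrow_window"] += int(narrow.observe(r).status == "gateway_rejected")
    out["emails"] = len(email_rule.sent_emails)
    return out


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows the trade-off the tuning guidance describes: the Unique Credit Card Numbers per Customer ID rule rejects the fifth and sixth verifications from the card-testing customer and sends a single batched email for them, while never firing for the repeat buyer, who uses one card. The plain Customer ID rule with a 10-minute Window rejects the legitimate buyer's third purchase as well; shrinking the Window to 1 minute still catches the burst but lets the repeat buyer through.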
The only way to override your risk threshold rules is to temporarily disable them in the Control Panel. We typically don’t recommend doing this, but it is possible if you believe an exception should be made for a customer.