Risk threshold rules, often referred to as velocity checks, are designed to detect and prevent carding attacks. The rules trigger different actions when specified customer information passes through the gateway multiple times within a designated time period. The gateway can either send you an email or automatically reject the verifications or transactions that trigger your risk threshold rules. You can create as many of these rules as you would like.
- Log into the Control Panel
- Navigate to Settings > Processing > Risk Thresholds
- Click Options
- Fill in the fields with your desired criteria
- Click Create
After enabling this feature, you can view the rule you created by going to Settings > Processing > Risk Threshold and clicking Options. To create additional rules, click Add; if a rule is not working as expected, you can delete it altogether by clicking Delete next to the rule in question.
The easiest way to understand risk threshold rules is to start with a basic example. For detailed explanations of all available rule criteria, see below.
Let’s say you want to be notified when a customer is adding a lot of new cards to their account, which can be an indicator of a carding attack. Here’s how you might set up this rule:
Action: Email
Alert Email Address: email@example.com
Alert Period (minutes): 20
Field: Customer ID
Threshold: 5
Window (minutes): 10
Based on the criteria chosen above, this would be your rule:
Email me at firstname.lastname@example.org every 20 minutes when 5 or more verifications with the same Customer ID occur within 10 minutes of each other.
While this rule might work for some merchants, it's been our experience that there isn't a one-size-fits-all approach to creating risk threshold rules. Below, we've outlined some basic recommendations for you to consider when constructing rules, but they’ll still need to be tailored to your business model.
When reviewing the recommendations below, keep in mind that a business offering subscription-based services has different needs than one that ships physical products, so they’ll likely need different risk threshold rules to help mitigate attacks. If you have questions as you set up your own rules, feel free to contact our Support team.
Setting your rule’s Action to Email will allow you to monitor activity on your account without impacting your customers. Once you have verified that the rule works as intended, you can update the Action to Gateway Reject to block any transactions that trigger your rule.
If you set your rule’s Action to Email rather than Gateway Reject, the Braintree gateway won’t take any further action. We encourage you to look up the details of the transaction or verification in the Control Panel. If you believe that it might be fraudulent, we suggest that you void or refund the transaction. It's usually best to follow your instincts in these cases.
The Alert Period determines how often you'll be notified that your rule has been triggered. You will get 1 email per Alert Period, so if you'd like to receive more emails, set the Alert Period to a low value. To limit the number of emails received, set the Alert Period to a higher value.
If your customers usually make repeated purchases in a small window of time, set your rule’s Window and Threshold at higher values. This will ensure that legitimate purchases don’t trigger your rule unnecessarily.
However, if your customers are more likely to make infrequent purchases, you could set your Window and Threshold at lower values to detect any transactions that don’t follow the normal pattern.
- Email: Each email notification will include a list of all verifications and transactions that have triggered the rule in the current Alert Period
  - Alert Email Address: The email address that we will send alerts to
  - Alert Period (minutes): This will determine how often email notifications will be sent to you; the lower you set this number, the more emails you will receive if your rule is being triggered (maximum 120 minutes)
- Gateway Reject: Each rejected verification or transaction will have a status of Gateway Rejected and a reason of Fraud
Threshold: The total number of times the Field specified below must be duplicated within your designated Window before the rule is triggered. The request that causes your threshold value to be met, along with any subsequent requests within the Window, will trigger your designated Action. Maximum value is 2147483647.
Window: The rule will be triggered if the Threshold above is reached within this window. The higher the number of minutes, the more likely your rule will be triggered. Once the designated window passes, the rule resets and the count for the Field returns to 0. Maximum 178 minutes.
Field: The Field you choose determines what your rule will monitor. If the Field is duplicated enough times to reach your Threshold within your designated Window, the rule will be triggered. Only one option can be specified per rule, but you can create as many rules as you need.
- Billing Postal Code: Counts the number of transactions or verifications that have used the same billing postal code
- Unique Credit Card Numbers per Billing Postal Code: Counts the number of transactions or verifications that have unique credit card numbers with the same billing postal code
- Credit Card Number: Counts the number of transactions or verifications that have the same credit card number
- Unique Customer ID per Credit Card Number: Counts the number of transactions or verifications that have unique customer IDs and the same credit card number
- Unique Order ID per Credit Card Number: Counts the number of transactions that have unique order IDs and the same credit card number
- Customer Email: Counts the number of transactions or verifications that have the same customer email address
- Customer ID: Counts the number of transactions or verifications that have the same customer ID
- Unique Credit Card Numbers per Customer ID: Counts the number of transactions or verifications that have unique credit card numbers and the same customer ID
- Order ID: Counts the number of transactions that have the same order ID
- Unique Credit Card Numbers per Order ID: Counts the number of transactions that have unique credit card numbers and the same order ID
- Payment Method Token: Counts the number of transactions or verifications that have the same payment method token
- Unique Credit Card Numbers per Payment Method Token: Counts the number of transactions or verifications that have unique credit card numbers with the same payment method token
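The following simulation is an added example, not Braintree's code, showing how Threshold, Window and Field combine for two of the Fields above (Customer ID, and Unique Credit Card Numbers per Customer ID) on the same constructed stream of requests; the event layout, key names and the inclusive window bound are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    field: str            # event key the rule groups on, e.g. "customer_id"
    threshold: int        # count at which the rule fires
    window_min: int       # sliding window in minutes
    unique_of: str = ""   # if set, count distinct values of this key per `field` instead

class VelocityMonitor:
    """Replays requests against one Rule. check() is True for the request that
    reaches the Threshold and for every later request still inside the Window."""
    def __init__(self, rule: Rule) -> None:
        self.rule = rule
        self.history = defaultdict(list)  # field value -> [(minute, unique_of value)]

    def check(self, minute: int, event: dict) -> bool:
        key = event[self.rule.field]
        # Age out requests past the Window (the rule resets); counting age == Window as inside is an assumption.
        recent = [(t, u) for t, u in self.history[key] if minute - t <= self.rule.window_min]
        recent.append((minute, event.get(self.rule.unique_of)))
        self.history[key] = recent
        count = len(recent) if not self.rule.unique_of else len({u for _, u in recent})
        return count >= self.rule.threshold

def replay(rule: Rule, events: list) -> list:
    """Indexes of the events that would trigger the rule's Action (Email or Gateway Reject)."""
    mon = VelocityMonitor(rule)
    return [i for i, (minute, ev) in enumerate(events) if mon.check(minute, ev)]

# Constructed sample (minute, request): c1 cycles through new cards, a carding pattern;
# c2 makes five quick purchases on a single card, the legitimate repeat-purchase pattern.
EVENTS = [
    (0, {"customer_id": "c1", "card": "card-01"}),
    (1, {"customer_id": "c2", "card": "card-90"}),
    (2, {"customer_id": "c1", "card": "card-02"}),
    (2, {"customer_id": "c2", "card": "card-90"}),
    (3, {"customer_id": "c1", "card": "card-03"}),
    (3, {"customer_id": "c2", "card": "card-90"}),
    (4, {"customer_id": "c2", "card": "card-90"}),
    (5, {"customer_id": "c1", "card": "card-04"}),
    (5, {"customer_id": "c2", "card": "card-90"}),   # c2's 5th request within 10 minutes
    (6, {"customer_id": "c1", "card": "card-05"}),   # c1's 5th request and 5th distinct card
    (8, {"customer_id": "c1", "card": "card-06"}),   # still inside c1's window, so it fires too
    (30, {"customer_id": "c1", "card": "card-07"}),  # window passed: c1's count is back to 1
]
CUSTOMER_ID_RULE = Rule("customer_id", 5, 10)  # the page's example: same Customer ID, 5 in 10 minutes
UNIQUE_CARDS_RULE = Rule("customer_id", 5, 10, unique_of="card")  # Unique Credit Card Numbers per Customer ID
```

Replaying both rules shows why the Field matters: the Customer ID rule also flags c2's five purchases on one card, while the unique-cards rule flags only the customer cycling through new cards.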
The only way to override your risk threshold rules is to temporarily disable them in the Control Panel. We typically don’t recommend doing this, but it is possible if you believe an exception should be made for a customer.