Skip to main content

Rules Menu Overview

This section provides a quick guide to each element you see on that screen.

  1. Search Bar - Located at the top-left, this allows you to filter the list of rules.
  2. "New Rule" Button - Located at the top-right. Clicking this opens a form to create a new anti-fraud rule.
  3. Rules Table - The main area displays a table of all configured rules. Each row corresponds to one rule. The columns include:
    • ID - A unique identifier for the rule.
    • Name - The label given to the rule.
    • Level Type - Indicates the scope of the rule:
      • System - The rule applies globally to all transactions in the system.
      • Acquirer - The rule applies to all merchants under that acquirer.
      • Merchant - The rule affects only a specific merchant's transactions.
      • Shop - The rule applies to a specific shop within a merchant.
      • Payment method - The rule applies to transactions using a specific payment method.
    • Level Name - Shows which specific merchant, acquirer, shop, or payment method this rule is tied to. E.g., if Level Type is "Acquirer" and Level Name is "AeterEdge," it means the rule applies to all merchants under the "AeterEdge" acquirer. For System level rules, this field is not applicable.
    • Status - Indicates whether the rule is currently Active or Disabled. "Active" means the rule is in effect and will be evaluated for every incoming transaction that falls under its scope.
    • Action - The automated response the system performs if this rule is triggered. There is no explicit "approve" action. Approval is the default when no triggered rules block the transaction. Available actions:
      • decline - Reject the transaction without notification
      • decline + alert - Reject the transaction and notify the fraud team via email
      • alert - Approve the transaction but notify the fraud team via email
      • 3ds - Force a 3D Secure authentication challenge
    • Created - Shows the timestamp indicating when the rule was originally created.
    • Actions Menu (Three Dots) - On each row's far right, clicking the three dots offers additional options such as edit.

Anti-Fraud Rule Creation Instructions

System Overview and Processing Flow

The anti-fraud system operates as a pre-processing checkpoint. Anti-fraud decisions are made in real-time before payment processing, ensuring fraudulent transactions are blocked before any financial impact occurs. When a transaction is submitted:

  1. Pre-Processing Check: The transaction is evaluated against all applicable anti-fraud rules BEFORE being sent to the payment provider
  2. Rule Evaluation: All relevant rules are applied based on the Level Type
  3. Decision Making: If multiple rules trigger with different actions, the system applies the strongest action (decline overrides alert, decline + alert overrides decline)
  4. Processing Continuation: Only approved transactions proceed to the payment provider

Rule Identification

Rule Name - Give the rule a clear, concise name that describes its purpose.

Description (Optional) - Include a description to clarify the rule's intent.

Selecting the Rule Scope ("Level Type")

You must specify at which level the rule will operate. This is crucial for both Simple and Complex conditions, but especially critical for Complex conditions as it determines the scope of historical data searches.

  1. System

    • The rule applies globally to all transactions in the system
    • For Complex conditions: historical data search includes all transactions across the entire system
    • Use when: Creating global fraud patterns or system-wide thresholds
    • Example: Global decline rate monitoring across all system
  2. Acquirer

    • The rule applies to all merchants that belong to a specific acquirer
    • For Complex conditions: historical data search includes all transactions from all merchants under this acquirer
    • Use when: Monitoring patterns specific to an acquirer's merchant portfolio
    • Example: BIN-specific decline patterns affecting multiple merchants under one acquirer
  3. Merchant

    • The rule applies only to transactions for a specific merchant
    • For Complex conditions: historical data search is limited to transactions from this merchant only
    • Use when: Creating merchant-specific fraud detection rules
    • Example: Merchant with unique business model requiring custom thresholds
  4. Shop

    • The rule applies to transactions from a specific shop within a merchant
    • For Complex conditions: historical data search is limited to transactions from this specific shop only
    • Use when: Different shops have distinct risk profiles
    • Example: High-risk product category shop requiring stricter controls
  5. Payment method

    • The rule applies to transactions using a specific payment method
    • For Complex conditions: historical data search includes transactions using this payment method within the defined scope
    • Use when: Specific payment methods show unique fraud patterns
    • Example: Bank transfer fraud patterns differ from card payments

Level Type affects Complex conditions. A rule checking for "5 failed transactions with the same card" will search different datasets:

  • System level: Searches across ALL transactions in the entire platform
  • Acquirer level: Searches only within that acquirer's merchant transactions
  • Merchant level: Searches only within that specific merchant's history
  • Shop level: Searches only within that specific shop's transaction history
  • Payment method level: Searches transactions using that payment method within the applicable scope

Building Rule Conditions

A rule can contain one or more conditions. All conditions within a single rule are combined with a logical AND operator—every condition must be satisfied for the rule to trigger.

Conditions are of four types:

  1. Simple — Checks a single field of the current transaction
  2. Complex — Queries historical transaction data based on specified criteria
  3. Operation — Performs mathematical calculations on variables from Complex conditions

Simple Conditions

A Simple condition checks one field of the incoming transaction against a specific value, range, or another field.

Available fields include:

  • amount - Transaction amount
  • currency - Transaction currency
  • BIN - Bank Identification Number
  • PAN - Primary Account Number (card number)
  • card_brand - Payment network (visa, mastercard, amex, etc.)
  • status - Transaction status (success, declined, etc.)
  • country by IP - Country inferred from the payer's IP address
  • country of issuer - Country of the card-issuing bank
  • billing country - Country specified in the billing address
  • merchantId - Merchant identifier
  • email - Customer's email address
  • MID - Merchant ID from payment settings

Transaction Type Filtering

All rules can be filtered by transaction type to focus on specific payment flows:

Available Transaction Types:

  • payment - Standard payment transactions from customers
  • payout - Outbound payments to recipients (withdrawals, transfers)
  • refund - Refund transactions reversing previous payments

Usage Guidelines:

  • Use payment filtering for customer fraud detection rules
  • Use payout filtering for detecting unusual withdrawal patterns
  • Use refund filtering for monitoring refund abuse or processing errors
  • Combine with other conditions to create transaction-type-specific rules

Example: Monitor excessive refund requests by filtering for transaction_type = refund combined with PAN and time window conditions.

Complex Conditions

Complex conditions query historical transaction data to identify patterns or anomalies. They select transactions sharing certain characteristics within a specified time window.

Mandatory Parameters for Complex Conditions

CRITICAL: Almost every Complex condition MUST include these three parameters to function properly:

  • Time window - To limit the search scope
  • Transaction type - To specify what you're counting
  • Status

Without these parameters, rules will produce unexpected results and may be functionally meaningless.

Available aggregation types and parameters:

Aggregation Types:

  • Count - Number of matching transactions
  • Sum amounts - Total amount of matching transactions
  • Decline rate - Percentage of declined transactions
  • Has refund - Check if transactions have associated refunds

Filter Parameters:

  • BIN - Match transactions with current or specific BIN
  • PAN - Match transactions with current or specific card number
  • MID - Match transactions with current MID
  • Email - Match transactions with current email
  • Customer - Match transactions from current customer
  • IP address - Match transactions from current IP
  • Device fingerprint - Match transactions with current device fingerprint
  • Status - Filter by transaction status. Cannot be used with decline rate
    • success - Completed transactions
    • failed - Declined or failed transactions
    • override - Transactions modified during two-stage processing (see detailed explanation below)
  • Country by IP - Match transactions from specific IP-based countries
  • Currency - Match transactions in specific currency
  • Payment settings - Match transactions with specific payment configuration
  • Status code - Filter by specific error codes
  • Time - Define the time window for historical data search
  • Transaction type - Payment, Payout, Refund

"Override" Status

The "override" status applies to transactions in two-stage processing scenarios with capture functionality:

  1. Initial Transaction: Customer requests a transaction for a specific amount
  2. Pre-Capture Stage: Transaction is authorized but not yet captured/sent to the payment provider
  3. Amount Modification: Instead of confirming the original amount, the merchant sends a capture request with a different (usually increased) amount
  4. Override Creation: The system marks the original transaction as "override" and creates a new transaction with the updated amount

Use Cases for Override in Anti-Fraud Rules:

  • Detect merchants frequently increasing transaction amounts before capture
  • Monitor patterns of amount manipulation that could indicate fraudulent behavior
  • Track unusual capture behavior across different merchants or time periods

Example: A merchant consistently authorizes transactions for $100 but captures them for $150.

Decline Rate

Decline rate is the ratio of failed transactions to total transactions for specified criteria over a time period.

Formula: (Failed Transactions / Total Transactions) × 100

Important Decline Rate Rules:

  • DO NOT specify a status condition when using decline rate (it's calculated automatically)
  • Status code is OPTIONAL - you can specify it to calculate decline rate for specific error types only
  • Without status code, all failures are counted in the calculation

Advanced Status Code Usage

Beyond basic fraud detection, status codes enable sophisticated pattern analysis:

Common Status Code Applications:

  • 4051 (Insufficient Funds): Detect repeated payment attempts or card testing
  • 4052 (Invalid Card): Identify systematic card validation attacks
  • 4053 (Expired Card): Monitor outdated card usage patterns
  • 4054 (Wrong CVV): Flag potential fraud attempts
  • 4055 (Transaction Declined): Generic decline pattern analysis
  • 4056 (Card Restricted): Detect restricted card usage attempts

Has Refund Conditions

The Has Refund condition detects refund-related fraud patterns by analyzing the timing and frequency of refunds relative to original payments.

Has Refund Parameters:

  • Time Window: Specify how quickly refunds must occur after original payment
  • Duration: Set the time measurement (hours, days, weeks)
  • Transaction Matching: Automatically links refunds to their corresponding payments

Common Use Cases:

  • Refund Fraud Detection: Identify payments that are quickly refunded, indicating potential fraud
  • Processing Issues: Monitor technical problems causing immediate refunds
  • Chargeback Prevention: Detect patterns that might lead to chargebacks

Configuration Example:

has_refund:
duration < 10
measurement = day

This detects payments that have associated refunds within 10 days.

Advanced Refund Scenarios:

  • Rapid Refund Pattern: Payment followed by refund within 24 hours
  • Partial Refund Analysis: Detect unusual partial refund patterns
  • Cross-Card Refund Fraud: Monitor refunds to different cards than original payment

Business Context: Legitimate refunds typically occur 3-7 days after purchase, while fraudulent transactions often show refund requests within 24-48 hours.

Operation Conditions

Operation conditions perform mathematical calculations on variables captured from Complex conditions.

Workflow:

  1. Complex condition captures values into a variable (e.g., amounts, counts)
  2. Operation condition performs calculation (e.g., sum)
  3. Simple condition compares the result to a threshold or another variable

Available Operations:

  • sum - Add all values in the variable array
  • count - Count specific values (e.g., count of specific status)

Variables and Comparisons

Variables allow you to:

  1. Store results from Complex conditions
  2. Compare multiple Complex condition results

Variable Types:

  • amount - Store transaction amounts for later summation
  • count - Store count directly from complex conditions (actual number, not true/false)
  • status - Store status values for counting specific statuses

Variable Usage:

  • Complex conditions can store their count or sum results in named variables
  • These variables contain the actual numeric results (e.g., 15 transactions, $2,500 total)
  • Variables can be compared using Simple conditions
  • Coefficients can be applied for proportional comparisons

Coefficient-Based Comparisons: Coefficients enable sophisticated proportional analysis:

  • Compare variables with multipliers
  • Example: fail_count > 0.5 × success_count (failures exceed half of successes)
  • Example: refund_amount > 0.3 × payment_amount (refunds exceed 30% of payments)
  • Useful for percentage-based rules without explicit percentage calculations

Action Selection and Rule Conflicts

Choose the action when all rule conditions are satisfied:

  1. Decline + Alert — Reject the transaction and send email notification to the anti-fraud team
  2. Decline — Reject the transaction without notification
  3. 3DS — Force 3D Secure authentication challenge
  4. Alert — Approve the transaction but send email notification for review

Multiple Rule Conflicts

When multiple rules trigger for the same transaction, the system applies action hierarchy:

Action Priority (Strongest to Weakest):

  1. Decline + Alert (Highest priority)
  2. Decline
  3. 3DS
  4. Alert (Lowest priority)

Conflict Resolution Examples:

  • Rule A triggers "Alert" + Rule B triggers "Decline" = Transaction is Declined
  • Rule A triggers "3DS" + Rule B triggers "Decline + Alert" = Transaction is Declined with Alert
  • Multiple "Alert" rules = Single alert notification sent with all rule IDs

Email Alert

Alert Notifications

The anti-fraud system automatically sends email notifications when rules with "Alert" or "Decline + Alert" actions trigger.

Alert Email Contents:

  • Transaction ID and basic details
  • Triggered rule name and ID
  • Rule conditions that matched
  • Direct links to transaction details in admin panel

Finalizing and Saving the Rule

After configuring all conditions and action:

  1. Review all conditions for completeness
  2. Click Create Rule to save and activate
  3. Click Cancel to discard changes

The new rule appears in the rules list and immediately begins evaluating incoming transactions.


Status Code Reference

CodeDescriptionCommon Use Case
4000ApprovedMonitor successful transaction patterns
4001Refer To IssuerDetect cards requiring manual verification
4002Refer To Issuer ConditionTrack conditional approval patterns
4003Invalid MerchantIdentify merchant configuration issues
4004Capture CardFlag potentially compromised cards
4005Do Not HonorMonitor general issuer declines
4006ErrorTrack processing errors
4007Pickup Card FraudDetect fraud account patterns
4008Honor IdMonitor ID verification requirements
4010Partial ApprovalTrack partial payment patterns
4011Approved VIPMonitor VIP transaction patterns
4012Invalid TransactionDetect malformed transaction attempts
4013Invalid AmountFlag unusual amount patterns
4014Invalid Card NumberIdentify card number testing
4015Invalid IssuerTrack issuer-related problems
4016Approved Update Track3Monitor track data update patterns
4017Decline Customer CancelTrack customer cancellation patterns
4019Re-enter TransactionDetect retry patterns
4020Update QRCMonitor QR code update requirements
4021Card Not InitTrack uninitialized card usage
4022Suspect MalfunctionDetect system malfunction patterns
4025Original Tx Not FoundMonitor refund/void attempt patterns
4028File Temp UnavailableTrack temporary system issues
4030Format ErrorDetect data format attack patterns
4032Decline Partial ReversalMonitor partial reversal patterns
4033Expired Card PickupTrack expired card usage patterns
4034FraudDirect fraud detection indicator
4038Pin Limit ExceededDetect PIN brute force attempts
4039No Credit AccountTrack credit account availability
4040Unsupported FunctionMonitor unsupported operation attempts
4041Lost CardFlag lost card usage patterns
4043Stolen CardDetect stolen card usage
4045Fallback Not AllowedTrack fallback transaction patterns
4051Insufficient FundsDetect repeated payment attempts
4052No Cheque AccountMonitor cheque account issues
4053No Savings AccountTrack savings account problems
4054Expired CardPattern analysis for expired cards
4055Invalid PINFraud indicator for PIN attacks
4057Not Permitted IssuerTrack issuer restriction patterns
4058Not Permitted AcquirerMonitor acquirer restriction patterns
4059Suspected FraudDirect fraud suspicion indicator
4061Exceeds Withdrawal AmtMonitor withdrawal limit violations
4062Restricted CardRestricted card usage patterns
4063Security ViolationTrack security breach attempts
4064Original Tx Amount ErrMonitor transaction amount discrepancies
4065Exceeds Withdrawal CountTrack withdrawal frequency violations
4068Response LateMonitor timeout patterns
406PVerification FailTrack verification data failures
4070Contact IssuerMonitor issuer contact requirements
4071Pin Not ChangedTrack PIN change failures
4074Pin Encryption ErrorDetect PIN encryption issues
4075Pin Tries ExceededMonitor PIN attempt limit violations
4076Invalid To AccountTrack account transfer errors
4077Invalid From AccountMonitor source account issues
4078Invalid AccountGeneral account validation failures
4079Lifecycle MCTrack Mastercard lifecycle issues
4080Visa Credit Issuer UnavailableMonitor Visa issuer availability
4081Domestic Debit Not AllowedTrack domestic debit restrictions
4082Policy MCMonitor Mastercard policy violations
4083Fraud Security MCDetect Mastercard fraud indicators
4084Invalid Auth LifecycleTrack authorization lifecycle issues
4085Not DeclinedMonitor non-decline patterns
4086Pin Val ImpossibleTrack PIN validation failures
4087Purchase No CashbackMonitor cashback restriction patterns
4088Crypto FailDetect cryptographic failures
4089Pin UnacceptableTrack unacceptable PIN patterns
4090Cutoff In ProcessMonitor cutoff period transactions
4091Auth Sys InoperativeTrack authorization system outages
4092Unable To RouteMonitor routing failure patterns
4093Tx Violation Of LawDetect legal violation attempts
4094Duplicate TransmissionTrack duplicate transaction patterns
4096System ErrorMonitor general system errors
4097Atm Pos Term Not FoundTrack terminal identification issues
4098Issuer Resp Not ReceivedMonitor issuer response timeouts
4099Pin Block ErrorDetect PIN block format errors
40A0Mac FailedTrack MAC validation failures
40A2Success FaultMonitor successful transactions with faults
40A3Account Not Found TransferTrack transfer account issues
40A7Security Proc FailDetect security processing failures
40B1No Arrears ReceiptMonitor receipt processing issues
40C1Illegal Acquirer StatusTrack acquirer status violations
40D1Incorrect IINMonitor incorrect IIN patterns
40D2Date ErrorTrack date-related processing errors
40D3Invalid File TypeMonitor file processing issues
40D4File ProcessedTrack file processing status
40D5No Such FileMonitor file availability issues
40D6Not Supported ReceiverTrack receiver compatibility issues
40D7File LockedMonitor file locking patterns
40D8UnsuccessfulTrack general processing failures
40D9Incorrect File LengthMonitor file format issues
40DAFile Compression ErrorTrack compression failure patterns
40DBFile Name ErrorMonitor file naming issues
40DCFile Cannot Be ReceivedTrack file reception failures
40F1File Record Format ErrorMonitor record format issues
40F2File Record RepeatTrack duplicate record patterns
40F3File Record Not ExistMonitor missing record issues
40F4File Record ErrorTrack general record errors
400AApproval LoadMonitor approval with load patterns
401ASca Required VisaTrack SCA requirement patterns
40N0Force StipMonitor STIP enforcement patterns
40N1Items Not On BankbookTrack bankbook limit violations
40N3Cash Not AvailableMonitor cash service availability
40N4Cashback Exceeds LimitTrack cashback limit violations
40N7Decline Cvv2Detect CVV2 validation failures
40N8Tx Amt Exceeds Pre AuthMonitor pre-authorization violations
40P1Contact Number Not FoundTrack contact information issues
40P2Invalid BillingMonitor billing validation failures
40P5Pin Change DeclinedTrack PIN change failure patterns
40P6Unsafe PinDetect unsafe PIN patterns
40Q1Card Auth FailedTrack card authentication failures
40R0Stop PaymentMonitor stop payment order patterns
40R1Revoke AuthTrack authorization revocation patterns
40R2Tx Not Qualify Visa PinMonitor Visa PIN qualification issues
40R3Revoke All AuthTrack mass authorization revocations
40Y1Offline Tx SuccessMonitor offline transaction patterns
40Y3Offline Tx Success No OnlineTrack offline-only transaction patterns
40Z1Offline Tx FailMonitor offline transaction failures
40Z3No Online DeclinedTrack online connectivity issues
40Z5Valid Account Amt Not SupportedMonitor amount support limitations
40Z6Invalid Mcc UseTrack MCC usage violations

Glossary

  • BIN: Bank Identification Number - first 6-8 digits of a card
  • PAN: Primary Account Number - full card number
  • MID: Merchant Identifier - unique merchant code
  • Decline Rate: Percentage of failed vs total transactions
  • Level Type: Scope of rule application (System/Acquirer/Merchant/Shop/Payment method)
  • Complex Condition: Query against historical transaction data
  • Simple Condition: Check against current transaction fields
  • Has Refund: Specialized condition for detecting refund timing patterns
  • Override Status: Transaction modified during two-stage processing with capture
  • Status Code: Specific error code from payment processor
  • Device Fingerprint: Unique identifier combining browser and device data
  • Variables: Named storage for numeric values from Complex conditions
  • Coefficients: Multipliers used in variable comparisons for proportional analysis
  • Action Hierarchy: Priority system determining final action when multiple rules trigger
  • Transaction Type: Classification of transaction as payment, payout, or refund
  • Multi-Currency: System capability to handle multiple currencies with automatic conversion

Example Anti-Fraud Configurations

Below are examples of increasingly complex anti-fraud rule configurations.

Simple examples

Example #1: Single Simple Condition → Alert

Scenario: Flag large transactions for review

  1. Rule Name: "Test rule #1"
  2. Level Type: Merchant
  3. Condition: Simple condition - Amount > 500
  4. Action: Alert

Result: Transactions over 500 at this merchant trigger email alerts without blocking.

Example #2: Multiple Simple Conditions → Alert

Scenario: Flag mid-range transactions

  1. Rule Name: "Test rule #2"
  2. Level Type: Merchant
  3. Conditions:
    • Amount > 500 AND
    • Amount ≤ 1000
  4. Action: Alert

Result: Transactions between 501-1000 trigger alerts.

Example #3: Historical BIN Lookup → Alert

Scenario: Detect repeated BIN usage

  1. Rule Name: "Test rule #3"
  2. Level Type: Merchant
  3. Complex Condition:
    • Count > 3
    • BIN = Current BIN
  4. Action: Alert

Result: Alert when a BIN has been used more than 3 times in history.

Example #4: Time-Based Complex Condition → Alert

Scenario: Detect velocity attacks

  1. Rule Name: "Test rule #4"
  2. Level Type: Merchant
  3. Complex Condition:
    • Count > 3
    • BIN = Current BIN
    • Status = declined
    • Time = last 24 hours
  4. Action: Alert

Result: Alert when same BIN has >3 declines in 24 hours.

Example #5: Combined Simple and Complex → Alert

Scenario: High-value transactions with suspicious history

  1. Rule Name: "Test rule #5"
  2. Level Type: Merchant
  3. Conditions:
    • Simple: Amount > 1000
    • Complex: Count > 3, BIN = Current BIN
  4. Action: Alert

Result: Alert for high-value transactions when BIN has extensive history.

Example #6: Multiple Condition Types → Alert

Scenario: High-value transaction after multiple failures

  1. Rule Name: "Test rule #6"
  2. Level Type: Merchant
  3. Conditions:
    • Simple: Amount > 1000
    • Complex: Count > 3, BIN = Current BIN, Status = declined, Time = 24 hours
  4. Action: Alert

Result: Alert for large transactions following recent failures.

Example #7: Sum Operation with Variables → Alert

Scenario: Cumulative spending limit

  1. Rule Name: "Test rule #7"
  2. Level Type: Merchant
  3. Complex Condition:
    • PAN = Current PAN
    • Status = success
    • Time = last 24 hours
    • Store amounts in variable: "Success_Amount"
  4. Operation: Sum "Success_Amount" → "Sum_Success_Amount"
  5. Simple Condition: Sum_Success_Amount > 500
  6. Action: Alert

Result: Alert when total successful transactions for a card exceed 500 in 24 hours.

Advanced examples

Example #8: Decline Rate with Status Code

Scenario: High decline rate for insufficient funds

  1. Rule Name: "Insufficient Funds Pattern"
  2. Level Type: Acquirer
  3. Complex Condition:
    • Decline Rate > 30%
    • Status Code = "4051" (Insufficient Funds)
    • BIN = Current BIN
    • Time = last 24 hours
    • Count ≥ 100 (minimum transactions for significance)
    • PAN is uniq (unique cards)
  4. Action: Decline + Alert

Result: Block transactions when BIN shows pattern of insufficient funds across many unique cards.

Example #9: Variable Comparison with Coefficient

Scenario: Detect disproportionate failures

  1. Rule Name: "Failure Rate Analysis"
  2. Level Type: System
  3. Complex Condition 1:
    • Count all transactions → store as "total_count"
    • MID = Current MID
    • Time = last 24 hours
  4. Complex Condition 2:
    • Count failed transactions with status_code "4051" → store as "fail_51_count"
    • MID = Current MID
    • Time = last 24 hours
  5. Simple Condition: fail_51_count > 0.5 × total_count
  6. Action: Alert

Result: Alert when more than half of transactions fail with insufficient funds.

Example #10: Geographic Mismatch Detection

Scenario: Detect potential card fraud through geographic inconsistencies

  1. Rule Name: "Geographic Fraud Detection"
  2. Level Type: System
  3. Simple Conditions:
    • Country by IP ≠ Country of issuer
    • Amount > 1000
  4. Complex Condition:
    • Count > 5
    • PAN = Current PAN
    • Status = failed
    • Time = last 6 hours
  5. Action: Decline + Alert

Result: Block high-value transactions from different countries when the card has recent failure history.

Example #11: Has Refund Detection

Scenario: Detect rapid refund fraud patterns

  1. Rule Name: "Rapid Refund Fraud"
  2. Level Type: Merchant
  3. Complex Condition:
    • BIN = Current BIN
    • Transaction Type = payment
    • Has Refund: duration < 2 days
  4. Simple Condition: Amount > 1000
  5. Action: Decline + Alert

Result: Block high-value payments from BINs that show patterns of quick refunds.

Example #12: Multi-Currency Fraud Detection

Scenario: Detect unusual currency mixing patterns

  1. Rule Name: "Currency Switching Pattern"
  2. Level Type: System
  3. Complex Condition 1:
    • Count transactions → store as "eur_count"
    • PAN = Current PAN
    • Currency = EUR
    • Time = last 4 hours
  4. Complex Condition 2:
    • Count transactions → store as "usd_count"
    • PAN = Current PAN
    • Currency = USD
    • Time = last 4 hours
  5. Simple Condition: eur_count > 3 AND usd_count > 3
  6. Action: Alert

Result: Alert when same card attempts transactions in multiple currencies within short timeframe.

Example #13: BIN Decline Rate Pattern Detection

Scenario: Detect BINs with high decline rates for specific error messages across multiple merchants

Configuration Requirements:

  1. Rule Name: "BIN High Decline Pattern"
  2. Level Type: System
  3. Complex Condition 1:
    • Decline Rate > 30%
    • Status Code = [specific error code]
    • BIN = Current BIN
    • PAN is unique
    • MID is single
    • Time = consecutive 24 hours
  4. Complex Condition 2:
    • Count ≥ 3
    • BIN = Current BIN
    • MID is unique
    • Time = last 48 hours
  5. Action: Decline + Alert

Example #14: High-Value Refund with Chargeback Pattern

Scenario: Block transactions when cumulative refunds exceed threshold with chargeback history

Configuration Requirements:

  1. Rule Name: "High Refund Chargeback Risk"
  2. Level Type: Merchant
  3. Complex Condition 1 (Chargeback check):
    • Count ≥ 3
    • PAN = Current PAN
    • Transaction Type = refund
    • Time = last 30 days
    • Has Refund: duration < 2 hours (for rapid chargeback detection)
  4. Complex Condition 2 (Refund amount accumulation):
    • PAN = Current PAN
    • Transaction Type = refund
    • Currency = Current Currency
    • Time = last 24 hours
    • Store amounts in variable: "refund_amounts"
  5. Operation: Sum "refund_amounts" → "total_refunds"
  6. Simple Condition 1: total_refunds ≥ 2500
  7. Simple Condition 2: Currency = EUR OR Currency = GBP
  8. Action: Decline + Alert

Example #15: Refund Exceeds Payment Amount

Scenario: Detect when refunds exceed total payment amounts

Configuration Requirements:

  1. Rule Name: "Refund Payment Imbalance"
  2. Level Type: Merchant
  3. Complex Condition 1 (Refund amounts):
    • PAN = Current PAN
    • Transaction Type = refund
    • Status = success
    • Time = last 24 hours
    • Store amounts in variable: "refund_amounts"
  4. Complex Condition 2 (Payment amounts):
    • PAN = Current PAN
    • Transaction Type = payment
    • Status = success
    • Time = last 24 hours
    • Store amounts in variable: "payment_amounts"
  5. Operation 1: Sum "refund_amounts" → "total_refunds"
  6. Operation 2: Sum "payment_amounts" → "total_payments"
  7. Simple Condition: total_refunds > total_payments
  8. Action: Decline + Alert

Example #16: High-Risk Jurisdiction with Failed Attempts

Scenario: Block cards from high-risk countries with multiple failures

Configuration Requirements:

  1. Rule Name: "High-Risk Country Pattern"
  2. Level Type: System
  3. Complex Condition 1 (Total attempts):
    • Count > 5
    • PAN = Current PAN
    • Time = last 24 hours
  4. Complex Condition 2 (Failed attempts):
    • Count ≥ 3
    • PAN = Current PAN
    • Status = failed
    • Time = last 24 hours
  5. Simple Condition: Country of issuer IN ["AF", "AL", "BA", "BY", "CF", "CG", "CD", "CU", "GN", "GW", "HT", "IR", "IQ", "LB", "LY", "ML", "MM", "NI", "KP", "PK", "SO", "SS", "SD", "SY", "VE", "YE", "ZW"]
  6. Action: Decline + Alert

Example #17: MID Insufficient Funds Pattern

Scenario: Monitor merchants with high insufficient funds decline rates

Configuration Requirements:

  1. Rule Name: "MID Insufficient Funds Monitor"
  2. Level Type: Merchant
  3. Complex Condition:
    • Decline Rate > 30%
    • Status Code = "4051" (Insufficient Funds)
    • MID = Current MID
    • Time = consecutive 24 hours
    • Count ≥ 50 (minimum for statistical significance)
  4. Action: Alert

Example #18: New Customer High-Value Transaction

Scenario: Flag first-time high-value transactions with geographic mismatch

Configuration Requirements:

  1. Rule Name: "New Customer High Value"
  2. Level Type: Merchant
  3. Complex Condition 1 (Customer history):
    • Count = 0
    • Customer = Current Customer
    • MID = Current MID
  4. Complex Condition 2 (PAN history):
    • Count = 0
    • PAN = Current PAN
  5. Simple Condition 1: Amount ≥ 3000
  6. Simple Condition 2: Currency = EUR
  7. Simple Condition 3: Country by IP ≠ Billing country
  8. Action: Decline + Alert

Example #19: Multiple Cards Same IP with Failures

Scenario: Detect card testing from single IP address

Configuration Requirements:

  1. Rule Name: "IP Card Testing Pattern"
  2. Level Type: System
  3. Complex Condition 1 (Successful PANs from IP):
    • Count > 5
    • IP address = Current IP
    • Status = success
    • PAN is unique
    • Time = last 24 hours
    • Store PANs in variable: "successful_pans"
  4. Complex Condition 2 (Failed attempts before success):
    • Count ≥ 3
    • PAN IN "successful_pans"
    • Status = failed
    • Time = last 24 hours
  5. Action: Decline + Alert

Example #20: Multiple Cards Same Device Fingerprint

Scenario: Detect multiple cards from same device

Configuration Requirements:

  1. Rule Name: "Device Multiple Cards"
  2. Level Type: System
  3. Complex Condition:
    • Count > 5
    • IP address = Current IP
    • Status = success
    • PAN is unique
    • Device fingerprint matches at least 2 PANs
    • Time = last 24 hours
  4. Action: Decline + Alert

Example #21: Email/Phone Linked to Multiple Cards

Scenario: Detect single contact information used with multiple cards

Configuration Requirements:

  1. Rule Name: "Contact Info Multiple Cards"
  2. Level Type: System
  3. Complex Condition (Email check):
    • Count ≥ 3
    • Email = Current Email
    • Status = success
    • PAN is unique
  4. OR Complex Condition (Phone check):
    • Count ≥ 3
    • Phone = Current Phone
    • Status = success
    • PAN is unique
  5. Action: Decline + Alert

Example #22: Geographic Velocity Check

Scenario: Detect impossible travel patterns

Configuration Requirements:

  1. Rule Name: "Geographic Velocity Fraud"
  2. Level Type: System
  3. Complex Condition:
    • Count ≥ 1
    • PAN = Current PAN
    • Country by IP ≠ Current Country by IP
    • Device fingerprint ≠ Current Device fingerprint
    • Time = last 15 minutes
  4. Action: Decline + Alert