Risk Threshold Rules

Risk threshold rules, often referred to as velocity checks, are designed to detect and prevent fraud. The rules trigger different actions when specified customer information passes through the gateway multiple times within a designated time period. The gateway can either send you an email or automatically reject the verifications or transactions that trigger your risk threshold rules. You can create as many of these rules as you’d like.

Note: Risk threshold rules only apply to credit card transactions. Also, because BigCommerce does not support card verification, any rules you create for verifications will not work.

Enabling risk threshold rules

  1. Log in to the Braintree Control Panel
  2. Navigate to Settings > Processing > Basic Credit Card Fraud Tools > Risk Thresholds
  3. Click Edit
  4. Fill in the fields with your desired criteria
  5. Click Create

If the rule is not working as expected, it can be deleted altogether by going to Settings > Processing > Basic Credit Card Fraud Tools > Risk Threshold Rules > Edit and clicking Delete next to the rule in question.

Example

The easiest way to understand risk threshold rules is to start with a basic example. For detailed explanations of all available rule criteria, see below.

Let’s say you want to be notified if a customer uses the same credit card to make 5 or more purchases in a 10-minute period, which could be an indicator of fraud. Here’s how you might set up this rule:

  • Action: Email
    • Alert Email Address: fraudalerts@yourcompanyname.com
    • Alert Period (minutes): 20
  • Threshold: 5
  • Operation: Transactions
  • Fields: Credit Card Number
  • Window (minutes): 10

Based on the criteria chosen above, this would be your rule:

Email me at fraudalerts@yourcompanyname.com every 20 minutes when 5 or more transactions with the same Credit Card Number occur within 10 minutes of each other.

While this rule might work for some merchants, it's been our experience that there isn't a one-size-fits-all approach to creating risk threshold rules. Below, we've outlined some basic recommendations to consider when constructing rules, but they’ll still need to be tailored to your business model.

Recommended setup options

When reviewing the recommendations below, keep in mind that a business offering subscription-based services has different needs than one that ships physical products, so they’ll likely need different risk threshold rules to help mitigate fraud.

Monitor first

Setting your rule’s Action to Email will allow you to monitor activity on your account without impacting your customers. Once you have verified that the rule works as intended, you can update the Action to Gateway Reject to block any transactions that trigger your rule.

Review your alerts

If you set your rule’s Action to Email rather than Gateway Reject, the Braintree gateway won’t take any further action. We encourage you to look up the details of the transaction or verification in the Control Panel. If you believe that it might be fraudulent, we suggest that you void or refund the transaction. It's usually best to follow your instincts in these cases.

Choose your alert frequency

The Alert Period determines how often you'll be notified that your rule has been triggered. You will get 1 email per Alert Period, so if you'd like to receive more emails, set the Alert Period to a low value. To limit the number of emails received, set the Alert Period to a higher value.

Consider purchase frequency

If your customers usually make repeated purchases in a small window of time, set your rule’s Window and Threshold at higher values. This will ensure that legitimate purchases don’t trigger your rule unnecessarily.

However, if your customers are more likely to make infrequent purchases, you could set your Window and Threshold at lower values to detect any transactions that don’t follow the normal pattern.

Rule criteria

Action

  • Email: Each email notification will include a list of all verifications and transactions that have triggered the rule in the current Alert Period
    • Alert Email Address: The email address that alerts will be sent to
    • Alert Period (minutes): This will determine how often email notifications will be sent to you; the lower you set this number, the more emails you will receive if your rule is being triggered (maximum 120 minutes)
  • Gateway Reject: Each rejected verification or transaction will have a status of Gateway Rejected and a reason of Fraud in the Braintree Control Panel

Threshold

The total number of times the Field specified below must be duplicated before the rule is triggered. Maximum 2147483647.

Operation

Indicates whether the rule should monitor transactions or verifications.

Note: Remember, because BigCommerce does not support card verification, any rules you create for verifications will not work.

Window (minutes)

The rule will be triggered if the above Threshold is reached within this window. The higher the number of minutes, the more likely your rule is to be triggered. Maximum 20160 minutes.

Fields

The Field you choose determines what your rule will monitor. If the Field is duplicated enough times to reach your Threshold, the rule will be triggered. Only one option can be specified per rule, but you can create as many rules as you need.

  • Billing Postal Code: Counts the number of transactions or verifications that have used the same billing postal code
  • Unique Credit Card Numbers per Billing Postal Code: Counts the number of transactions or verifications that have unique credit card numbers with the same billing postal code
  • Credit Card Number: Counts the number of transactions or verifications that have the same credit card number
  • Unique Customer ID per Credit Card Number: Counts the number of transactions or verifications that have unique customer IDs and the same credit card number
  • Unique Order ID per Credit Card Number: Counts the number of transactions or verifications that have unique order IDs and the same credit card number
  • Customer Email: Counts the number of transactions or verifications that have the same customer email address
  • Customer ID: Counts the number of transactions or verifications that have the same customer ID
  • Unique Credit Card Numbers per Customer ID: Counts the number of transactions or verifications that have unique credit card numbers and the same customer ID
  • Order ID: Counts the number of transactions or verifications that have the same order ID
  • Unique Credit Card Numbers per Order ID: Counts the number of transactions or verifications that have unique credit card numbers and the same order ID
  • Payment Method Token: Counts the number of transactions or verifications that have the same payment method token
  • Unique Credit Card Numbers per Payment Method Token: Counts the number of transactions or verifications that have unique credit card numbers with the same payment method token

Many of the Fields above are not required in the Braintree gateway and may not be communicated to Braintree by BigCommerce. To make sure your risk threshold rules work properly, check with the BigCommerce Support team to be sure all transactions include all the Fields your rules rely on.
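
The following Python model is an added example, not Braintree or BigCommerce code. It shows how Threshold, Window, Field and Alert Period interact, including the "Unique X per Y" Fields and a transaction that arrives without the monitored Field. The counting semantics (a sliding window, one email per Alert Period starting at the first trigger) and all names and sample data are assumptions.

```python
from collections import defaultdict, deque

class VelocityRule:
    """Model of one risk threshold rule (assumed semantics, not gateway code)."""

    def __init__(self, field, threshold, window_min, unique_of=None):
        self.field = field          # grouping Field, e.g. "card_number"
        self.unique_of = unique_of  # set for "Unique X per Y" Fields (X)
        self.threshold = threshold
        self.window = window_min * 60
        self.events = defaultdict(deque)  # field value -> (ts, counted value)

    def check(self, txn):
        """Record txn; return True if the count is at or above the Threshold."""
        key = txn.get(self.field)
        counted = txn.get(self.unique_of) if self.unique_of else txn["id"]
        if key is None or counted is None:
            return False  # Field was never sent, so the rule cannot count it
        q = self.events[key]
        q.append((txn["ts"], counted))
        while q[0][0] < txn["ts"] - self.window:  # slide the Window forward
            q.popleft()
        return len({value for _, value in q}) >= self.threshold

def triggers(rule, txns):
    """(ts, id) of every transaction that trips the rule, in time order."""
    ordered = sorted(txns, key=lambda t: t["ts"])
    return [(t["ts"], t["id"]) for t in ordered if rule.check(t)]

def emails(hits, alert_period_min):
    """One email per Alert Period; assumed to start at the first trigger."""
    batches, start = [], None
    for ts, txn_id in hits:
        if start is None or ts >= start + alert_period_min * 60:
            start = ts
            batches.append([])
        batches[-1].append(txn_id)
    return batches

# Constructed sample data: timestamps in seconds, card numbers as placeholders.
BURST = [{"id": f"t{i}", "ts": i * 60, "card_number": "card_A",
          "customer_id": "c1"} for i in range(6)]
BURST.append({"id": "t6", "ts": 2000, "card_number": "card_A", "customer_id": "c1"})
BURST.append({"id": "t7", "ts": 100, "customer_id": "c1"})  # no card Field sent
MANY_CARDS = [{"id": f"m{i}", "ts": i * 30, "customer_id": "c9", "card_number": c}
              for i, c in enumerate(["card_1", "card_2", "card_2", "card_3"])]

if __name__ == "__main__":
    hits = triggers(VelocityRule("card_number", 5, 10), BURST)
    print(hits, emails(hits, 20))
    per_customer = VelocityRule("customer_id", 3, 10, unique_of="card_number")
    print(triggers(per_customer, MANY_CARDS))
```

A rule keyed on a Field that no transaction carries never fires, which is why the check with BigCommerce Support described above matters before relying on a rule.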
