101
0/273
Loading content...
Payment fraud costs the global economy over $30 billion annually, and the number grows every year. For every $1 of fraud, merchants lose an additional $3.75 in chargebacks, fees, and operational costs. But here's the paradox: aggressive fraud prevention creates its own costs—false positives that incorrectly reject legitimate customers can cost merchants up to 13x more in lost lifetime value than the fraud they prevent.
Fraud detection is not a binary problem of "block all bad transactions." It's a nuanced optimization problem: maximize legitimate transaction approval while minimizing fraud losses. This requires sophisticated real-time decision systems, machine learning models trained on billions of transactions, and constant adaptation to evolving fraud patterns.
By the end of this page, you will understand the taxonomy of payment fraud, rule-based and ML-based detection systems, real-time scoring architecture, the precision/recall tradeoff in fraud prevention, 3D Secure and SCA compliance, and post-transaction fraud analysis.
Understanding the types of fraud is essential for building effective detection systems. Each type has distinct patterns, detection signals, and mitigation strategies.
| Fraud Type | Description | Key Signals | Mitigation |
|---|---|---|---|
| Card Not Present (CNP) | Using stolen card details online | Unusual location, velocity, BIN mismatch | 3DS, velocity limits, device fingerprinting |
| Account Takeover (ATO) | Hijacking legitimate user accounts | Device change, behavior anomaly, password reset | MFA, behavioral biometrics, session analysis |
| Friendly Fraud | Customer disputes legitimate purchase | First-time disputer, digital goods, high risk MCC | Enhanced evidence collection, blacklisting |
| Card Testing | Testing stolen cards with small amounts | Micro transactions, velocity spikes, same BIN range | CAPTCHA, minimum amounts, velocity limits |
| Synthetic Identity | Created identity using mixed real/fake data | Thin credit file, new account, velocity patterns | Identity verification, credit checks |
| Merchant Fraud | Merchant processes fraudulent transactions | Chargeback ratio, transaction patterns, bust-out | Underwriting, monitoring, reserves |
| BIN Attacks | Systematically generating valid card numbers | Sequential card numbers, automated patterns | Rate limiting, BIN blacklisting, CAPTCHA |
The Fraud Lifecycle:
Fraud attempts follow a predictable lifecycle that creates detection opportunities:
The average time from card compromise to fraudulent use is 9 days. The average time from fraud to chargeback is 45 days. Your detection system has a narrow window to catch fraud before authorization, and a longer window to flag suspicious patterns for manual review before chargeback.
A production fraud detection system combines multiple layers of defense, each with different latency/accuracy tradeoffs:
No single layer catches all fraud. Blocklists catch known bad actors but miss new ones. ML models catch patterns but can be fooled. Manual review catches sophisticated attacks but doesn't scale. The combination creates robust defense.
Rules are the foundation of fraud detection—explicit, interpretable conditions that trigger actions. While ML has become dominant, rules remain essential for:
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122
// Rule Engine for Fraud Detection interface FraudRule { id: string; name: string; description: string; priority: number; // 1 = highest priority enabled: boolean; condition: RuleCondition; action: RuleAction; metadata: { createdAt: Date; lastTriggered?: Date; triggerCount: number; };} type RuleAction = | { type: 'decline'; reason: string } | { type: 'review'; queue: string } | { type: 'score_adjustment'; amount: number } | { type: 'challenge'; method: '3ds' | 'sms' | 'email' } | { type: 'flag'; tags: string[] }; interface RuleCondition { operator: 'AND' | 'OR'; conditions: (AtomicCondition | RuleCondition)[];} interface AtomicCondition { field: string; // e.g., "transaction.amount", "card.country" operator: ConditionOperator; value: unknown;} type ConditionOperator = | 'equals' | 'not_equals' | 'greater_than' | 'less_than' | 'in' | 'not_in' | 'contains' | 'matches_regex' | 'velocity_exceeds'; // Special: check velocity limits // Example Rulesconst exampleRules: FraudRule[] = [ // Rule 1: Block known fraud BINs { id: 'rule_block_fraud_bins', name: 'Block High-Risk BINs', description: 'Decline cards from known fraud-heavy BIN ranges', priority: 1, enabled: true, condition: { operator: 'OR', conditions: [ { field: 'card.bin', operator: 'in', value: FRAUD_BIN_LIST }, ], }, action: { type: 'decline', reason: 'card_not_supported' }, metadata: { createdAt: new Date(), triggerCount: 0 }, }, // Rule 2: Review high-value first-time purchases { id: 'rule_high_value_new_customer', name: 'High Value New Customer Review', description: 'Manual review for large first purchases', priority: 5, enabled: true, condition: { operator: 'AND', conditions: [ { field: 'transaction.amount', operator: 'greater_than', value: 50000 }, // $500+ { field: 'customer.is_new', operator: 'equals', value: true }, { field: 'customer.previous_orders', operator: 'equals', value: 0 }, ], }, action: { type: 'review', queue: 'high_value' }, metadata: { createdAt: new Date(), triggerCount: 0 }, }, // Rule 3: Velocity limit on cards { id: 'rule_card_velocity', name: 'Card Velocity Limit', description: 'Limit transactions per card per hour', priority: 3, enabled: true, condition: { operator: 'AND', conditions: [ { field: 'card.velocity_1h', operator: 'velocity_exceeds', value: { count: 5, window: '1h' } }, ], }, action: { type: 'challenge', method: '3ds', }, metadata: { createdAt: new Date(), triggerCount: 0 }, }, // Rule 4: Geographic mismatch { id: 'rule_geo_mismatch', name: 'Geographic Mismatch', description: 'Flag when IP country differs from card country', priority: 4, enabled: true, condition: { operator: 'AND', conditions: [ { field: 'ip.country', operator: 'not_equals', value: '$card.issuing_country' }, { field: 'customer.is_known_traveler', operator: 'equals', value: false }, ], }, action: { type: 'score_adjustment', amount: 150 }, // Add 150 to risk score metadata: { createdAt: new Date(), triggerCount: 0 }, },];123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122
class FraudRuleEngine { private rules: FraudRule[]; private velocityStore: VelocityStore; constructor(rules: FraudRule[], velocityStore: VelocityStore) { // Sort by priority (highest priority = lowest number = first) this.rules = rules .filter(r => r.enabled) .sort((a, b) => a.priority - b.priority); this.velocityStore = velocityStore; } async evaluate(context: TransactionContext): Promise<RuleEvaluationResult> { const triggeredRules: TriggeredRule[] = []; let scoreAdjustment = 0; let finalAction: RuleAction | null = null; for (const rule of this.rules) { const matches = await this.evaluateCondition(rule.condition, context); if (matches) { triggeredRules.push({ ruleId: rule.id, ruleName: rule.name, action: rule.action, }); // Apply action based on type switch (rule.action.type) { case 'decline': case 'review': case 'challenge': // Terminal actions - stop processing finalAction = rule.action; break; case 'score_adjustment': scoreAdjustment += rule.action.amount; break; case 'flag': // Non-terminal, continue processing break; } // Record rule trigger for monitoring this.recordTrigger(rule.id); // If we hit a terminal action, stop if (finalAction) { break; } } } return { triggeredRules, scoreAdjustment, finalAction, shouldProceed: !finalAction || finalAction.type === 'flag', }; } private async evaluateCondition( condition: RuleCondition | AtomicCondition, context: TransactionContext ): Promise<boolean> { if ('operator' in condition && 'conditions' in condition) { // Compound condition const results = await Promise.all( condition.conditions.map(c => this.evaluateCondition(c, context)) ); return condition.operator === 'AND' ? results.every(r => r) : results.some(r => r); } // Atomic condition const atomic = condition as AtomicCondition; const fieldValue = this.getFieldValue(atomic.field, context); return this.evaluateAtomic(atomic, fieldValue, context); } private async evaluateAtomic( condition: AtomicCondition, fieldValue: unknown, context: TransactionContext ): Promise<boolean> { const targetValue = this.resolveValue(condition.value, context); switch (condition.operator) { case 'equals': return fieldValue === targetValue; case 'not_equals': return fieldValue !== targetValue; case 'greater_than': return (fieldValue as number) > (targetValue as number); case 'less_than': return (fieldValue as number) < (targetValue as number); case 'in': return (targetValue as unknown[]).includes(fieldValue); case 'not_in': return !(targetValue as unknown[]).includes(fieldValue); case 'velocity_exceeds': return this.checkVelocity(condition.field, context, targetValue); default: return false; } } private async checkVelocity( field: string, context: TransactionContext, limit: { count: number; window: string } ): Promise<boolean> { const key = this.buildVelocityKey(field, context); const count = await this.velocityStore.getCount(key, limit.window); return count >= limit.count; }}Production systems often accumulate hundreds of rules over years. Rules conflict, overlap, and become stale. Best practice: require expiration dates on all rules, regularly audit rule effectiveness, and sunset rules that rarely trigger (potential bloat) or always trigger (potential over-blocking).
Machine learning models excel at capturing complex, non-linear patterns that rules cannot express. They can identify subtle correlations across hundreds of features that would be impossible for humans to specify manually.
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697
# Feature Engineering for Fraud Detection Models import pandas as pdimport numpy as npfrom typing import Dict, Any class FraudFeatureEngineer: """ Comprehensive feature engineering for payment fraud detection. Features fall into categories: transaction, customer, behavioral, device, velocity, and network. """ def extract_features(self, transaction: Dict[str, Any]) -> Dict[str, float]: features = {} # === Transaction Features === features['amount'] = transaction['amount'] features['amount_log'] = np.log1p(transaction['amount']) features['is_round_amount'] = 1 if transaction['amount'] % 100 == 0 else 0 features['is_micro_transaction'] = 1 if transaction['amount'] < 100 else 0 features['hour_of_day'] = transaction['timestamp'].hour features['day_of_week'] = transaction['timestamp'].weekday() features['is_weekend'] = 1 if features['day_of_week'] >= 5 else 0 features['is_night'] = 1 if features['hour_of_day'] < 6 or features['hour_of_day'] > 22 else 0 # === Card Features === features['card_age_days'] = (transaction['timestamp'] - transaction['card_created_at']).days features['is_new_card'] = 1 if features['card_age_days'] < 30 else 0 features['months_until_expiry'] = self._months_until_expiry(transaction) features['is_credit_card'] = 1 if transaction['card_type'] == 'credit' else 0 features['is_international_card'] = 1 if transaction['card_country'] != transaction['merchant_country'] else 0 features['bin_risk_score'] = self._lookup_bin_risk(transaction['bin']) # === Customer Features === features['account_age_days'] = (transaction['timestamp'] - transaction['customer_created_at']).days features['is_first_purchase'] = 1 if transaction['previous_purchases'] == 0 else 0 features['lifetime_value'] = transaction['customer_ltv'] features['previous_fraud_reports'] = transaction['customer_fraud_reports'] features['has_verified_email'] = 1 if transaction['email_verified'] else 0 features['has_verified_phone'] = 1 if transaction['phone_verified'] else 0 # === Behavioral Features === features['session_duration_seconds'] = transaction['session_duration'] features['pages_viewed'] = transaction['pages_viewed'] features['time_on_checkout_page'] = transaction['checkout_time'] features['is_fast_checkout'] = 1 if features['time_on_checkout_page'] < 10 else 0 features['cart_changes'] = transaction['cart_modifications'] features['used_coupon'] = 1 if transaction['coupon_applied'] else 0 # === Device Features === features['is_mobile'] = 1 if transaction['device_type'] == 'mobile' else 0 features['is_new_device'] = 1 if transaction['is_new_device'] else 0 features['device_trust_score'] = transaction['device_trust_score'] features['is_vpn'] = 1 if transaction['is_vpn'] else 0 features['is_tor'] = 1 if transaction['is_tor'] else 0 features['is_proxy'] = 1 if transaction['is_proxy'] else 0 # === Geographic Features === features['geo_mismatch'] = 1 if transaction['ip_country'] != transaction['card_country'] else 0 features['billing_shipping_mismatch'] = 1 if transaction['billing_zip'] != transaction['shipping_zip'] else 0 features['distance_from_usual_location'] = self._calculate_distance(transaction) features['ip_risk_score'] = self._lookup_ip_risk(transaction['ip_address']) # === Velocity Features (pre-computed) === features['card_tx_count_1h'] = transaction['velocity']['card_1h'] features['card_tx_count_24h'] = transaction['velocity']['card_24h'] features['card_amount_sum_24h'] = transaction['velocity']['card_amount_24h'] features['ip_tx_count_1h'] = transaction['velocity']['ip_1h'] features['device_tx_count_24h'] = transaction['velocity']['device_24h'] features['email_tx_count_7d'] = transaction['velocity']['email_7d'] # === Ratio Features === features['amount_vs_avg'] = transaction['amount'] / max(transaction['customer_avg_amount'], 1) features['amount_vs_max'] = transaction['amount'] / max(transaction['customer_max_amount'], 1) return features def _lookup_bin_risk(self, bin: str) -> float: """Lookup BIN risk score from pre-computed table.""" # In production: query BIN risk database return 0.0 def _lookup_ip_risk(self, ip: str) -> float: """Lookup IP risk from threat intelligence.""" # In production: query MaxMind, IPQualityScore, etc. return 0.0 def _calculate_distance(self, tx: Dict) -> float: """Calculate distance from customer's usual location.""" # Haversine distance from centroid of previous transactions return 0.0 def _months_until_expiry(self, tx: Dict) -> int: """Calculate months until card expiration.""" # Cards about to expire are riskier (fraudsters rushing to use them) return 12Model Training Considerations:
Production systems often run multiple models in parallel: a fast model (100 features, 5ms inference) for real-time decisions, and a complex model (500+ features, 50ms) for high-value transactions or score calibration. Combine scores with weighted averaging based on transaction risk tier.
Fraud detection is fundamentally a classification problem with asymmetric costs. The consequences of false positives (blocking legitimate customers) and false negatives (approving fraud) are both significant but different:
| Error Type | Definition | Immediate Cost | Long-Term Cost |
|---|---|---|---|
| False Positive | Legitimate transaction blocked | Lost sale (~$50-500) | Customer churn (13x CLV), brand damage |
| False Negative | Fraud transaction approved | Fraud loss + chargeback fee (~$50-500) | Increased fraud attraction, higher rates |
| True Positive | Fraud correctly blocked | Minor (customer friction) | Reduced fraud losses |
| True Negative | Legitimate correctly approved | None | Customer satisfaction, trust |
Optimizing the Tradeoff:
The optimal threshold depends on your business context:
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768
import numpy as npfrom sklearn.metrics import precision_recall_curve def calculate_optimal_threshold( y_true: np.ndarray, y_scores: np.ndarray, false_positive_cost: float = 100, # Cost of blocking legit customer false_negative_cost: float = 150, # Cost of approving fraud fraud_rate: float = 0.001, # Expected fraud rate) -> float: """ Calculate optimal decision threshold based on business costs. At threshold t: - Transactions with score > t are blocked - Transactions with score <= t are approved """ thresholds = np.linspace(0, 1, 100) min_cost = float('inf') optimal_threshold = 0.5 for threshold in thresholds: predictions = (y_scores > threshold).astype(int) # Calculate confusion matrix tp = np.sum((predictions == 1) & (y_true == 1)) fp = np.sum((predictions == 1) & (y_true == 0)) fn = np.sum((predictions == 0) & (y_true == 1)) tn = np.sum((predictions == 0) & (y_true == 0)) # Total cost = (FP * FP_cost) + (FN * FN_cost) # Normalize by expected transaction population total_cost = (fp * false_positive_cost) + (fn * false_negative_cost) if total_cost < min_cost: min_cost = total_cost optimal_threshold = threshold return optimal_threshold def calculate_metrics_at_threshold( y_true: np.ndarray, y_scores: np.ndarray, threshold: float) -> dict: """Calculate key metrics at a given decision threshold.""" predictions = (y_scores > threshold).astype(int) tp = np.sum((predictions == 1) & (y_true == 1)) fp = np.sum((predictions == 1) & (y_true == 0)) fn = np.sum((predictions == 0) & (y_true == 1)) tn = np.sum((predictions == 0) & (y_true == 0)) precision = tp / (tp + fp) if (tp + fp) > 0 else 0 recall = tp / (tp + fn) if (tp + fn) > 0 else 0 false_positive_rate = fp / (fp + tn) if (fp + tn) > 0 else 0 return { 'threshold': threshold, 'precision': precision, # % of blocks that were fraud 'recall': recall, # % of fraud that was caught 'false_positive_rate': false_positive_rate, # % of legit that was blocked 'true_positives': tp, 'false_positives': fp, 'false_negatives': fn, 'true_negatives': tn, }For e-commerce: Target 95%+ fraud recall (catch rate) with <1% false positive rate. This means blocking 95% of fraud while incorrectly blocking only 1 in 100 legitimate customers. However, even 1% FPR at 10M monthly transactions = 100K frustrated customers.
3D Secure (3DS) is an authentication protocol that shifts fraud liability from merchants to card issuers when authentication is completed. In Europe, Strong Customer Authentication (SCA) under PSD2 regulations makes 3DS (or equivalent) mandatory for most transactions.
How 3DS Works:
| Feature | 3DS 1.0 | 3DS 2.0+ |
|---|---|---|
| User Experience | Always redirect, password entry | Frictionless possible, biometrics |
| Mobile Support | Poor (redirect breaks flow) | Native SDK integration |
| Data Sharing | Minimal | 100+ data points for risk assessment |
| Conversion Impact | 10-20% cart abandonment | 2-5% cart abandonment |
| Regulation | Pre-PSD2 | PSD2/SCA compliant |
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596
// 3DS Integration Strategy interface ThreeDSDecision { require3DS: boolean; challengePreference: 'no_preference' | 'challenge_requested' | 'challenge_mandate'; exemptionRequested?: SCAExemption; reason: string;} type SCAExemption = | 'low_value' // Under €30 (limit cumulative) | 'low_risk' // Merchant has low fraud rate | 'trusted_beneficiary' // Customer whitelisted merchant | 'recurring' // Subsequent recurring payment | 'corporate' // B2B corporate card | 'moto'; // Mail/telephone order class ThreeDSDecisionEngine { /** * Determine whether to apply 3DS and which exemption to request */ decide(context: PaymentContext): ThreeDSDecision { // Mandatory 3DS (no exemption possible) if (this.isSCAMandatory(context)) { return { require3DS: true, challengePreference: 'no_preference', reason: 'sca_mandatory', }; } // Low value exemption (< €30, cumulative limits apply) if (context.amount < 3000 && this.checkLowValueLimits(context)) { return { require3DS: false, challengePreference: 'no_preference', exemptionRequested: 'low_value', reason: 'low_value_exemption', }; } // Trusted beneficiary (customer opted in) if (context.customer.trustedMerchants?.includes(context.merchantId)) { return { require3DS: false, challengePreference: 'no_preference', exemptionRequested: 'trusted_beneficiary', reason: 'trusted_beneficiary', }; } // Transaction Risk Analysis (TRA) exemption // Requires merchant to maintain low fraud rates if (this.qualifiesForTRAExemption(context)) { return { require3DS: true, // Still perform 3DS but request frictionless challengePreference: 'no_preference', exemptionRequested: 'low_risk', reason: 'tra_exemption', }; } // High risk - request challenge if (context.riskScore > 700) { return { require3DS: true, challengePreference: 'challenge_requested', reason: 'high_risk_score', }; } // Default: Apply 3DS, let issuer decide challenge return { require3DS: true, challengePreference: 'no_preference', reason: 'standard_3ds', }; } private qualifiesForTRAExemption(context: PaymentContext): boolean { // TRA exemption thresholds based on merchant fraud rate const traLimits = [ { fraudRate: 0.0001, limit: 50000 }, // 0.01% → €500 { fraudRate: 0.0006, limit: 25000 }, // 0.06% → €250 { fraudRate: 0.0013, limit: 10000 }, // 0.13% → €100 ]; for (const { fraudRate, limit } of traLimits) { if (context.merchantFraudRate <= fraudRate && context.amount <= limit) { return true; } } return false; }}Successful 3DS authentication shifts chargeback liability from merchant to issuer. This is the primary benefit. However, if you request an exemption and it's approved, you keep the liability. Strategic use of exemptions requires balancing conversion (fewer challenges) against fraud liability.
Fraud detection is a critical, complex discipline requiring continuous adaptation. Let's consolidate the key principles:
What's Next:
With fraud detection protecting against malicious actors, the next challenge is transaction reconciliation—ensuring that your internal records match gateway records, bank settlements, and financial reports. This is essential for auditing, dispute resolution, and financial accuracy.
You now understand the architecture and techniques for detecting payment fraud at scale. This knowledge enables you to design systems that protect revenue while maintaining customer experience.