Risk scoring

Use risk scoring to automatically manage the level of risk that is associated with each transaction, and to automate specific actions based on that level of risk. A common use case for risk scoring is to add a customer to a blocklist and to stop the transaction.

All transactions start the risk scoring process with a score of 100. If a check fails, the score is reduced by the corresponding weight. For example, if the Has Fake Name risk score adjustment weight is set to 5, and the check fails, the transaction risk score becomes 95.

To view transaction risk scores, see View payment transaction details.

risk analysis

Configure risk scoring

Use this process to configure the score by which a transaction passes or fails the risk scoring process. Adjust risk score weights based on the checks that you determine are important. If a transaction exceeds the configured risk score threshold exceeds new blocklist records are created. To view blocklist records, see View active blocklists

  1. In the left navigation bar, click automation icon Automations , then click Risk score settings .
  2. Click Update risk score setting .
  3. In the Blocklist entry section, to the define the overall transaction risk score threshold and attributes to add to a block list, select from the following:
    • To permanently block a transaction that exceeds a risk score threshold:
      1. In the Permanently block above section, in the Threshold field, enter the risk score threshold value.
      2. In the Blocklist attribute dropdown, select one or more attributes to add to a blocklist. For more information, see Blocklist .
    • To temporarily block a transaction that exceeds a risk score threshold:
      1. In the Temporary block above section, in the Threshold field, enter the risk score threshold value.
      2. In the Temporary block duration field, enter the duration of the temporary block in minutes.
      3. In the Blocklist attribute dropdown, select one or more attributes to add to a blocklist. For more information, see Blocklist .
  4. In the Risk score section, to define the risk score adjustment for each risk factor, click Add new risk factor .
  5. Select a risk factor and define the conditions. You can add multiple risk factors. For more information, see Risk factors .
  6. Click Update .

Risk factors

The following table describes all risk factors. Use this table to understand how each check works and to help determine which risk score adjustments you want to use in transaction risk scoring.

Name Description
Billing address velocity Number of transactions for this billing address in the last 24 hours.
Declined payment instrument velocity Number of declined transactions for this payment instrument fingerprint in the last 24 hours.
Device velocity Number of transactions for this device, based on fingerprint, in the last 24 hours. A device fingerprint is a unique token that is used to identify the user. The device fingerprint is generated based on device attributes, such as: hardware, software, IP address, language, browser, and more.
Email velocity Number of transactions for this email address in the last 24 hours.
Has fake name Specifies whether the holder name seems fake.
Has mismatched bank country Specifies whether the customer's bank country and geo-IP address are not the same.
Has mismatched billing address country Specifies whether the customer's billing address country and geo-IP address are not the same.
Has mismatched holder name Specifies whether the customer's billing address name and primary address name are not the same.
Has mismatched time zone Specifies whether the customer's browser time zone and the IP address associated time zone are not the same.
IP velocity Number of transactions for this IP address in the last 24 hours.
Is high risk country Specifies whether the geo-IP country, or the customer's billing country, is considered a high risk country.
Is hosting Specifies whether the customer's IP address is related to hosting.
Is proxy Specifies whether the customer's IP address is related to a proxy.
Is Tor Specifies whether the customer's IP address is related to TOR.
Is VPN Specifies whether the customer's IP address is related to a VPN.
Payment instrument velocity Number of transactions for this payment instrument, based on payment instrument fingerprint, in the last 24 hours. A payment instrument fingerprint is a unique value that is used to identify the payment instrument. This value is generated from the bin and the last4 values. This value contains alphanumeric characters.

Consistency checks

Use the risk metadata mismatched items to filter for inconsistent information. Merchants commonly check for consistent:

  • Bank country
  • Billing country
  • Time zone
  • Cardholder name and name in primary address

VPN, proxy, and TOR usage check

Use the transaction risk metadata to search for VPN, proxy, or TOR usage.

Distance check

If you sell a physical product, use the risk metadata to check the distance between the shipping address and the billing address.

Velocity checks

Velocity refers to the number of transactions in the last 24 hours. Use the risk metadata to perform the following velocity checks:

  • Velocity - the number of transactions made by a customer for a single merchant.
  • Payment instrument velocity - the number of transactions made with the same payment instrument (PAN fingerprint for payment cards or bank account fingerprint for bank transfers) across all Rebilly merchants.
  • Device velocity - the number of transactions made from the same device (using device fingerprint) across all Rebilly merchants.
  • Billing address velocity - the number of transactions made with the same billing address across all Rebilly merchants.
  • Email velocity - the number of transactions made with the same email address across all Rebilly merchants.
  • IP velocity - the number of transactions made with the same IP address across all Rebilly merchants.

Use the conditions to filter for transactions with a velocity higher than X. For example, I'll use a velocity higher than 5.