Video transcript

Stripe Radar can stop fraud before it costs you — the hard part is building the rules. Card testing is happening right now: every hour, automated scripts hammer your checkout with stolen cards, looking for one that still works. On one client engagement, the chargeback rate had climbed past thirteen percent.

Building Radar rules is hard. You have to know the attribute names. You have to know the time windows. You have to pick a sensible threshold. And you have to deploy in Review first — without breaking real customers.

So we built it: a live rule generator with twenty real fraud patterns, every attribute name verified against Stripe's spec, and copy-ready output.

Step one — pick the fraud pattern you're targeting: card testing, stolen-card velocity, sign-up abuse, geo anomalies, or customer behavior. Step two — tune the parameters; the generator already knows the sensible defaults, so you start safe, then push from there. Step three — real Stripe syntax: copy the rule and paste it straight into Radar Rules.

There are twenty patterns covering five categories: card testing, stolen cards, sign-up abuse, geo and IP, and customer-amount behavior. Every one ships with field-tested defaults. Take rapid card retry — same card, multiple attempts inside an hour, almost always a script. Three attempts is the sane ceiling.

Every attribute name is pulled straight from Stripe's supported-attributes documentation. No invented identifiers. No fake names that won't compile.

On that same engagement, this is the rule set we deployed — phase one of the rescue. From thirteen percent chargebacks to under one, in ninety days.

Built by Georges Rayess. The generator captures the patterns that actually moved the dispute ratio — not generic defaults. There's a whole academy around it: story mode, speed-drill flashcards, and the risk calculator, all free and linked from the generator page. Open the generator, pick a pattern, and build a rule in under a minute. If you're approaching VAMP or ECM, book the full Radar rebuild.

01 — GENERATE Live rule builder

Pick a fraud pattern, tune the parameters, copy the rule. Every move earns XP and unlocks badges as you go.

1 Pick the fraud pattern you're targeting

Deploy in Review mode first. Every rule below should be deployed with action Review for at least 7 days against real traffic. Inspect the matched charges in Stripe Dashboard → Radar → Reviews queue. Only promote to Block when 80%+ of matches are clearly fraud. See the full backtest workflow.

Popular starting points

Hand-picked combinations that work out of the box for most subscription apps. Use these as templates and tune via the generator above.

Rapid card retry (per hour) · FP: low
Block if :total_transactions_per_payment_instrument_fingerprint_hourly: > 3
Card-testing scripts retry the same card multiple times per hour. Legitimate users rarely retry the same card more than twice. The hourly window catches automation cleanly.

Many cards from one IP (debit/prepaid) · FP: low
Block if :card_count_for_ip_address_hourly: > 5 and :card_funding: in ("debit", "prepaid")
The classic card-testing fingerprint. Restricting to debit/prepaid drops false positives because legitimate shared-IP traffic almost always uses credit.

Risk score + BIN/IP mismatch · FP: low
Block if :risk_score: > 65 and :card_country: != :ip_country:
Combines Stripe's ML score with geographic mismatch. Each alone false-positives; together they isolate stolen-card abuse cleanly.

Block repeat-dispute cards · FP: low
Block if :dispute_count_on_card_number_yearly: > 0
A card that disputed even once has materially elevated repeat-dispute probability. Direct block prevents the second loss.

EFW on card (never authorize again) · FP: low
Block if :efw_count_on_card_all_time: > 0
Early Fraud Warnings are issuer-reported fraud signals — among the strongest predictors Stripe surfaces.

3DS on anonymous IP / proxy / Tor · FP: low
Request 3D Secure if :is_anonymous_ip: = true
Proxy and Tor traffic correlates strongly with stolen-card abuse. 3DS step-up preserves legitimate privacy-conscious customers while filtering the rest.

3DS on disposable email · FP: low
Request 3D Secure if :is_disposable_email: = true
Disposable-email signups correlate with single-use sign-up fraud. 3DS preserves edge cases while filtering scripted abuse.

CVC fail + elevated risk · FP: low
Block if :cvc_check: = "fail" and :risk_score: > 50
CVC failure alone false-positives on mistyped codes. Combined with elevated ML risk, it isolates stolen-card abuse.

3DS for high-risk subscription renewals · FP: medium
Request 3D Secure if :is_recurring: = true and :risk_score: > 60
Normal renewals are frictionless. Elevated-risk renewals indicate stolen card still posting charges — 3DS step-up is cheaper than the eventual chargeback.

Many emails per IP (sign-up abuse) · FP: medium
Block if :email_count_for_ip_hourly: > 5
5+ distinct emails from one IP in an hour is a scripted sign-up flow. The hourly window catches abuse without affecting multi-user households.

Review high-value one-time purchase · FP: medium
Review if :amount_in_usd: > 100 and :is_recurring: = false and :risk_score: > 40
High-value one-time purchases at moderate risk are the friendly-fraud breeding ground. Manual review catches edges before settlement.

Brand-new customer + high amount · FP: medium
Review if :seconds_since_customer_was_created: < 300 and :amount_in_usd: > 50
A customer created less than 5 minutes ago making a $50+ purchase has not validated themselves — synthetic-identity fingerprint.

Multiple cards per customer per week · FP: medium
Block if :card_count_for_customer_weekly: > 3
A customer cycling through 4+ cards in a week is testing which one will authorize. Legitimate behavior almost never crosses 3.

Digital wallet on new customer (3DS step-up) · FP: low
Request 3D Secure if :digital_wallet: != "none" and :hours_since_customer_was_created: < 1
Digital wallets bypass CVC/AVS for repeat customers, but first-charge customers haven't earned that trust yet. 3DS restores authentication on first charge only.
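
The Review-first guidance and the 80% promotion bar can be rehearsed offline on labelled history before a rule sees live traffic. The following is an added example, not code from the generator or from Stripe: a small Python evaluator for the subset of rule syntax used in the list above (comparisons joined by `and`). The function names, the `fraud` label field and the sample charges are assumptions constructed for illustration.

```python
import operator
import re

ACTIONS = ("Block", "Review", "Request 3D Secure")
OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq, "!=": operator.ne}
PRED = re.compile(r"^:(\w+):\s*(!=|>|<|=|in)\s*(.+)$")

# Constructed Review-queue sample (not real data): rule inputs plus analyst verdict.
FIELDS = ("risk_score", "card_country", "ip_country", "cvc_check", "fraud")
REVIEWED = [dict(zip(FIELDS, row)) for row in [
    (82, "US", "BR", "fail", True), (71, "GB", "BR", "fail", True),
    (90, "US", "JP", "pass", True), (68, "FR", "DE", "pass", False),
    (70, "CA", "US", "pass", True), (55, "US", "US", "fail", False),
    (58, "US", "US", "fail", True), (30, "US", "US", "pass", False)]]

def value(tok, charge):
    """Resolve a right-hand token: :attribute:, true/false, "string" or number."""
    tok = tok.strip()
    if tok.startswith(":"):
        return charge[tok.strip(":")]
    if tok in ("true", "false"):
        return tok == "true"
    return tok.strip('"') if tok.startswith('"') else float(tok)

def parse(rule):
    """Split '<action> if <p1> and <p2> ...' into (action, [(attr, op, rhs)])."""
    action, _, cond = rule.partition(" if ")
    if action not in ACTIONS or not cond:
        raise ValueError(f"not a rule in the page's format: {rule!r}")
    preds = [PRED.match(p.strip()) for p in cond.split(" and ")]
    if not all(preds):
        raise ValueError(f"unparseable predicate in: {rule!r}")
    return action, [m.groups() for m in preds]

def holds(pred, charge):
    """Evaluate one predicate; a missing attribute raises KeyError on purpose."""
    attr, op, rhs = pred
    if op == "in":
        return charge[attr] in [value(t, charge) for t in rhs.strip("()").split(",")]
    return OPS[op](charge[attr], value(rhs, charge))

def backtest(rule, reviewed, promote_at=0.80):
    """Return (match count, fraud share, verdict) using the 80% promotion bar."""
    preds = parse(rule)[1]
    hits = [c for c in reviewed if all(holds(p, c) for p in preds)]
    if not hits:
        return 0, None, "keep in Review"
    share = sum(c["fraud"] for c in hits) / len(hits)
    return len(hits), share, "promote to Block" if share >= promote_at else "keep in Review"
```

On the constructed sample, the risk-score plus country-mismatch rule matches five charges with four confirmed fraud (80%), while the CVC-fail rule matches four with three confirmed (75%) and stays in Review.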

Stripe attribute reference

Every attribute below is supported by Stripe Radar's rules engine, sourced from the official supported-attributes spec. Use these directly in custom rules — the generator above wires the most common ones, but the full list is available for power users.


Risk Scores

  • :risk_level: normal / elevated / highest / not_assessed
  • :risk_score: 0-100 ML risk score

Address

  • :billing_address_country: two-letter country code
  • :billing_address_state: state
  • :billing_address_city: city
  • :billing_address_postal_code: ZIP / postal
  • :shipping_address_country: two-letter country code
  • :shipping_address_state: state
  • :distance_between_billing_and_shipping_address: km
  • :distance_between_ip_and_billing_address: km
  • :distance_between_ip_and_shipping_address: km

Card Info

  • :card_bin: first 6 digits of card
  • :card_brand: visa / mc / amex / dscvr / diners / jcb / cup
  • :card_country: two-letter country code of issuer
  • :card_funding: credit / debit / prepaid / unknown
  • :card_fingerprint: unique card identifier
  • :card_3d_secure_support: required / recommended / optional / not_supported
  • :is_new_card_on_customer: boolean

Issuer Checks

  • :cvc_check: pass / fail / unavailable / unchecked / not_provided
  • :address_zip_check: pass / fail / unavailable / unchecked / not_provided
  • :address_line1_check: pass / fail / unavailable / unchecked / not_provided

3D Secure

  • :is_3d_secure: boolean
  • :is_3d_secure_authenticated: boolean
  • :has_liability_shift: boolean

Email

  • :email: full email address
  • :email_domain: domain only
  • :is_disposable_email: boolean
  • :email_count_for_ip_hourly: 0-25
  • :email_count_for_ip_daily: 0-25
  • :email_count_for_billing_address_daily: 0-25
  • :email_count_for_card_weekly: 0-25

IP & Connection

  • :ip_address: raw IP
  • :ip_country: two-letter country code
  • :ip_state: state
  • :ip_address_connection_type: cable/dsl / cellular / corporate / dialup
  • :is_anonymous_ip: boolean (proxy or Tor)
  • :isp: ISP name
  • :is_my_login_ip: boolean

Velocity (Payment Instrument)

  • :total_transactions_per_payment_instrument_fingerprint_hourly:
  • :total_transactions_per_payment_instrument_fingerprint_daily:
  • :authorized_transactions_per_payment_instrument_fingerprint_hourly:
  • :declined_transactions_per_payment_instrument_fingerprint_hourly:
  • :blocked_transactions_per_payment_instrument_fingerprint_daily:

Velocity (Customer / Card / IP)

  • :card_count_for_ip_address_hourly: 0-25
  • :card_count_for_ip_address_daily: 0-25
  • :card_count_for_customer_weekly: 0-25
  • :card_count_for_billing_address_weekly: 0-25
  • :name_count_for_card_weekly: 0-25

Disputes & Early Fraud Warnings

  • :dispute_count_on_card_number_yearly: 0-25
  • :dispute_count_on_card_number_all_time: 0-25
  • :dispute_count_on_ip_weekly: 0-25
  • :efw_count_on_card_all_time: 0-25
  • :efw_count_on_card_weekly: 0-25
  • :efw_count_on_ip_weekly: 0-25

Customers

  • :customer: Customer object ID
  • :total_customers_for_email_yearly: 0-25
  • :total_customers_with_prior_fraud_activity_for_email_yearly: 0-25
  • :total_customers_with_prior_fraud_activity_for_card_yearly: 0-25

Amount

  • :amount_in_usd: numeric
  • :amount_in_eur: numeric
  • :amount_in_gbp: numeric
  • :average_usd_amount_attempted_on_customer_all_time:
  • :total_usd_amount_successful_on_card_all_time:

Time

  • :seconds_since_customer_was_created:
  • :minutes_since_customer_was_created:
  • :hours_since_customer_was_created:
  • :hours_since_card_first_seen:
  • :hours_since_email_first_seen:
  • :hours_since_first_successful_auth_on_card:

Payment Method & Wallet

  • :payment_method_type: card / sepa_debit / us_bank_account
  • :digital_wallet: apple_pay / android_pay / samsung_pay / amazon_pay / revolut_pay / meta_pay / amex_express_checkout / masterpass / visa_checkout / none
  • :has_cryptogram: boolean
  • :is_checkout: boolean
  • :is_off_session: boolean
  • :is_recurring: boolean
  • :is_setup_intent: boolean
  • :currency: 3-letter code

Full reference (200+ attributes including cross-payment-method, ACH, and Connect platform attributes) at docs.stripe.com/radar/rules/supported-attributes.

FAQ

Are these rules safe to paste straight into Stripe?
The generator produces real Radar syntax — but no rule is universally safe. Always deploy in Review mode first for at least 7 days. The Reviews queue tells you whether the rule is catching real fraud or false-positiving. Only promote to Block once the Review window confirms correctness.

Why is the generator opinionated about specific thresholds?
Default thresholds reflect operator-observed patterns across subscription apps, not arbitrary numbers. The rapid-retry threshold defaults to 3/hour because that catches scripts while sparing legitimate retry behavior. Every default is a starting point — tune against your own traffic.

Can I combine rules from multiple patterns?
Yes. Radar evaluates rules independently in priority order, so deploying one rule per pattern is the standard setup. The "Stack rules" panel collects multi-pattern configurations. For compound logic within a single rule, edit the generated syntax manually — Stripe accepts any valid combination of supported attributes.
About this generator

Built by Georges Rayess, who deployed a tuned Stripe Radar configuration as part of the 90-day ECM exit playbook that drove the chargeback rate from 13% to below 1%. The generator captures the rule patterns that actually moved the dispute ratio.

Approaching VAMP or ECM?

Get the full Radar rebuild

Phase 1 of the 90-day rescue program rebuilds your entire Radar configuration calibrated to your actual fraud patterns — not generic defaults.
