How to use this library. Every rule below should be deployed in Review mode first for at least 7 days against real traffic. Inspect the matched charges in Stripe Dashboard → Radar → Reviews queue. Only promote to Block when 80%+ of matches are clearly fraud. See the full backtest workflow.

Block rapid card retries (60s window)

Velocity
Block if :seconds_since_last_authorization_charge_attempt: < 60

Why it works: Card-testing scripts retry the same card 5-10 times in seconds. Legitimate users rarely retry the same card within a minute — they switch cards or abandon. 60s is conservative enough to spare retries from genuine network errors.

FP risk: low | Review: 7 days | Pattern: card testing

Block email-level velocity abuse

Velocity
Block if :total_charges_per_email_address_hourly: > 5

Why it works: One email address producing more than 5 charges per hour is almost certainly a scripted sign-up flow or a synthetic-identity ring. Caps multi-account fraud without affecting legitimate single-purchase users.

FP risk: low | Review: 7 days | Pattern: synthetic identity

Block IP-level new account flood

Velocity
Block if :total_charges_per_ip_address_daily: > 10
   and :card_funding: != "credit"

Why it works: One IP making 10+ charges per day with debit/prepaid cards is a card-testing fingerprint. Excluding credit cards reduces false positives on shared corporate or household IPs.

FP risk: medium | Review: 14 days | Pattern: card testing

Risk score with BIN-IP mismatch

BIN / IP
Block if :risk_score: > 65
   and :card_country: != :ip_country:

Why it works: Combines Stripe's ML risk score with a hard signal of geographic mismatch. Each signal alone produces false positives; together they catch elevated risk only when geography also looks off — dramatically reducing FP rate vs. naive risk-score-only blocking.

FP risk: low | Review: 7 days | Pattern: stolen card abuse

3DS on high-risk regions

BIN / IP
3D Secure if :ip_country: in ("XX","YY","ZZ")
   or :card_country: in ("XX","YY","ZZ")

Why it works: Geography-targeted 3DS gating preserves checkout conversion on low-risk traffic (typically 90%+ of subscription app volume) while putting friction only on high-risk regions. Customize the country list to your observed dispute concentration — do not blanket-apply.

FP risk: medium | Review: 14 days | Pattern: regional fraud

Block repeat-dispute card BINs

BIN / IP
Block if :card_bin: in (your dispute-bin list)

Why it works: Maintain a list of card BINs that have produced 2+ chargebacks against your business in the prior 6 months. New transactions on those exact BINs have materially elevated dispute probability. Refresh the list monthly from your dispute reports.

FP risk: low | Review: 7 days | Pattern: known bad BINs
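One way to build and refresh the dispute-BIN list described above, as an added example (not code from this page or from Stripe): it counts chargebacks per BIN over the prior 6 months, keeps BINs with 2 or more, and reports which BINs a monthly refresh adds and which age out. The `(BIN, dispute date)` input shape, the function names and the placeholder BINs are assumptions; the rule string is emitted in this page's pseudo-Radar form.

```python
from collections import Counter
from datetime import date


def months_back(d, months):
    """Date `months` calendar months before `d` (day clamped to 28 to stay valid)."""
    idx = d.year * 12 + (d.month - 1) - months
    return date(idx // 12, idx % 12 + 1, min(d.day, 28))


def dispute_bins(disputes, as_of, months=6, min_disputes=2):
    """BINs with >= min_disputes chargebacks in the `months` before `as_of`."""
    cutoff = months_back(as_of, months)
    counts = Counter(b for b, created in disputes if cutoff <= created <= as_of)
    return sorted(b for b, n in counts.items() if n >= min_disputes)


def refresh(previous, disputes, as_of):
    """Monthly refresh: new list, BINs added, BINs aged out, and the rule text."""
    current = dispute_bins(disputes, as_of)
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    quoted = ",".join(f'"{b}"' for b in current)
    # An empty list must not produce a rule: "in ()" would match nothing useful.
    rule = f"Block if :card_bin: in ({quoted})" if current else None
    return current, added, removed, rule


# Constructed dispute report: (card BIN, dispute date). BINs are placeholder values.
DISPUTES = [
    ("400000", date(2024, 12, 10)), ("400000", date(2025, 5, 20)),
    ("424242", date(2025, 2, 14)), ("424242", date(2025, 4, 3)),
    ("520000", date(2025, 1, 15)), ("520000", date(2025, 6, 12)),
    ("555555", date(2025, 3, 9)),
]

if __name__ == "__main__":
    june = dispute_bins(DISPUTES, date(2025, 6, 1))
    print(refresh(june, DISPUTES, date(2025, 7, 1)))
```

BINs that drop off the list because their disputes fell outside the 6-month window are worth a glance before removal from the live rule.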

Tighten risk threshold on credit-bundle purchases

Risk score
Block if :risk_score: > 55
   and :amount: > 5000
   and :is_subscription: = false

Why it works: One-time credit-bundle purchases ($50+) sit in a different risk profile than subscription renewals. The default ML threshold is calibrated for subscriptions; lowering it on one-time high-value transactions catches stolen-card fraud that the default misses. Adjust the amount threshold to your bundle pricing.

FP risk: medium | Review: 14 days | Pattern: bundle fraud

Review risk score on new customer first charge

Risk score
Review if :risk_score: > 50
   and :is_first_charge_for_customer: = true

Why it works: First-charge events are riskier than renewals (no prior usage history to validate). Reviewing — not blocking — at a lowered threshold catches edge cases for manual evaluation while preserving conversion. Promote to Block only after observing the matched cohort.

FP risk: low | Review-by-default | Pattern: new-customer risk

3DS on disposable email domains

3DS gating
3D Secure if :email_domain: in
  ("mailinator.com","tempmail.com","guerrillamail.com",
   "10minutemail.com","trashmail.com")

Why it works: Disposable-email domains correlate strongly with single-use sign-up fraud. Forcing 3DS — not blocking — preserves the ability for legitimate edge cases to authenticate while filtering scripted disposable-email abuse. Maintain the list manually or via an email-reputation API.

FP risk: low | Review: 7 days | Pattern: disposable email

3DS step-up for elevated-risk renewals

3DS gating
3D Secure if :risk_score: > 60
   and :is_subscription_renewal: = true

Why it works: Subscription renewals are usually frictionless by design, but elevated-risk renewals (likely stolen-card continued use) benefit from re-authentication. Targeted 3DS step-up here is materially cheaper than the eventual chargeback if the card was stolen.

FP risk: medium | Review: 14 days | Pattern: stolen card renewals

Block Stripe Link without 3DS for new customers

Stripe Link
3D Secure if :is_stripe_link_payment: = true
   and :is_first_charge_for_customer: = true

Why it works: Stripe Link's saved-credentials flow bypasses CVC/AVS validation, which is one of the silent fraud vectors many merchants miss. For first-charge customers, forcing 3DS on Link transactions restores authentication. Existing customers with usage history are exempt.

FP risk: low | Review: 7 days | Pattern: Stripe Link bypass

Review Stripe Link in high-risk geographies

Stripe Link
Review if :is_stripe_link_payment: = true
   and :ip_country: in (your high-risk country list)

Why it works: Stripe Link's frictionless flow concentrates fraud in geographies where Link-saved cards have lower likelihood of having been validated by the user recently. Reviewing — not blocking — preserves conversion while flagging the cohort for analysis.

FP risk: medium | Review-by-default | Pattern: geo-targeted Link fraud

Block customers with prior chargebacks

Refund / dispute
Block if :customer_disputed_charges_count: > 0

Why it works: A customer who has disputed even one prior charge on your business has materially elevated probability of disputing again. Blocking new charges from these customers is the most direct prevention. Combine with manual refund workflow for legitimate edge cases.

FP risk: low | Review: 7 days | Pattern: repeat disputers

Review high-amount one-time purchases

Refund / dispute
Review if :amount: > 10000
   and :is_subscription: = false
   and :risk_score: > 40

Why it works: One-time $100+ purchases combined with moderate risk score (above 40, well below default 65 block) are exactly the dollar-value-disputable transactions that produce "unrecognized charge" friendly fraud. Manual review catches edge cases without blocking the legitimate majority.

FP risk: medium | Review-by-default | Pattern: high-value friendly fraud

Rules expressed in pseudo-Radar syntax. Stripe's rule attribute names vary slightly across Radar versions and may evolve over time. The exact attribute identifier strings in Stripe Dashboard → Radar → Rules editor will be the authoritative format — verify before pasting. The logic and combinations above are what matter; the attribute strings should match what your dashboard offers.
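The promotion check from "How to use this library", as an added example (not code from this page or from Stripe): it replays three of the rules above over a reviewer-labelled export and promotes a rule only when its review window has elapsed and 80%+ of its matches were fraud. The column names, the `verdict` label and the sample rows are assumptions.

```python
PROMOTE_PRECISION = 0.80  # page's bar: 80%+ of matches clearly fraud
# Stand-ins for three rules on this page: (review window in days, predicate).
# Row keys are assumed export column names, not Stripe attribute identifiers.
RULES = {
    "risk_bin_ip_mismatch": (7, lambda c: c["risk_score"] > 65
                             and c["card_country"] != c["ip_country"]),
    "bundle_risk": (14, lambda c: c["risk_score"] > 55 and c["amount"] > 5000
                    and not c["is_subscription"]),
    "prior_disputes": (7, lambda c: c["prior_disputes"] > 0),
}

FIELDS = ("day", "risk_score", "card_country", "ip_country", "amount",
          "is_subscription", "prior_disputes", "verdict")
# Constructed sample: charges seen in Review mode, verdict set by a human reviewer.
ROWS = [
    (1, 82, "US", "BR", 1500, True, 0, "fraud"),
    (2, 71, "GB", "VN", 900, True, 0, "fraud"),
    (3, 68, "US", "US", 7500, False, 0, "fraud"),
    (4, 90, "DE", "RU", 2500, True, 0, "fraud"),
    (5, 66, "CA", "US", 1200, True, 0, "legit"),
    (6, 77, "FR", "ID", 9900, False, 0, "fraud"),
    (7, 58, "US", "US", 6000, False, 0, "legit"),
    (8, 20, "US", "US", 999, True, 1, "legit"),
    (9, 35, "US", "US", 999, True, 2, "fraud"),
]
CHARGES = [dict(zip(FIELDS, row)) for row in ROWS]


def backtest(charges, rules=RULES):
    """Return {rule: (matches, precision, decision)} for a labelled Review export."""
    days = [c["day"] for c in charges]
    observed = max(days) - min(days) + 1 if days else 0
    report = {}
    for name, (window, predicate) in rules.items():
        hits = [c for c in charges if predicate(c)]
        fraud = sum(c["verdict"] == "fraud" for c in hits)
        precision = fraud / len(hits) if hits else 0.0
        if observed < window:
            decision = "keep in Review: window too short"
        elif hits and precision >= PROMOTE_PRECISION:
            decision = "promote to Block"
        else:
            decision = "keep in Review: precision below bar"
        report[name] = (len(hits), round(precision, 2), decision)
    return report


if __name__ == "__main__":
    print(backtest(CHARGES))
```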

Recommended deployment order

  1. Velocity rules first (lowest FP risk, immediate impact on card testing).
  2. BIN-IP mismatch + risk score combination next (catches stolen-card abuse).
  3. 3DS gating on geo and disposable email (reduces FP via authentication, not block).
  4. Stripe Link guardrails (silent gap most subscription apps miss).
  5. Refund/dispute repeat-customer blocks (last; depends on having dispute history).
