Skip to content

Fraud Prevention Fresh

Stripe Radar uses machine learning to evaluate every payment for fraud risk. Supplement with custom rules and lists.

Section overview

PageDescription
Radar RulesBuilt-in and custom rules to block, allow, review, or request 3DS
Radar ListsCustom lists of cards, emails, IPs, and customer IDs for use in rules

How Radar works

Every payment is automatically screened by Radar's AI models before it reaches the card issuer. Radar assigns a risk level:

Risk levelDefault action
normalAllow
elevatedReview (Radar for Fraud Teams)
highestBlock

Types of fraud

TypeDescription
Card testingFraudster uses stolen card numbers to test which are valid by making small purchases
Identity theft / stolen cardsFraudster uses someone else's card details for purchases
Friendly fraudCustomer disputes a legitimate purchase (first-party fraud)
Account takeoverFraudster gains access to a customer account and makes purchases
Triangulation fraudFraudster collects payments then fulfills orders with stolen cards

Common fraud indicators

  • Card and IP address in different countries
  • Disposable email addresses
  • High-value orders with new accounts
  • Many failed payment attempts in short time
  • Multiple cards attached to same customer
  • Prepaid cards on high-value orders

Radar tiers

TierIncluded withFeatures
Radar (default)All Stripe accounts, freeAI risk scoring, built-in block/review rules, CVC/AVS checks
Radar for Fraud TeamsPaid add-onCustom rules, custom lists, manual review queue, advanced metrics
Radar for PlatformsConnect platformsAccount-level risk scoring, payout pause rules, Radar for Platforms insights

3D Secure (3DS)

3DS adds an authentication step before checkout. If 3DS authenticates a payment, fraud liability typically shifts from you to the card issuer.

Stripe automatically triggers 3DS when required by regulation (PSD2 / SCA in Europe). You can also request 3DS via Radar rules.

Card verification checks

CheckWhat it verifies
CVCThe 3-4 digit code on the back of the card
AVS (postal code)Billing postal code matches issuer's record

A card issuer may approve a payment even when CVC or AVS fails. Enable Radar built-in rules to block those payments.

Note: CVC/AVS failures don't block payments from wallets (Apple Pay, Google Pay) or cards where the issuer doesn't support verification.

Best practices

  • Enable CVC and postal code verification rules in Radar
  • Require 3DS for elevated-risk payments
  • Use custom lists to track known fraudulent cards and emails
  • Monitor the review queue and convert review rules to block rules when patterns are confirmed
  • Refund and report fraudulent payments — Stripe adds those card fingerprints and emails to your block lists automatically
  • Check for card testing: a spike in small-amount declines is the primary signal

Stripe API Reference - Self-contained docs reference, refreshed 2026-05-18