Fraud Prevention Fresh
Stripe Radar uses machine learning to evaluate every payment for fraud risk. Supplement with custom rules and lists.
Section overview
| Page | Description |
|---|---|
| Radar Rules | Built-in and custom rules to block, allow, review, or request 3DS |
| Radar Lists | Custom lists of cards, emails, IPs, and customer IDs for use in rules |
How Radar works
Every payment is automatically screened by Radar's AI models before it reaches the card issuer. Radar assigns a risk level:
| Risk level | Default action |
|---|---|
normal | Allow |
elevated | Review (Radar for Fraud Teams) |
highest | Block |
Types of fraud
| Type | Description |
|---|---|
| Card testing | Fraudster uses stolen card numbers to test which are valid by making small purchases |
| Identity theft / stolen cards | Fraudster uses someone else's card details for purchases |
| Friendly fraud | Customer disputes a legitimate purchase (first-party fraud) |
| Account takeover | Fraudster gains access to a customer account and makes purchases |
| Triangulation fraud | Fraudster collects payments then fulfills orders with stolen cards |
Common fraud indicators
- Card and IP address in different countries
- Disposable email addresses
- High-value orders with new accounts
- Many failed payment attempts in short time
- Multiple cards attached to same customer
- Prepaid cards on high-value orders
Radar tiers
| Tier | Included with | Features |
|---|---|---|
| Radar (default) | All Stripe accounts, free | AI risk scoring, built-in block/review rules, CVC/AVS checks |
| Radar for Fraud Teams | Paid add-on | Custom rules, custom lists, manual review queue, advanced metrics |
| Radar for Platforms | Connect platforms | Account-level risk scoring, payout pause rules, Radar for Platforms insights |
3D Secure (3DS)
3DS adds an authentication step before checkout. If 3DS authenticates a payment, fraud liability typically shifts from you to the card issuer.
Stripe automatically triggers 3DS when required by regulation (PSD2 / SCA in Europe). You can also request 3DS via Radar rules.
Card verification checks
| Check | What it verifies |
|---|---|
| CVC | The 3-4 digit code on the back of the card |
| AVS (postal code) | Billing postal code matches issuer's record |
A card issuer may approve a payment even when CVC or AVS fails. Enable Radar built-in rules to block those payments.
Note: CVC/AVS failures don't block payments from wallets (Apple Pay, Google Pay) or cards where the issuer doesn't support verification.
Best practices
- Enable CVC and postal code verification rules in Radar
- Require 3DS for elevated-risk payments
- Use custom lists to track known fraudulent cards and emails
- Monitor the review queue and convert review rules to block rules when patterns are confirmed
- Refund and report fraudulent payments — Stripe adds those card fingerprints and emails to your block lists automatically
- Check for card testing: a spike in small-amount declines is the primary signal