Skip to content

Radar Rules Fresh

Create automated rules to block, allow, review, or request 3D Secure on payments based on attributes.

Rule types

ActionDescription
BlockDecline the payment immediately
AllowOverride block/review rules — payment proceeds (use sparingly)
ReviewPayment processes, but is flagged for manual review
Request 3DSRequire 3D Secure authentication before charge

Evaluated in this order: Block → Allow → Review → Request 3DS.

Built-in AI rules

All Stripe accounts include:

RuleBehavior
if :risk_level: = 'highest'Block payment
if :risk_level: = 'elevated'Review payment (Radar for Fraud Teams)

Radar for Platforms also evaluates account-level risk:

  • if :account_risk_level: = 'highest' — block
  • if :account_risk_level: = 'elevated' — review

Built-in CVC and AVS rules

RuleWhen to enable
if CVC verification fails based on risk scoreBlock failed-CVC payments unless low risk
if Postal code verification fails based on risk scoreBlock failed-postal-code payments unless low risk

These don't block wallet payments (Apple Pay, Google Pay) or cards where the issuer doesn't support verification.

Rule syntax

{action} if {attribute} {operator} {value}
  • Attributes start with : (e.g., :card_country:)
  • Metadata uses double colons: ::product_sku:: or ::customer:trusted::
  • Reference lists with @list_name

Example:

Block if :card_country: != 'US' and :risk_level: = 'elevated'

Useful attributes

AttributeDescription
:risk_level:'normal', 'elevated', 'highest'
:amount_in_usd:Payment amount in USD
:card_country:2-letter country code of card issuer
:ip_country:2-letter country code of customer IP
:card_funding:'credit', 'debit', 'prepaid'
:is_new_card_on_customer:True if card is newly attached to this customer
:is_disposable_email:True if email is a throwaway address
:is_3d_secure:True if 3DS attempted and not failed
:is_3d_secure_authenticated:True if customer completed full 3DS authentication
:has_liability_shift:True if Stripe expects fraud liability to shift to issuer
:payment_method_type:'card', 'us_bank_account', 'sepa_debit', etc.
:is_off_session:True for recurring/off-session payments
:digital_wallet:'apple_pay', 'android_pay', 'link', etc.

3DS rule examples

Request 3DS for elevated-risk payments above $25

Request 3D Secure if :risk_level: != 'normal' and :amount_in_usd: > 25

Block elevated-risk payments that didn't complete 3DS

Request 3D Secure if :risk_level: != 'normal' and :amount_in_usd: > 25

Block if not :is_3d_secure:
  and :risk_level: != 'normal'
  and :amount_in_usd: > 25
  and not :is_off_session:
  and :digital_wallet: != 'apple_pay'
  and not (:digital_wallet: = 'android_pay' and :has_cryptogram:)

This accepts off-session payments and wallets (which don't go through 3DS) while blocking elevated-risk non-authenticated payments.

Request 3DS for all new cards

Request 3D Secure if is_missing(:seconds_since_card_first_seen:)

Or for newly attached cards on a customer:

Request 3D Secure if :is_new_card_on_customer:

Block based on custom list

Block if :card_country: in @high_risk_countries

Block rule best practices

  • Test rules against the last 6 months before activating
  • Aim for high fraudulent-to-legitimate ratio — minimizing false positives is critical
  • Never use overly broad rules like if :card_country: != 'US' alone — always combine with risk signals
  • If unsure, use a review rule first; convert to block after patterns are confirmed

Allow rule best practices

Allow rules override ALL other rules including Stripe's AI. Use extremely cautiously:

Allow if :ip_country: = 'GB' and :risk_level: != 'highest'

Always add and :risk_level: != 'highest' to any allow rule.

Review rule guidance

Review rules flag payments for your team without blocking them:

Review if :card_funding: = 'prepaid' and :is_disposable_email:

Keep review queues manageable:

  • If most reviewed payments turn out legitimate → narrow the rule or create an allow rule
  • If most reviewed payments are fraudulent → convert to a block rule

Rule limits

  • Maximum 200 transaction rules
  • Maximum 100 account rules (Radar for Platforms)

Creating rules in the Dashboard

Dashboard → Radar → Rules → + Add rule

Use Radar Assistant (built-in LLM) to describe your rule in plain English and have it constructed automatically.

After creating: test the rule against 6 months of historical payments to see impact before activating.

Account rules (Radar for Platforms)

Create rules that evaluate connected accounts rather than individual payments:

  • Review account — flag the account for manual review
  • Payout pause — raise a review AND pause automatic payouts

Rule attributes evaluate account-level signals: dispute rate, KYC status, geographic risk.

Monitoring rule performance

View metrics per rule in Dashboard → Radar → Rules:

  • Blocked payments count and volume
  • Estimated false positive rate
  • Estimated fraudulent payments prevented (for block rules)
  • Disputes from approved reviews (for review/allow rules)

Regularly review rules and remove any that no longer match payments or no longer improve outcomes.

Stripe API Reference - Self-contained docs reference, refreshed 2026-05-18