We often think of payment fraud as an isolated, opportunistic crime. Of one fraudster operating alone: stealing cards, then using them to make illegitimate purchases.
This does happen, of course – but it’s the exception, rather than the rule. Because fraudsters rarely operate in single, isolated acts, or alone – they’re big, expansive operations that, more than anything, rely on speed. On testing stolen debit and credit cards fast, then quickly pilfering as much money from them as possible before the owner finds out.
To do this, they may target your ecommerce website: making illegitimate purchases that, when discovered, you foot the bill for – and which detract from your bottom line and brand.
Now you've learned how to accept payments online, how can you protect profitability and clamp down on bad actors?
With velocity checks, that’s how. Velocity checks use fraudsters’ greatest weapon – speed – against them by looking at the rate of transactions a user is attempting to make in a given time period. Below, we’ll explain how velocity checks and risk rules work, and – more importantly – how merchants can use them to prevent multiple types of online payment fraud.
What are velocity checks?
Velocity checks are a fraud prevention strategy designed to reduce the amount of fraud and chargebacks your business faces – and the associated financial and reputational impacts they come with.
As the name suggests, velocity checks examine the rate at which a buyer attempts to make multiple transactions through your ecommerce website.
But wait – why is that important? Multiple transactions mean more sales, and more revenue…isn’t that a good thing?
Not always. Let us explain.
Generally, the people who steal credit card information – usually hackers – aren’t the same people attempting to use it. The fraudsters attempting to use that stolen data to make illegitimate purchases have often bought it off the Dark Web. But they have a problem – they don’t know how much of that unauthorized credit card information is valid.
To find out, they engage in card testing fraud: making small-value purchases and observing whether or not they go through:
- If they don’t, the fraudster knows the card details are invalid (that the card has perhaps been canceled, or reported lost or stolen).
- If they do, the fraudster can make more, higher-value purchases on that card before its owner notices the unauthorized transactions.
Once the cardholder wises up to the illegitimate activity, they’ll contact their bank, which will result in a chargeback. When this is (rightly) upheld by the issuing bank, you – as the merchant – will be slapped with a chargeback fee on top of the goods or services you’ve already delivered to the fraudster.
This is what makes velocity checks so important – so how do they work?
How do velocity checks work?
Velocity checks work by looking at the rate at which a buyer is attempting to make multiple transactions through your site – and raising the alarm if foul play is suspected.
The most important element, here? Time. Two or three failed transactions from one customer over the course of a day, or a week, isn’t necessarily cause for concern. They may have forgotten their card details, inputted the wrong CVV, or accidentally used an expired card.
Five transactions over the course of 20 minutes, however, should set the alarm bells ringing – and this is exactly what velocity checks look at. Velocity checks are available through fraud detection solutions – like Checkout.com’s Fraud Detection product – and here’s how they work:
- Identifying relevant data points: here, a machine learning fraud detection tool is employed to comb through your business’s historical transaction data. By examining both legitimate and illegitimate transactions, the AI (Artificial Intelligence)-powered model can learn which behaviors and patterns suggest fraudulent activity.
- Creating a velocity rule: these take into account the findings from the first step here – combining timeframes and data points to make conditional statements, such as “if X happens within Y time, do Z”. (Read more about velocity rules in the next section.)
- Applying the velocity rule: the fraud prevention platform your payment service provider (like Checkout.com) provides will apply the formulated velocity rule constantly – monitoring and evaluating the behavior of any user attempting to make a purchase through your website.
- Taking appropriate action: when the conditions of a velocity check (the ‘X’ and ‘Y’ in our simplistic example above) are satisfied, a pre-set action (‘Z’) is triggered. This could be asking the user to re-enter their password, assigning them a higher risk score, or blocking them from completing or continuing with their transaction.
- Optimizing, iterating, and improving: velocity rules can be tweaked, added to, or removed according to the unique needs of your online business.
Of course, seasoned credit card testing fraudsters have a few tricks up their sleeves to get around velocity checks. One strategy might be to create multiple fake accounts, and test different cards from each so it doesn’t look like they’re all coming from the same user.
Fortunately, there’s another type of velocity check that doesn’t look at the user, or their credit or debit card information, alone – but their IP address (a unique digital identifier assigned to every internet-connected device). This enables velocity checks to take a user’s device and location into consideration – and enables a more comprehensive fraud detection approach.
To recap, there are two types of velocity check:
- Credit card velocity checks examine cardholder information over a specific time period.
- IP address velocity checks examine the number of attempts a user has made from a specific IP address over a specific time period.
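The “if X happens within Y time, do Z” rule and the two check types above, as an added Python sketch (not Checkout.com's implementation or API): a sliding window per card hash, plus a distinct-cards-per-IP count for the multiple-fake-accounts case. The rule fields, the three-cards threshold, the actions and the sample events are assumptions constructed for illustration; only the five-attempts-in-20-minutes figure comes from the text.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    key: str                 # attribute attempts are grouped by ("card_hash" or "ip")
    distinct: Optional[str]  # count distinct values of this field; None counts attempts
    window_s: int            # "within Y time", in seconds
    threshold: int           # "if X happens": fires when the count reaches this value
    action: str              # "do Z"

# Assumed thresholds, except 5 attempts in 20 minutes, which is the article's figure.
RULES = [
    Rule("card_hash", None, 20 * 60, 5, "block"),        # credit card velocity
    Rule("ip", "card_hash", 20 * 60, 3, "challenge"),    # many cards from one IP
]

class VelocityChecker:
    def __init__(self, rules):
        self.rules = rules
        self.windows = defaultdict(deque)  # (rule, key value) -> (ts, counted value)

    def check(self, event):
        """Record one payment attempt and return the actions it triggers."""
        actions = []
        for rule in self.rules:
            window = self.windows[(rule, event[rule.key])]
            window.append((event["ts"], event[rule.distinct] if rule.distinct else None))
            # Drop attempts that have aged out of the sliding window.
            while window[0][0] <= event["ts"] - rule.window_s:
                window.popleft()
            seen = len({v for _, v in window}) if rule.distinct else len(window)
            if seen >= rule.threshold:
                actions.append(rule.action)
        return actions

def attempt(ts, card_hash, ip):
    return {"ts": ts, "card_hash": card_hash, "ip": ip}

# Constructed sample data: ts is seconds from start, IPs are documentation ranges.
LEGIT = [attempt(0, "card_L", "198.51.100.20"), attempt(6 * 3600, "card_L", "198.51.100.20")]
TESTER = [attempt(100 + 60 * i, f"card_{i}", "203.0.113.7") for i in range(3)]
REPEAT = [attempt(200 * i, "card_R", f"192.0.2.{i + 1}") for i in range(5)]

def replay(events):
    checker = VelocityChecker(RULES)
    return [checker.check(e) for e in sorted(events, key=lambda e: e["ts"])]
```

`replay(TESTER)` returns a `challenge` on the third distinct card from one IP even though no single card repeats, while `replay(LEGIT)` (two attempts six hours apart) triggers nothing.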
What are velocity risk rules?
Risk rules are sets of conditions that, if met, indicate a potentially fraudulent transaction.
These ‘risks’ include unusual transaction types, amounts, currencies, or locations, as well as mismatching credit card details. Machine learning models – which spit out a score of between 0 (not at all risky) and 100 (extremely risky) per transaction – also feed into risk rules.
Velocity risk rules, then, allow you to automatically trigger actions based on the frequency of transactions (this could be daily, weekly, or monthly) with matching attributes (such as account holder name or IP address) over a specific period.
Some of the commonly used parameters velocity rules rely on include:
- Customer first and last name
- Customer mail address
- Customer IP address
- Customer geolocation
- Customer billing and shipping addresses
- Card hash
- Device name and language
- Browser and version
- Installed plugins
How do these parameters look in practice? Building on our basic example from above, velocity risk rules essentially say:
“If more than X instances of Y behavior occur while Z is active and A present – all within a timeframe from B to C, from D location – increase the user’s risk score by E.”
To read more about fraud detection’s various risk rules and categories, explore our comprehensive document designed to help you understand fraud prevention.
Why are velocity checks important?
Firstly, velocity checks are important because they prevent fraud.
They can stop your business from falling prey to illegitimate transactions, and the lengthy – and often unwinnable – credit card disputes they result in. This saves your business time and money, while allowing you to sidestep the damage to your brand’s public profile and reputation.
Secondly? Velocity checks are as customizable as your business needs them to be. Velocity risk rules allow you to choose the triggers and timeframes most relevant to your ecommerce website’s unique, specific online fraud prevention needs – then tailor them accordingly.
This allows you not only to detect the various types of online fraud prevalent in 2023 – such as card testing fraud, synthetic identity fraud, and account takeover fraud – but understand them, too. Ensuring your business isn’t relying on a reactive fraud prevention solution, but a proactive one – built on the most relevant knowledge, and the most sustainable foundations.
How can merchants use velocity checks for fraud detection?
You can use velocity checks to detect and prevent a wide range of fraud, including:
- Account takeover fraud: this is when a criminal gains access to a legitimate cardholder’s account and uses it to make purchases, withdraw funds, and alter information. When a certain velocity rule threshold is met, it will require the user to verify their identity – helping reduce the likelihood of a successful account takeover.
- Synthetic identity fraud: this is when a fraudster combines real and fake information to create a new ‘identity’ – then uses this to create scam accounts or make fraudulent purchases. By flagging suspicious accounts as high-risk, velocity checks can reduce the risk of synthetic identity fraud playing havoc with your business.
- Card testing fraud: as this type of fraud involves a fraudster making multiple logins to ‘test out’ stolen card information, velocity checks (which flag excessive or repetitive purchases from a single card or IP) are a particularly effective way of combating it.
How to use velocity checks to prevent fraud
Now you know what types of fraud velocity checks can help prevent, what strategies can you use to apply them? To customize velocity checks to your business’s most pressing needs, and harness them to solve real-world commercial challenges?
To get started, try:
- Tailoring and customizing risk rules: there are essentially infinite combinations you could envision to create velocity check rules and filters – so be sure to tailor your approach to the unique attributes and pain points of your industry. Consider which fraud checks are most valuable to your business and which fraud is most rife in your sector – then, customize your risk rules and triggers to fit.
- Setting the right limits: since velocity risk rules rely on thresholds set by you, it’s important to ensure you’re configuring them with the right limits. Too lax, and you risk letting fraudsters slip through the net; too tight, and you run the risk of endangering legitimate business through false positives. Machine learning can help you set the right limits by learning from your historical (genuine and fraudulent) transaction data.
- Taking advantage of advanced velocity rules: available with our more advanced fraud prevention solution, Fraud Detection Pro, advanced rules allow you to access a range of more in-depth features. These include the ability to check the total amount spent by a user in US dollars on a specific attribute over a pre-defined time period. If, for example, attempted payments on a single card exceed a certain amount of money, velocity risk rules will trigger – blocking the payment or seeking further verification.
For a deep dive into the role of data in tackling fraud, explore our guide to fraud analytics.
How Checkout.com helps with velocity checking
Velocity checks are a brilliant anti-fraud tool – but they aren’t perfect.
Relying on velocity checks alone – or too much – can lead to false positives. And rules that are too complicated could prevent legitimate users from completing purchases on your site. Conversely, as the US Payments Forum notes, velocity rules that are too simple can be reverse engineered by fraudsters – who’ll keep activity just below the alert threshold to stay incognito.
What’s more, velocity checks can only prevent fraud that occurs before an illegitimate transaction takes place – not, in the case of ‘friendly’ fraud, after it’s already happened.
That’s why velocity checks are best used not in isolation, but as one weapon in a potent, powerful fraud detection arsenal that works seamlessly, hand in hand, with your payment processing solution.
And that’s exactly what Checkout.com offers with Fraud Detection Pro.
We engineer velocity checks directly into our fraud prevention approach: using advanced machine learning and flexible risk rules to spot – and stop – fraud at the source.
Our fraud prevention toolkit is simple to set up and get started with (Fraud Detection Pro is built into Checkout.com, so no extra integrations are required). And – like velocity rules – you can customize your fraud setup to fit your precise needs.
That means the ability to set custom lists and machine learning rule thresholds: to direct transactions to different outcomes, and leverage AI to create automated ‘risk profiles’ of customers and transactions – before they have the chance to damage your business.
Get in touch with our team today to find out more about how Checkout.com can help you combat different types of fraud – and safeguard your business from scammers.