Internal Rules, sometimes called heuristics, are simple logic statements that test whether a condition is present in an order and attempt to catch potentially risky orders.

In writing rules you must remember that it is only natural to tend to write them to catch risky behavior. If you only write rules based on previous fraud attempts, you will find that your risk solution and catch rules are reactive in nature, forcing you to put in fixes and updates regularly. Be proactive in building rules: look at and profile good orders, and base rules on that behavior so that these orders flow freely.

Other things to know about rules:

Rules form the basis for heuristics and catching negative characteristics of orders.

With a well thought out strategy, rules can offer the lowest cost solution to keep fraud losses in check.

Most manual checks can be implemented as rules.

Within the rules discussion I have not covered building rules based on other fraud technique tools such as card security codes, AVS, hot lists or velocities, as these rules and techniques are discussed in their own sections.


Alternative Solutions - Use of a third-party service to build a custom set of rules for a merchant.

Building this In-House - Building an in-house rules engine is very easy to do, and most merchants have implemented some form of rule engine already. It is recommended that, unless a merchant has a fairly sophisticated technical group, they use a commercially available rules engine to implement rules. This ensures that they can easily see what rules have been put into place, and it allows them to ensure that the solution is being maintained by someone other than their internal resources.

Estimated Cost - Implementing rules in-house is very inexpensive to do. You can have an internal resource directly code the rules in, or you can hire a third party to input the rules. Merchants can purchase commercially available decisioning software that will allow them to build rule logic.

Sample Vendors - Kount, CyberSource, Accertify, FICO Falcon, Subuno, FIS, LexisNexis, ACI Worldwide


Internal rules are built into e-commerce engines, payment processing systems or order management systems to attempt to catch potentially risky orders. Sometimes called “heuristics,” these are simple logic statements that look to see if a condition is present.

They usually take the form of pass/fail, true/false or yes/no type of questions, and are normally used to find risky or “negative” conditions. It doesn’t have to be that way, but that is the typical application approach.

Key considerations when implementing or buying this functionality include:

  • Implementing rules requires a merchant to keep a good overview of the intended overall strategy. This will ensure they don’t create more work for themselves by creating rules that cause them to review more orders than they really need to.

  • Rules should be based on quantitative data, so make sure that you can prove that the majority of the transactions the rule will weed out really are fraudulent.

  • Make sure only one entity is responsible for adding, changing or deleting rules, to ensure multiple parties in a business are not canceling each other’s rules out.

  • Make sure checks are done consistently.

  • A lot of e-commerce engines have some built-in ability to add rules, such as the “pipeline” object in the Microsoft e-commerce platform.


Rules look for abnormalities or indications of risk in the transaction/account setup details. Here are examples of commonly used rules:

Dollar Amount – Reject or review all orders over an order amount of $X. This is a dangerous rule, as most fraud rings will work a merchant's site to determine what this threshold is and will submit orders just below that. The merchant moves their threshold, and then the fraudsters move theirs. To be effective this rule cannot be under the average order amount for the business or within 15% of the average. The amount rule should be coupled with other rules such as shipping type, product type, quantity or region.

Shipping Type – Looks at the order to see if overnight or express shipping has been requested. By itself this does not indicate fraud, but in conjunction with other rules it can indicate higher risk.

Product Type Rule – Set up a list of SKUs, product names or codes that are for high risk items, things routinely stolen or have a high incidence of theft.

Quantity Rule – Set up a rule to catch orders in which unusual numbers of items are being ordered, for example more than one laptop or more than two CDs of the same title.

Regional Rule – Set up a rule to catch orders that are from a high-risk region of the country (e.g., NY, FL, CA or down to the city level).

International Rule – Set up a rule to catch all orders that are not from a desired country by looking at shipping, billing address, card BIN or geolocation check.

Different Billing & Shipping Addresses – Set up a rule to catch all orders in which the billing and shipping address are different.

Profanity Rule – Set up a rule to review all text input fields, especially name, address, and e-mail to check for profanity (e.g., “damn,” “bitch,” “bastard” and “ass”). These are not typically found in real names or addresses and indicate high risk.

No Vowels Rule – Set up a rule that looks at addresses, e-mail addresses and names to check for gibberish: values containing none of the characters “a, e, i, o, u, y.” It is very rare for this to occur in real data. Merchants can also vary this rule to check for more than six consecutive consonants with no vowel.

Famous Names Rule – Early online fraud used famous names or common names to perpetrate a crime. Create a list to check against, such as John Wayne, Marilyn Monroe, John Doe and Jane Doe. This is not a dead indicator of fraud, but I would check twice if Mickey Mouse was ordering ten CDs.

Card Security Number Rule – If a merchant is taking in the card security number, they can perform a quick test on the numbers the consumer provides to look for suspicious patterns. This check is very important if a merchant is collecting the card security number and isn’t actually verifying it with the issuer. Look for “000,” “001,” “123” and “111”; these are all highly suspicious values for the card security number. If a merchant has the ability to do velocity-of-change checking on additional data fields, perform a velocity-of-change check on the card security number as well.

Home-Built Area Code Rule – Using your phone book, build a list of all area codes by state and set up a rule to check the area code given with the phone number to the state of billing and/or shipping address. If they don’t match, review or reject the order.

Private Mailboxes – In the past, crooks have used mail drop locations such as Mail Boxes Etc. as delivery points for goods ordered fraudulently by telephone or over the Internet.
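Several of the rules above (No Vowels and its consonant-run variant, Famous Names, Card Security Number patterns and the Home-Built Area Code check) written out as a small rule set over a constructed order. This is an added example, not code from the original page; the order, name list and area-code table are placeholders, and a real area-code table would cover every code.

```python
import re

# Constructed sample order, not real customer data.
SAMPLE_ORDER = {
    "name": "Mickey Mouse",
    "email": "xkqzrtw@example.com",
    "billing_state": "NY",
    "phone": "(415) 555-0100",
    "csc": "123",
}

FAMOUS_NAMES = {"john wayne", "marilyn monroe", "john doe", "jane doe", "mickey mouse"}
SUSPICIOUS_CSC = {"000", "001", "123", "111"}
# Placeholder area-code table (assumed); a real one lists every area code.
AREA_CODES = {"212": "NY", "718": "NY", "415": "CA", "305": "FL"}
VOWELS = set("aeiouy")
CONSONANTS = "[b-df-hj-np-tv-xz]"  # letters other than a e i o u y

def no_vowels(text):
    """No Vowels Rule: the field has letters but none of a e i o u y."""
    letters = [c for c in text.lower() if c.isalpha()]
    return bool(letters) and not any(c in VOWELS for c in letters)

def long_consonant_run(text, limit=6):
    """Variant of the rule: more than `limit` consonants in a row."""
    return re.search(CONSONANTS + "{%d,}" % (limit + 1), text.lower()) is not None

def area_code_mismatch(phone, state):
    """Area Code Rule: the phone's area code maps to a state other than billing."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # drop the country code
    expected = AREA_CODES.get(digits[:3])
    return expected is not None and expected != state

def evaluate(order):
    """Return the names of the rules that fire, in list order."""
    local = order["email"].split("@")[0]  # mailbox part of the e-mail address
    checks = [
        ("no_vowels", no_vowels(order["name"]) or no_vowels(local)),
        ("long_consonant_run", long_consonant_run(order["name"]) or long_consonant_run(local)),
        ("famous_name", order["name"].strip().lower() in FAMOUS_NAMES),
        ("suspicious_csc", order["csc"] in SUSPICIOUS_CSC),
        ("area_code_mismatch", area_code_mismatch(order["phone"], order["billing_state"])),
    ]
    return [name for name, fired in checks if fired]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ORDER))
```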


There are three accepted methods of utilizing rules within a strategy:

1) Rule list – Merchants implement their rules as a set of checks with each one indicating fail or review. If any one condition comes up true, the list is stopped and the result is returned as review or fail. Typically all fail conditions are put at the top of the list with review conditions put afterwards. On the plus side, this is the easiest method to implement. On the negative side, merchants only get one return value so they don’t know if multiple conditions failed or required review.

2) Weighted List – Merchants implement a set of rules, with each rule having a weighted score for true or false. A score range is established and within the range sub-ranges are set for pass, fail and review. On the plus side, they can mix positive and negative factors and get quite sophisticated with scoring. On the negative side, this requires a lot of research and maintenance to ensure it doesn’t hurt sales. It typically has a longer learning curve.

3) Decision Tree – Merchants implement a set of rules that follow a path based on each preceding rule. For example, if condition A is true then do this, if not then do that.
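The three methods applied to the same constructed orders, as an added example that is not part of the original page. The rules, their actions, weights, score bands and the $1,000 threshold are all assumed values chosen to show how the methods can disagree on one order: the rule list returns only its first hit, the weighted list lets a positive factor (repeat customer) offset the negatives, and the tree asks different questions depending on earlier answers.

```python
# Constructed sample orders, not real customer data.
RISKY = {"amount": 1450.0, "country": "US", "shipping": "overnight",
         "ship_addr": "9 Elm St", "bill_addr": "12 Main St", "repeat_customer": False}
TRUSTED = {"amount": 1450.0, "country": "US", "shipping": "ground",
           "ship_addr": "12 Main St", "bill_addr": "12 Main St", "repeat_customer": True}

EXPRESS = ("overnight", "express")
THRESHOLD = 1000.0  # assumed; must sit well above the average order amount

# (name, predicate, action for the rule list, weight for the weighted list).
# Fails are listed before reviews, as the rule-list method expects.
RULES = [
    ("international", lambda o: o["country"] != "US", "fail", 60),
    ("over_threshold", lambda o: o["amount"] > THRESHOLD, "review", 30),
    ("addr_mismatch", lambda o: o["ship_addr"] != o["bill_addr"], "review", 25),
    ("express_shipping", lambda o: o["shipping"] in EXPRESS, "review", 15),
    ("repeat_customer", lambda o: o["repeat_customer"], None, -40),  # positive factor
]

def rule_list(order):
    """Method 1: the first true rule decides; only one value comes back."""
    for name, pred, action, _ in RULES:
        if action and pred(order):
            return action, name
    return "pass", None

def weighted_list(order):
    """Method 2: sum the weights of every true rule, then band the score."""
    score = sum(w for _, pred, _, w in RULES if pred(order))
    if score >= 60:
        return "fail", score
    if score >= 30:
        return "review", score
    return "pass", score

def decision_tree(order):
    """Method 3: each answer picks the next question to ask."""
    if order["country"] != "US":
        return "fail"
    if order["amount"] > THRESHOLD:
        if order["ship_addr"] != order["bill_addr"]:
            return "fail" if order["shipping"] in EXPRESS else "review"
        return "pass" if order["repeat_customer"] else "review"
    if order["shipping"] in EXPRESS and order["ship_addr"] != order["bill_addr"]:
        return "review"
    return "pass"

if __name__ == "__main__":
    for label, order in (("risky", RISKY), ("trusted", TRUSTED)):
        print(label, rule_list(order), weighted_list(order), decision_tree(order))
```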
