

Rules Engine - AKA Decision Engine, Decisioning Software, Management Software, Order Management

You can use a rules engine to help you prevent fraud. The rules engine gives you the ability to perform pre- and post-authorization tests and rules, so you can have logic on how and when you want to call for an authorization and you can have rules to handle the return results from authorization.

Merchants have been applying rules to their order flow for years. The concept of a rules engine does not derive from the growth of fraud; merchants have always had to build rules to process orders. For example, merchants need rules to add tax based on the consumer’s location and to add shipping based on their preference. With fraud, merchants have reacted to losses by having their IT Departments add rules to their order management system to weed out orders they may not want to take or to separate orders that they may want to manually review (e.g., all orders over a certain dollar amount).

The intent of the rules engine is to provide the business owner with a way to add new rules to their order process to look for fraud. Good rules engines allow technical novices to apply their fraud expertise to add very complex rules that can automate the review of orders without manual intervention.

Good rules engines also provide a mechanism to make changes to the order flow more quickly if you are getting burned by fraud. This is crucial to minimizing the impact of a fraud ring. Think about it: if your company were being hit by a fraud ring, you could see the characteristics to look for, and you were in the peak holiday season, how long would it take to get your IT Department to implement a new rule to prevent these orders from processing? Could they even do it without bringing down the business for a time period? In reality I have seen that this can take as long as a month to implement a new rule without a rules engine in place.

Rules Engines also:

  • Put the control of the fraud-prevention process back into the hands of the fraud-prevention owner.

  • Allow you to more quickly react to new fraud schemes, by applying new rules in real time.

  • Allow you to automate the separation of orders more quickly and efficiently, reducing the number of orders to manually review.

  • Give you better insight to the processes that are in place.

  • Have a high cost to get started.

  • Require someone to manage the fraud business processes.

  • Add additional software and hardware burdens to ongoing costs.

Alternative Solutions - Fraud Scoring

Building this In-House - N/A

Estimated Cost - Moderate, you will typically pay for a software purchase. There are a couple of providers that offer all of these services on a hosted and managed basis.

Sample Vendors - Kount, CyberSource, Accertify, FICO Falcon, Subuno, FIS, LexisNexis, ACI Worldwide


The rules engine is a middleware application that allows the creation and prioritization of rules to be used in managing fraud. These engines allow merchants to create rules that will be evaluated on orders as they come in. The rules engine can have many different names, such as “decisioning software,” “management software” or “order management.” Most payment, CRM, and order management systems will have some of the capabilities to build and apply rules.

Key considerations when implementing or buying this functionality include:

  • How does the solution integrate into your current business flow?

  • Do you have to have a technical background to operate the solution?

  • Could anyone looking at your business process in the rules engine understand it? Or do you have to learn how to interpret it?

  • How fast can you add or change a rule?

  • Does the engine manage only a list of rules or does it allow you to set up a business process flow?

  • Does the solution integrate other fraud-prevention techniques such as geolocation, velocity and/or hot lists?

  • What type of graphical user interface does the solution come with?

  • Do you just get back a pass, fail or review, or do you get the results of all of the tests?


The rule engine concept is pretty simple to understand. You write some rules and the engine will run those rules against an order when it is submitted. But in actuality there are a couple of ways this can be done, and you need to make sure you understand that the solution you are looking at is going to do what you really want it to do.

Type 1 - The rules engine allows you to add rules into a list of checks and then when an order is processed against the engine, it will evaluate the rules one at a time. The first rule to fail, fails the entire transaction. No other rules beyond the first failed rule will be run. This type typically will not allow for very complicated comparisons.

This type of rules engine is simple to set up and maintain and produces a pass or fail type of answer. One of the major shortfalls of this solution is that not all of the rules are run, so if you try to look at a failed order you will only see the first rule that failed, making it more difficult to determine which orders you should spend more time trying to convert. With this type it is also hard to interpret what is actually being checked. So if you have high turnover of staff this solution can be a little more difficult to understand for staff coming in.

Type 2 - The rules engine allows you to add rules into a list of checks and apply weights to each of the rules to allow for some rules to be treated as more risky than others. When an order is processed against this type of rules engine all of the rules are run and weights are applied to each. The rules engine then creates a score that will determine the outcome of the order. This type can support pass, fail or review outcomes. With this type it is hardest to interpret what is actually being checked, so if you have high turnover of staff this solution can be a little more difficult to understand for staff coming in.

This type of rules engine is a little more complex to set up. You will have to understand how to weigh certain conditions in order to get the effective results from the solution. It will require more intensive management.

Type 3 - The rules engine allows you to add rules into a business flow, indicating which outcomes or rules need to be run based on the outcome of any one particular rule. When an order is processed through this solution the number of rules actually run against the order could be different for every order processed, because the number of rules run is based on the outcomes of each rule and the order’s data points. This type can produce a pass, fail or review response.

This type of rules engine is a little more complex to set up but offers a much easier way to view and describe the business flow. This type offers the greatest flexibility for adding or changing the rule logic, by allowing you to blend the rules for fraud prevention with the business processes you use to make a decision on an order.
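To make the difference between Types 1, 2 and 3 concrete, the sketch below runs the same three rules over one order in each style. It is an added example, not code from any vendor named on this page; the rule names, weights, thresholds, flow and sample orders are all constructed assumptions.

```python
# Added illustration: rules, weights, thresholds and orders are constructed.
RULES = {  # name -> (weight, predicate that is True when the order looks risky)
    "high_amount":      (40, lambda o: o["amount"] > 500),
    "ship_bill_differ": (30, lambda o: o["ship_country"] != o["bill_country"]),
    "velocity":         (50, lambda o: o["orders_last_hour"] >= 3),
}

def type1_first_fail(order):
    """Type 1: evaluate in list order and stop at the first rule that fires."""
    for name, (_, risky) in RULES.items():
        if risky(order):
            return "fail", [name]          # later rules are never run
    return "pass", []

def type2_weighted(order, review_at=40, fail_at=80):
    """Type 2: run every rule, sum the weights of those that fire, threshold."""
    fired = [name for name, (_, risky) in RULES.items() if risky(order)]
    score = sum(RULES[name][0] for name in fired)
    if score >= fail_at:
        return "fail", fired, score
    return ("review" if score >= review_at else "pass"), fired, score

FLOW = {  # rule -> (next step if it fires, next step if it does not)
    "velocity":         ("fail", "high_amount"),
    "high_amount":      ("ship_bill_differ", "pass"),
    "ship_bill_differ": ("review", "pass"),
}

def type3_flow(order, step="velocity"):
    """Type 3: each rule's outcome picks the next rule, so paths differ per order."""
    path = []
    while step in FLOW:
        path.append(step)
        on_fire, on_clear = FLOW[step]
        step = on_fire if RULES[step][1](order) else on_clear
    return step, path                       # step is now pass, fail or review

# Constructed sample orders
BIG = {"amount": 900, "ship_country": "CA", "bill_country": "US", "orders_last_hour": 1}
SMALL = {"amount": 50, "ship_country": "US", "bill_country": "US", "orders_last_hour": 0}

if __name__ == "__main__":
    for order in (BIG, SMALL):
        print(type1_first_fail(order), type2_weighted(order), type3_flow(order))
```

For the larger order, Type 1 reports only the first rule that fired, Type 2 reports both fired rules with a score that lands in review, and Type 3 shows the path of rules it actually walked.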

Type 4 - The rules engine is designed to be an all-encompassing engine that provides a merchant with the ability to set up and manage all of the fraud-prevention tools under one application. This gives the merchant the capability to write and edit rules and integrate new prevention tools more rapidly and effectively. With this type of rules engine, you can alter your risk-prevention capabilities on the back-end without having to touch the code in your front-end systems each time you need to make a change.

The rules engine evaluates orders using a previously deployed strategy. This part of the rules engine provides a way to encompass other business processes and fraud techniques into the solution, such as payment processing, fraud scoring, geolocation, credit checks and age verification.

Inside the rules engine you will have the ability to set up business strategies that represent your risk management decisions and consist of workflows and rules. The workflows represent a collection of rules and a rule compares data points of a transaction to a set of conditions, or it can compare data points to other data points. Think of them as IF/THEN statements that you are writing and that express what elements you look at for predicting risk.


Rules engines are great at automating the fraud-prevention business process. Make sure you take this into account when you are deciding the outcomes you want from the solution. Try to maximize the number of orders going into the accept and reject buckets while minimizing the number of orders you want to review.

Make sure your calling applications don’t contain any rules or logic. If you set them up to look only for the pass, fail or review, you free yourself up to add and manipulate rules in the rules engine and not in your production system.