Rules
How to create custom fraud rules that trigger on specific conditions — rule logic, attributes, and how to test rules before publishing.
Overview
Rules define what Protect does when a transaction meets specific conditions. You can create custom rules to allow, block, or review transactions based on risk score, card origin, payment amount, IP address, billing email, and more.
Rules are evaluated in order — the lowest order number is checked first. The first rule that matches determines the outcome for that transaction.
Rule actions
| Action | What happens |
|---|---|
| Allow | Transaction proceeds without further review, even if other signals are elevated |
| Block | Transaction is automatically declined; no funds are captured |
| Review | Transaction is flagged and placed in the review queue for manual investigation |
Default rules
Two rules are active on all accounts by default:
review if risk_level: 'medium'
review if risk_level: 'high'
These cannot be deleted but can be reordered relative to your custom rules.
Rule conditions
| Condition | Description | Example |
|---|---|---|
| risk_score_gte | Risk score is greater than or equal to | block if risk_score_gte: 800 |
| risk_score_lte | Risk score is less than or equal to | allow if risk_score_lte: 399 |
| risk_level | Risk level is low, medium, or high | block if risk_level: 'high' |
| card_country_id | Card's country (2-letter ISO code) | block if card_country_id: ['NG'] |
| billing_country_id | Customer's billing country (2-letter ISO code) | review if billing_country_id: ['PH'] |
| payment_amount_gte | Payment amount is greater than or equal to (in currency units) | review if payment_amount_gte: 10000 |
| payment_amount_lte | Payment amount is less than or equal to (in currency units) | allow if payment_amount_lte: 100 |
| ip_address | Matches an exact IP address | block if ip_address: '123.45.67.89' |
| ip_address_cidr | Matches an IP address range in CIDR format | block if ip_address_cidr: '123.45.67.0/24' |
| billing_email | Matches an exact billing email address | block if billing_email: '[email protected]' |
Logical operators
Combine multiple conditions in a single rule using AND or OR:
- AND — all conditions must match
- OR — at least one condition must match
Examples:
# Block only when both conditions are true
block if risk_score_gte: 700 AND card_country_id: ['NG']
# Review if either country matches
review if card_country_id: ['NG'] OR billing_country_id: ['NG']
# Single condition — no operator needed
block if card_country_id: ['US']
Managing rules
- Create, edit, and reorder rules from the Rules section in the dashboard, or via the REST API
- Rules are evaluated in ascending order number — lower numbers are evaluated first
- Rules only apply to future transactions; existing processed payments are not affected
- Review your rules regularly and adjust them as your transaction patterns evolve
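The Python sketch below is an added example, not part of Protect or its API. It models the first-match evaluation and AND/OR logic described above so a rule set can be dry-run against a sample transaction before publishing. The transaction field names, the rejection of mixed AND/OR in one rule, and the sample data are assumptions of this example.

```python
import ast
import re
from ipaddress import ip_address, ip_network

# Condition names come from the table above; the transaction field names
# (risk_score, payment_amount, ...) are assumptions of this example.
CHECKS = {
    "risk_score_gte": lambda t, v: t["risk_score"] >= v,
    "risk_score_lte": lambda t, v: t["risk_score"] <= v,
    "risk_level": lambda t, v: t["risk_level"] == v,
    "card_country_id": lambda t, v: t["card_country_id"] in v,
    "billing_country_id": lambda t, v: t["billing_country_id"] in v,
    "payment_amount_gte": lambda t, v: t["payment_amount"] >= v,
    "payment_amount_lte": lambda t, v: t["payment_amount"] <= v,
    "ip_address": lambda t, v: t["ip_address"] == v,
    "ip_address_cidr": lambda t, v: ip_address(t["ip_address"]) in ip_network(v),
    "billing_email": lambda t, v: t["billing_email"] == v,
}

def parse(rule):
    """Split '<action> if <cond>: <value> [AND|OR ...]' into its parts."""
    action, body = rule.split(" if ", 1)
    if " AND " in body and " OR " in body:
        raise ValueError("mixed AND/OR: precedence is not defined here")
    op = "AND" if " AND " in body else "OR"
    conds = [p.split(":", 1) for p in re.split(r" AND | OR ", body)]
    return action.strip(), op, [(n.strip(), ast.literal_eval(v.strip())) for n, v in conds]

def matches(rule, txn):
    _, op, conds = parse(rule)
    hits = [CHECKS[name](txn, value) for name, value in conds]
    return all(hits) if op == "AND" else any(hits)

def evaluate(rules, txn):
    """First match wins: return (order, action), plus later rules it shadowed."""
    matched = [(o, parse(r)[0]) for o, r in sorted(rules) if matches(r, txn)]
    first = matched[0] if matched else None
    return first, [m for m in matched[1:] if m[1] != first[1]]

# Constructed rule set and transaction, not taken from a real account.
RULES = [
    (1, "allow if payment_amount_lte: 100"),
    (2, "block if risk_score_gte: 700 AND card_country_id: ['NG']"),
    (3, "review if risk_level: 'medium'"),
    (4, "review if risk_level: 'high'"),
]
TXN = {"risk_score": 850, "risk_level": "high", "card_country_id": "NG",
       "billing_country_id": "NG", "payment_amount": 50,
       "ip_address": "123.45.67.89", "billing_email": "buyer@example.test"}
```

With the constructed data, `evaluate(RULES, TXN)` shows rule 1 allowing a high-risk transaction that rules 2 and 4 would have blocked or sent to review; the second return value lists those shadowed rules, which is the signal to reorder before publishing.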