Velocity checks are a fraud prevention method used in payment processing. They work by monitoring the frequency and pattern of transactions made within a specific time frame and checking for unusual activity, such as an abnormally high number of transactions from a single account or IP address. Fraudulent actors often try to use stolen card information as quickly as possible before the cardholder notices, and a sudden increase in transaction attempts can be a red flag for possible fraud. Velocity checks can trigger alerts or block transactions if they exceed certain thresholds, which helps protect businesses and customers from fraudulent activity.

Fraud prevention measures such as velocity checks are increasingly important for businesses, with 80% of organizations reporting they experienced payment fraud attacks or attempts in 2023, an increase of 15 percentage points from 2022. Below, we’ll explain the types of velocity checks, how velocity checks work, how to implement them, and their challenges.

What’s in this article?

• Types of velocity checks
  
• How do velocity checks work?
  
• How are velocity checks used in fraud detection and prevention?
  
• How to implement velocity checks
  
• Challenges with velocity checks
  

Types of velocity checks

There are several types of velocity checks, each addressing different aspects of transaction patterns to detect potential fraud.

• Card velocity checks: These checks monitor the number of transactions made with a specific card in a given time frame. If a card is used for multiple purchases in a short period, it could indicate the card has been stolen and the thief is trying to maximize its use before it’s blocked.

• IP address velocity checks: These checks analyze the number of transactions originating from the same IP address within a specific time frame. A high number of transactions from the same IP address could indicate a fraudulent actor is using automated tools or bots to make multiple purchases.

• Device ID velocity checks: These checks focus on the number of transactions made from the same device within a certain period. This can help identify cases in which a fraudulent actor is using the same device to make multiple purchases.

• Account velocity checks: These checks monitor the number of transactions made from a specific account in a given amount of time. This can be useful for detecting account takeover fraud, where a fraudulent actor gains access to a legitimate account and makes unauthorized transactions.

• Shipping and billing address velocity checks: These checks analyze the number of transactions associated with the same shipping or billing address in a set time frame. A high number of transactions with different card numbers involving the same address could indicate fraudulent activity.

• Transaction amount velocity checks: These checks monitor the total amount of money spent in a certain time frame. An unusually high amount of spending could be a sign of fraud.

How do velocity checks work?

Velocity checks continuously monitor transaction activities across several parameters to detect unusual patterns. They use rules or thresholds to evaluate whether the behavior associated with a payment method such as a credit card is typical or potentially suspicious.

Here’s a look at how these checks typically work:

• Setting thresholds: The first step is to establish what constitutes normal transaction behavior for a particular user, card, or account based on historical data. Thresholds are set for different aspects, such as transaction frequency, amount, IP addresses, devices used, and geographic locations. These thresholds can be set to fit specific risk profiles for the business or industry.

• Monitoring transactions: As transactions occur, the system continuously monitors them against these established thresholds. It analyzes factors such as the number of transactions within a certain time frame, the cumulative amount spent, or repeated use from the same IP address or device.

• Detecting anomalies: When a transaction or a series of transactions breach the preset thresholds, the system flags them as anomalies. For instance, if a card that typically makes three transactions a day suddenly makes 10 transactions in an hour, this unusual behavior would trigger a flag.

• Taking action: Once an anomaly is detected, automated systems can take immediate action by blocking a transaction, requesting additional authentication, or flagging the transaction for manual review by fraud analysts. The response can be customized based on the severity and nature of the anomaly.

• Refining the system: For velocity checks to be effective, the results of these checks (whether true or false positives) feed back into the system. This data helps refine the thresholds and rules, making the fraud detection process more accurate over time.

How are velocity checks used in fraud detection and prevention?

Velocity checks are a proactive defense, used to limit the immediate impact of fraud and help businesses understand and adapt to evolving security challenges. Here are some ways they’re used in payment processing and account management:

• Identifying high-risk transactions: Velocity checks are used to spot transactions that deviate from a user’s normal behavior patterns. For example, if a credit card that is typically used once a week suddenly records several transactions in one day, this spike can trigger a review.

• Preventing automated attacks: Automated fraud attempts, such as those done with bots, often involve rapid sequences of transactions or logins from the same IP address or device. Velocity checks can quickly detect and block these attempts by identifying the unnaturally high speed and volume of activity.

• Triggering multifactor authentication (MFA): When a velocity check flags a transaction as suspicious, it can trigger MFA security measures. This step requires the user to provide extra verification (such as a code sent to their phone) to proceed with a transaction, adding a layer of security.

• Analyzing geolocation: Geolocation checks can detect transactions initiated from physically improbable locations within a short time frame, which can indicate a cloned card or a compromised account.

• Cross-referencing data points: Velocity checks can create a more comprehensive view of a customer’s behavior by integrating data from numerous sources (e.g., transaction amounts, geographic locations, device usage). This cross-referencing helps identify complex fraud schemes that might not be evident from a single data stream.

• Adapting to emerging threats: As fraudulent actors adapt and change their tactics, velocity checks can be continually updated and refined based on new patterns of observed fraudulent behavior, helping businesses stay ahead of emerging threats.

How to implement velocity checks

Effectively implementing velocity checks requires identifying the relevant data, establishing rules based on this data, applying these rules in real time, and defining appropriate responses when triggers are activated. Velocity checks should not inordinately inconvenience legitimate users, and the system should be designed to minimize false positives. They must also be designed to comply with all relevant regulations on data privacy and consumer protection.

Here’s an explanation of each step of the implementation process:

Identifying data

Identify and collect the data to be monitored. Data quality and consistency are important, as are capturing and storing the data in a way that facilitates real-time analysis.

This data typically includes:

• Transaction details, such as transaction amount, transaction frequency, time of transaction, and transaction type (e.g., purchase, withdrawal, transfer)

• User information such as account number, user ID, and historical behavior patterns

• Device data, such as IP addresses, device IDs, and possibly cookies or other identifiers

• Geographic information, such as IP addresses, GPS data, or entered location details

Establishing rules

Establish the rules that will define what constitutes suspicious activity. These rules are typically based on thresholds that reflect typical user behavior and are informed by longitudinal data and industry standards.

Sample rules might include:

• A maximum number of transactions allowed per device in a 24-hour period

• A maximum dollar amount that can be transacted from a single account in a certain time frame

• Limiting the number of login attempts from the same IP address in one hour

The process of setting these rules should involve statistical analysis to determine what constitutes normal behavior and an outlier. Being too restrictive can block legitimate transactions, while being too lenient might fail to catch fraudulent activity.

Setting triggers

Define what happens when a rule is triggered. Responses can vary based on the severity and nature of the violation and might include:

• Alerts notifying system administrators or fraud analysts of the need for manual review

• Automatically declining transactions that appear fraudulent

• Requesting additional verification, such as sending a one-time password (OTP) or requiring the user to answer a security question

• Temporary account holds until further verification can be obtained

Applying rules

Apply the established rules in real time. Implement systems that can monitor transactions as they happen and compare each transaction against the established rules. Use machine learning algorithms that can dynamically adjust the rules based on ongoing transaction patterns and emerging trends to keep the rules relevant.

Challenges with velocity checks

Though velocity checks are a powerful fraud management tool, they must be carefully designed, implemented, and continually refined to balance security, regulatory compliance, and user experience. The drawbacks and difficulties associated with velocity checks can be combated by investing in advanced analytics, machine learning, and user behavior modeling.

Here are some common challenges with velocity checks:

False positives

Velocity checks come with a risk of false positives, in which legitimate transactions are flagged as suspicious. This can happen because of:

• Overly strict rules that flag normal spikes in user activity (e.g., holiday spending, sale spending) as fraudulent.

• Rules that are not adequately customized to the specific patterns of individual users or segments. Customer behavior can vary across segments, and a one-size-fits-all approach can lead to legitimate transactions being blocked.

False negatives

Though less common, false negatives—in which fraudulent transactions are not detected and are allowed to proceed—can also occur. This can happen because of:

• Sophisticated fraud techniques such as paced transactions that avoid triggering velocity thresholds.

• Incomplete or outdated data that leads to inadequate monitoring.

Negatively affecting the user experience

Strict velocity checks can secure transactions but make the user experience worse. Each flagged transaction might require additional verification steps, delaying processing time, and frequent false positives can frustrate customers, potentially driving them to more user-friendly alternatives.

Regulatory and privacy concerns

Velocity checks often require collecting, storing, and analyzing large amounts of data. Businesses must adhere to strict data privacy regulations such as the General Data Protection Regulation (GDPR) in Europe and California Consumer Privacy Act (CCPA). Compliance can be complicated and costly.

Resource-intensive

Implementing and maintaining effective velocity checks can be resource-intensive, requiring the technological infrastructure for real-time processing and analysis of large volumes of transactions. The rules for velocity checks also require regular updates, which demands continuous analytical effort and tech support.

Integration

Integrating velocity checks with other systems, such as payment gateways, fraud management tools, and customer databases, can be challenging. Information might be segregated across different departments or systems within an organization, making comprehensive velocity checks difficult.