Velocity Checks in Fraud Detection: How to Configure Them Without Killing Conversion
Velocity checks catch fraud effectively — and misconfigure easily. Here's how to set thresholds that stop fraud without blocking legitimate customers.
2 June 2026
Velocity checks detect unusual transaction patterns by counting how many times a specific attribute appears within a defined time window. If a card number appears in 20 transactions in 10 minutes, that's almost certainly card testing. If 50 orders ship to the same address in an hour, something's off. Velocity checks catch these patterns automatically.
They're also among the most dangerous fraud controls to misconfigure. Set thresholds too aggressively, and you block legitimate customers at scale.
What Velocity Checks Monitor
Velocity controls measure frequency per time window (1 minute, 1 hour, 24 hours, 7 days) across various transaction attributes:
Card number velocity — How many transactions has this card number appeared in during the window? Most legitimate cards appear in 1–3 transactions per day. 20+ in an hour suggests card testing.
IP address velocity — How many transactions from this IP? High IP velocity catches bot attacks and shared fraud infrastructure. But be careful with shared IPs (mobile carrier NAT, corporate networks) where many users share a single IP.
Device fingerprint velocity — How many cards used on this device? Multiple cards from a single device is a strong fraud signal; legitimate customers rarely switch between multiple cards on the same device.
Email domain velocity — How many transactions from this email domain? Sudden spikes in orders from a single disposable email domain are a red flag.
Shipping address velocity — How many orders to this address? Package reshipping fraud often routes to the same drop address.
BIN velocity — How many transactions from cards starting with the same BIN (Bank Identification Number)? Coordinated attacks on compromised card portfolios often target cards from the same BIN.
The Problem with Fixed Thresholds
Most fraud systems let you set a fixed threshold: "Decline if the same card is used more than 3 times in 24 hours." The problem is that legitimate behavior varies enormously:
- A catering company might process 50 orders from the same corporate card in a day
- A customer might try multiple purchases after an initial card decline
- Retailers during Black Friday see legitimate velocity spikes across all metrics
Fixed thresholds set for normal periods generate excessive false positives during promotions and seasonal peaks. Thresholds calibrated for peak periods don't catch fraud during normal periods.
How to Set Velocity Thresholds
Baseline from actual data. Pull 30 days of legitimate transaction data and calculate the 99th percentile velocity for each attribute you're monitoring. Your threshold should be above the 99th percentile of legitimate behavior — catching the top 1% of anomalies without blocking 99% of legitimate customers.
Separate thresholds by customer segment. B2B customers (corporate cards, purchasing departments) have fundamentally different velocity patterns than individual consumers. Apply separate velocity thresholds to each segment rather than a single threshold that works for neither.
Weight by fraud risk, not just velocity. High velocity from a device with prior fraud history is more dangerous than the same velocity from a long-standing customer account. Use velocity as one input to composite risk scoring, not as a standalone hard block.
Use time-graduated thresholds. 10 transactions in 5 minutes is more anomalous than 10 transactions in 24 hours. Graduated windows catch different attack patterns: rapid automated attacks (1-minute windows), coordinated fraud sessions (1-hour windows), and sustained card testing (24-hour windows).
Velocity Checks and Card Testing
Card-testing attacks are the scenario where velocity checks provide the most unambiguous value. Automated scripts testing stolen card credentials against your checkout generate identifiable velocity patterns: multiple cards from the same IP or device, with sequential BIN numbers and micro-transaction amounts.
A well-configured velocity rule catches card testing in the first 20–30 transactions of an attack, before significant losses accumulate. Without velocity controls, card testing can run for hours before manual detection.
For comprehensive card testing prevention, see our card testing attacks guide.
Velocity Monitoring vs Velocity Blocking
Velocity monitoring raises the risk score of high-velocity transactions without automatically blocking them. High-velocity transactions are routed to manual review or stepped up to 3DS authentication.
Velocity blocking automatically declines transactions that cross thresholds without human review.
For most merchants, a hybrid approach works best: automatic blocks for extreme velocity (clearly automated attacks), and elevated risk scores for moderate velocity that feeds into composite scoring for human review or 3DS challenge.
Velocity controls reduce fraud at the authorization stage; Chargemate handles disputes that aren't caught by prevention — with automated evidence packages showing velocity analysis and authorization context for each contested transaction.
Frequently Asked Questions
Should I use velocity checks at the session level or account level?
Both. Session-level velocity (within a single browsing session) catches real-time bot attacks. Account-level velocity (across sessions) catches account takeover patterns where a fraudster uses a legitimate account over multiple sessions.
How do I handle false positives when a legitimate customer triggers velocity?
Build a manual review path for velocity-flagged transactions. Rather than automatic declines, route to a review queue where a human can evaluate context. Legitimate high-velocity customers can be whitelisted for future transactions.
Are velocity checks effective against sophisticated fraud?
Sophisticated fraud operations deliberately pace attacks to avoid velocity triggers. Against these actors, velocity checks are less effective and ML-based risk scoring becomes more important. But even sophisticated attackers can't always avoid velocity signals, and velocity remains valuable as a first-pass filter for cruder automated attacks.
What's the right time window for card velocity checks?
Multiple windows simultaneously. A 5-minute window catches automated card testing; a 24-hour window catches distributed attacks that space out individual transactions to avoid short-window triggers.