How to Configure Stripe Radar Rules to Block Failed CVC/ZIP, High-Risk Countries, and Prepaid Cards
Stripe Radar is powerful — but only if you tell it exactly what to block, review, or challenge.
By default, Stripe may still approve payments with failed CVC or ZIP checks, transactions from high-risk regions, or prepaid cards commonly used in fraud. To reduce chargebacks effectively, you need to configure Radar rules that match your business’s real risk profile.
This guide walks you through:
- The key Stripe Radar attributes you should understand
- Practical rule sets for common fraud scenarios
- The trade-offs between blocking, reviewing, and challenging payments
- How GhostAudit helps you discover which rules actually matter for your Stripe account
1 Introducing GhostAudit
GhostAudit helps you see exactly which types of risky payments are slipping through your current Stripe Radar configuration — whether that’s failed CVC/ZIP checks, transactions from high-risk countries, or anonymous prepaid cards.
Once your blind spots are clear, GhostAudit provides concrete Radar rule recommendations you can copy directly into your Stripe Dashboard to block or challenge those payments.
This guide first explains how to build these rules manually (so you understand the mechanics), and then shows how GhostAudit can automate the discovery process based on your historical data.
2 Step 1: Understand the Available Stripe Radar Attributes
Stripe Radar supports a rich set of attributes you can reference when building rules. For card payments and fraud prevention, the most important ones include:
-
Verification results
cvc_checkaddress_postal_code_checkaddress_line1_check
-
Geography
ip_countrycard_country
-
Card type
card_funding(credit, debit, prepaid)
-
Authentication
is_3d_secureis_3d_secure_authenticated
-
Risk assessment
:risk_level:(highest, elevated, normal, etc.)
These attributes are the building blocks of every Radar rule you write.
If you want a deeper explanation of how AVS, CVC, and 3D Secure actually behave in real payment flows, see:
👉 Stripe AVS, CVC, and 3DS Explained — and Where GhostAudit Fits In
3 Rule Set A: Blocking or Challenging Failed CVC / ZIP Checks
Stripe’s documentation is explicit:
a payment can still succeed even if CVC or AVS fails — unless you tell Radar to do otherwise.
This surprises many teams and is a common source of avoidable chargebacks.
Block failed CVC (strict approach)
Name: Block failed CVC
Predicate:
:card_funding: is not “prepaid” AND cvc_check = “fail”
Action: Block
This rule declines any payment where CVC verification fails.
The not prepaid condition is optional, but helps avoid being overly aggressive if your business supports prepaid cards.
Challenge failed CVC with 3DS (balanced approach)
Name: Challenge failed CVC with 3DS
Predicate:
cvc_check = “fail”
Action: Request 3D Secure
Instead of blocking outright, this rule requires 3D Secure authentication. Fraud bots usually fail 3DS, while real customers can pass — improving security without killing conversion.
ZIP / postal code verification failures
Name: Challenge failed ZIP verification
Predicate:
address_postal_code_check = “fail”
Action: Request 3D Secure
Trade-offs:
- More blocking reduces fraud but increases false positives
- Using Request 3DS is often a good middle ground, especially in regions where 3DS is common
4 Rule Set B: High-Risk Countries and IP Mismatches
Geography-based rules are effective because many attackers operate from regions you don’t actively serve.
Block payments from high-risk countries
Name: Block high-risk country list
Predicate:
ip_country is in [“XX”, “YY”, “ZZ”]
(Replace with your own list)
Action: Block
Review IP / card country mismatches
Name: Review if IP and card country differ
Predicate:
ip_country != card_country
Action: Review
This rule doesn’t automatically block the payment. Instead, it flags the charge for manual review — especially useful if you use Radar for Fraud Teams, which provides a dedicated review queue.
Trade-offs:
- Over-blocking by country may exclude travelers or expats
- Mismatch rules can create high review volume unless filtered (e.g. only for large amounts)
For more context on why these payments often slip through default configurations, see:
👉 Why Stripe Radar Still Lets Fraud Through
5 Rule Set C: Prepaid Cards and Anonymous Cards
Prepaid cards are strongly associated with fraud in certain verticals, such as digital goods and high-value SaaS.
Block high-value prepaid transactions
Name: Block high-value prepaid
Predicate:
:card_funding: = “prepaid” AND amount > 200
Action: Block
Review high-value prepaid instead
Name: Review high-value prepaid
Predicate:
:card_funding: = “prepaid” AND amount > 200
Action: Review
Trade-offs:
- Prepaid cards are also used by legitimate, privacy-conscious customers
- Blocking may be correct for high-risk products
- Reviewing or challenging may be better for inclusive or global products
6 Interception Rate vs False Positives: Understanding the Trade-Offs
Every Radar rule has a cost:
- Higher interception (more blocks) → less fraud, more false positives
- Higher conversion (fewer blocks) → happier users, higher fraud exposure
Practical guidelines:
- Use 3DS challenges for mid-risk signals (CVC/AVS failures, country mismatch)
- Use blocking for high-risk signals (
:risk_level: = highest, very high amounts, repeated attempts) - Review Radar analytics regularly and adjust thresholds over time
7 How GhostAudit Helps You Build Better Radar Rules Faster
GhostAudit accelerates this entire process by:
- Analyzing which risky patterns already appear in your approved Stripe payments
- Highlighting combinations that have historically led to disputes
- Generating Radar rule text that matches Stripe’s syntax, ready to copy or recreate
Instead of guessing which rules you need, you get a data-backed starting point based on your real traffic.
Ready to See What’s Slipping Through Your Stripe Account?
Let GhostAudit analyze your Stripe payments and recommend Radar rules for failed CVC/AVS checks, high-risk countries, and prepaid cards.
