
Fraud Rules Engine Design for B2B 2026: Velocity, BIN Scoring, Fingerprinting

Fraud-engine architecture for B2B digital goods: velocity rules, BIN risk, fingerprinting, Sift/Sumsub vs in-house comparison.


B2B fraud in digital goods is different from B2C: lower transaction count, but higher average ticket ($200–2000), and a chargeback costs you the product, the interchange fee, and a dispute fee. This article is the blueprint for a fraud rules engine that catches 70%+ of fraud with <0.5% false positives.

1. Velocity rules: the foundation

Velocity = frequency of actions per time window. The baseline set:

import Redis from 'ioredis'; // assumed client: ioredis exposes the lowercase zcount/scard used below
const redis = new Redis();  // connection details come from your environment

type Order = { id: string; ip: string; userId: string }; // minimal shape the checks need
type FraudSignal = { rule: string; score: number; reason: string };

async function checkVelocity(order: Order): Promise<FraudSignal[]> {
  const signals: FraudSignal[] = [];

  // Rule 1: orders from this IP in the last 10 minutes (sorted set scored by timestamp)
  const ipCount = await redis.zcount(`vel:ip:${order.ip}`, Date.now() - 600_000, '+inf');
  if (ipCount > 5) signals.push({ rule: 'ip_velocity', score: 80, reason: '>5 orders/10min' });

  // Rule 2: distinct cards used by this account in the last 24 hours (set with a 24h TTL)
  const cards = await redis.scard(`vel:cards:${order.userId}:24h`);
  if (cards > 3) signals.push({ rule: 'multi_card', score: 60, reason: '>3 cards/24h' });

  return signals;
}

Storage: Redis sorted sets scored by timestamp, with TTL = window. On each order: ZADD vel:ip:1.2.3.4 <now_ms> <order_id> followed by EXPIRE vel:ip:1.2.3.4 600, so ZCOUNT over [now - 600000, +inf] returns the orders in the last 10 minutes. The per-user card set that SCARD reads is maintained the same way: SADD vel:cards:<userId>:24h <card_hash> plus EXPIRE 86400.
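The following is an added example, not FoxReload code: the velocity rules above (plus the third rule from the FAQ, aggregate volume on a new account) evaluated against an in-memory sliding-window store that mimics the Redis ZADD / ZCOUNT / EXPIRE pattern, so it runs offline. The Order fields, the VelocityStore class, the score for the new-account rule and the sample orders are assumptions made for the example; in production the store is replaced by the Redis client.

```typescript
// Added example (not FoxReload code). VelocityStore stands in for Redis sorted
// sets: member -> { timestamp, weight }, with lazy expiry on read.
type FraudSignal = { rule: string; score: number; reason: string };

type Order = {
  id: string;
  ip: string;
  userId: string;
  cardFingerprint: string;  // token or hash of the PAN, never the raw card number
  amountUsd: number;
  accountCreatedAt: number; // epoch ms
  createdAt: number;        // epoch ms
};

type Entry = { ts: number; weight: number };

class VelocityStore {
  private sets = new Map<string, Map<string, Entry>>();

  // ZADD: re-adding the same member just refreshes its timestamp
  add(key: string, member: string, ts: number, weight = 1): void {
    let set = this.sets.get(key);
    if (!set) { set = new Map(); this.sets.set(key, set); }
    set.set(member, { ts, weight });
  }

  // Members inside [now - windowMs, now]; older ones are dropped, as EXPIRE would do
  private live(key: string, now: number, windowMs: number): Entry[] {
    const set = this.sets.get(key);
    if (!set) return [];
    for (const [member, e] of [...set]) if (e.ts < now - windowMs) set.delete(member);
    return [...set.values()];
  }

  countSince(key: string, now: number, windowMs: number): number {
    return this.live(key, now, windowMs).length;
  }

  sumSince(key: string, now: number, windowMs: number): number {
    return this.live(key, now, windowMs).reduce((acc, e) => acc + e.weight, 0);
  }
}

const MIN = 60_000, HOUR = 60 * MIN, DAY = 24 * HOUR;

// Record the order first, then evaluate, so the current order counts toward its own windows
function checkVelocity(store: VelocityStore, order: Order): FraudSignal[] {
  const now = order.createdAt;
  store.add(`vel:ip:${order.ip}`, order.id, now);
  store.add(`vel:cards:${order.userId}`, order.cardFingerprint, now);
  store.add(`vel:volume:${order.userId}`, order.id, now, order.amountUsd);

  const signals: FraudSignal[] = [];

  const ipCount = store.countSince(`vel:ip:${order.ip}`, now, 10 * MIN);
  if (ipCount > 5) signals.push({ rule: 'ip_velocity', score: 80, reason: `${ipCount} orders/10min` });

  const cards = store.countSince(`vel:cards:${order.userId}`, now, DAY);
  if (cards > 3) signals.push({ rule: 'multi_card', score: 60, reason: `${cards} cards/24h` });

  // Rule 3 (from the FAQ): >$2k aggregate on an account younger than 7 days.
  // A 7-day window covers the account's whole lifetime here; score 70 is an assumed value.
  const accountAgeMs = now - order.accountCreatedAt;
  const volume = store.sumSince(`vel:volume:${order.userId}`, now, 7 * DAY);
  if (accountAgeMs < 7 * DAY && volume > 2000) {
    signals.push({ rule: 'new_account_volume', score: 70, reason: `$${volume} in first 7 days` });
  }
  return signals;
}

// Constructed scenario: six $450 orders from one IP within five minutes, on four
// different cards, from an account created five days earlier. Returns the signals
// raised by the sixth order (all three rules fire).
function demo(): FraudSignal[] {
  const store = new VelocityStore();
  const t0 = Date.parse('2026-01-15T10:00:00Z');
  const accountCreatedAt = t0 - 5 * DAY;
  let last: FraudSignal[] = [];
  for (let i = 0; i < 6; i++) {
    last = checkVelocity(store, {
      id: `ord-${i}`,
      ip: '203.0.113.7',                        // constructed documentation address
      userId: 'acct-42',
      cardFingerprint: `card-${Math.min(i, 3)}`, // card-0 .. card-3: four distinct cards
      amountUsd: 450,
      accountCreatedAt,
      createdAt: t0 + i * MIN,
    });
  }
  return last;
}
```

Recording before evaluating is deliberate: the sixth order is the one that pushes the IP count past five, and it should be the order that gets flagged, not the seventh.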

2. BIN risk scoring

The first 6–8 digits of a card number (BIN) identify the issuing bank. FoxReload and most fraud vendors maintain a BIN risk table:

// Inside the same async order check; binLookup() and reject() are the engine's own helpers
const binRisk = await binLookup(card.bin); // 0..100, from the BIN risk table
if (binRisk > 70) flags.push({ rule: 'high_risk_bin', score: 50, reason: `BIN ${card.bin}` });
if (binRisk === 100) return reject('blocked_bin'); // prepaid mass-issuance cards: hard decline

High-risk BINs are prepaid cards (especially mass-issuance non-bank), cards from sanctioned jurisdictions, and BIN ranges seen in recent fraud waves. Refresh the table weekly.
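An added example, not FoxReload's BIN table or lookup code: a risk table keyed by 6- to 8-digit prefixes, resolved by longest matching prefix so that an 8-digit entry inside a broader 6-digit range overrides it, then folded into the same flag/reject decision as above. The table entries, risk values and the neutral score for unknown BINs are constructed for the example.

```typescript
// Added example (not FoxReload code): longest-prefix BIN risk lookup.
type FraudSignal = { rule: string; score: number; reason: string };

// Risk 0..100; 100 means the range is blocked outright. All entries are constructed.
const binRiskTable: Record<string, number> = {
  '411111': 10,   // ordinary consumer credit range
  '450000': 20,   // broad 6-digit range, low risk on its own
  '45000000': 85, // 8-digit sub-range inside 450000: prepaid mass-issuance
  '999999': 100,  // blocked range
};

// Try 8, then 7, then 6 digits so the most specific entry wins.
// Unknown BINs get a neutral 50 (assumed) rather than being treated as safe.
function binLookup(pan: string, table: Record<string, number> = binRiskTable): { bin: string; risk: number } {
  const digits = pan.replace(/\D/g, '');
  for (const len of [8, 7, 6]) {
    const bin = digits.slice(0, len);
    if (bin.length === len && Object.prototype.hasOwnProperty.call(table, bin)) {
      return { bin, risk: table[bin] };
    }
  }
  return { bin: digits.slice(0, 6), risk: 50 };
}

type BinDecision = { rejected: boolean; signals: FraudSignal[] };

// Same thresholds as the article: >70 adds a 50-point flag, 100 is a hard decline.
function scoreBin(pan: string): BinDecision {
  const { bin, risk } = binLookup(pan);
  const signals: FraudSignal[] = [];
  if (risk === 100) {
    signals.push({ rule: 'blocked_bin', score: 100, reason: `BIN ${bin} is blocked` });
    return { rejected: true, signals };
  }
  if (risk > 70) signals.push({ rule: 'high_risk_bin', score: 50, reason: `BIN ${bin} risk ${risk}` });
  return { rejected: false, signals };
}
```

Only the BIN prefix ever reaches this function in practice; pass the prefix your PCI-scoped component extracted rather than the full PAN, and keep the table refresh (weekly, per the text) as a separate job that swaps the whole map atomically.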

3. Device fingerprinting

Cookie-less fingerprint (fpjs, ClientJS):

// Client side (browser): obtain the visitor id with the Pro SDK
import FingerprintJS from '@fingerprintjs/fingerprintjs-pro';

const fp = await FingerprintJS.load({ apiKey: process.env.FPJS_KEY as string }); // public key, injected at build time
const result = await fp.get();
// result.visitorId: stable hash, ~99% accuracy; send it to the order API with the checkout request

// Server side: look the visitor id up in the per-device history
const fpHistory = await db.fingerprints.findOne({ visitorId: result.visitorId }); // one record per device
if (fpHistory && fpHistory.chargebackCount > 0) flag.score += 90; // flag: the order's running fraud signal

This links "one real device, many accounts" and catches mass-account-creation fraud.
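An added example, not FoxReload or FingerprintJS code, covering this section and the GDPR question in the FAQ: a cookie-less fingerprint built as a SHA-256 over the attributes the FAQ names (user-agent, screen, timezone, canvas), then the "one device, many accounts" and prior-chargeback checks run over an in-memory history. The DeviceAttributes shape, the FingerprintHistory class, the 3-account threshold and the sample data are assumptions; the 90-point chargeback score is the article's.

```typescript
// Added example (not FoxReload code): cookie-less device fingerprint plus device-linkage checks.
import { createHash } from 'node:crypto';

type DeviceAttributes = {
  userAgent: string;
  screen: string;     // e.g. "1920x1080x24", collected client-side
  timezone: string;   // IANA zone name
  canvasHash: string; // hash of a rendered canvas, computed client-side
};

// Stable SHA-256 over the attribute set. Nothing that names a person goes in.
function fingerprint(attrs: DeviceAttributes): string {
  const material = [attrs.userAgent, attrs.screen, attrs.timezone, attrs.canvasHash].join('\n');
  return createHash('sha256').update(material).digest('hex');
}

type FingerprintEvent = { visitorId: string; userId: string; chargeback: boolean };

// Stand-in for the db.fingerprints collection: one event per order seen from a device
class FingerprintHistory {
  private events: FingerprintEvent[] = [];
  record(e: FingerprintEvent): void { this.events.push(e); }
  accountsFor(visitorId: string): Set<string> {
    return new Set(this.events.filter(e => e.visitorId === visitorId).map(e => e.userId));
  }
  chargebacksFor(visitorId: string): number {
    return this.events.filter(e => e.visitorId === visitorId && e.chargeback).length;
  }
}

type FraudSignal = { rule: string; score: number; reason: string };

// Any prior chargeback on the device scores 90 (article); more than 3 accounts on one
// device is an assumed threshold for the mass-account-creation pattern.
function checkDevice(history: FingerprintHistory, visitorId: string, userId: string): FraudSignal[] {
  const signals: FraudSignal[] = [];
  const cb = history.chargebacksFor(visitorId);
  if (cb > 0) signals.push({ rule: 'device_chargeback', score: 90, reason: `${cb} prior chargeback(s) on device` });
  const accounts = history.accountsFor(visitorId);
  accounts.add(userId); // include the account placing the current order
  if (accounts.size > 3) {
    signals.push({ rule: 'device_multi_account', score: 60, reason: `${accounts.size} accounts on one device` });
  }
  return signals;
}

// Constructed scenario: one device already used by three accounts, one with a
// chargeback, now placing an order from a fourth account.
function demo(): FraudSignal[] {
  const device: DeviceAttributes = {
    userAgent: 'Mozilla/5.0 (X11; Linux x86_64) Example/1.0',
    screen: '1920x1080x24',
    timezone: 'Europe/Berlin',
    canvasHash: 'c0ffee',
  };
  const id = fingerprint(device);
  const history = new FingerprintHistory();
  for (const userId of ['u1', 'u2', 'u3']) {
    history.record({ visitorId: id, userId, chargeback: userId === 'u2' });
  }
  return checkDevice(history, id, 'u4');
}
```

The hash is computed from attributes the browser sends, so treat it as a probabilistic identifier: a browser update changes the user-agent and with it the fingerprint, which is why the text pairs it with velocity and BIN signals rather than using it alone.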

4. Comparison: Sift, Sumsub, in-house

| Provider            | Type                 | Cost/transaction   | Setup     | Accuracy |
|---------------------|----------------------|--------------------|-----------|----------|
| In-house JSON rules | Rules                | $0                 | 1–2 weeks | 60–70%   |
| Sift                | ML-as-a-service      | $0.04              | 1 day     | 85–92%   |
| Sumsub              | KYC + fraud          | $0.50–1.50         | 3 days    | 80–88%   |
| Riskified           | Chargeback guarantee | 0.8–1.2% of volume | 2 weeks   | 90%+     |
| Stripe Radar        | Built into payments  | 0.5%/decision      | 0         | 75–85%   |

Recommendation for FoxReload partners: up to $500k/mo, in-house rules + Stripe Radar; above $500k/mo, add Sift or Riskified. Take Sumsub only if you also need KYC.


The FoxReload built-in fraud engine flags orders in the POST /v1/orders response: fraud_score and flags[]. Use them as primary signals in your pipeline.

Frequently asked questions

What's the industry-average chargeback rate in digital goods?
0.6–1.2% of gross volume. Above 1% triggers Visa/Mastercard chargeback monitoring programmes with $25k+ fines. The target for a well-run reseller is <0.4%, achieved with velocity rules + 3DS2 + manual review.
Should I build the fraud engine in-house or use Sift?
Up to 10k transactions/day, in-house JSON rules are enough. Past 10k, take Sift or Riskified: ML models trained on their data catch more fraud. Cost: Sift ≈ $0.04 per transaction; Riskified, a chargeback guarantee at 0.8–1.2% of volume.
How do I use device fingerprinting without breaking GDPR?
Use fpjs or ClientJS in cookie-less mode: a hash of user-agent, screen, timezone and canvas. That gives ~99% recognition with no personal data, on the legitimate-interest basis of GDPR Art. 6(1)(f). Document it in the privacy policy and DPIA.
Which velocity rules catch the most fraud?
Top 3: (1) >5 orders from one IP in 10 minutes, (2) >3 different cards on one user in 24h, (3) >$2k aggregate volume on a new account <7 days old. Each rule alone catches ~25%; combined, 70%.
