Risk Profiles
A Risk Profile is a collection of rules evaluated against each incoming transaction to determine whether it should be approved frictionlessly, sent to challenge, or rejected.
How Rules Are Evaluated
Rules within a Risk Profile are executed sequentially from top to bottom. Each rule produces one of the following outcomes:
| Outcome | Description |
|---|---|
| Accept | The transaction is approved frictionlessly and the appropriate exemption is recorded. |
| Challenge | The transaction is sent to the cardholder for authentication via the configured Challenge Profile. |
| Reject | The transaction is declined. |
| Next | The rule did not reach a conclusion; evaluation continues to the next rule. |
Once a rule produces an Accept, Challenge, or Reject outcome, no further rules are evaluated. If no rule reaches a conclusion, the transaction is challenged by default.
Challenge Preference
By default, transactions where the merchant has indicated a preference or mandate for a challenge are always challenged regardless of rule outcomes, and Data Share transactions are always accepted. These defaults can be controlled via three flags on the Risk Profile:
| Flag | When true | When false |
|---|---|---|
| Short Circuit Requested Challenge | Apata always challenges transactions where the merchant has mandated a challenge, bypassing rule evaluation. | Rules are executed as normal. |
| Short Circuit Challenge Preferred | Apata always challenges transactions where the merchant has expressed a preference for a challenge, bypassing rule evaluation. | Rules are executed as normal. |
| Accept Data Share | Data Share transactions are always accepted. | Data Share transactions are passed through the rules for evaluation. |
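The evaluation order and the three flags described above can be modelled in a few lines. This is an added example, not Apata's code: the `RiskProfile` class, the `merchant_challenge` and `data_share` fields, the two sample rules and the 30 threshold are hypothetical, and checking the challenge flags before the Data Share flag is an assumption the page does not confirm.

```python
from dataclasses import dataclass
from typing import Callable, List

ACCEPT, CHALLENGE, REJECT, NEXT = "Accept", "Challenge", "Reject", "Next"

@dataclass
class RiskProfile:
    rules: List[Callable[[dict], str]]            # evaluated top to bottom
    short_circuit_requested_challenge: bool = True
    short_circuit_challenge_preferred: bool = True
    accept_data_share: bool = True

def evaluate(profile: RiskProfile, txn: dict) -> str:
    # Flags run before any rule. Checking the challenge flags ahead of the
    # Data Share flag is an assumption; the page does not give an order.
    pref = txn.get("merchant_challenge")          # hypothetical field
    if pref == "mandated" and profile.short_circuit_requested_challenge:
        return CHALLENGE
    if pref == "preferred" and profile.short_circuit_challenge_preferred:
        return CHALLENGE
    if txn.get("data_share") and profile.accept_data_share:
        return ACCEPT
    for rule in profile.rules:
        outcome = rule(txn)
        if outcome != NEXT:                       # first conclusion wins
            return outcome
    return CHALLENGE                              # no rule reached a conclusion

# Constructed rules, loosely modelled on the rule types in this page.
def low_value(txn):          # stand-in for an exemption rule, constructed threshold
    return ACCEPT if txn["amount"] <= 30 else NEXT

def blocked_merchant(txn):   # stand-in for a Conditional rule
    return REJECT if txn["merchant"] == "blocked-shop" else NEXT

def demo():
    strict = RiskProfile(rules=[blocked_merchant, low_value])
    lenient = RiskProfile(rules=[blocked_merchant, low_value],
                          short_circuit_challenge_preferred=False)
    small_pref = {"amount": 12, "merchant": "books", "merchant_challenge": "preferred"}
    return {
        "preferred, flag on": evaluate(strict, small_pref),
        "preferred, flag off": evaluate(lenient, small_pref),
        "rule order": evaluate(strict, {"amount": 5, "merchant": "blocked-shop"}),
        "no conclusion": evaluate(strict, {"amount": 900, "merchant": "books"}),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

With Short Circuit Challenge Preferred set to false, the merchant's preference no longer forces a challenge and the same transaction is accepted by the exemption rule, which is the behaviour to check for when reviewing a profile that disables these flags.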
Rule Types
Exemption Rules approve transactions frictionlessly based on regulatory criteria or bilateral agreements. They include PSD2 Low Value, Recurring Payment, Whitelist, Visa DAF, and others.
Decision Rules apply custom logic to determine the outcome. Simple Rule, Conditional Rule, and Low Risk Rule fall into this category.
Threshold Rules challenge a transaction once a cumulative limit is reached, such as maximum frictionless transaction count or maximum frictionless spend since the last challenge.
Exemption Rules
| Rule | Description |
|---|---|
| PSD2 Low Value | Exempts transactions that meet the Low Value Payment criteria under PSD2. |
| Acquirer Exemption | Exempts transactions where the acquirer has indicated that TRA or SCA has already been applied. |
| Recurring Payment | Exempts transactions classified as recurring payments. |
| Merchant-Initiated | Exempts merchant-initiated transactions where the cardholder is not present. |
| Whitelist | Exempts transactions for merchants that the cardholder has previously whitelisted after completing SCA. |
| One-Leg Transaction | Exempts transactions where the acquirer is located outside the EEA. |
| Secure Corporate Payment | Exempts transactions that meet the PSD2 Secure Corporate Payment criteria. |
| Non-Payment | Exempts non-payment authentication flows such as wallet provisioning. |
| Visa DAF | Exempts transactions using the Visa Digital Authentication Framework. |
| Stripe Delegate Authentication | Exempts transactions where the issuer has a bilateral delegate authentication agreement with Stripe. |
Decision Rules
| Rule | Description |
|---|---|
| Simple | Unconditionally accepts, rejects, or challenges all transactions. |
| Conditional | Applies logic based on transaction attributes such as amount, currency, merchant, or device. Can reference Variables for pattern-based decisions. |
| Low Risk | Delegates the decision to an External Risk Engine. Transactions assessed as low risk are exempted; medium or high risk are challenged. |
Threshold Rules
| Rule | Description |
|---|---|
| Max Frictionless Transactions | Challenges the transaction if the number of frictionless transactions since the last challenge exceeds a configured threshold. |
| Max Cumulative Frictionless Spend | Challenges the transaction if the cumulative spend since the last challenge exceeds a configured threshold. |
Variables
Conditional Rule evaluations can be made more powerful using Variables. A Variable is a reusable data point that aggregates transaction history at the card level, for example the total spend in the last 24 hours or the number of failed attempts from the same device.
Variables are defined with three components:
| Component | Description |
|---|---|
| Aggregation type | Count, Sum, Average, or Standard Deviation. |
| Filter (optional) | Narrows the aggregation to specific conditions such as same merchant, same device, or a particular transaction state. |
| Timeframe | Ranges from 1 hour up to 12 months, or relative periods such as since last challenged or since last frictionless transaction. |
Once defined, a Variable can be referenced in a Conditional Rule either as a field (e.g. total spend greater than 500) or as a value to compare against (e.g. current transaction amount greater than average spend).
Apata also provides a set of Predefined Variables that are automatically available in all Risk Profiles. These track average successful transaction amounts in EUR and USD across daily, weekly, and monthly timeframes, and can be used directly in Conditional Rules without any configuration.
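A sketch of how a Variable's three components combine, and how a Conditional Rule can use one Variable as a field and another as a comparison value. This is an added example, not Apata's implementation: the `variable` and `spend_spike_rule` functions, the `at`/`amount`/`state` fields and the sample history are constructed, and the use of population standard deviation, the exclusion of the current transaction from history, and returning Next when no baseline exists are assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

AGGREGATIONS = {
    "Count": len,
    "Sum": sum,
    "Average": lambda xs: mean(xs) if xs else None,
    "Standard Deviation": lambda xs: pstdev(xs) if xs else None,
}

def variable(history, now, aggregation, timeframe, where=None):
    """Aggregate one card's history. `timeframe` is a timedelta or the
    relative period "since last challenged"."""
    if timeframe == "since last challenged":
        challenged = [t["at"] for t in history if t["state"] == "challenged"]
        start = max(challenged) if challenged else datetime.min
        rows = [t for t in history if start < t["at"] <= now]
    else:
        rows = [t for t in history if now - timeframe <= t["at"] <= now]
    if where:                                   # optional filter component
        rows = [t for t in rows if where(t)]
    return AGGREGATIONS[aggregation]([t["amount"] for t in rows])

def spend_spike_rule(txn, history, now):
    # Variable used as a value: current amount compared with average spend.
    avg = variable(history, now, "Average", timedelta(days=30),
                   where=lambda t: t["state"] == "frictionless")
    # Variable used as a field: total spend in the last 24 hours.
    spent_24h = variable(history, now, "Sum", timedelta(hours=24))
    if avg is None:
        return "Next"                           # no baseline: let later rules decide
    if txn["amount"] > avg or spent_24h > 500:
        return "Challenge"
    return "Next"

# Constructed card history; it does not include the transaction being evaluated.
NOW = datetime(2024, 5, 10, 12, 0)
HISTORY = [
    {"at": NOW - timedelta(days=20), "amount": 40.0, "state": "frictionless"},
    {"at": NOW - timedelta(days=9), "amount": 60.0, "state": "challenged"},
    {"at": NOW - timedelta(hours=20), "amount": 50.0, "state": "frictionless"},
    {"at": NOW - timedelta(hours=2), "amount": 30.0, "state": "frictionless"},
]

if __name__ == "__main__":
    print(variable(HISTORY, NOW, "Count", "since last challenged"))
    print(spend_spike_rule({"amount": 45.0}, HISTORY, NOW))
```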
Assigning a Risk Profile
A Risk Profile is assigned to a Card Program. All cards routed through that program will be evaluated against its Risk Profile. A default Risk Profile is provisioned automatically when a Financial Institution is created.
Backtesting
Before applying a new or updated Risk Profile to live traffic, you can use Backtesting to run historical transactions against it and evaluate the expected impact on exemption rates and challenge rates.
The Risk Profile must be in a Draft state to run a backtest.