The short answer
A velocity check is a fraud-prevention rule in your gateway or fraud platform that counts how many times a particular data element (card number, billing email, IP, device fingerprint, shipping address) has shown up in transactions within a defined time window, and declines once the count crosses a threshold. Velocity is the single most effective check against card testing — the rapid-fire $1 and $5 attempts fraudsters use to validate stolen card lists.
Typical thresholds e-commerce operators set
- Same card, same merchant: max 3 attempts / hour, 5 / day, 10 / week.
- Same email: max 5 attempts / hour, 10 / day.
- Same IP: max 10 attempts / hour, 30 / day (higher because legit households / corporate NATs share IPs).
- Same device fingerprint: max 5 / hour, 15 / day.
- Same billing zip + name combo: max 8 / day (watches for test lists with one fake identity).
These are starting defaults. Every vertical tunes them: supplements with a one-purchase-per-household pattern run tighter; marketplaces with repeat buyers run looser.
What operators need to know
- Velocity alone causes false declines. Legitimate households share cards and IPs. Two adults on the same Wi-Fi each placing an order will hit a raw IP velocity rule. Pair velocity with context: does the billing name match? Is the email known? Is this a returning customer?
- Card testing is the #1 reason to run velocity checks. Fraudsters with a list of 10,000 stolen numbers need a target. They pick merchants with low-ticket items (supplements, digital goods) and no velocity controls. Your site becomes free card validation. A single unchecked testing run can push you past VAMP fraud-rate thresholds in one afternoon.
- Watch for distributed velocity. Smart fraudsters rotate IPs. Velocity on card-number alone catches them; velocity on IP alone doesn't. Run both.
- Log every velocity decline. When a legitimate customer complains their third attempt was blocked, you need the trail: which rule fired, which threshold, what the prior attempts looked like. Most gateways log this; make sure yours is turned on.
- Lower thresholds during card-testing attacks. If your fraud platform sees a spike in $1 and $5 attempts, drop velocity to 2/hour per card while the attack runs. Restore after.
- Account for 3DS. A 3DS-authenticated transaction is lower risk — most operators exempt it from velocity.
Multi-brand operators should run portfolio-wide velocity: the same card attempting Brand A, Brand B, Brand C in 10 minutes is a cross-brand card-tester, not a loyal customer. Our routing layer sees the full cross-brand picture and declines early.
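The per-element thresholds and the operator notes above (rotating IPs, the decline trail, the 3DS exemption) can be sketched as a sliding-window counter. This is an added example, not code from any gateway or from the page's author; the class, field names and sample transactions are hypothetical, card values are assumed to be gateway tokens rather than raw card numbers, and timestamps are assumed to arrive in order.

```python
from collections import defaultdict, deque

HOUR, DAY, WEEK = 3600, 86400, 604800
# Starting defaults from the thresholds list above: element -> [(window_s, max_attempts)]
RULES = {
    "card":   [(HOUR, 3), (DAY, 5), (WEEK, 10)],
    "email":  [(HOUR, 5), (DAY, 10)],
    "ip":     [(HOUR, 10), (DAY, 30)],
    "device": [(HOUR, 5), (DAY, 15)],
}

class VelocityChecker:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.seen = defaultdict(deque)  # (element, value) -> attempt timestamps
        self.decline_log = []           # which rule fired, threshold, prior attempts

    def check(self, txn):
        """Count this attempt on every element; return (approved, fired_rule_or_None)."""
        if txn.get("three_ds"):         # 3DS-authenticated: exempt (assumed: also not counted)
            return True, None
        ts, fired = txn["ts"], None     # timestamps assumed non-decreasing
        for element, windows in self.rules.items():
            if txn.get(element) is None:
                continue
            history = self.seen[(element, txn[element])]
            history.append(ts)          # declined attempts still count toward velocity
            longest = max(w for w, _ in windows)
            while history[0] <= ts - longest:   # drop attempts older than the longest window
                history.popleft()
            for window, limit in windows:
                count = sum(1 for t in history if t > ts - window)
                if count > limit and fired is None:
                    fired = {"element": element, "value": txn[element], "window_s": window,
                             "limit": limit, "count": count, "prior": list(history)[:-1]}
        if fired:
            self.decline_log.append({"ts": ts, **fired})
        return fired is None, fired

def card_testing_run(n=5):
    """Constructed sample: one card token retried every 10 s from rotating IPs."""
    return [{"ts": 1000 + 10 * i, "card": "tok_card_A", "email": f"u{i}@example.test",
             "ip": f"203.0.113.{i + 1}", "device": f"dev{i}"} for i in range(n)]

if __name__ == "__main__":
    vc = VelocityChecker()
    for txn in card_testing_run():
        print(txn["ip"], vc.check(txn))
```

Passing `{"ip": RULES["ip"]}` as the rule set approves the same run in full, which is the rotating-IP gap the list describes.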