Last updated: April 26, 2026
Credit card fraud detection at issuing-bank scale is real-time stream processing combined with ML. Every transaction is scored in <100ms; high-risk ones are challenged or declined. This article covers the practical architecture and the rules that complement ML for explainable decisions.
The pipeline
Card transaction
↓
Acquirer / network → Issuing bank
↓
Real-time fraud scoring service
├── Rule engine (deterministic checks)
├── ML model (probabilistic risk score)
└── Combined decision: Approve / Challenge / Decline
↓
Response < 200ms
↓
Async: log to data warehouse for model retraining
The rule engine — high-leverage rules
# Velocity
IF card_id had > 5 transactions in last 60 seconds → DECLINE
IF card_id had > 20 transactions in last 1 hour → CHALLENGE
# Amount anomaly
IF amount > 10x cardholder's median transaction → CHALLENGE
IF amount > 50x median AND geography != home → DECLINE
# Geography
IF transaction_country NOT IN cardholder's recent_country_list → CHALLENGE
IF transaction_country IN high_risk_country_list → CHALLENGE
IF cardholder location is known AND transaction_country is impossibly distant from it → DECLINE
# Merchant
IF merchant_category IN high_risk_mcc (online gambling, crypto, foreign currency exchange) AND first transaction → CHALLENGE
IF merchant_id has high recent fraud rate → CHALLENGE
# Card-not-present pattern
IF CNP transaction AND no recent CP transaction in same country → CHALLENGE
IF first CNP transaction this month for this card → review
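The velocity, amount-anomaly and recent-country rules above, written as an in-memory Python rule engine that returns the most severe decision together with the reasons that fired. This is an added example, not code from the article; the `RuleEngine` class, the transaction and profile field names, the choice to count prior attempts, and the sample stream are assumptions.

```python
from collections import defaultdict, deque
from statistics import median

APPROVE, CHALLENGE, DECLINE = 0, 1, 2   # ordered so max() picks the most severe
NAMES = ["APPROVE", "CHALLENGE", "DECLINE"]

class RuleEngine:
    def __init__(self):
        self.attempts = defaultdict(deque)  # card_id -> attempt timestamps, last hour
        self.amounts = defaultdict(list)    # card_id -> amounts of non-declined txns

    def score(self, txn, profile):
        """Return (decision, reasons). Counts are of prior attempts on the card."""
        card, ts = txn["card_id"], txn["ts"]
        window = self.attempts[card]
        while window and ts - window[0] >= 3600:    # evict attempts older than 1 hour
            window.popleft()
        hits = []
        if sum(1 for t in window if ts - t < 60) > 5:
            hits.append((DECLINE, "velocity: >5 txns in last 60s"))
        if len(window) > 20:
            hits.append((CHALLENGE, "velocity: >20 txns in last hour"))
        history = self.amounts[card]
        if history:                                 # no baseline on a brand-new card
            med = median(history)
            if txn["amount"] > 50 * med and txn["country"] != profile["home"]:
                hits.append((DECLINE, "amount >50x median, outside home geography"))
            elif txn["amount"] > 10 * med:
                hits.append((CHALLENGE, "amount >10x median"))
        if txn["country"] not in profile["recent_countries"]:
            hits.append((CHALLENGE, "country not in recent list"))
        decision = max((d for d, _ in hits), default=APPROVE)
        window.append(ts)                           # declined attempts still count for velocity
        if decision != DECLINE:
            history.append(txn["amount"])           # keep declined amounts out of the baseline
        return NAMES[decision], [reason for _, reason in hits]

# Constructed sample data: one cardholder profile and a short transaction stream.
PROFILE = {"home": "IN", "recent_countries": {"IN"}}
STREAM = [{"card_id": "c1", "ts": ts, "amount": amt, "country": cc}
          for ts, amt, cc in [(0, 500, "IN"), (1000, 600, "IN"), (2000, 550, "IN"),
                              (3000, 6000, "IN"), (4000, 30000, "US")]]

def replay(stream, profile=PROFILE):
    engine = RuleEngine()
    return [engine.score(txn, profile) for txn in stream]

if __name__ == "__main__":
    for txn, (decision, reasons) in zip(STREAM, replay(STREAM)):
        print(txn["ts"], txn["amount"], txn["country"], decision, reasons)
```

A production deployment would keep the per-card windows in a shared low-latency store rather than process memory so that every scoring node sees the same counts.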
The ML side — features that matter
- Cardholder behaviour: mean / stdev of transaction amount, frequency, merchants
- Time-since-last-transaction
- Geographic features: distance from home, distance from previous transaction, country risk
- Merchant features: merchant ID, MCC, merchant fraud rate, merchant velocity
- Network features: card-network indicators, BIN-level risk
- Device fingerprint (for CNP transactions)
- Cardholder demographics (age, account vintage)
Common models: gradient-boosted trees (XGBoost / LightGBM) for structured features; neural nets for embedding-based features; ensemble in production for robustness.
The challenge mechanism
“Challenge” is the spectrum between approve and decline:
- 3D Secure step-up authentication (issuer-side OTP)
- Push notification to cardholder app — approve/deny in 30 seconds
- Voice call to cardholder for high-value transactions
- SMS with confirm link (legacy, less secure)
The challenge tier balances false-positive cost (legitimate cardholder friction) against fraud savings.
The customer-protection alignment
The RBI Master Direction on Customer Protection (Limited Liability) means undetected fraud often becomes the bank’s loss. This aligns bank incentives toward investment in detection. Mature programs typically achieve:
- <0.5% fraud loss rate
- <5% false-positive rate (legitimate transactions flagged)
- <30-minute median fraud-detection time
The chargeback flow
Even with detection, some fraud succeeds. The chargeback process:
- Cardholder reports fraud
- Issuer credits cardholder (subject to RBI Limited Liability rules)
- Issuer disputes transaction with merchant via card network
- Merchant accepts loss or provides evidence
- If the merchant's evidence is sufficient, the chargeback is reversed; the cardholder may need to pay
The takeaway
Card fraud detection at scale is rules + ML in a real-time pipeline. The high-leverage detections are deterministic (velocity, amount anomaly, geography); ML adds nuance (subtle behavioural deviations). The customer-friction trade-off is constant: declining too aggressively damages NPS; declining too permissively means absorbing fraud loss. RBI Limited Liability rules align bank incentives correctly.