Stripe Radar

Stripe Radar is Stripe's machine learning-based fraud detection system. Scripts collect browser signals including device fingerprints, behavioral patterns, and network metadata during payment flows to assess transaction risk. This data is used to score transactions and trigger 3D Secure challenges for suspicious activity.

Overview

Stripe Radar is Stripe's machine learning-powered fraud detection system that operates during payment flows. It collects device and behavioral signals from the customer's browser to assess transaction risk, score payment attempts for fraud probability, and trigger additional verification steps (like 3D Secure challenges) when suspicious patterns are detected. Radar is deeply integrated into Stripe's payment processing and activates automatically for all Stripe transactions.

What This Script Does

Radar's data collection is embedded within Stripe.js, the same script that handles payment form rendering and card tokenization:

  • Device fingerprinting — Stripe.js collects a comprehensive set of browser and device signals including user agent, screen dimensions, installed plugins, timezone, language settings, WebGL renderer information, and canvas fingerprint data. These signals are combined into a device fingerprint used to identify the device across transactions.
  • __stripe_mid — a persistent first-party cookie (merchant ID) set by Stripe.js that stores a device identifier. Typically expires after 1 year. This cookie helps Stripe recognize the device across multiple visits and transactions on the same merchant's site.
  • __stripe_sid — a session-scoped cookie (session ID) that tracks the current browsing session for fraud assessment context. Expires after 30 minutes of inactivity.
  • Behavioral analysis — Stripe.js monitors interaction patterns during the payment flow: typing cadence in form fields, mouse movement patterns, time spent on the checkout page, and copy-paste detection. These behavioral signals help distinguish human users from automated fraud bots.
  • Network metadata — IP address, connection type, and proxy/VPN detection data are collected and transmitted to Stripe's risk scoring engine.
  • Transaction velocity — Radar tracks the frequency of payment attempts from the same device, IP address, or card number to detect card testing attacks and brute-force fraud.

All collected signals are transmitted to Stripe's risk engine (via m.stripe.com and r.stripe.com endpoints) where machine learning models produce a risk score for each transaction. High-risk transactions may be automatically blocked, flagged for manual review, or routed through 3D Secure authentication.

Consent & Compliance

Stripe Radar is classified as essential. Fraud detection is a critical security function for payment processing that protects both the merchant and the customer. Under GDPR, the device fingerprinting and behavioral analysis performed by Radar can be justified under Article 6(1)(f) (legitimate interest) for fraud prevention, which is explicitly recognized as a legitimate interest in Recital 47. The processing is proportionate to the security risk and limited to the payment context.

The ePrivacy Directive's consent requirement for cookies has a narrow exemption for cookies strictly necessary for the service requested by the user. When a customer initiates a payment, fraud detection cookies (__stripe_mid, __stripe_sid) are strictly necessary to securely process that transaction. Multiple European data protection authorities have confirmed that fraud prevention cookies used during payment flows qualify for this exemption.

Under CCPA/CPRA, the device fingerprinting and behavioral data collected for fraud detection falls within the security exemption for processing reasonably necessary to protect the integrity of the service and detect security incidents.

Should You Block This Without Consent?

No. Stripe Radar is an essential fraud prevention system that protects payment transactions. Blocking it would expose both the merchant and customers to increased fraud risk, potentially leading to financial losses and regulatory issues. The device fingerprinting and behavioral analysis it performs are proportionate security measures limited to the payment processing context. Fraud detection cookies qualify for the strictly necessary exemption under the ePrivacy Directive.

Consent Categories

Essential

Also Known As

stripe radar, stripe fraud, stripe fraud detection, stripe 3ds, stripe risk scoring

Industries

Computers Electronics and Technology; Programming and Developer Software

Tracked Domains (1)

radar.stripe.com (Essential)

Frequently Asked Questions

Does Stripe Radar require cookie consent?

No. Stripe Radar is an essential fraud detection system operating within Stripe payment flows. Its cookies (__stripe_mid and __stripe_sid) qualify for the ePrivacy strictly necessary exemption for fraud prevention during user-initiated payments. EU data protection authorities have confirmed fraud prevention cookies during payment are exempt.

What does Stripe Radar track?

Stripe Radar collects browser fingerprints (user agent, screen size, timezone, WebGL), behavioral signals (typing cadence, mouse movement on payment fields), and network metadata (IP, proxy detection). It also sets __stripe_mid (1 year) and __stripe_sid (30 min) on stripe.com. Signals are sent to m.stripe.com and r.stripe.com for ML risk scoring.

How does ConsentStack detect Stripe Radar?

ConsentStack classifies Stripe Radar as essential because it is embedded within Stripe.js and inseparable from payment processing. It is detected through js.stripe.com/v3/ script loads. ConsentStack does not block it — doing so would disable fraud protection on checkout pages and is not recommended.
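
An added example, not ConsentStack's or Stripe's code: a scanner-side check that matches the script host, signal endpoints and cookie names listed on this page by exact hostname, so a lookalike host is not classified as essential, and that compares cookie lifetimes with the values stated above. The scan format, the function name and the sample data are assumptions.

```javascript
// Values taken from this page; everything else here is an assumption of the example.
const STRIPE_JS = { host: "js.stripe.com", path: "/v3/" };
const SIGNAL_HOSTS = new Set(["m.stripe.com", "r.stripe.com"]);
const STATED_MAX_AGE = new Map([
  ["__stripe_mid", 365 * 24 * 3600], // 1 year
  ["__stripe_sid", 30 * 60],         // 30 minutes
]);

// Hypothetical scan format: { requests: [url strings], cookies: [{ name, maxAgeSeconds }] }.
function auditStripeRadar(scan) {
  const report = { stripeJsLoaded: false, signalHosts: [], lookalikes: [], cookies: [] };
  for (const raw of scan.requests) {
    let url;
    try { url = new URL(raw); } catch { continue; } // skip unparsable entries
    if (url.protocol !== "https:") continue;
    const host = url.hostname; // URL() already lower-cases the hostname
    if (host === STRIPE_JS.host && url.pathname.startsWith(STRIPE_JS.path)) {
      report.stripeJsLoaded = true;
    } else if (SIGNAL_HOSTS.has(host)) {
      if (!report.signalHosts.includes(host)) report.signalHosts.push(host);
    } else if (host.includes("stripe.com") && host !== "stripe.com" && !host.endsWith(".stripe.com")) {
      // A substring match would have counted this host as Stripe; exact matching does not.
      report.lookalikes.push(host);
    }
  }
  for (const { name, maxAgeSeconds } of scan.cookies) {
    if (!STATED_MAX_AGE.has(name)) continue; // not a Radar cookie named on this page
    report.cookies.push({ name, withinStatedLifetime: maxAgeSeconds <= STATED_MAX_AGE.get(name) });
  }
  return report;
}

// Constructed sample input (not captured traffic); request paths are placeholders.
const sampleScan = {
  requests: [
    "https://js.stripe.com/v3/",
    "https://m.stripe.com/placeholder",
    "https://r.stripe.com/placeholder",
    "https://js.stripe.com.cdn-assets.example/v3/",
    "not a url",
  ],
  cookies: [
    { name: "__stripe_mid", maxAgeSeconds: 31536000 },
    { name: "__stripe_sid", maxAgeSeconds: 86400 },
    { name: "session", maxAgeSeconds: 3600 },
  ],
};
console.log(auditStripeRadar(sampleScan));
```

A cookie reported with `withinStatedLifetime: false` is worth a manual look, because the strictly necessary classification discussed on this page rests on the stated lifetimes.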
