Block List
What Is a Block List in Payments? Definition and How It Works
Definition
A block list in payments is a configurable set of identifiers, such as card numbers, BIN ranges, email addresses, IP addresses, or device fingerprints, that are automatically declined when they appear in a transaction, based on prior fraud or policy decisions.
How it works
Block lists are a hard-rule component of a payment risk engine. When an incoming transaction contains an identifier that matches an entry on the block list, the transaction is declined without passing through fraud scoring or further evaluation. The decision is immediate and binary.
Block list entries are populated from several sources: confirmed fraud chargebacks (card numbers associated with disputed transactions), card testing attack patterns (IP ranges or device fingerprints identified during an attack), manual additions by fraud operations teams, and automated rules that add identifiers when velocity thresholds are breached.
Block lists require active hygiene management. An entry added during a specific fraud event may no longer be relevant months later: for example, a stolen card that has since been reissued, or a VPN IP range used in one attack that is now used by legitimate customers. Block lists that grow without review produce increasing false positive rates over time as outdated entries block legitimate transactions.
The scope of identifiers that can be block-listed varies by payment system: most support card number/token, BIN range, email address, IP address, and device fingerprint. Some support shipping address, phone number, and bank account number. The broader the identifier set, the more precisely targeted block list rules can be.
Why it matters
Block lists are point-in-time controls that degrade without maintenance: adding identifiers to a block list is easy; reviewing and retiring stale entries requires operational process. Block lists without review cycles accumulate false positives that erode conversion over months.
BIN-level blocking is a blunt instrument: blocking an entire BIN range to stop a BIN attack also blocks all legitimate cards in that range. BIN blocks should be temporary and scoped to the specific attack period, not permanent policy.
Block lists should be distinguished from allow lists: certain high-value customers or known-good identifiers can be placed on an allow list that bypasses fraud checks. The interaction between allow lists and block lists must be explicitly configured; an identifier cannot be on both simultaneously.
Block list sharing across merchants creates privacy considerations: some fraud networks share block list data across merchant portfolios to improve coverage. This is effective at stopping repeat fraudsters but requires clear data governance and, in EEA markets, must be assessed for GDPR compliance.
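The hard-rule check, entry expiry and allow/block exclusivity described above, as an added Python sketch (not PXP's or any vendor's code). The class and field names, the rule that a live block wins over an allow-list match on a different identifier, and all sample values are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Entry:
    kind: str          # "card", "bin", "email", "ip" or "device"
    value: str         # token, BIN prefix, address or CIDR range
    expires: datetime  # every entry carries an expiry for hygiene
    reason: str

def matches(e, txn):
    if e.kind == "bin":    # prefix match: hits every card in the range
        return txn["bin"].startswith(e.value)
    if e.kind == "ip":     # single address or CIDR range
        return ipaddress.ip_address(txn["ip"]) in ipaddress.ip_network(e.value)
    return txn.get(e.kind) == e.value   # exact match for card, email, device

class RiskLists:
    def __init__(self):
        self.block, self.allow = [], set()
    def add_allow(self, kind, value):
        if any((e.kind, e.value) == (kind, value) for e in self.block):
            raise ValueError(f"{kind}:{value} is already block-listed")
        self.allow.add((kind, value))
    def add_block(self, kind, value, ttl_days, reason, now):
        if (kind, value) in self.allow:
            raise ValueError(f"{kind}:{value} is already allow-listed")
        self.block.append(Entry(kind, value, now + timedelta(days=ttl_days), reason))
    def purge_expired(self, now):
        stale = [e for e in self.block if e.expires <= now]
        self.block = [e for e in self.block if e.expires > now]
        return stale                   # hand these to the review log
    def decide(self, txn, now):
        for e in self.block:           # hard rule, runs before any scoring
            if e.expires > now and matches(e, txn):
                return "decline", e.reason
        if any((k, v) in self.allow for k, v in txn.items()):
            return "bypass", None      # allow-listed: skip fraud checks
        return "score", None           # hand over to fraud scoring

# Constructed sample data (documentation IP ranges, example.com, fake token).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
lists = RiskLists()
lists.add_block("ip", "203.0.113.0/24", 7, "card testing attack", NOW)
lists.add_block("bin", "411111", 2, "BIN attack", NOW)
lists.add_allow("email", "vip@example.com")
TXN = {"card": "tok_1", "bin": "411111", "ip": "198.51.100.9", "email": "vip@example.com"}
```

With this data, `lists.decide(TXN, NOW)` declines the allow-listed customer because their card sits in the temporarily blocked BIN range; once the two-day BIN block expires, the same transaction bypasses scoring again.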
With PXP
PXP's risk engine supports configurable block lists across card, BIN, email, IP, and device identifiers. Entries can be added manually through the dashboard or automatically by velocity rule triggers. Block list entries include expiry dates to support hygiene management.
Frequently asked questions
What identifiers can typically be block-listed in a payment risk engine?
Common block-listable identifiers include: card number or token, BIN prefix (issuer range), email address, IP address, IP CIDR range, device fingerprint, shipping address, and phone number. More advanced systems also support blocking on browser fingerprint, billing address, and bank account number. The right identifier to block depends on what is known about the fraud pattern being addressed.
How should merchants decide when to remove a block list entry?
Entries should be reviewed at regular intervals, monthly at minimum for high-volume merchants. The review should assess whether the reason for the original block is still valid: has the card been reissued (making the block irrelevant), has the IP range been reallocated to a different owner, has enough time passed since the attack to safely remove the block? Automated expiry dates reduce the manual review burden.
Can block lists cause legal or discrimination issues?
Potentially, yes. Block lists applied to protected characteristics, for example blocking transactions by country or region in a way that systematically excludes protected groups, can create regulatory exposure in some jurisdictions. Email or name-based block lists that disproportionately affect specific demographics require legal review. Block list policies should be documented and reviewed for compliance with anti-discrimination obligations in the merchant's operating jurisdictions.
What is the difference between a block list and a deny list?
The terms are used interchangeably in payment fraud contexts. Block list, deny list, and blacklist all refer to the same concept: a list of identifiers that are automatically rejected. The industry has moved toward the term block list as the standard, replacing the older term blacklist. Some systems use deny list. The underlying functionality is identical regardless of terminology.