A core practice for most fraudsters is to try many attempts at payments. Many refusals in a row can indicate a fraud attack that is being detected by the issuing bank, but not blocked by the merchant. This check is aimed at identifying users whose rate of refusals fits the profile of a fraudster.
Merchants can establish a threshold for both the number of refused transactions and the timeframe allowed. The default is 3 times over 7 days.
The risk check fired on the refused transactions after the set threshold (assuming that all the refusals occur consecutively with no authorizations breaking the chain). So, if a merchant sets a threshold of 3 in 7 days, it fires on the 4th consecutive refusal recorded in that 30-day period.