1 4 & 6. Merchant Web Page

Transcription

1 ADVANCED FRAUD TOOLS While Vantiv already offers fraud detection tools in the form of a variety of Fraud Filters, we have entered into a partnership with ThreatMetrix, one of the foremost fraud prevention services in the world, to provide you additional options. The close integration of Vantiv and ThreatMetrix allows you to augment our filters by taking advantage of several ThreatMetrix fraud detection features. This only requires a simple modification to the code resident on your web page. You then process your transactions, as you would normally. The figure below provides a high level overview of the process. FIGURE 1 Advanced Fraud Tools Process Overview & 6 Consumer Merchant Web Page 1. The consumer accesses your web page to make a purchase. 2. Code on your web page makes a call to the ThreatMetrix servers initiating several fraud check mechanisms. At this time, you also supply a unique session Id to ThreatMetrix. Document Version: 1.7 1

2 Advanced Fraud Tools Modifications to Your Web Page While generated by you, each session Id must include a 5-character prefix, supplied by your Implementation Consultant, followed by a dash ("-"). The remainder of the session Id must be unique for each instance of the customer accessing your page. 3. The ThreatMetrix servers examine several properties of the consumer s device and method of access. This process is invisible to the consumer. 4. You submit a normal Authorization/Sale transaction, including the session ID you designated when making the call to the ThreatMetrix Server. If you are using LitleXML version 8.25 or above, you also have the option of submitting a Fraud Check transaction. This transaction type will retrieve the results of the ThreatMetrix checks without initiating an Auth/Sale. 5. We queries the ThreatMetrix servers for the results of their analysis. These results reflect how the information about the consumer device/connection captured in the ThreatMetrix database evaluates against rules and thresholds set in your merchant profile. All this information is distilled to a Device Reputation Score. 6. We return the Device Reputation Score in your LitleXML response message with one of three possible Review Statuses: Pass, Fail, or Review. On a status of Pass, we will proceed to the card network, which may still decline it. On a status of Fail, we will automatically decline the transaction and not pass it on to the card network (excluding Info Only mode described in Information Only Option on page 5). On a status of Review, we will also proceed to the card network, which may still either approve or decline it. If a transaction is declined, you do not need to take action; however, if approved, you must decide whether to allow the transaction to stand or to take action to reverse/void the transaction. MODIFICATIONS TO YOUR WEB PAGE For ThreatMetrix to gather information for analysis, you must add certain profiling tags (see Example below) to selected pages served by you web application. These tags allow ThreatMetrix to collect information by loading objects used for detection into the consumer s browser. These tags are invisible to the consumer and add only a fraction of a second to your page s rendering time. Once loaded, these objects require only 3-5 seconds to gather profiling information from the consumer device. Place the tags as early as possible on the page, inside the <body></body> tags of the page HTML. Example: ThreatMetrix Profiling Tags <!-Begin ThreatMetrix profiling tags below --> <!- Note: replace 'UNIQUE_SESSION_ID' with a uniquely generated handle Note: the value for 'ORG_ID' is a Vantiv supplied value 2 Document Version: 1.7

3 LitleXML Transactions Advanced Fraud Tools note: the pageid tag is not used at this time. the value for 'PAGE_ID' will default to 1 note: for production, replace 'h.online-metrix.net' with a local URL and configure your web server to redirect to'h.online-metrix.net' --> <script type="text/javascript" src=" PAGE_ID"></script> <noscript> <iframe style="width: 100px; height: 100px; border: 0; position: absolute; top: -5000px;" src=" D"></iframe> </noscript> <!- End profiling tags --> LITLEXML TRANSACTIONS To subject a transaction to the advanced fraud checks performed by ThreatMetrix and retrieve the results, you simply submit the <threatmetrixsessionid> element as part of your LitleXML Authorization (or Sale) transaction. This session Id is the same unique value you assigned and sent to ThreatMetrix when your web page called the application (designated as UNIQUE_SESSION_ID in the ThreatMetrix Profiling Tags example). When we receive an Authorization/Sale that includes the <threatmetrixsessionid>, our system automatically queries the ThreatMetrix platform for the associated results. The LitleXML response message includes the <advancedfraudresults> element containing the score and status and information about any triggered rules. The following two examples show a standard Authorization transaction, including a <threatmetrixsessionid> and a pass response. To bypass the ThreatMetrix fraud checks, simply omit the <threatmetrixsessionid> from the transaction. Example: Authorization including <threatmetrixsessionid> Element <litleonlinerequest version="8.25" xmlns=" merchantid="81601"> <authentication> <user>username</user> <password>password</password> </authentication> <authorization id="002" reportgroup="001601"> <orderid> _sessionid_app</orderid> <amount>1002</amount> <ordersource>ecommerce</ordersource> <billtoaddress> Document Version: 1.7 3

4 Advanced Fraud Tools LitleXML Transactions <name>john Doe</name> <addressline1>15 Main Street</addressLine1> <city>san Jose</city> <state>ca</state> <zip> </zip> <country>usa</country> <phone> </phone> </billtoaddress> <card> <type>mc</type> <number> </number> <expdate>1115</expdate> </card> <advancedfraudchecks> <threatmetrixsessionid>axxxxab999</threatmetrixsessionid> </advancedfraudchecks> </authorization> </litleonlinerequest> Example: Authorization Response including <advancedfraudresults> Element <litleonlineresponse version="8.25" xmlns=" response="0" message="valid Format"> <authorizationresponse id="002" reportgroup="001601"> <litletxnid> </litletxnid> <orderid> _sessionid_app</orderid> <response>000</response> <responsetime> t21:36:50</responsetime> <postdate> </postdate> <message>approved</message> <authcode>000003</authcode> <fraudresult> <avsresult>00</avsresult> <advancedfraudresults> <devicereviewstatus>pass</devicereviewstatus> <devicereputationscore>50</devicereputationscore> <triggeredrule>flashimagescookiesdisabled</triggeredrule> </advancedfraudresults> </fraudresult> </authorizationresponse> </litleonlineresponse> 4 Document Version: 1.7

5 Information Only Option Advanced Fraud Tools The other possible values for the <devicereviewstatus> element are fail, review, invalid_session, unavailable, and unknown_session. The <devicereputationscore> value can range from -100 to 100. The resulting pass, fail, or review value depends upon your profile settings. The <triggeredrule> element can occur multiple times, once for each rule triggered. INFORMATION ONLY OPTION If you wish to retain full control of the decision to accept or decline transactions, we offer the option of using the Advanced Fraud Tools in an Information Only mode. In this configuration, you receive the same information in the response as you would with the full implementation; however, we will not automatically decline transactions with a failing score. If the authorization is declined by the network, you can choose to recycle the transaction or do nothing. If an authorization with a failing score receives approval from the network, it would be up to you to reverse the authorization should you decide not to proceed with the transaction. This is similar to the case of an approved transaction that has a status of Review, but you decide not to proceed. Issuing an authorization reversal allows you to avoid any misuse of Auth fees otherwise imposed by the card networks. FRAUD CHECK TRANSACTION If you have coded to LitleXML V8.25 or above and wish to retrieve the Advanced Fraud results without introducing a Authorization or Sale transactions, use a Fraud Check transaction as shown in the example below. Fraud Check transactions are only supported as Online transactions. Example: Fraud Check Transaction <litleonlinerequest version="8.25" xmlns=" merchantid="81601"> <authentication> <user>username</user> <password>password</password> </authentication> <fraudcheck id="002" reportgroup="001601"> <advancedfraudchecks> <threatmetrixsessionid>asdfg-axxxxab999</threatmetrixsessionid> </advancedfraudchecks> </authorization> </litleonlinerequest> Document Version: 1.7 5

6 Advanced Fraud Tools Fraud Check Transaction Example: Fraud Check Response <litleonlineresponse version="8.25" xmlns=" response="0" message="valid Format"> <fraudcheckresponse id="002" reportgroup="001601"> <litletxnid> </litletxnid> <response>000</response> <message>approved</message> <responsetime> t21:36:50</responsetime> <advancedfraudresults> <devicereviewstatus>pass</devicereviewstatus> <devicereputationscore>50</devicereputationscore> <triggeredrule>flashimagescookiesdisabled</triggeredrule> </advancedfraudresults> </fraudcheckresponse> </litleonlineresponse> 6 Document Version: 1.7