ThreatMetrix is the industry leader in device identification based fraud management. Their global fraud-prevention network is based on third generation device identification and transaction behavior tracking technology that delivers device and transaction confidence scores, reason codes and attributes in real-time. Using device identification coupled with their advanced rules-engine, and machine learning technology, ThreatMetrix is able to stop first-time fraud and recognize valued, returning customers more effectively than competing alternatives.
The eBizCharge gateway provides an interface for integrating the ThreatMetrix service into merchant's existing transaction processing. Merchants looking to enhance their fraud prevention efforts can leverage this premium service with a minimal amount of code change. Once integrated, the ThreatMetrix scoring and extended device profile data is visible within the merchant console. The ThreatMetrix fraud module can be configured on a per source key basis to block transactions which reach a given score.
For pricing information merchants should contact their merchant service provider.
For development assistance please contact the integration support department.
Merchants accepting payments via the eBizCharge hosted Payment Form can add ThreatMetrix device profiling by adding the DeviceProfiler tag to their payment form. Typically this is added near the bottom of their template, just above the body tag:
.... [DeviceProfiler] </body> </html>
Device identification is currently available on the Transaction API. Partial support is available in the Soap API using the runTransactionAPI method. Full support in the Soap API will be available in 1.5 when it is released. Developers using other libraries can request assistance by contacting the developer integration department at devtickets@ebizcharge.com
There are three addition/changes that need to be made by the merchant's developer or software vendor:
To properly track the customer throughout the payment process a unique session id is required. This session id must be generated by eBizCharge and should be stored throughout the check out process. A session id is retrieved by calling the “getsession” action in the profiler api.
Example REST request:
https://secure.ebizcharge.com/interface/profiler/getsession? SourceKey=123123123123123123&Hash=s/sjhj2489sh/fe2cece09552cbb5855865c1f582252cff1e2dea
The SourceKey variable is generated in the merchant console. It must be setup with a pin assigned. The Hash is calculated by concatenating the action (getsession), the pin, and a random seed separated by colons. For example, if your pin is '1234' and your seed is 'sjhj2489sh', the prehashed text would be 'getsession:1234:sjhj2489sh' and the sha1 hash would be 'fe2cece09552cbb5855865c1f582252cff1e2dea'. The Hash variable is then set to type/seed/hash. In this example Hash would be set to 's/sjhj2489sh/fe2cece09552cbb5855865c1f582252cff1e2dea'
Example response:
<?xml version="1.0"?> <Output> <Result>A</Result> <SessionID>u820nnd3t9tsfr7bhnxxfaww1sess57sspnk8hmrzkyrvh4wu9fa9w7idon4wue8</SessionID> <OrgID>sdffss</OrgID> </Output>
The SessionID variable should be stored for the duration of the payment process. The OrgID is needed for the HTML display but does not need to be stored for later use.
Taking the variables received during the 'getsession' call above, display the following HTML to the customer. Typically this html can be added to bottom of the same page that is used to collect the card number.
<p style="background:url(https://content-05.ebizcharge.com/fp/clear.png?org_id=[OrgID]&session_id=[SessionID]&m=1)"></p> <img src="https://content-05.ebizcharge.com/fp/clear.png?org_id=[OrgID]&session_id=[SessionID]&m=2" width="1" height="1" alt=""> <script src="https://content-05.ebizcharge.com/fp/check.js?org_id=[OrgID]&session_id=[SessionID]" type="text/javascript"></script> <object type="application/x-shockwave-flash" data="https://content-05.ebizcharge.com/fp/fp.swf?org_id=[OrgID]&session_id=[SessionID]" width="1" height="1" id="obj_id"> <param name="movie" value="https://content-05.ebizcharge.com/fp/fp.swf?org_id=[OrgID]&session_id=[SessionID]" /> <div></div> </object>
The session id needs to be passed in the UMsession variable with the rest of the transaction data. Example sale request:
https://secure.ebizcharge.com/gate? UMkey=123123123123123123& UMcard=4444555566667779& UMexpir=1212& UMamount=10.00& UMinvoice=12345& UMdescription=Example+Order& UMsession=u820nnd3t9tsfr7bhnxxfaww1sess57sspnk8hmrzkyrvh4wu9fa9w7idon4wue8
There are also additional response variables such as the profiler score that the developer may wish to capture. While it is not necessary to do anything with these variables, they can be useful in making business decisions such as whether to ship product or not. Example response:
UMversion=2.9& UMstatus=Approved& UMauthCode=000038& UMrefNum=1453072& .... UMprofilerScore=-15& UMprofilerResponse=pass& UMprofilerReason=NewDeviceID& UMfiller=filled
The UMprofilerScore variable contains the score calculated by ThreatMetrix based on the device and transaction details. The higher the number, the less risk. “0” represents a clean, safe transaction. ”-99” is a high risk transaction and should be investigated manually. UMprofilerResponse will return 'reject','pass','review' or 'error'. The first three of these are based on score thresholds (ie >-30 = pass, >-60 = warn ←60 = reject). 'error' indicates that the gateway was unable to complete the profiling request. A list of factors that triggered the score will be returned in the UmprofilerReason variable.