
Protect Plus

 

Protect Plus is a sophisticated counter-fraud service that provides your site with an extra layer of security against fraudulent transactions. It makes use of the industry’s largest negative database to perform a comprehensive suite of fraud assessments, including identity checks against the UK electoral roll and BT databases.

 

Process overview

Sign up for Protect Plus
Before you can get started, you will need to contact our Sales Team and enable Protect Plus on your account.

 

What checks are performed?

We analyse the customer’s billing, delivery and payment details using a rule-based system to detect suspicious patterns in user activity. Our system will assist you in deciding whether to process a customer’s transaction based on the perceived level of risk. Checks performed include:

 

Warning
Protect Plus does not guarantee against fraud
You should consider all data regarding a transaction before accepting the payment.

 

What happens after the checks are performed?

The Protect Plus system will analyse transaction details and issue one of the following fraudcontrolshieldstatuscode values:

“ACCEPT” The details are not deemed suspicious.
“CHALLENGE” Further investigation is recommended.
“DENY” The details are suspicious and a transaction should not be performed.
“NOSCORE” Transaction was declined by the acquirer before checks were performed.

 

Order of requests

Protect Plus checks are performed when you update your payment form to submit a RISKDEC request as part of the transaction. There are two methods to do this:

 


 

RISKDEC then AUTH request

 

Process overview

  1. When the customer clicks “Pay” on your checkout, the JavaScript library submits a request to Secure Trading.
  2. Secure Trading checks the payment details and generates a shield status code.
  3. Secure Trading contacts the acquiring bank to process the payment.
  4. Secure Trading returns the response JWT to your system. You will need to interpret the response.
Info
By default, if the shield status code is “CHALLENGE” or “DENY”, Secure Trading will then suspend the transaction (updated to settle status “2”).  This allows you to review the transaction and either opt to proceed by updating the settle status of the AUTH to “1” or to cancel by updating the settle status to “3”.

 

Update your payment form

You will need to update your payment form to instruct our JavaScript library to process a RISKDEC prior to performing a standard transaction. This is done by specifying custom requestTypes, as shown in the example below:


<html>
<head>
</head>
<body>
  <div id="st-notification-frame"></div>
  <form id="st-form" action="https://www.example.com">
    <div id="st-card-number" class="st-card-number"></div>
    <div id="st-expiration-date" class="st-expiration-date"></div>
    <div id="st-security-code" class="st-security-code"></div>
    <button type="submit" id="st-form__submit" class="st-form__submit">
      Pay securely
    </button>
  </form>
 <script src="<DOMAIN>/js/v2/st.js"></script>
 <script> 
  (function() {
   var st = SecureTrading({  
    jwt: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXlsb2FkIjp7ImFjY291bnR0eXBlZGVzY3JpcHRpb24iOiJFQ09NIiwiYmFzZWFtb3VudCI6IjEwNTAiLCJjdXJyZW5jeWlzbzNhIjoiR0JQIiwic2l0ZXJlZmVyZW5jZSI6InRlc3Rfc2l0ZTEyMzQ1In0sImlhdCI6MTU1OTAzMzg0OSwiaXNzIjoiand0LnVzZXIifQ.jXI151RhD5ob1qJkQOM9tk0wyyvlewGXsTTlkz-jiYA',          
    });  
   st.Components({"requestTypes":["RISKDEC","THREEDQUERY","AUTH"]}); 
  })(); 
 </script>
</body>
</html>

Replace <DOMAIN> with a supported domain. Click here for a full list.

 

Response example

As with a standard payment, you will need to decode the JWT returned and check the response, in particular, the fraudcontrolshieldstatuscode and settlestatus fields.

 

The response is divided into two parts:

 

For the RISKDEC response field specification, scroll down to the “Interpreting the response” section.

Example:


{
  'requestreference': 'A0dcb11e6',
  'version': '1.00',
  'response': [{
    'acquirerrecommendedaction': 'C',
    'fraudcontrolresponsecode': '0100',
    'paymenttypedescription': 'VISA',
    'orderreference': 'My_Order_123',
    'transactionstartedtimestamp': '2016-12-07 16:19:28',
    'errormessage': 'Ok',
    'operatorname': '[email protected]',
    'fraudcontrolreference': 'TEST',
    'accounttypedescription': 'FRAUDCONTROL',
    'errorcode': '0',
    'transactionreference': '1-2-345678',
    'maskedpan': '411111######1111',
    'requesttypedescription': 'RISKDEC',
    'fraudcontrolshieldstatuscode': 'ACCEPT',
    'livestatus': '0'
  }, {
    'transactionstartedtimestamp': '2016-12-07 16:19:28',
    'parenttransactionreference': '1-2-345678',
    'livestatus': '0',
    'issuer': 'SecureTrading Test Issuer1',
    'splitfinalnumber': '1',
    'dccenabled': '0',
    'settleduedate': '2016-12-07',
    'errorcode': '0',
    'orderreference': 'My_Order_123',
    'tid': '27882788',
    'merchantnumber': '00000000',
    'merchantcountryiso2a': 'GB',
    'transactionreference': '1-2-345679',
    'merchantname': 'Test Merchant',
    'paymenttypedescription': 'VISA',
    'baseamount': '1011',
    'accounttypedescription': 'ECOM',
    'acquirerresponsecode': '00',
    'requesttypedescription': 'AUTH',
    'securityresponsesecuritycode': '2',
    'currencyiso3a': 'GBP',
    'authcode': 'TEST19',
    'errormessage': 'Ok',
    'operatorname': '[email protected]',
    'securityresponsepostcode': '0',
    'maskedpan': '411111######1111',
    'securityresponseaddress': '0',
    'issuercountryiso2a': 'US',
    'settlestatus': '0'
  }]
}

 


 

AUTH then RISKDEC request

Performing the RISKDEC after the AUTH allows Secure Trading to take into account the results of the AVS, Security Code and 3-D Secure checks when analysing the submitted details for fraud.

 

Process overview

  1. When the customer clicks “Pay” on your checkout, the JavaScript library submits a request to Secure Trading.
  2. Secure Trading contacts the acquiring bank to process the payment.
  3. Secure Trading checks the payment details and generates a shield status code.
  4. Secure Trading returns the response JWT to your system. You will need to interpret the response.
Info
If the shield status code is “CHALLENGE” or “DENY”, Secure Trading recommends that you update the AUTH to a suspended state (settle status “2”).  This allows you to review the transaction and either opt to proceed by updating the settle status of the AUTH to “1” or to cancel by updating the settle status to “3”.

 

Update your payment form

You will need to update your payment form to instruct our JavaScript library to process a RISKDEC after performing a standard transaction. This is done by specifying custom requestTypes, as shown in the example below:


<html>
<head>
</head>
<body>
  <div id="st-notification-frame"></div>
  <form id="st-form" action="https://www.example.com">
    <div id="st-card-number" class="st-card-number"></div>
    <div id="st-expiration-date" class="st-expiration-date"></div>
    <div id="st-security-code" class="st-security-code"></div>
    <button type="submit" id="st-form__submit" class="st-form__submit">
      Pay securely
    </button>
  </form>
 <script src="<DOMAIN>/js/v2/st.js"></script>
 <script> 
  (function() {
   var st = SecureTrading({  
    jwt: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXlsb2FkIjp7ImFjY291bnR0eXBlZGVzY3JpcHRpb24iOiJFQ09NIiwiYmFzZWFtb3VudCI6IjEwNTAiLCJjdXJyZW5jeWlzbzNhIjoiR0JQIiwic2l0ZXJlZmVyZW5jZSI6InRlc3Rfc2l0ZTEyMzQ1In0sImlhdCI6MTU1OTAzMzg0OSwiaXNzIjoiand0LnVzZXIifQ.jXI151RhD5ob1qJkQOM9tk0wyyvlewGXsTTlkz-jiYA',          
    });  
   st.Components({"requestTypes":["THREEDQUERY","AUTH","RISKDEC"]}); 
  })(); 
 </script>
</body>
</html>

Replace <DOMAIN> with a supported domain. Click here for a full list.

 

Response example

As with a standard payment, you will need to decode the JWT returned and check the response, in particular, the fraudcontrolshieldstatuscode and settlestatus fields.

 

The response is divided into two parts:

 

For the RISKDEC response field specification, scroll down to the “Interpreting the response” section.

Example:


{
  'requestreference': 'Ad4ft45gp',
  'version': '1.00',
  'response': [{
    'transactionstartedtimestamp': '2016-12-07 16:25:19',
    'livestatus': '0',
    'issuer': 'SecureTrading Test Issuer1',
    'splitfinalnumber': '1',
    'dccenabled': '0',
    'settleduedate': '2016-12-07',
    'errorcode': '0',
    'orderreference': 'My_Order_123',
    'tid': '27882788',
    'merchantnumber': '00000000',
    'merchantcountryiso2a': 'GB',
    'transactionreference': '1-2-345678',
    'merchantname': 'Test Merchant',
    'paymenttypedescription': 'VISA',
    'baseamount': '1011',
    'accounttypedescription': 'ECOM',
    'acquirerresponsecode': '00',
    'requesttypedescription': 'AUTH',
    'securityresponsesecuritycode': '2',
    'currencyiso3a': 'GBP',
    'authcode': 'TEST57',
    'errormessage': 'Ok',
    'operatorname': '[email protected]',
    'securityresponsepostcode': '0',
    'maskedpan': '411111######1111',
    'securityresponseaddress': '0',
    'issuercountryiso2a': 'US',
    'settlestatus': '0'
  }, {
    'acquirerrecommendedaction': 'C',
    'fraudcontrolresponsecode': '0100',
    'paymenttypedescription': 'VISA',
    'orderreference': 'My_Order_123',
    'transactionstartedtimestamp': '2016-12-07 16:25:19',
    'errormessage': 'Ok',
    'operatorname': '[email protected]',
    'parenttransactionreference': '1-2-345678',
    'fraudcontrolreference': 'TEST',
    'accounttypedescription': 'FRAUDCONTROL',
    'errorcode': '0',
    'transactionreference': '1-2-345679',
    'maskedpan': '411111######1111',
    'requesttypedescription': 'RISKDEC',
    'fraudcontrolshieldstatuscode': 'ACCEPT',
    'livestatus': '0'
  }]
}

 


 

Interpreting the response

The AUTH part of the response follows the same structure as a standard AUTH response. The RISKDEC part of the response contains new fields that are described below:

 

Key

Field name Type Length Response Description
fraudcontrolshieldstatuscode Alpha 10 One of the following values:

  • “ACCEPT” – The details are not deemed suspicious.
  • “CHALLENGE” – Further investigation is recommended.
  • “DENY” – The details are suspicious and a transaction should not be performed.
  • “NOSCORE” – Returned when a parent AUTH Request has been declined.
fraudcontrolreference Alphanumeric 255 Unique reference to identify the Risk Decision check performed.
fraudcontrolresponsecode Numeric 4 A numeric code that is mapped to further information on the results of the Risk Decision checks performed.
acquirerrecommendedaction Char 1 Either:

  • “C” – Continue with the transaction.
  • “S” – Stop transaction.

Note that this is ONLY a recommendation. Protect Plus does not guarantee against fraud.

rulecategoryflag Alphanumeric 255 Reference used to identify a condition that was met to return the DENY or CHALLENGE fraudcontrolshieldstatuscode.
rulecategorymessage Alphanumeric Not defined Condition that was met to return the DENY or CHALLENGE fraudcontrolshieldstatuscode.
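
An added example (not Secure Trading's own code) of interpreting the decoded response in either request order: it finds the RISKDEC and AUTH parts by requesttypedescription, checks them against the order your server recorded, and fails closed on anything unexpected. The function name, the expected argument and the returned action labels are assumptions made for illustration.

```javascript
// Added example, not Secure Trading code. `decoded` is the decoded response in
// the shape shown on this page, from a JWT your server has already verified.
// `expected` holds what your server recorded for the order (assumed names).
const ACTIONS = new Map([
  ['ACCEPT', 'proceed'], ['CHALLENGE', 'review'], ['DENY', 'deny'], ['NOSCORE', 'declined'],
]);
function interpretProtectPlus(decoded, expected) {
  const parts = Array.isArray(decoded && decoded.response) ? decoded.response : [];
  // Look parts up by type: their order depends on the requestTypes used.
  const risk = parts.find((p) => p.requesttypedescription === 'RISKDEC');
  const auth = parts.find((p) => p.requesttypedescription === 'AUTH');
  // Fail closed when either part is missing.
  if (!risk || !auth) return { action: 'review', reason: 'missing RISKDEC or AUTH part' };
  // Bind the response to the order the server expects.
  if (risk.orderreference !== expected.orderreference ||
      auth.orderreference !== expected.orderreference ||
      auth.baseamount !== expected.baseamount ||
      auth.currencyiso3a !== expected.currencyiso3a) {
    return { action: 'review', reason: 'response does not match the order' };
  }
  const shield = risk.fraudcontrolshieldstatuscode;
  const settlestatus = auth.settlestatus;
  // NOSCORE, or an AUTH errorcode other than the '0' shown in the examples.
  if (shield === 'NOSCORE' || auth.errorcode !== '0') {
    return { action: 'declined', shield, reason: auth.errormessage };
  }
  const action = ACTIONS.get(shield);
  // Unknown status or failed RISKDEC is never treated as ACCEPT.
  if (!action || risk.errorcode !== '0') {
    return { action: 'review', shield, reason: 'no usable shield status' };
  }
  if (action === 'proceed') {
    // ACCEPT does not override a suspended (2) or cancelled (3) AUTH.
    const held = settlestatus === '2' || settlestatus === '3';
    return { action: held ? 'review' : 'proceed', shield, settlestatus };
  }
  // CHALLENGE or DENY: the AUTH should sit at settle status 2 until reviewed.
  return { action, shield, settlestatus, suspendRequired: settlestatus !== '2' };
}

// Constructed sample: AUTH then RISKDEC, CHALLENGE returned, AUTH not yet suspended.
const sample = { response: [
  { requesttypedescription: 'AUTH', errorcode: '0', errormessage: 'Ok', settlestatus: '0',
    orderreference: 'My_Order_123', baseamount: '1011', currencyiso3a: 'GBP' },
  { requesttypedescription: 'RISKDEC', errorcode: '0', orderreference: 'My_Order_123',
    fraudcontrolshieldstatuscode: 'CHALLENGE' },
] };
const order = { orderreference: 'My_Order_123', baseamount: '1011', currencyiso3a: 'GBP' };
console.log(interpretProtectPlus(sample, order));
```

When suspendRequired is true, the AUTH is not yet at settle status “2” and should be suspended before the transaction is reviewed.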

 


 

Testing

We recommend that you thoroughly test your solution before enabling it on your live Site Reference.
Click here for details that you can submit to simulate different RISKDEC responses on our test system.