How do I follow a payment with a Risk Decision?
Performing the RISKDEC after the AUTH allows Trust Payments to take into account the results of the AVS, Security Code and 3-D Secure checks when analysing the submitted details for fraud.
Process overview
- When the customer clicks “Pay” on your checkout, the JavaScript library submits a request to Trust Payments.
- The customer is authenticated with 3-D Secure.
- Trust Payments contacts the acquiring bank to process the payment.
- Trust Payments checks the payment details and generates a shield status code.
- Trust Payments returns the response JWT to your system. You will need to interpret the response.

Update the JWT payload
You will need to update the JWT payload to instruct our JavaScript Library to process a RISKDEC following a standard transaction. This is done by submitting requesttypedescriptions following the specification outlined below:
Field specification
Field | Format | Description
requesttypedescriptions | List | This must be set to ["THREEDQUERY","AUTH","RISKDEC"]
Payload example
{"payload":{"accounttypedescription":"ECOM","baseamount":"1050","currencyiso3a":"GBP","sitereference":"test_site12345","requesttypedescriptions":["THREEDQUERY","AUTH","RISKDEC"]},"iat":1559033849,"iss":"jwt.user"}
Replace <DOMAIN> with a supported domain. Click here for a full list.
Handling the response
The contents of the response depend on whether the customer was subject to more stringent authentication (referred to as “Step-up” authentication):
- For “Step-up” authentication: After the customer has completed the payment session, you will receive a single response JWT, consisting of the responses to the AUTH and RISKDEC requests.
- For “Frictionless” authentication: After the customer has completed the payment session, you will receive a single response JWT consisting of the THREEDQUERY, AUTH and RISKDEC responses.
- When checking the THREEDQUERY and AUTH responses:
  - We recommend following the checks outlined in the Getting started section.
- When checking the RISKDEC response:
  - It is important that this request is successful (check the errorcode is “0”).
  - Check the fraudcontrolshieldstatuscode – We recommend investigating instances where “CHALLENGE” and “DENY” are returned.
  - There are additional fields specific to Protect Plus that your system will need to check. These are described in the table below.
Field | Format | Description
acquirerrecommendedaction | Char (1) | Either:
Note that this is ONLY a recommendation. Protect Plus does not guarantee against fraud.
fraudcontrolreference | Alphanumeric (255) | Unique reference to identify the Risk Decision check performed.
fraudcontrolresponsecode | Numeric (4) | A numeric code that is mapped to further information on the results of the Risk Decision checks performed.
fraudcontrolshieldstatuscode | Alpha (10) | One of the following values:
rulecategoryflag | Alphanumeric (255) | Reference used to identify a condition that was met to return the DENY or CHALLENGE fraudcontrolshieldstatuscode.
rulecategorymessage | Not defined | Condition that was met to return the DENY or CHALLENGE fraudcontrolshieldstatuscode.
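The RISKDEC checks above as a server-side Node.js sketch; this is an added example, not Trust Payments' own code. It verifies the response JWT's signature before reading any field, then holds the order for investigation unless the AUTH and RISKDEC both succeeded and the shield status allows it. Assumptions: the JWT is HS256-signed with your shared secret, the responses sit in a `payload.response` list with each entry tagged by `requesttypedescription`, and "ACCEPT" is the status that lets an order proceed; `SECRET`, `signJwt`, `verifyJwt` and `evaluateRiskDecision` are hypothetical names.

```javascript
// Added example, not Trust Payments code. SECRET, signJwt and the payload.response[]
// layout (entries tagged by requesttypedescription) are assumptions.
const crypto = require("crypto");

const SECRET = "constructed-demo-secret"; // placeholder, not a real credential
const PROCEED_STATUSES = new Set(["ACCEPT"]); // assumed value; every other status is held

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const dec = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
const mac = (data, secret) => crypto.createHmac("sha256", secret).update(data).digest();

// Builds a constructed sample token so the example runs offline.
function signJwt(claims, secret) {
  const body = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}`;
  return `${body}.${mac(body, secret).toString("base64url")}`;
}

// Verifies the HS256 signature before any field is trusted, then returns the claims.
function verifyJwt(token, secret) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  if (dec(parts[0]).alg !== "HS256") throw new Error("unexpected alg");
  const given = Buffer.from(parts[2], "base64url");
  const expected = mac(`${parts[0]}.${parts[1]}`, secret);
  const ok = given.length === expected.length && crypto.timingSafeEqual(given, expected);
  if (!ok) throw new Error("bad signature");
  return dec(parts[1]);
}

// Maps the AUTH and RISKDEC responses to an action for the order (fails closed).
function evaluateRiskDecision(token, secret) {
  const responses = verifyJwt(token, secret).payload?.response ?? [];
  const find = (type) => responses.find((r) => r.requesttypedescription === type);
  const auth = find("AUTH");
  const risk = find("RISKDEC");
  if (!auth || String(auth.errorcode) !== "0") return { action: "decline", reason: "AUTH unsuccessful" };
  if (!risk || String(risk.errorcode) !== "0") return { action: "investigate", reason: "RISKDEC unsuccessful" };
  const status = risk.fraudcontrolshieldstatuscode;
  if (PROCEED_STATUSES.has(status)) return { action: "proceed", reason: status };
  return { action: "investigate", reason: `${status}: ${risk.rulecategorymessage || "no rule message"}` };
}

// Constructed sample: frictionless flow where the RISKDEC returns CHALLENGE.
const sample = signJwt({ iat: 1559033849, payload: { response: [
  { requesttypedescription: "THREEDQUERY", errorcode: "0" },
  { requesttypedescription: "AUTH", errorcode: "0" },
  { requesttypedescription: "RISKDEC", errorcode: "0",
    fraudcontrolshieldstatuscode: "CHALLENGE", rulecategorymessage: "constructed rule text" },
] } }, SECRET);
console.log(evaluateRiskDecision(sample, SECRET));
```

Store `fraudcontrolreference` and `rulecategoryflag` alongside the order so a held transaction can be traced back to the Risk Decision that flagged it.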
Testing
We recommend that you thoroughly test your solution before enabling it on your live Site Reference.
Click here for details that you can submit to simulate different RISKDEC responses on our test system.