How do I follow a payment with a Risk Decision?

Specifying for the RISKDEC to be performed after the AUTH allows Trust Payments to take into account the results of AVS, Security Code Checks and 3-D Secure checks performed when analysing the submitted details for fraud.

Process overview

1. When the customer clicks “Pay” on your checkout, the JavaScript library submits a request to Trust Payments.
2. The customer is authenticated with 3-D Secure.
3. Trust Payments contacts the acquiring bank to process the payment.
4. Trust Payments checks the payment details and generates a shield status code.
5. Trust Payments returns the response JWT to your system. You will need to interpret the response.

If the shield status code is “CHALLENGE” or “DENY”, Trust Payments recommends that you update the AUTH to a suspended state (settle status “2”).  This allows you to review the transaction and either opt to proceed by updating the settle status of the AUTH to “1” or to cancel by updating the settle status to “3”.

Update the JWT payload

You will need to update the JWT payload to instruct our JavaScript Library to process a RISKDEC following a standard transaction. This is done by submitting requesttypedescriptions following the specification outlined below:

Field specification

	Field	Format	Description
	requesttypedescriptions	List	This must be set to [“THREEDQUERY”,”AUTH”,”RISKDEC”]

Payload example

{"payload":{"accounttypedescription":"ECOM","baseamount":"1050","currencyiso3a":"GBP","sitereference":"test_site12345","requesttypedescriptions":["THREEDQUERY","AUTH","RISKDEC"]},"iat":1559033849,"iss":"jwt.user"}

Replace <DOMAIN> with a supported domain. Click here for a full list.

Handling the response

The contents of the response is dependent on whether the customer was subject to more stringent authentication (referred to as “Step-up” authentication):

• For “Step-up” authentication: After the customer has completed the payment session, you will receive a single response JWT, consisting of the responses to the AUTH and RISKDEC requests.
• For “Frictionless” authentication: After the customer has completed the payment session, you will receive a single response JWT consisting of the THREEDQUERY, AUTH and RISKDEC responses.

• When checking the THREEDQUERY and AUTH responses:
  • We recommend following the checks outlined in the Getting started section.
• When checking the RISKDEC response:
  • It is important that this request is successful (check the errorcode is “0”).
  • Check the fraudcontrolshieldstatuscode – We recommend investigating instances where “CHALLENGE” and “DENY” are returned.
  • There are additional fields specific to Protect Plus that your system will need to check. These are described in the table below.

	Field	Format	Description
	acquirerrecommendedaction	Char (1)	Either: “C” – Continue with the transaction. “S” – Stop transaction. Note that this ONLY a recommendation. Protect Plus does not guarantee against fraud.
	fraudcontrolreference	Alphanumeric (255)	Unique reference to identify the Risk Decision check performed.
	fraudcontrolresponsecode	Numeric (4)	A numeric code that is mapped to further information on the results of the Risk Decision checks performed.
	fraudcontrolshieldstatuscode	Alpha (10)	One of the following values: “ACCEPT” – The details are not deemed suspicious. “CHALLENGE” – Further investigation is recommended. “DENY” – The details are suspicious and a transaction should not be performed. “NOSCORE” – Returned when a parent AUTH Request has been declined.
	rulecategoryflag	Alphanumeric (255)	Reference used to identify a condition that was met to return the DENY or CHALLENGE fraudcontrolshieldstatuscode.
	rulecategorymessage	Not defined	Condition that was met to return the DENY or CHALLENGE fraudcontrolshieldstatuscode.

Testing

We recommend that you thoroughly test your solution before enabling on your live Site Reference.
Click here for details that you can submit to simulate different RISKDEC responses on our test system.