Protect Plus
Protect Plus is a sophisticated counter-fraud service that provides your site with an extra layer of security against fraudulent transactions. It makes use of the industry’s largest negative database to perform a comprehensive suite of fraud assessments, including identity checks against the UK electoral roll and BT databases.
Process overview

Before you can get started, you will need to contact our Sales Team and enable Protect Plus on your account.
What checks are performed?
We analyse the customer’s billing, delivery and payment details using a rule-based system to detect suspicious patterns in user activity. Our system will assist you in deciding whether to process a customer’s transaction based on the perceived level of risk. Checks performed include:
- The industry’s largest negative database.
- Neural-based fraud assessments.
- Tumbling or Swapping, where there is an unusual usage pattern in the card number, expiration date or customer details associated with a transaction.

What happens after the checks are performed?
The Protect Plus system will analyse transaction details and issue one of the following fraudcontrolshieldstatuscode values:
| fraudcontrolshieldstatuscode | Description |
| --- | --- |
| “ACCEPT” | The details are not deemed suspicious. |
| “CHALLENGE” | Further investigation is recommended. |
| “DENY” | The details are suspicious and a transaction should not be performed. |
| “NOSCORE” | Transaction was declined by the acquirer before checks were performed. |
Order of requests
Protect Plus checks are performed when you update your payment form to submit a RISKDEC request as part of the transaction. There are two methods to do this:
- RISKDEC then AUTH – Perform the checks first, then seek authorisation for the payment. By default, we suspend suspicious payments, allowing you to investigate them before proceeding.
- AUTH then RISKDEC – Seek authorisation for the payment first, then perform the checks. Checks performed are more accurate because they take the results of AVS, Security Code Checks and 3-D Secure into account.
RISKDEC then AUTH request
Process overview
- When the customer clicks “Pay” on your checkout, the JavaScript library submits a request to Trust Payments.
- Trust Payments checks the payment details and generates a shield status code.
- Trust Payments contacts the acquiring bank to process the payment.
- Trust Payments returns the response JWT to your system. You will need to interpret the response.

Update your payment form
You will need to update your payment form to instruct our JavaScript library to process a RISKDEC prior to performing a standard transaction. This is done by specifying custom requestTypes, as shown in the example below:
```html
<html>
  <head>
  </head>
  <body>
    <div id="st-notification-frame"></div>
    <form id="st-form" action="https://www.example.com" method="POST">
      <div id="st-card-number" class="st-card-number"></div>
      <div id="st-expiration-date" class="st-expiration-date"></div>
      <div id="st-security-code" class="st-security-code"></div>
      <button type="submit" id="st-form__submit" class="st-form__submit">
        Pay securely
      </button>
    </form>
    <script src="<DOMAIN>/js/v2/st.js"></script>
    <script>
      (function() {
        var st = SecureTrading({
          jwt: 'INSERT YOUR JWT HERE'
        });
        // RISKDEC is listed first, so the checks run before the AUTH.
        st.Components({"requestTypes":["RISKDEC","THREEDQUERY","AUTH"]});
      })();
    </script>
  </body>
</html>
```
Replace <DOMAIN> with a supported domain. Click here for a full list.
Response example
As with a standard payment, you will need to decode the JWT returned and check the response, in particular, the fraudcontrolshieldstatuscode and settlestatus fields.
The response is divided into two parts:
- The first response section provides information on the RISKDEC request processed:
  - Check the fraudcontrolshieldstatuscode – We recommend investigating instances where “CHALLENGE” and “DENY” are returned.
- The second response section provides information on the AUTH request processed:
  - Check the errorcode – if the errorcode is not “0”, an error has occurred that needs investigation.
  - Check the settlestatus – if the settlestatus is “2” or “3”, the payment won’t be settled.
For the RISKDEC response field specification, scroll down to the “Interpreting the response” section.
Example:
```json
{
  "requestreference": "A0dcb11e6",
  "version": "1.00",
  "response": [
    {
      "acquirerrecommendedaction": "C",
      "fraudcontrolresponsecode": "0100",
      "paymenttypedescription": "VISA",
      "orderreference": "My_Order_123",
      "transactionstartedtimestamp": "2016-12-07 16:19:28",
      "errormessage": "Ok",
      "operatorname": "[email protected]",
      "fraudcontrolreference": "TEST",
      "accounttypedescription": "FRAUDCONTROL",
      "errorcode": "0",
      "transactionreference": "1-2-345678",
      "maskedpan": "411111######1111",
      "requesttypedescription": "RISKDEC",
      "fraudcontrolshieldstatuscode": "ACCEPT",
      "livestatus": "0"
    },
    {
      "transactionstartedtimestamp": "2016-12-07 16:19:28",
      "parenttransactionreference": "1-2-345678",
      "livestatus": "0",
      "issuer": "SecureTrading Test Issuer1",
      "splitfinalnumber": "1",
      "dccenabled": "0",
      "settleduedate": "2016-12-07",
      "errorcode": "0",
      "orderreference": "My_Order_123",
      "tid": "27882788",
      "merchantnumber": "00000000",
      "merchantcountryiso2a": "GB",
      "transactionreference": "1-2-345679",
      "merchantname": "Test Merchant",
      "paymenttypedescription": "VISA",
      "baseamount": "1011",
      "accounttypedescription": "ECOM",
      "acquirerresponsecode": "00",
      "requesttypedescription": "AUTH",
      "securityresponsesecuritycode": "2",
      "currencyiso3a": "GBP",
      "authcode": "TEST19",
      "errormessage": "Ok",
      "operatorname": "[email protected]",
      "securityresponsepostcode": "0",
      "maskedpan": "411111######1111",
      "securityresponseaddress": "0",
      "issuercountryiso2a": "US",
      "settlestatus": "0"
    }
  ]
}
```
AUTH then RISKDEC request
Performing the RISKDEC after the AUTH allows Trust Payments to take the results of AVS, Security Code Checks and 3-D Secure into account when analysing the submitted details for fraud.
Process overview
- When the customer clicks “Pay” on your checkout, the JavaScript library submits a request to Trust Payments.
- Trust Payments contacts the acquiring bank to process the payment.
- Trust Payments checks the payment details and generates a shield status code.
- Trust Payments returns the response JWT to your system. You will need to interpret the response.

Update your payment form
You will need to update your payment form to instruct our JavaScript library to process a RISKDEC after performing a standard transaction. This is done by specifying custom requestTypes, as shown in the example below:
```html
<html>
  <head>
  </head>
  <body>
    <div id="st-notification-frame"></div>
    <form id="st-form" action="https://www.example.com" method="POST">
      <div id="st-card-number" class="st-card-number"></div>
      <div id="st-expiration-date" class="st-expiration-date"></div>
      <div id="st-security-code" class="st-security-code"></div>
      <button type="submit" id="st-form__submit" class="st-form__submit">
        Pay securely
      </button>
    </form>
    <script src="<DOMAIN>/js/v2/st.js"></script>
    <script>
      (function() {
        var st = SecureTrading({
          jwt: 'INSERT YOUR JWT HERE'
        });
        // RISKDEC is listed last, so the checks run after the AUTH.
        st.Components({"requestTypes":["THREEDQUERY","AUTH","RISKDEC"]});
      })();
    </script>
  </body>
</html>
```
Replace <DOMAIN> with a supported domain. Click here for a full list.
Response example
As with a standard payment, you will need to decode the JWT returned and check the response, in particular, the fraudcontrolshieldstatuscode and settlestatus fields.
The response is divided into two parts:
- The first response section provides information on the AUTH request processed:
  - Check the errorcode – if the errorcode is not “0”, an error has occurred that needs investigation.
  - Check the settlestatus – if the settlestatus is “2” or “3”, the payment won’t be settled.
- The second response section provides information on the RISKDEC request processed:
  - Check the fraudcontrolshieldstatuscode – We recommend investigating instances where “CHALLENGE” and “DENY” are returned.
For the RISKDEC response field specification, scroll down to the “Interpreting the response” section.
Example:
```json
{
  "requestreference": "Ad4ft45gp",
  "version": "1.00",
  "response": [
    {
      "transactionstartedtimestamp": "2016-12-07 16:25:19",
      "livestatus": "0",
      "issuer": "SecureTrading Test Issuer1",
      "splitfinalnumber": "1",
      "dccenabled": "0",
      "settleduedate": "2016-12-07",
      "errorcode": "0",
      "orderreference": "My_Order_123",
      "tid": "27882788",
      "merchantnumber": "00000000",
      "merchantcountryiso2a": "GB",
      "transactionreference": "1-2-345678",
      "merchantname": "Test Merchant",
      "paymenttypedescription": "VISA",
      "baseamount": "1011",
      "accounttypedescription": "ECOM",
      "acquirerresponsecode": "00",
      "requesttypedescription": "AUTH",
      "securityresponsesecuritycode": "2",
      "currencyiso3a": "GBP",
      "authcode": "TEST57",
      "errormessage": "Ok",
      "operatorname": "[email protected]",
      "securityresponsepostcode": "0",
      "maskedpan": "411111######1111",
      "securityresponseaddress": "0",
      "issuercountryiso2a": "US",
      "settlestatus": "0"
    },
    {
      "acquirerrecommendedaction": "C",
      "fraudcontrolresponsecode": "0100",
      "paymenttypedescription": "VISA",
      "orderreference": "My_Order_123",
      "transactionstartedtimestamp": "2016-12-07 16:25:19",
      "errormessage": "Ok",
      "operatorname": "[email protected]",
      "parenttransactionreference": "1-2-345678",
      "fraudcontrolreference": "TEST",
      "accounttypedescription": "FRAUDCONTROL",
      "errorcode": "0",
      "transactionreference": "1-2-345679",
      "maskedpan": "411111######1111",
      "requesttypedescription": "RISKDEC",
      "fraudcontrolshieldstatuscode": "ACCEPT",
      "livestatus": "0"
    }
  ]
}
```
Interpreting the response
The AUTH part of the response follows the same structure as a standard AUTH response. The RISKDEC part of the response contains new fields that are described below:
| Field name | Type | Length | Description |
| --- | --- | --- | --- |
| fraudcontrolshieldstatuscode | Alpha | 10 | One of the following values: “ACCEPT”, “CHALLENGE”, “DENY” or “NOSCORE”. |
| fraudcontrolreference | Alphanumeric | 255 | Unique reference to identify the Risk Decision check performed. |
| fraudcontrolresponsecode | Numeric | 4 | A numeric code that is mapped to further information on the results of the Risk Decision checks performed. |
| acquirerrecommendedaction | Char | 1 | Either: Note that this is ONLY a recommendation. Protect Plus does not guarantee against fraud. |
| rulecategoryflag | Alphanumeric | 255 | Reference used to identify a condition that was met to return the DENY or CHALLENGE fraudcontrolshieldstatuscode. |
| rulecategorymessage | Alphanumeric | Not defined | Condition that was met to return the DENY or CHALLENGE fraudcontrolshieldstatuscode. |
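One way to apply the checks from both “Response example” sections and the field table above on your server, as an added example rather than Trust Payments' own code. It assumes the JWT has already been verified and decoded into the object shape shown in the examples; the function name `assessProtectPlus` and the proceed/review/reject labels are hypothetical.

```javascript
// Added example. Field names and values come from this page; the function
// name and the proceed/review/reject labels are assumptions of the example.
const RANK = { proceed: 0, review: 1, reject: 2 };

function assessProtectPlus(decoded) {
  const parts = (Array.isArray(decoded && decoded.response) ? decoded.response : [])
    .filter((p) => p && typeof p === 'object');
  // Select parts by requesttypedescription: their order differs between flows.
  const find = (type) => parts.find((p) => p.requesttypedescription === type);
  const risk = find('RISKDEC');
  const auth = find('AUTH');
  const reasons = [];
  let action = 'proceed';
  const raise = (level, reason) => {
    if (RANK[level] > RANK[action]) action = level;
    reasons.push(reason);
  };
  for (const p of parts) {
    if (String(p.errorcode) !== '0') raise('review', `${p.requesttypedescription}: errorcode ${p.errorcode}`);
  }
  if (!risk) {
    raise('review', 'no RISKDEC part in response'); // fail closed, never assume ACCEPT
  } else {
    const rule = risk.rulecategorymessage ? ` (${risk.rulecategorymessage})` : '';
    const status = risk.fraudcontrolshieldstatuscode;
    if (status === 'DENY') raise('reject', `shield status DENY${rule}`);
    else if (status === 'CHALLENGE') raise('review', `shield status CHALLENGE${rule}`);
    else if (status === 'NOSCORE') raise('review', 'shield status NOSCORE: declined before checks ran');
    else if (status !== 'ACCEPT') raise('review', `unrecognised shield status: ${status}`);
  }
  if (!auth) {
    raise('review', 'no AUTH part in response');
  } else if (['2', '3'].includes(String(auth.settlestatus))) {
    raise('review', `settlestatus ${auth.settlestatus}: payment will not be settled`);
  }
  return { action, reasons };
}

// Constructed samples, trimmed to the fields the function reads.
const riskThenAuth = { response: [
  { requesttypedescription: 'RISKDEC', errorcode: '0', fraudcontrolshieldstatuscode: 'ACCEPT' },
  { requesttypedescription: 'AUTH', errorcode: '0', settlestatus: '0' },
] };
const authThenRisk = { response: [
  { requesttypedescription: 'AUTH', errorcode: '0', settlestatus: '0' },
  { requesttypedescription: 'RISKDEC', errorcode: '0', fraudcontrolshieldstatuscode: 'DENY' },
] };
console.log(assessProtectPlus(riskThenAuth), assessProtectPlus(authThenRisk));
```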
Testing
We recommend that you thoroughly test your solution before enabling it on your live Site Reference.
Click here for details that you can submit to simulate different RISKDEC responses on our test system.