Capture Fraud Risk Data in the Webstore
When you integrate a webstore with Radial Order Management, you must include specific fraud risk data in the OrderCreateRequest message for every order.
Important: The fraud risk data elements are essential for successful completion of the order. If you submit an order without fraud risk data, the order will be placed on fraud hold and will not proceed to fulfillment. Even if fraud is not a particular concern at your store, you still must implement fraud risk integration so that your store’s orders can complete successfully.
Fraud Risk Integration
To implement fraud risk integration for your web store, you must complete each of the following processes:
- During the early stages of integrating a store with ROM, install the JavaScript Collector, a set of .js files, on your web server. See “Install the JavaScript Collector,” below.
- Invoke the JavaScript Collector function from the final Submit or Confirm button that a customer clicks to create the order.
- For each order, capture the JavaScript Collector data. Include the data in the OrderCreateRequest message submitted to the Order service. See “Return Captured Data,” below.
Fraud Risk Assessment in the Order Life Cycle
Several data elements for fraud risk assessment are gathered in the customer’s web browser at the time the order is submitted. The data includes a server timestamp, several browser header data elements, and a long string generated by a fraud detection component called the JavaScript Collector. The fraud risk data is included in the OrderCreateRequest message submitted to the Order Service.
During the processing of each order, Radial Order Management submits the order’s fraud risk data to an automated fraud validation process. The order is placed on hold until a fraud validation process returns a response message. The fraud response determines the next steps in handling the order.
- If the fraud response is SUSPEND, REJECT_PENDING or IGNORE, the order is placed on fraud hold and a fraud suspend alert is raised. An internal fraud check and risk validation is done on the order before the order proceeds through its processing. If the order fails these checks, the order is canceled and the hold is resolved.
- If the status is REJECT or CANCEL, then the order is canceled and the hold is resolved.
- If the status is APPROVE or any other success status, then the hold is resolved and the order proceeds through its processing.
About the JavaScript Collector
The JavaScript Collector is a set of 15 JavaScript files that collect data in the customer’s web browser during order submission. All of the JavaScript files are functionally equivalent, and you need to call only one of them for each order. A recommended implementation is to randomly select a JavaScript file for each order.
All 15 JavaScript files collect 90% of the same data and 10% different data from the client browser. Each of the JavaScript files uses a different sequence for data collection and organization.
The resulting information is evaluated by the fraud validation service in Radial. The order’s fraud risk is estimated based on certain parameters being present in the data and the sequence of the data.
For improved security of the risk validation process, Radial recommends using random selection among the 15 JavaScript files. A random element makes it harder for hackers to determine the pattern of data and to manipulate the system.
Install the JavaScript Collector
To install and implement the JavaScript Collector in your web store, complete the following steps:
- Obtain the most recent JavaScript Collector archive file (eE–v5.6_JSC.zip) from Radial. (The file name might change if a new version of the collector is released.)
- Unpack the archive file. It contains multiple .zip files, each of which contains a single JavaScript file.
- Install all of the JavaScript files on the web server for your web store.
- Include or link the source in the header of the pages that include a final Submit button for an order.
- Add a hidden field to the final form to capture the JavaScript Collector data.
- Invoke the JavaScript Collector function from the final Submit or Confirm button that a customer clicks to create the order.
All of the JavaScript files are functionally equivalent to each other, and you need to call only one of them for each order. A recommended implementation is to randomly select a JavaScript file for each order.
If your store includes multiple pages or paths for order submission, be sure to invoke the JavaScript Collector from each final order submission button. It is important that the function call occurs on submit, not on load, and is the last functionality executed within the page.
- On the server side, capture the string generated by the JavaScript Collector, along with other key data from the time of order creation, and include that data in the OrderCreateRequest message submitted to the Order Service.
Important: Make sure that the capture process saves the string in its original RAW format, preserving any special characters and non-URL-encoded data.
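The client-side half of the procedure above, as an added example rather than code from the Radial archive: pick one of the 15 collector files at random for this order, load it in the page head, and copy its raw output into the hidden form field from the submit action. The script paths (`/js/collector/jsc_NN.js`), the collector's global function name (`window.collectDeviceData`), the form id (`order-form`) and the hidden field name (`deviceId`) are all assumptions; substitute the names you find in the unpacked archive and in your own checkout page.

```javascript
// Added example (not Radial's code). Assumptions, labelled here:
//   - the 15 collector files are served as /js/collector/jsc_01.js .. jsc_15.js (hypothetical)
//   - each file defines window.collectDeviceData() returning the DeviceID string (hypothetical name)
//   - the final checkout form has id="order-form" and a hidden <input name="deviceId"> (hypothetical)

const COLLECTOR_COUNT = 15;

// Pick one of the 15 files per order. Math.random is enough: the aim is an
// unpredictable mix across orders, not a cryptographic secret. `random` is
// injectable so the choice can be exercised outside a browser.
function pickCollectorIndex(random = Math.random) {
  return Math.floor(random() * COLLECTOR_COUNT) + 1; // 1..15
}

function collectorUrl(index) {
  return `/js/collector/jsc_${String(index).padStart(2, '0')}.js`; // hypothetical path
}

// Append the chosen <script> to <head>. `doc` is passed in rather than read
// from the global so the function can run under Node as well.
function loadCollector(doc, index) {
  const script = doc.createElement('script');
  script.src = collectorUrl(index);
  doc.head.appendChild(script);
  return script.src;
}

// Run the collector on submit, not on load, and copy its output into the hidden
// field untouched: no encodeURIComponent, no trim. The server must see the RAW
// string. Register this after any validation handlers so it is the last thing
// that runs before the form leaves the page.
function attachCollectorToForm(form, collectFn, hiddenField) {
  form.addEventListener('submit', function () {
    hiddenField.value = collectFn();
  });
}

// Page glue, guarded so the file also loads where there is no DOM.
if (typeof document !== 'undefined') {
  loadCollector(document, pickCollectorIndex());
  // Repeat for every form that can create an order if the store has several paths.
  const form = document.getElementById('order-form');
  attachCollectorToForm(form, () => window.collectDeviceData(), form.elements.deviceId);
}
```

Because the `<script>` is appended at page load and the collector is only invoked from the submit handler, the collector file has finished loading long before the customer clicks the final button; if your page defers script loading, confirm the function exists before relying on it.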
Return Captured Data
The fraud risk data must be captured and included in the OrderCreate request XML. Include the fraud risk elements within the <JavaScriptData> element inside <Context>.
The key piece of data is the JavaScript Collector string value, which is included as the <DeviceID> element.
Several browser attributes are also important for fraud detection. These should be captured from the HTTP header.
The customer’s ShipToEmailAddress, which is part of order information for items that are electronically fulfilled, is also used for fraud detection when available.
Fraud Data Elements Included in OrderCreateRequest
- DeviceID — This string variable (usually 2000-4000 Bytes in length) is generated by the JavaScript Collector. Make sure that the capture process saves the string in its original raw format, preserving any special characters and non-URL encoded data.
- BrowserID — userAgent String.
- BrowserSessionId — Session ID
- BrowserConnection — Value of the Connection request header (the connection type the user agent prefers).
- BrowserAccept — Content-Types that are acceptable for the response.
- BrowserAcceptEncoding — List of all acceptable encodings.
- BrowserAcceptCharset — Character sets that are acceptable.
- BrowserIdLanguageCode — List of acceptable human languages for response.
- RawCookie — JSessionID cookie value.
- BrowserCookie — Browser cookie value.
- BrowserReferer — The address of the previous web page from which a link to the currently requested page was followed. (The word “referrer” is misspelled in the RFC as well as in most implementations.)
- CustomerIPAddress — IP address of the customer. If your web tier sits behind a proxy or load balancer, the socket peer address is the proxy, not the customer; take the address your own proxy appends to its forwarded header, and do not trust client-supplied forwarded headers, which can be spoofed.
- TimeSpentOnSite — Time spent by the customer on the site before making the purchase.
- ServerDateTime — UTC timestamp in ISO 8601 format (for example 2013-12-24T01:23:40.052Z, as in the sample data below), taken at the time the customer clicks the final submission button. This timestamp is collected at the end of the checkout flow, at the final Submit action and before the Thanks page. This time value is critical for the TDL algorithm that is used for fraud evaluation. It also helps detect tampering of data en route to Radial servers.
Sample Data
<DeviceID>TF1;015;;;;;;;;;;;;;;;;;;;;;;Mozilla;Netscape;5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome/28.0.1500.72%20Safari/537.36;20030107;undefined;true;;true;Win32;undefined;Mozilla/5.0%20%28Windows%20NT%206.1%3B%20WOW64%29%20AppleWebKit/537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome/28.0.1500.72%20Safari/537.36;en-US;ISO-8859-1;ace.tst04.gspt.net;undefined;undefined;undefined;undefined;true;true;1374071565938;-5;6/7/2005%209%3A33%3A44%20PM;1440;900;;11.8;;;;2010;13;300;240;7/17/2013%2010%3A32%3A45%20AM;32;1440;860;0;0;Adobe%20Acrobat%7CAdobe%20PDF%20Plug-In%20For%20Firefox%20and%20Netscape%2010.1.7;;;;;Shockwave%20Flash%7CShockwave%20Flash%2011.8%20r800;;;;;;;;;;;;;15;</DeviceID>
<BrowserID>Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36</BrowserID>
<BrowserSessionId>ymhYRyXCQWSTpXc12hpBYfQndgPlJDscV5yvLTv7QG4zGkfFX9pQ!-1375352248!1374197570207</BrowserSessionId>
<BrowserConnection>Keep-Alive</BrowserConnection>
<BrowserAccept>text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</BrowserAccept>
<BrowserAcceptEncoding>gzip,deflate,sdch</BrowserAcceptEncoding>
<BrowserAcceptCharset>utf-8, iso-8859-1, utf-16, *;q=0.8</BrowserAcceptCharset>
<BrowserIdLanguageCode>en-US,en;q=0.8</BrowserIdLanguageCode>
<RawCookie>JSESSIONID=PhdKPGtRPL4RflTDRKvG3M7vTdg33P44NxSTb8tMbl77rrHc8zxn!1067109436; browser_id=156320795304</RawCookie>
<BrowserCookie>5833657a09d0cfc16c6b87e38c41d8514140c80b</BrowserCookie>
<BrowserReferer>https://www.the-model-store-us.com/checkout.jsp?_flowExecutionKey=_c4F2B474C-E772-9336-DE5B-E699A2890456_kB08FEFF0-9BE4-0876-69DE-685DCDB6809A</BrowserReferer>
<CustomerIPAddress>208.93.199.12</CustomerIPAddress>
<TimeSpentOnSite>121352</TimeSpentOnSite>
<ServerDateTime>2013-12-24T01:23:40.052Z</ServerDateTime>
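The server-side half, as an added example and not Radial's or any store's production code: assemble the `<JavaScriptData>` block from the final checkout POST, producing the structure shown in the sample data above. It assumes a Node-style request object (`req.headers`, `req.socket.remoteAddress`), that the raw collector string arrives in a form field named `deviceId`, a session object carrying the container session id, a store-set browser cookie value and the time the visitor first arrived, and a hypothetical list of your own proxy addresses; the sample request at the bottom is constructed for illustration. Two points the element list does not spell out: the DeviceID must still be XML-escaped (`&` and `<` would otherwise break the document), which the receiving XML parser reverses so Radial still gets the raw string, and X-Forwarded-For is only honoured when the TCP peer is one of your own proxies.

```javascript
// Added example (not Radial's code). Assumptions are labelled inline.

const TRUSTED_PROXIES = new Set(['10.0.0.5']); // hypothetical: your load balancer addresses

// Escape only what XML requires. Do NOT URL-encode or URL-decode anything:
// the collector output must reach Radial exactly as produced, and XML escaping
// is undone by the parser on the other side.
function xmlEscape(value) {
  return String(value == null ? '' : value)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Use X-Forwarded-For only when the peer is our own proxy, and then take the
// LAST hop it appended; earlier entries are supplied by the client and can be forged.
// (Assumes a single trusted proxy hop in front of the web tier.)
function customerIp(req) {
  const peer = req.socket.remoteAddress;
  const xff = req.headers['x-forwarded-for'];
  if (!TRUSTED_PROXIES.has(peer) || !xff) return peer;
  const hops = xff.split(',').map((s) => s.trim()).filter(Boolean);
  return hops[hops.length - 1] || peer;
}

// Build <Context><JavaScriptData>...</JavaScriptData></Context> for the OrderCreateRequest.
// `session` shape is hypothetical: { id, browserCookie, firstSeenAt (epoch ms) }.
function buildJavaScriptData(req, session, body, now = Date.now()) {
  if (!body.deviceId) {
    // An order without DeviceID will sit on fraud hold; surface that before submitting.
    throw new Error('JavaScript Collector string missing from order form');
  }
  const h = req.headers;
  const fields = [
    ['DeviceID', body.deviceId],                      // raw collector string, escaped for XML only
    ['BrowserID', h['user-agent']],
    ['BrowserSessionId', session.id],
    ['BrowserConnection', h['connection']],
    ['BrowserAccept', h['accept']],
    ['BrowserAcceptEncoding', h['accept-encoding']],
    ['BrowserAcceptCharset', h['accept-charset']],
    ['BrowserIdLanguageCode', h['accept-language']],
    ['RawCookie', h['cookie']],
    ['BrowserCookie', session.browserCookie],         // store-set persistent identifier cookie (assumed)
    ['BrowserReferer', h['referer']],
    ['CustomerIPAddress', customerIp(req)],
    ['TimeSpentOnSite', now - session.firstSeenAt],   // assumed: milliseconds, as the sample suggests
    ['ServerDateTime', new Date(now).toISOString()],  // ISO 8601 UTC, e.g. 2013-12-24T01:23:40.052Z
  ];
  const inner = fields.map(([tag, v]) => `<${tag}>${xmlEscape(v)}</${tag}>`).join('\n');
  return `<Context>\n<JavaScriptData>\n${inner}\n</JavaScriptData>\n</Context>`;
}

// Constructed sample request, session and form body (not real traffic).
const SAMPLE_REQ = {
  socket: { remoteAddress: '10.0.0.5' },
  headers: {
    'user-agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36',
    'connection': 'Keep-Alive',
    'accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'accept-encoding': 'gzip,deflate,sdch',
    'accept-charset': 'utf-8, iso-8859-1, utf-16, *;q=0.8',
    'accept-language': 'en-US,en;q=0.8',
    'cookie': 'JSESSIONID=abc123!1067109436; browser_id=156320795304',
    'referer': 'https://www.the-model-store-us.com/checkout.jsp?_flowExecutionKey=x',
    'x-forwarded-for': '1.2.3.4, 208.93.199.12', // first hop is client-controlled
  },
};
const SAMPLE_SESSION = { id: 'abc123!1067109436', browserCookie: '5833657a09d0', firstSeenAt: 1387848098700 };
const SAMPLE_BODY = { deviceId: 'TF1;015;;;Mozilla;5.0%20%28Windows%29;a&b<c' };
const SAMPLE_NOW = 1387848220052; // 2013-12-24T01:23:40.052Z

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildJavaScriptData(SAMPLE_REQ, SAMPLE_SESSION, SAMPLE_BODY, SAMPLE_NOW));
}
```

If your store would rather submit the order and accept the fraud hold than fail the checkout when the collector produced nothing (for example because the customer blocked scripts), replace the throw with a log and alert so the missing data is visible to operations.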