Title Page

CyberSource Decision Manager

Account Takeover Protection Service

July 2018

CyberSource Corporation HQ | P.O. Box 8999 | San Francisco, CA 94128-8999 | Phone: 800-530-9095
CyberSource Contact Information
For general information about our company, products, and services, go to
http://www.cybersource.com.

For sales questions about any CyberSource Service, email [email protected] or

call 650-432-7350 or 888-330-2300 (toll free in the United States).

For support information about any CyberSource Service, visit the Support Center at
http://www.cybersource.com/support.

Copyright
© 2016 CyberSource Corporation. All rights reserved. CyberSource Corporation (“CyberSource”) furnishes this
document and the software described in this document under the applicable agreement between the reader of
this document (“You”) and CyberSource (“Agreement”). You may use this document and/or software only in
accordance with the terms of the Agreement. Except as expressly set forth in the Agreement, the information
contained in this document is subject to change without notice and therefore should not be interpreted in any way
as a guarantee or warranty by CyberSource. CyberSource assumes no responsibility or liability for any errors
that may appear in this document. The copyrighted software that accompanies this document is licensed to You
for use only in strict accordance with the Agreement. You should read the Agreement carefully before using the
software. Except as permitted by the Agreement, You may not reproduce any part of this document, store this
document in a retrieval system, or transmit this document, in any form or by any means, electronic, mechanical,
recording, or otherwise, without the prior written consent of CyberSource.

Restricted Rights Legends

For Government or defense agencies. Use, duplication, or disclosure by the Government or defense agencies
is subject to restrictions as set forth the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and in similar clauses in the FAR and NASA FAR Supplement.
For civilian agencies. Use, reproduction, or disclosure is subject to restrictions set forth in subparagraphs (a)
through (d) of the Commercial Computer Software Restricted Rights clause at 52.227-19 and the limitations set
forth in CyberSource Corporation's standard commercial agreement for this software. Unpublished rights
reserved under the copyright laws of the United States.

Trademarks
Authorize.Net, eCheck.Net, and The Power of Payment are registered trademarks of CyberSource Corporation.
CyberSource, CyberSource Payment Manager, CyberSource Risk Manager, CyberSource Decision Manager,
and CyberSource Connect are trademarks and/or service marks of CyberSource Corporation.
All other brands and product names are trademarks or registered trademarks of their respective owners.

2
 CONTENTS
Contents

Recent Revisions to This Document 7

About This Guide 9

Audience and Purpose 9
Scope 9
Conventions 10
Note, Important, and Warning Statements 10
Text and Command Conventions 10
Related Documents 11
Customer Support 11

Chapter 1 Implementing the Decision Manager Account Takeover Protection

Service 12
Introduction 12
Device Fingerprinting 13
Enhanced Profiling 13
Enhanced Profiling via Hosted SSL 13
Web Site Implementations 17
Adding the Fingerprinting Code to Your Web Site 17
Supported Tag Deployments 18
Mobile Implementations 20
Implementing the Device Fingerprinting SDK in Android Applications 20
Android Code Example 23
Android Return and Error Codes 23
Implementing the Device Fingerprinting SDK in iOS Applications 25
iOS Code Examples 27
iOS Return and Error Codes 27

Decision Manager Account Takeover Protection Service | July 2018 3

 Contents

Chapter 2 Configuring Rules and Profiles 29

Creating and Editing a Profile 29
Defining a Profile 29
Setting Business Rules 29
Rule Options 30
Rule Priority 30
Custom Rules 30
Editing an Event Profile 31
Copying a Profile 31
Deleting a Profile 31
Selecting Profiles 31
Creating Profile Selectors 31
Rule Sequence 32
Creating Custom Rules 33
Components 33
Event Elements 33
Comparison Operators 34
Comparison Values 35
Creating a Rule 35
Creating Custom Lists 37
Custom Lists 38
Merchant Region 40
Creating Custom Fields 40
Copying, Editing, Deleting Rules 42
Managing Rules and Categories 43
Categories 43
Core Rules 44
Overview of Available Tools 45
Adding Data to the Database 45
Manual Input in the Business Center 45
CyberSource API 45
Using Data from the Database 46
Deleting Data 46
Adding Event Data to Customer Lists 47
Positive Records 47
Negative and Review Records 49
Searching and Reviewing Customer Lists 51
Search Criteria 51
Date Range 51
Field Options 52

Decision Manager Account Takeover Protection Service | July 2018 4

 Contents

Results 53
Negative List 53
Review List 54
Positive List 54
Deleting Records 54
Downloading Customer Lists 55
Downloading in CSV Format 55
Example of Report in CSV Format 58
Downloading in XML Format 59
Example of Report in XML Format 60
Uploading Data 61
Editing and Preparing to Upload Customer Lists 61
Uploading Files in CSV Format 62
Uploading Files in XML Format 64
File Format 67
Uploading Customer Lists 69
Verifying the Results 70
Managing Velocity 71
Rules Summary 71
Event Velocity Rule Elements 72
Creating Velocity Rules 73
Velocity Definition 74
Time Interval 75
Threshold 75
Morphing 75
Deleting Velocity Rules 76
Using the Decision Manager Event Detail Report 77
Creating an Event Detail Report 77
Downloading an Event Detail Report 78
Editing an Event Detail Report 78
Decision Manager Event Detail Report XML Example 79
XSD for the Decision Manager Event Detail Report 82

Appendix A API Fields and Examples 84

Simple Order API Fields 84
Formatting Restrictions 84
Data Type Definitions 84
Simple Order API Request Fields 85
Simple Order API Request Examples 89
Name-Value Pair Request 89
XML Request 90
Simple Order API Reply Fields 91

Decision Manager Account Takeover Protection Service | July 2018 5

 Contents

Simple Order API Reply Examples 98

Name-Value Pair Reply 98
XML Reply 100
Reason Codes 104
SCMP API Fields 105
Formatting Restrictions 105
Data Type Definitions 105
SCMP API Request Fields 105
SCMP API Request Example 110
SCMP API Reply Fields 111
SCMP API Reply Example 118
Reply Flags 119

Appendix B Information Codes 120

Event Information Codes 120
Customer List Information Codes 128

Appendix C Code Examples for Mobile Implementation 130

Android Code Example 130
iOS Code Example 133

Appendix D Decision Manager Account Takeover Protection Service Cookie FAQ 137

Decision Manager Account Takeover Protection Service | July 2018 6

 REVISIONS
Recent Revisions to This
Document

Release Changes
July 2018 Updated the "Using the Decision Manager Event Detail Report" section for
the New Business Center.
April 2018  Updated the profiling tag examples and added the JavaScript code
example for clarification for web site device fingerprinting. See "Web Site
Implementations," page 17.
 Added the following dynamic provider reply fields:
 dm_event_provider_#_field_#_name

 dm_event_provider_#_field_#_value
 dm_event_provider_#_name
 dmeReply_providerFields_#_field_#_name
 dmeReply_providerFields_#_field_#_value
 dmeReply_providerFields_provider_#_name
See "API Fields and Examples," page 84.
March 2018  Added information about the CyberSource APIs to the CyberSource web
site. See the CyberSource API Versions page.
 Added new information about Enhanced Profiling. See "Enhanced
Profiling," page 13.
 Updated implementation steps to support new versions of device
fingerprinting SDKs for iOS (v5.0-32) and Android (v5.0-96) applications.
See "Web Site Implementations," page 17, and "Mobile
Implementations," page 20.
 Updated the error codes. See "iOS Return and Error Codes," page 27.
 Added new tracking elements for velocity: billing address, email domain,
shipping first name, shipping last name, shipping postal code, and true IP
address state. See "Managing Velocity," page 71.
 Added the Decision Manager Event Detail Report XSD and updated the
Decision Manager Event Detail Report XML example with dynamic
provider fields. See "Using the Decision Manager Event Detail Report,"
page 77.
October 2017 Added multiple morphing elements for velocity. See "Managing Velocity,"
page 71.

Decision Manager Account Takeover Protection Service | July 2018 7

 Recent Revisions to This Document

Release Changes
September 2017  Added information about the Decision Manager Account Takeover
Protection Service normalizing the customer IP address. See "Creating
Profile Selectors," page 31, "Creating Custom Rules," page 33, and
"Creating Custom Lists," page 37.
 Added a section about the new velocity feature. See "Managing Velocity,"
page 71.
May 2017 Added true IP state reply field. See "API Fields and Examples," page 84.

Decision Manager Account Takeover Protection Service | July 2018 8

 ABOUT GUIDE
About This Guide

Audience and Purpose

This guide describes how to implement and use the Decision Manager Account Takeover
Protection Service, which is used to perform risk screening of events on your web sites or
in your mobile applications.

The audience for this guide includes:

 Web developers and mobile application developers who modify the check-out page of
your company’s web site or who develop mobile applications that your customers use
to purchase merchandise from you on their phones or tablets. Mobile application
developers should have either Android or iOS platform application programming skills.

 Web administrators who manage the web server.

 Software developers who add API fields to transaction requests and replies and who
write software code that integrates CyberSource services with your company’s order
management system.

 E-commerce managers who are responsible for monitoring events related to account
access and passwords to ensure that customer accounts remain secure.

Scope
This guide narrowly focuses on implementing and using the Decision Manager Account
Takeover Protection Service. For information about implementing other CyberSource
services and about using Decision Manager in the Business Center, see "Related
Documents," page 11.

Decision Manager Account Takeover Protection Service | July 2018 9

 About This Guide

Conventions

Note, Important, and Warning Statements

A Note contains helpful suggestions or references to material not contained in

the document.
Note

An Important statement contains information essential to successfully

completing a task or learning a concept.
Important

A Warning contains information or instructions, which, if not heeded, can result

in a security risk, irreversible loss of data, or significant cost in time or revenue
Warning or both.

Text and Command Conventions

Convention Usage
bold  Field and service names in text; for example:
Include the ics_applications field.
 Items that you are instructed to act upon; for example:
Click Save.
italic  Filenames and pathnames. For example:
Add the filter definition and mapping to your web.xml file.
 Placeholder variables for which you supply particular values.
screen text  XML elements.
 Code examples and samples.
 Text that you enter in an API environment; for example:
Set the davService_run field to true.

Decision Manager Account Takeover Protection Service | July 2018 10

 About This Guide

Related Documents
You must be logged in to the Business Center to view these guides.

 Decision Manager Using the Simple Order API Developer Guide describes how to
integrate Decision Manager, a fraud detection service, with your order management
system using the Simple Order API. (PDF | HTML)

 Decision Manager Using the SCMP API Developer Guide describes how to integrate
Decision Manager, a fraud detection service, with your order management system
using the SCMP API. (PDF | HTML)

 Decision Manager Device Fingerprinting Guide describes how to implement and use
device fingerprinting on your web site or with your mobile applications. (PDF | HTML)

 The CyberSource API Versions page provides information about the CyberSource API
versions.

Refer to the Support Center for complete CyberSource technical documentation:

http://www.cybersource.com/support_center/support_documentation

Customer Support
For support information about any CyberSource service, visit the Support Center:
http://www.cybersource.com/support

Decision Manager Account Takeover Protection Service | July 2018 11

 CHAPTER
Implementing the Decision
Manager Account Takeover
1
Protection Service

Introduction
The Decision Manager Account Takeover Protection Service enables you to configure
rules to screen customer account access events, such as account login or account
creation, on your e-commerce web site or mobile application. Screening for these events
enables you to monitor activity to enhance the security of your customer accounts and
reduce the likelihood of identity spoofing.

Account Takeover Protection uses the Decision Manager Events technology to monitor
new account creation, log in, and account update behaviors. It helps merchants identify
valuable returning customers while defending against fraudulent account creation and
takeover attempts.

Table 1 Decision Manager Account Takeover Protection Service Default Events

Event Type Screens Each Time That…

Account Login A customer logs in to an account
Account Creation A new customer account is created
Account Update Customer account details are updated

You cannot use the Account Takeover Protection Service to screen payment
transactions. To screen payment transactions, use Decision Manager.
Note

To sign up for the Decision Manager Account Takeover Protection Service, contact your
account representative.

Decision Manager Account Takeover Protection Service | July 2018 12

 Chapter 1 Implementing the Decision Manager Account Takeover Protection Service

Device Fingerprinting
The Account Takeover Protection Service uses device fingerprinting which gathers
information about the devices that use your web site or your mobile application.

Fingerprints enable you to identify many characteristics of a device, for example:

 Connections between accounts and other customer data
 True locations of devices when they are hidden behind a proxy
 Suspicious configurations of devices, such as language settings inconsistent with the
country

Enhanced Profiling
Device fingerprint collection technology uses the connection between the customer’s
device and the merchant’s shopping cart. Because dozens of browsers are supported on
hundreds of device platforms, which often change regularly, there may be instances in
which aspects of the device fingerprint are not reliable or present during a transaction.
This could be due to a customer explicitly blocking device collection methods or certain
default browser behaviors—all which are out of a merchant’s control.

Certain network-based enhancements can improve aspects of device fingerprint

collection. One such enhancement is Enhanced Profiling, which implements SSL
certificates to make all browser communication and web objects appear to be from the
merchant’s domain. Enhanced Profiling increases the accuracy of device profiling,
mitigates third party cookie blocking, substantially reduces end-user’s ability to filter out
profiling code, and increases your confidence in blocking transactions from unprofiled
devices.

CyberSource can manage the SSL process, which has an associated cost. For more
information, contact your CyberSource account manager.

Enhanced Profiling via Hosted SSL

CyberSource recommends that all customers using Device Fingerprint use the Enhanced
Profiling feature. It increases the accuracy of device profiling and reduces the visitor’s
potential concern about third-party content on your website. With the enhanced profiling
service, all profiling requests from the visitor’s browser or native mobile application are
made to a domain that is secured by the customer's SSL digital certificates.

In order to profile a device, profiling tags are placed on your website, or the Device
Fingerprint SDK is embedded in your mobile application. The tags or SDK request objects
from and transmit data to the device fingerprinting profiling server. Because the
CyberSource-based profiling server is a different domain than the original domain from
which the initial page or mobile application typically requests resources, visitors who are
monitoring the network requests can see that the requests are being made to a third-party
server.

Decision Manager Account Takeover Protection Service | July 2018 13

 Chapter 1 Implementing the Decision Manager Account Takeover Protection Service

Enhanced Profiling prevents the blocking of third-party requests, either natively as a

feature of the browser, or through using third-party browser privacy tools.

Enhanced Profiling is required for device fingerprinting mobile implementations

and highly recommended for web site implementations.
Note

Steps for Setting Up Enhanced Profiling

Setting up Enhanced Profiling involves these steps:

1 Choose a host name.

2 Provide required and/or optional fields to your CyberSource services representative.

3 CyberSource generates a certificate signing request (CSR) and provides it to you.

4 Have the CSR signed by your preferred Certificate Authority (CA).

5 Return the signed certificate, root certificate for your CA, and the chain (or bundle) file to
CyberSource.

6 CyberSource supplies the dedicated host name that is assigned for your profiling server.

7 Deploy the SSL certificate to the production environment.

8 Configure your DNS.

9 Update your profiling tags to use the new host name.

The deployment timeframe for SSL certificates is 5 to 7 days upon receipt of the SSL
certificate, bundle certificates, and root certificate authority (CA). All of these file are
required to minimize the deployment time of the SSL certificates.

See the following sections "Selecting a Sub-Domain Name for Your Profiling Server,"
page 14, and "Obtaining the CSR for Your Profiling Server Host Name and a Signed
Certificate File," page 15, for further details on submitting SSL requests. Contact
CyberSource Customer Support if you have questions.

Selecting a Sub-Domain Name for Your Profiling Server

Choose a host name that does not indicate that the server is used as a security measure.
For example:

 content.yourdomain.com
 img2.yourdomain.com
 cdnA.yourdomain.com

Decision Manager Account Takeover Protection Service | July 2018 14

 Chapter 1 Implementing the Decision Manager Account Takeover Protection Service

When you have chosen a host name to use for profiling, provide it to your CyberSource
services representative along with the fields described below.

These fields are the minimum information needed to create a certificate signing
request (CSR). Your Certificate Authority (CA) may require additional
Note information. Check with them prior to providing this information to CyberSource
to ensure that the CSR is created according to the CA requirements.

The following fields are required:

 Country name (two-letter code): US

 Organization name (for example, company) [Internet Widgits Pty Ltd.]: Lemon Bank,
Inc.

 Common name or fully qualified domain name (for example, sub-domain that has
been chosen): content.lemonbank.com

The following fields are optional:

 State or province name (full name) [some-state]: California

 Locality name (for example, city): San Jose

 Organizational unit name (for example, section): Services

Obtaining the CSR for Your Profiling Server Host Name and a Signed
Certificate File
The following examples use content.yourdomain.com. If you decide on a different name,
simply substitute it in the instructions outlined.

CyberSource generates a certificate signing request (CSR), which is delivered to you to

be signed by your preferred Certificate Authority (CA). You return the signed certificate,
root certificate for your CA, and the chain (or bundle) file to CyberSource. The certificate
should be in PEM format and named in this format: content.yourdomain.com.crt. If the
certificate requires a chain file (Intermediate CA bundle file), provide that file using the
name content.yourdomain.com_bundle.crt. In some cases the CA may require more than
one chain; verify with the CA you chose.

In addition to supplying the CSR, CyberSource supplies the dedicated host name that is
assigned for your profiling server. This unique host name is required in order for you to
configure your DNS. Please note that the DNS redirection is not available until the SSL
certificate is deployed into the production environment. You can direct all traffic to
content.yourdomain.com by setting up a CNAME record in your DNS.

Decision Manager Account Takeover Protection Service | July 2018 15

 Chapter 1 Implementing the Decision Manager Account Takeover Protection Service

The entry should resemble the following example:

content.yourdomain.com. CNAME h-yourdomain.online-metrix.net.

The certificate is then installed on the Profiling Servers.

If your corporate security policy does not allow generation of the CSR, contact
CyberSource Customer Support to discuss alternative methods.
Note

In the event that a wildcard certificate is deployed, a Fully Qualified Domain Name
(FQDN) is required for monitoring proposes. This requires you to create an entry as
outlined in the example above and provide it to CyberSource.

Updating Profiling Code to Use the New Host Name

After you receive confirmation from CyberSource that your SSL certificate is deployed to
the profiling servers, you should change the host name used in the profiling tags and/or
SDK to content.yourdomain.com.

You should make this change only after you verify that the certificate is
deployed. Making this change before the certificate is deployed (even if the
Warning DNS changes are complete) might generate security warnings in your end-
users’ web browsers.

Decision Manager Account Takeover Protection Service | July 2018 16

 Chapter 1 Implementing the Decision Manager Account Takeover Protection Service

Web Site Implementations

You can deploy Decision Manager Account Takeover Protection Service device
fingerprinting by configuring your web site as described in the following section.

To ensure your customers’ privacy, CyberSource encodes fingerprints as soon

as they are received. Fingerprints persist for approximately 24 hours. This
Important interval begins when the customer opens the HTML page with the tags, and it
ends when the transaction request is sent to CyberSource. Add the fingerprint
to your request as soon as possible.

CyberSource recommends that you use domain names instead of using IP

addresses and relying on domain name resolution. Device fingerprinting stops
Warning working when the IP address of the domain name changes.

Adding the Fingerprinting Code to Your Web Site

Various parameters are specified in the profiling tag:

 <org ID> (mandatory): to obtain this value, contact your CyberSource

representative and specify whether it is for testing or production.

 <merchant ID> (mandatory): your unique CyberSource merchant ID.

 <session ID> (mandatory): a session ID must be a unique identifier for the

transaction, such as an order number. It can contain lowercase and uppercase
English letters, digits, hyphens (-), and underscores (_). The maximum length is 88
characters. The session ID must be unique for each transaction and for each
merchant ID. You can use any string that you are already generating, such as an order
number or web session ID. Do not use the same uppercase and lowercase letters to
indicate different session IDs.

The session ID must be unique for each page load regardless of an individual’s web
session ID. If a user navigates to a profiled page and is assigned a web session,
navigates away from the profiled page, then navigates back to the profiled page, the
generated session ID should be different and unique. You may use a web session ID,
but it is preferable to use an application GUID (Globally Unique Identifier). This
measure ensures that a unique ID is generated every time the page is loaded, even if
it is the same user reloading the page.

 Custom Profiling Domain (optional): domain that serves the JavaScript tag. The
default is h.online-metrix.net. As an alternative, you can implement Enhanced
Profiling so that all profiling requests are made to a domain that is secured by your
SSL digital certificates. See "Enhanced Profiling," page 13, for more information.

Decision Manager Account Takeover Protection Service | July 2018 17

 Chapter 1 Implementing the Decision Manager Account Takeover Protection Service

Be sure to copy all characters correctly and to omit the angle brackets (< >) when
substituting your values for the variables.

Supported Tag Deployments

Two methods are available to deploy the profiling tag as described in the "Tag Placement"
section.

To allow device profiling time to complete, ensure that 3 to 5 seconds elapse between the
execution of the profiling code and when your customers submit their orders.

Tag Placement
Place the basic <script> tag in the <head> tag for optimal performance for either
method.

For the basic <script> tag with <noscript> tag method, place the <noscript> tag in
the <body> tag, as in Example 1. Do not place the <noscript> tag in the <head> tag
because it contains an <iframe> tag. Placing iframes in the head tag violates W3C
validation and might cause problems.

JavaScript Code

<head>

<script type="text/javascript" src="https://h.online-metrix.net/fp/

tags.js?org_id=<org ID>&session_id=<merchant ID><session ID>"></
script>

</head>

<body>

<noscript>

<iframe style="width: 100px; height: 100px; border: 0; position:

absolute; top: -5000px;" src="https://h.online-metrix.net/fp/tags?org_
id=<org ID>&session_id=<merchant ID><session ID>"></iframe>

</noscript>

</body>

Decision Manager Account Takeover Protection Service | July 2018 18

 Chapter 1 Implementing the Decision Manager Account Takeover Protection Service

Basic <script> Tag with <noscript> Tag (Recommended)

The recommended deployment includes a basic <script> tag, which loads a Javascript
resource: tags.js, as well as an additional <noscript> tag. The purpose of the
<noscript> tag is to ensure that profiling occurs, even if JavaScript is disabled.

Example 1 Basic <script> Tag with <noscript> Tag

<head>

<script type="text/javascript" src="https://h.online-metrix.net/fp/

tags.js?org_id=sample_orgID&session_id=sample_merchantIDsample_
sessionID"></script>

</head>

<body>

<noscript>

<iframe style="width: 100px; height: 100px; border: 0; position:

absolute; top: -5000px;" src="https://h.online-metrix.net/fp/tags?org_
id=sample_orgID&session_id=sample_merchantIDsample_sessionID"></iframe>

</noscript>

</body>

Basic <script> Tag (without <noscript> Tag)

This deployment includes a single <script> tag that loads a JavaScript resource:
tags.js. If JavaScript is disabled, this tag does not load, and profiling does not occur.

Example 2 Basic <script> Tag (without <noscript> Tag)

<head>

<script type="text/javascript" src="https://h.online-metrix.net/fp/

tags.js?org_id=sample_orgID&session_id=sample_merchantIDsample_
sessionID"></script>

</head>

Decision Manager Account Takeover Protection Service | July 2018 19

 Chapter 1 Implementing the Decision Manager Account Takeover Protection Service

Mobile Implementations
You can deploy Decision Manager Account Takeover Protection Service device
fingerprinting in Android and iOS applications.

Implementing device fingerprinting in mobile applications requires either

Android or iOS platform application programming skills.
Important

Implementing the Device Fingerprinting SDK in

Android Applications
To implement the device fingerprinting mobile SDK for Android, you must use Android 4.0
or later.

Devices using MIPS application processors are not supported.

The SDK uses Android’s native API as the default API for data transmission. You can use
the OkHTTP library (3+) by passing true to the setUseOKHTTP() method.

You must explicitly set the time unit for all timeout settings within the SDK.

If your application supports Android API 15 or earlier, you must do one of the
following:
Important  Add this code to your application before making any calls to the SDK:
System.setProperty("java.io.tmpdir",
getApplicationContext().getDir("files", Context.MODE_
PRIVATE).getPath())
OR

 Add this permission to the manifest file of your application:

<uses-permission
android:name="android.permission.WRITE_EXTERNAL_
STORAGE" />

Decision Manager Account Takeover Protection Service | July 2018 20

 Chapter 1 Implementing the Decision Manager Account Takeover Protection Service

To implement device fingerprinting in Android applications:

Step 1 Download the CyberSourceTMDeviceFingerprintingMobileSDK_for_Android.zip file from

the Business Center Documentation page, and add it to your project.

Step 2 The zip file contains two different formats. Include only one of these formats in your
project. The selection of files includes:

a TrustDefender-<version>.aar contains both the Java files and the Android native
shared library.

The standard way of including an AAR dependency to Android is described at:

https://developer.android.com/studio/projects/android-library.html. Refer to the "Add
your library as a dependency" section.
When updating with the new AAR file, ensure that you "Clean Project" to delete the
cached version of the library.

b TrustDefender-<version>.zip contains the Java files as a Jar file (TrustDefender-

<version>.jar) and the native files as Shared Object Files (.so). This is intended for
integrating with Eclipse because Eclipse doesn't recognize AAR files.
To use the zip file, simply unzip it and put the content in the lib directory of your
project. Assuming the current path is the root of project, use the following command to
unzip the ThreatMetrix SDK to the libs directory of your project:
unzip TrustDefender-<VERSION>.zip -d libs

The directory structure should appear as follows:

libs/armeabi/libtrustdefender-jni.so
libs/armeabi-v7a/libtrustdefender-jni.so
libs/armeabi-v8a/libtrustdefender-jni.so
libs/TrustDefender-<version>.jar
libs/x86/libtrustdefender-jni.so
libs/x86_64/libtrustdefender-jni.so

c TrustDefender-<version>-javadoc.jar contains the Javadoc style documentation,

which may be added to the project to provide documentation within the Integrated
Development Environment (provided the IDE supports it). It is not required, however,
and is included only as a programming aid.

Step 3 Include the following permission in the mobile application manifest file:
<uses-permission android:name="android.permission.INTERNET">
</uses-permission>

Decision Manager Account Takeover Protection Service | July 2018 21

 Chapter 1 Implementing the Decision Manager Account Takeover Protection Service

Step 4 Specify your merchant ID and the session ID as a concatenated value for a variable that is
passed to the TrustDefenderMobile class in your Android application. In the following
example, my_variable=your merchant ID + the session ID as a concatenated value:
profile.setSessionID ("my_variable");

The TrustDefenderMobile class is contained in the

CyberSourceTMDeviceFingerprintingMobileSDK_for_Android.zip file. A session ID must
be a unique identifier for the transaction, such as an order number. It can contain
lowercase and uppercase English letters, digits, hyphens (-), and underscores (_). The
maximum length is 88 characters. The session ID must be unique for each transaction
and for each merchant ID. You can use any string that you are already generating, such as
an order number or web session ID. Do not use the same uppercase and lowercase
letters to indicate different session IDs.

The session ID must be unique for each page load, regardless of an individual’s web
session ID. If a user navigates to a profiled page and is assigned a web session, navigates
away from the profiled page, then navigates back to the profiled page, the generated
session ID should be different and unique. You may use a web session ID, but it is
preferable to use an application GUID (Globally Unique Identifier). This measure ensures
that a unique ID is generated every time the page is loaded, even if it is the same user
reloading the page.

Step 5 Add the doProfileRequest() function to your application, and specify the following
required calling options:

Option Description
Org ID Contact CyberSource Customer Support for this value and
specify whether it is for testing or production.
Fingerprint server URL Fully qualified domain name (FQDN) of the server. It must be
specified in an FQDN format, for example, host.domain.com,
NOT in URL format.

Decision Manager Account Takeover Protection Service | July 2018 22

 Chapter 1 Implementing the Decision Manager Account Takeover Protection Service

Android Code Example

See Appendix C, "Code Examples for Mobile Implementation," on page 130 for the
Android code example.

After you add the device fingerprinting mobile SDK to your application, you must specify
the session ID in the API request that you send to CyberSource by using the
deviceFingerprintID Simple Order API request field or the device_fingerprint_id SCMP
API request field.

Android Return and Error Codes

The following table lists the codes you may encounter when implementing the Device
Fingerprinting SDK in an Android application.

The return profiling code THM_OK must be present before you send the API
request. This code ensures the presence of a complete profile.
Important

Table 2 Android Return and Error Codes

Value Description
THM_NotYet The profiling request is not yet complete.
THM_OK Device profiling completed with no errors.
THM_Connection_Error A connection issue was encountered between the
device and the fingerprint online server. Ensure that
you are referencing the server correctly and that you
can access it from the device.
THM_HostNotFound_Error The host name of the fingerprint server could not be
resolved. Ensure that you are referencing the server
correctly and that you can access it from the device.
THM_NetworkTimeout_Error A timeout occurred while the device was
communicating with the fingerprint server. A timeout
can occur if the device’s internet connection is
disabled while it is communicating with the server.
THM_HostVerification_Error The fingerprint server host name in use does not
match the host name in the certificate, which may be
evident when you use the Advanced Profiling feature
or implement in a proxied scenario with the custom
URL option. Ensure that a valid certificate is in use
on the target host name specified in the custom URL
option.
THM_Internal_Error A miscellaneous error was detected. Check the
input/options used when calling the library.
THM_Interrupted_Error The profiling request was interrupted or canceled
mid-flight.

Decision Manager Account Takeover Protection Service | July 2018 23

 Chapter 1 Implementing the Decision Manager Account Takeover Protection Service

Table 2 Android Return and Error Codes (Continued)

Value Description
THM_InvalidOrgID This code is returned if an invalid or NULL value is
present in the org_id calling option.
THM_PartialProfile A connection error resulted in partial profiling.
THM_Blocked The profiling request cannot be processed because
profiling is blocked due to some conditions. The
most common scenario is that the phone screen is
off longer than the amount of time specified by the
screenOffTimeout value. You can customize this
value by calling the Config.setScreenOffTimeout()
method during init().
Config config = new Config()
.setContext(getApplicationContext())
.setScreenOffTimeout(180); profile.init(config);
THM_ConfigurationError Mobile SDK is not activated for the customer.
THM_Already_Initialised SDK is already initialized; use the current instance.
THM_EndNotifier_Not_Found EndNotifier is not passed to doProfileRequest,
and it is mandatory in the profile request.
THM_ThirdPartyLibrary_Not_Found OkHttp library is not available; include the library.
For information about how to include the library see
http://square.github.io/okhttp/
Note Both OkHttp 2 and OkHttp 3 are supported.

Decision Manager Account Takeover Protection Service | July 2018 24

 Chapter 1 Implementing the Decision Manager Account Takeover Protection Service

Implementing the Device Fingerprinting SDK in iOS

Applications

To develop iOS applications, you must be enrolled in the iOS Developer Program, which
enables you to upload your applications to the Apple App Store. To link to the
CyberSource device fingerprinting mobile SDK, you must use the iOS 8 or later and the
Apple Xcode 6.0 IDE.

To implement device fingerprinting in iOS applications:

Step 1 Download the CyberSourceTMDeviceFingerprintingMobileSDK_for_iOS.zip file from the

Business Center Documentation page, and add it to your project.

Step 2 Import the device fingerprinting SDK libraries and frameworks into your iOS application:
#import <TrustDefender/TrustDefender.h>

 If using Modular Import, add the following code as needed to your project:
@import TrustDefender; //Objective-C
Or
import TrustDefender //Swift

Step 3 Link your framework(s):

 If using Modular Import, link the following framework:
 zlib (libz.dylib)

 If not using Modular Import, link the following frameworks:

 Security
 UIKit
 Foundation
 CoreTelephony
 CoreLocation
 zlib (libz.dylib)

For Modular Import:

 Autolinking does not work because the SDK is a static framework.
Note Therefore, you must add the framework to your project manually.
 Ensure that the "Enable Modules (C and Objective-C)" option in the
project setting is set to "YES."
 Remember to add the -ObjC linker flag in Xcode; otherwise,
SystemConfiguration and CoreTelephony are not linked
automatically.

Decision Manager Account Takeover Protection Service | July 2018 25

 Chapter 1 Implementing the Decision Manager Account Takeover Protection Service

For information about linking to libraries and frameworks in iOS applications, see:
https://developer.apple.com/library/ios/recipes/xcode_help-project_editor/Articles/
AddingaLibrarytoaTarget.html

Step 4 Specify your merchant ID and the session ID as a concatenated value for a variable that is
passed to the TrustDefenderMobile class in your iOS application. In the following
example, my_variable = your merchant ID + the session ID as a concatenated value:
self.profile.sessionID = @"my_variable";

The TrustDefenderMobile class is contained in the

CyberSourceTMDeviceFingerprintingMobileSDK_for_iOS.zip file. A session ID must be a
unique identifier for the transaction, such as an order number. It can contain lowercase
and uppercase English letters, digits, hyphens (-), and underscores (_). The maximum
length is 88 characters. The session ID must be unique for each transaction and for each
merchant ID. You can use any string that you are already generating, such as an order
number or web session ID. Do not use the same uppercase and lowercase letters to
indicate different session IDs.

The session ID must be unique for each page load, regardless of an individual’s web
session ID. If the same user navigates to a profiled page and is assigned a web session,
navigates away from the profiled page, then navigates back to the profiled page, the
generated session ID should be different and unique. You may use a web session ID, but
it is preferable to use an application GUID (Globally Unique Identifier). This measure
ensures that a unique ID is generated every time the page is loaded, even if it is the same
user reloading the page.

Step 5 Add the doProfileRequest() function to your application, and specify the following
calling options:

Option Description
Org ID Contact CyberSource Customer Support for this value and
specify whether it is for testing or production.
Fingerprint server URL Fully qualified domain name (FQDN) of the server. It must be
specified in an FQDN format, for example, host.domain.com,
NOT in URL format.

To fix "selector not recognized" runtime exceptions when trying to

use category methods from a static library:

Step 1 See the following article for more information:

https://developer.apple.com/library/mac/qa/qa1490/_index.html

Decision Manager Account Takeover Protection Service | July 2018 26

 Chapter 1 Implementing the Decision Manager Account Takeover Protection Service

iOS Code Examples

See Appendix C, "Code Examples for Mobile Implementation," on page 130 for the iOS
code examples.

After you add the device fingerprinting mobile SDK to your application, you must specify
the session ID in the API request that you send to CyberSource by using the
deviceFingerprintID Simple Order API request field or the device_fingerprint_id SCMP
API request field.

iOS Return and Error Codes

The following table lists the codes you may encounter when implementing the Device
Fingerprinting SDK in an iOS application.

The return profiling code THMStatusCodeOk must be present before you send
the API request. This code ensures the presence of a complete profile.
Important

Table 3 iOS Return and Error Codes

Value Description
THMStatusCodeNotYet The profiling request is not yet complete.
THMStatusCodeOk Device profiling completed with no errors.
THMStatusCodeConnectionError A connection issue was encountered between the
device and the fingerprint online server. Ensure that
you are referencing the server correctly and that you
can access it from the device.
THMStatusCodeHostNotFoundError The host name of the fingerprint server could not be
resolved. Ensure that you are referencing the server
correctly and that you can access it from the device.
THMStatusCodeNetworkTimeoutError A timeout occurred while the device was
communicating with the fingerprint server. A timeout
can occur if the device’s internet connection is
disabled while it is communicating with the server.
THMStatusCodeHostVerificationError The fingerprint server host name in use does not
match the host name in the certificate, which may be
evident when you use the Advanced Profiling feature
or implement in a proxied scenario with the custom
URL option. Ensure that a valid certificate is in use
on the target host name specified in the custom URL
option.
THMStatusCodeInternalError A miscellaneous error was detected. Check the
input/options used when calling the library.
THMStatusCodeInterruptedError The profiling request was interrupted or canceled
mid-flight.

Decision Manager Account Takeover Protection Service | July 2018 27

 Chapter 1 Implementing the Decision Manager Account Takeover Protection Service

Table 3 iOS Return and Error Codes (Continued)

Value Description
THMStatusCodePartialProfile A connection error resulted in partial profiling.
THMStatusCodeInvalidOrgID This code is returned if an invalid or NULL value is
present in the org_id calling option.
THMStatusCodeNotConfigured This code is returned if the object is not configured
properly. You may receive this code if you pass the
wrong options to the configure method.
THMStatusCodeCertificateMismatch This code is returned when there is a mismatch
between the certificate pinned and the certificate
used in the host.

Notice to European Union Merchants

The European Union’s Privacy and Electronic Communications Directive (the “Directive”) restricts
the deposit and storage of cookies on the devices of customers of online merchants operating in
the European Union.
The device fingerprint feature of CyberSource Decision Manager and CyberSource Decision
Manager Account Takeover Protection Service is one of more than two hundred global fraud
detectors and tests. This feature enables the deposit and storage on the customer’s computer of a
cookie that profiles the specific attributes of the computer used in transactions. This cookie is used
to mitigate fraud.
While we cannot provide legal advice to our merchants, we can provide the following information.
The restrictions under the Directive require, among other things, that you
 Provide “clear and comprehensive information” to visitors of your web site about the storage of
cookies on their computer.
 Obtain the consent of visitors before depositing and storing cookies on their computer unless
certain exceptions apply.
Your compliance with applicable privacy laws depends on how you use the cookies, on what
information you disclose to customers, and on what consent you obtain from customers. Because
CyberSource has no direct connection to your customers, you are responsible for ensuring that
cookies are used properly to perform the requested CyberSource services. CyberSource believes
that the safest course of action is for you to clearly and conspicuously disclose the use of cookies
to your customers and to obtain their consent before placing cookies on their devices. If you
operate in Europe and use the device fingerprint, you should consult your legal counsel and other
advisors to find out how to comply with the requirements of the Directive and whether an exception
might be available for you. CyberSource cannot take any position on the storage of cookies on the
devices of customers for purposes other than to provide CyberSource services. When used
without the device fingerprint, Decision Manager does not store cookies. Decision Manager
Account Takeover Protection Service requires the device fingerprint and must store cookies to
operate.

Decision Manager Account Takeover Protection Service | July 2018 28

 CHAPTER
Configuring Rules and
Profiles
2

An event profile is a group of business rules that screen account access events for risk.
The rule calculation causes the event to be accepted, rejected, or challenged.

Creating and Editing a Profile

You can create a profile in one of two ways:
 Add Profile with Core Rules: each rule is set to accept, challenge, reject, or monitor.
 Add Empty Profile: none of the core rules is in use.

In both cases, custom rules that you have created are listed in the categories that you
select. After you make your changes, click Save if you are creating a profile or Apply if
you are modifying a profile.

Defining a Profile
Give your profiles a descriptive name. The name appears in the list of events with the
description. Both should reflect the purpose of each profile.

You can set a priority level for each profile according to your business rules or the types of
events that are screened by the profile. Priority levels range from 1 (high) to 5 (low). Your
selection takes effect as soon as you save the profile.

The default priority level is 3. Events are assigned the same priority as the profile when
either of the following applies:
 no priority is set for the triggered rules
 no rules are triggered even if a priority level is set for them.

Setting Business Rules

In each profile, you can add up to 100 custom rules.

Decision Manager Account Takeover Protection Service | July 2018 29

 Chapter 2 Configuring Rules and Profiles

Rule Options
For each rule, select the appropriate check box for profile impact on the event. You can
choose only one option for each rule:

 Monitor: the rule is used to evaluate the event, but the result has no impact on event
acceptance or challenge. Use this setting for rules that you want to test before putting
them into production.

 Accept: the event should be allowed. Use this rule for specific cases only, such as
when customers who are added temporarily to the positive list replace an event.

 Challenge: the event is risky or suspicious and should be challenged before it is

allowed to continue.

 Reject: the event should not be allowed due to high risk.

Rule Priority
You can set a priority level for each rule. Priority levels range from 1 (highest) to 5 (lowest).
Your selections take effect as soon as you update the profile. By default, no priority is set
for any rule. If you save a profile in which no priority is assigned to a rule, events are
assigned the profile’s priority. When you set a priority level to a rule, events are assigned
priority as follows:

 Events are assigned priority according to the triggered rule that has the highest priority
level.

 The priority level of any triggered rule supersedes that of the profile (1) whether the
rule's priority is higher or lower than that of the profile and (2) regardless of the impact
of the rule (accept, monitor, review, or reject) on the profile.

Custom Rules
You can add up to 100 custom rules in each profile, and for each merchant ID, you can
create up to 600 custom rules that can be used in any profile. You can set each custom
business rule to Monitor, Accept, Challenge, or Reject. Rules that are set to Monitor
evaluate events, but the evaluation is not considered in the final results.

The Account Takeover Protection Service and Decision Manager do not share
custom rules.
Note

Decision Manager Account Takeover Protection Service | July 2018 30

 Chapter 2 Configuring Rules and Profiles

Editing an Event Profile

You can edit an existing event profile by changing the settings and by adding or removing
custom rules. You can edit event profiles at any time.

Copying a Profile
cloning

To save time when creating additional profiles, you can copy and modify an existing
profile. Any user with permission to edit profiles can do it. To make a copy, save the event
profile with a different name and description.

Deleting a Profile
To delete a profile, click Delete at the top of the profile. Make sure the profile is not in use
before deleting it. Deleted profiles no longer appear in the list of profiles.

Selecting Profiles
After creating a profile, you choose how to use it by:
1 Creating a rule to select the profile.
2 Selecting a default profile.

Creating Profile Selectors

Profile selectors are rules that you use to select the profile that evaluates each event.
Each event is prescreened by each selector rule according to its placement in the list.

If you use the customer IP address in a profile selector rule, the address requires special
formatting. The Decision Manager Account Takeover Protection Service normalizes the
customer IP address in the API request as follows:

 For Internet Protocol version 4 (IPv4): by removing leading zeros in any of the octets.

 For Internet Protocol version 6 (IPv6): by including all eight groups of hexadecimal
digits, by removing leading zeros in any of the groups, and by converting all letters to
lowercase.

If you create a profile selector rule using the customer IP address, make sure that you
enter it in the Custom Value field as described above.

Decision Manager Account Takeover Protection Service | July 2018 31

 Chapter 2 Configuring Rules and Profiles

To create a profile selector rule:

Step 1 Under Event Configuration, click Profiles.

Step 2 Click Add Selector Rule.

Step 3 Name and describe the rule.

Step 4 Select the profile that you want to screen with this rule.

Step 5 Create your condition.

Step 6 Click Save.

Your rule appears at the bottom of the list. You can now change its position in the event
evaluation sequence.

Step 7 Drag the rule to a new evaluation position by using the handle.

Rule Sequence
After creating selector rules, you must choose the order in which you want the Decision
Manager Account Takeover Protection Service to use them to choose a profile. To
rearrange the profile selector rules, drag the handle on the left edge to move the rule up or
down. The order number of the selector rule is updated as soon as you release the
handle.

When... Account Takeover Protection Service

Selects This Profile:
One or more selector rules are triggered. First profile listed in the Profile Selector table
No rule in the Profile Selectors is triggered. Default active profile
or
Account Takeover Protection Service cannot find
the profile specified in the request or in the Profile
Selector.

Decision Manager Account Takeover Protection Service | July 2018 32

 Chapter 2 Configuring Rules and Profiles

Creating Custom Rules

Case

You can create custom rules to meet your business requirements. For each merchant ID,
you can create up to 600 custom rules. Rules are not case sensitive, except for merchant
velocity rules that contain custom fields and product velocity rules that contain product
SKUs.

Before creating a custom rule, make sure that your development team has
added the fields to your API request that correspond to the event elements and
Important that you plan to use in your custom rules. If the event information is not
available, your custom rules do not work, and you do not receive an error
message.

Components
The components of a custom rule comprise an event element, a condition operator, and a
comparison value.

Event Elements
Event elements are request fields, reply fields, and other event data fields. Some elements
contain only a single value while others can contain multiple values. For example, an
event can contain only one billing address. The Rule Editor has more than 100 predefined
elements. You can also create rules with custom fields, which are listed at the bottom of
the event elements. For example, you could use one or more of the following custom
fields:

 PossibleVM—the transaction is suspected of coming from a virtual machine.

 NoDeviceID—no device fingerprint was generated for the transaction.

 EMailinGlobalBlacklist—an email address is on the global blacklist.

 MultiDevicePerMerchantAccountLoginPerHour—four fingerprints were detected with

the same account login in the past hour.

Decision Manager Account Takeover Protection Service | July 2018 33

 Chapter 2 Configuring Rules and Profiles

Event Elements with Unique Characteristics

normalization

Rules created with address elements evaluate an address as it is entered by your

customer. The Decision Manager Account Takeover Protection Service normalizes the
address by correcting some of the problems and by formatting it consistently. For
example, instead of street, the common abbreviation st is used. The normalized address
is used to compare the address to your customer lists and to return the appropriate
information codes in the case details window.

If you create a custom rule using the customer IP address, the IP address requires special
formatting. The Decision Manager Account Takeover Protection Service normalizes the
customer IP address in the API request as follows:

 For Internet Protocol version 4 (IPv4): by removing leading zeros in any of the octets.
 For Internet Protocol version 6 (IPv6): by including all eight groups of hexadecimal
digits, by removing leading zeros in any of the groups, and by converting all letters to
lowercase.

 Before: 123A:45cd:0067:89::EF
 After: 123a:45cd:67:89:0:0:0:ef

If you create a custom rule using the customer IP address, make sure that you enter it in
the Custom Value field as described above.

Comparison Operators
Comparison operators enable you to compare an element to one or more values or to
determine whether a condition is present.

Equal, Contains, Starts, and Ends

Use with elements and comparison values that can contain multiple values (or lists), such
as the fraud score information codes. Depending on the operator that you choose, you
can match any event element value to any comparison value as follows: <value 1> or
<value 2>... or <value n>.

Equal and contains function differently: equal matches a complete event

element, but contains matches part of an event element. Therefore, when you
Note convert a rule that uses contains to one that uses equal, the rule is not triggered
when matching a single comparison value, such as email domain, to part of an
event element, such as email address.

Greater and Less

Use with a single value as event element and comparison value.

Decision Manager Account Takeover Protection Service | July 2018 34

 Chapter 2 Configuring Rules and Profiles

Present
Use to obtain a yes or no answer about the presence of a specific value in the event data.

Regular Expressions
Use with elements that can contain multiple values.

The comparison operators named member of are being discontinued.

Although this operator is still visible in the menu, use equal to instead when
Important creating or modifying rules.

Comparison Values
Some of the values are predetermined. In other cases, you must enter the value(s) that
you want to find, such as an amount or a list of custom fields. When appropriate for the
event element that you are using, you can select multiple comparison values by using
Ctrl-click, for example: several possible card verification values, custom lists, and custom
fields. When using custom values, separate lists of values with a comma, except with the
greater than and less than operators.

Creating a Rule

To create a rule:

Step 1 Under Event Configuration, choose Custom Rules > Add Rule at the bottom of the
window. The rule editor opens.

Step 2 Name and describe a rule.

Step 3 If you know where you want to place this rule, choose a category. Or, you can choose the
category later in the Custom Rules list window.

Decision Manager Account Takeover Protection Service | July 2018 35

 Chapter 2 Configuring Rules and Profiles

Step 4 If you want this rule to be added automatically to profiles created with core rules, check
the Core Rule box, and from the drop-down menu choose the rule to be used in the
profile.

Initially, set new rules to Monitor so that you can evaluate and refine how a rule functions
before placing it into production.

You can choose only one option for each rule:

 Monitor indicates that the rule is used to evaluate the event, but the result has no
impact on event acceptance or challenge. Use this setting for rules that you want to
test before putting them into production.

 Accept indicates that the event is automatically accepted. Use this rule for specific
cases only, for example, when customers who are added temporarily to the positive
list replace an event.

 Challenge indicates that the event is automatically challenged.

 Reject indicates that the event is automatically rejected.

Step 5 Create your first condition as follows:

a Choose an event from the Event Element drop-down menu.
b Choose a comparison operator.
c Choose a comparison value.
d Click OK.

Step 6 Create more conditions as needed. For rules that contain two or more conditions, decide
how the conditions should interact:

 If you want the rule to be triggered only when all conditions are triggered, select all
conditions are true.

 If you want the rule to be triggered when any one condition is triggered, select at least
one condition is true.

Step 7 To add this rule immediately to your existing profiles (optional), click Edit Rule
Configuration in Profiles.

This option enables you to set simultaneously in all profiles how you want to use the rule
(monitor, accept, challenge, or reject) and how you want to set the rule priority. When you
set a custom rule as a core rule, the profiles created with core rules will show the rule as
you set it. In profiles created without core rules, the rule setting may be different. If you
prefer, you can add the rule to your profiles later.

Step 8 For each profile listed, check the box to indicate how to use the rule (accept, review,
challenge, or monitor) and a priority, if you wish.

Step 9 To close the window, click Update.

Decision Manager Account Takeover Protection Service | July 2018 36

 Chapter 2 Configuring Rules and Profiles

Step 10 To close the Rule Editor and return to the list of custom rules, click Save.

If two users are modifying a rule at the same time, the changes saved last are
kept.
Note

Step 11 To view your rule, go to the navigation pane and click Custom Rules.

Your rule appears in the category in which you placed it. You can modify the rule at any
time.

Creating Custom Lists

Decision Manager and the Account Takeover Protection Service share custom
lists.
Note

Custom lists enable you to streamline your business and product information by
combining several items into lists. Initially, this menu contains only the list of countries, as
shown below. To view and edit the content of a list, click anywhere on a name or
description of the list or on the pencil icon:

Figure 1 Custom Lists

The lists that you create are added above the list of countries.

Decision Manager Account Takeover Protection Service | July 2018 37

 Chapter 2 Configuring Rules and Profiles

Custom Lists
You can define up to 200 custom lists, which you can use in custom rules and as product
groups in velocity rules. Each list can contain up to 8000 elements of up to 50 characters
each. The same element can be used in several lists. As soon as you save a list, you can
use it in custom rules.

The elements of custom lists are not case sensitive. However, the elements of
the lists that you plan to use as product groups in velocity rules are case
Important sensitive.

You can change the name, description, and content of the lists at any time. Rules that
contain the modified custom lists are updated automatically. All custom lists use the string
data type, which includes letters and numbers. Even if a list contains other characters or
types of information, such as a date, the list is screened as if it contains only letters and
numbers. Make sure that each element within a list is unique.

The Decision Manager Account Takeover Protection Service normalizes the customer IP
address in the API request as follows:

 For Internet Protocol version 4 (IPv4): by removing leading zeros in any of the octets.
 For Internet Protocol version 6 (IPv6): by including all eight groups of hexadecimal
digits, by removing leading zeros in any of the groups, and by converting all letters to
lowercase.

 Before: 123A:45cd:0067:89::EF
 After: 123a:45cd:67:89:0:0:0:ef

If you create a custom list using the customer IP address, make sure that you format each
item as described above.

Decision Manager Account Takeover Protection Service | July 2018 38

 Chapter 2 Configuring Rules and Profiles

Figure 2 Custom List Editor

To create a list:

Step 1 To create a list, click Add Custom List at the bottom of the page.

Step 2 Choose a unique name with a maximum of 30 characters.

Step 3 Enter a description with a maximum of 255 characters.

Step 4 Enter one item on each line.

Step 5 When done, click Save.

The list appears in alphabetical order in the Custom Lists summary window.

You can edit your lists as needed. After you delete an item from the list, click Apply. The
item is deleted without a warning message. You can delete any custom list unless it is
being used in a custom or velocity rule. If you attempt to delete such a list, a warning
message appears. To delete a custom list, click Delete Custom List.

Decision Manager Account Takeover Protection Service | July 2018 39

 Chapter 2 Configuring Rules and Profiles

Merchant Region
Choose the countries from which you will accept events. When you choose the countries,
you can use the predefined rule Event outside merchant's region, and you can create
custom rules that use your countries as comparison values when you use billing country or
shipping country as event elements. You can modify your list of countries at any time.

To select countries, click the Merchant Region line in the Custom Lists summary window.
In the Merchant Region List Editor, select countries one by one, or to select multiple
countries at once, use Ctrl-click and Shift-click. When done, click Save. Although you
can view and edit its content, you cannot delete this list.

Creating Custom Fields

Decision Manager and the Account Takeover Protection Service share custom
fields.
Note

You can use custom fields in custom and velocity rules. You can use up to 100 fields. To
use a custom field, assign a name that is meaningful to your business.

Although you can name custom fields only in the Business Center, you can use them
either in the API or in the Business Center. To use custom fields correctly, you need to
coordinate the names with your development team. The first four merchant-defined fields
are also used by the Secure Data services. For information on using the merchant-defined
data API fields, see the Decision Manager Using the Simple Order API Developer Guide
(PDF | HTML) or the Decision Manager Using the SCMP API Developer Guide (PDF |
HTML). You must be logged in to the Business Center to view these guides.

Decision Manager Account Takeover Protection Service | July 2018 40

 Chapter 2 Configuring Rules and Profiles

To create custom fields:

Step 1 Click Add Custom Field.

In Figure 4, the order element is merchant_defined_data13. When creating a field, you
can select any available name from the menu. You do not need to use the names in the
event in which they appear.

Figure 3 Custom Field Editor

Step 2 Enter a name (up to 30 characters) and description (up to 255 characters).
In the name, do not use the back slash (\) or the single quote (‘).

Step 3 Choose the type of data that the custom field should contain:
 String, which includes letters and numbers
 Number, which includes only numbers
 Date, which includes date and time

Step 4 Click Save.

After you have created a custom field, you can change the name and the description but
not the data type. To change the data type, you must delete the field and create a new
one. When you do so, rules that used the old custom field no longer function correctly
because they are not updated with the new data type. Therefore, when deleting a custom
field, be sure that it is not currently being used or that you recreate a corresponding field
with the same data type.

Decision Manager Account Takeover Protection Service | July 2018 41

 Chapter 2 Configuring Rules and Profiles

Copying, Editing, Deleting Rules

To copy, edit, or delete a custom rule, click anywhere on the rule’s description line or on
the pencil icon on the right:

To copy, edit, or delete rules:

Step 1 In the Rule Editor, click Copy Rule. A simplified version of the Rule Editor appears.

Step 2 Change at least the name of the rule, ensuring that the name does not conflict with the
names of your existing rules.

Step 3 Modify the description of the new rule appropriately.

Step 4 Update your existing profiles with the new rule.

You can do so immediately or later. If you update your existing profiles with the new rule
now, the original rule is replaced by the new rule. However, the profiles do not evaluate
events differently because the conditions in the rule have not changed.

Step 5 When done with your changes, click Save.

The Rule Editor reappears so that you can change the conditions appropriately for your
new rule.

You can delete rules from the Rule Editor or from the rules summary window:

 From the Rule Editor, click Delete at the top of the window.

 From the rules summary window, check the boxes to the right of the rules, and click
Delete at the bottom of the window.

Decision Manager Account Takeover Protection Service | July 2018 42

 Chapter 2 Configuring Rules and Profiles

Managing Rules and Categories

The rules list contains all the categories that contain core and custom rules.

Categories
Categories are user-defined sets of rules that you can group together as appropriate for
your business. You may create new categories and add rules to categories as desired.
The number next to the name of a category indicates the number of rules in the category.

For example, you might create a category of rules associated with payment types or
specific groups of products. By default, the categories are open. The number next to the
name of the category indicates the number of rules in that category.

To create or edit categories:

Step 1 Click Add Category at the bottom of the window.

or
Open the folder menu on the left side of a category, and choose Add Category:

Step 2 Enter a name and click Add.

Your category is added without any rules as indicated by the number 0 next to the name of
the category.

To move the new (or any other) category in the window, use the handle to drag the
category to a new location.

To move a rule from one category to another, use the handle on the left of the rule. The list
of categories appears. Drag the rule to the category of your choice.

Decision Manager Account Takeover Protection Service | July 2018 43

 Chapter 2 Configuring Rules and Profiles

Core Rules
Core rules are rules that you want added automatically when you create a profile with core
rules instead of an empty profile:

When you create a profile, you can set any rule as a core rule and you can change your
settings at any time.

To set a rule as a core rule, click the red C; to remove the setting click the gray C:

Addresses are normalized before they are added to a list. In the search results
and in the files that you download, all minor errors are corrected, and the
Important address information is formatted consistently using common abbreviations, for
example: st for street. In addition, the address information is changed to
lowercase. For example:
“44 Fisher Str./Mtn View/California/94053”
is changed to:
“44 fisher St/mountain view/ca/94043”
Addresses are normalized before being compared to other addresses.

Decision Manager Account Takeover Protection Service | July 2018 44

 Chapter 2 Configuring Rules and Profiles

Overview of Available Tools

You can use many tools to add data to or retrieve data from the customer lists.

Tool Type of Data Retrieval or Deletion

Business Center
List Manager Positive, negative, and fraudulent data Delayed retrieval and deletion
Mark as Trusted Excellent data –
Mark as Temporarily Trusted Good data –
Mark as Suspect Fraudulent data –
Mark for Review Uncertain data –
Remove from History Positive and negative data Delayed retrieval but no deletion
CyberSource API Services
Risk Update Service Positive, negative, review list Delayed retrieval and deletion
Decision Manager Positive, negative, review list Real-time retrieval but no deletion

Adding Data to the Database

This section describes how to add information to the database and retrieve information
from it by using the Business Center and the API.

Manual Input in the Business Center

In the Business Center, you can use List Manager to search for entries.

List Manager
With List Manager, you can add individual entries. For all lists, you choose the type of data
(negative, review, or positive) and the event elements that you want to add to the
database.

CyberSource API
You can use the Risk Update service to update your customer lists. You choose the type of
negative or positive data and the customers that you want to add to the lists. Adding lists
also affects Decision Manager. For more information, see the Decision Manager Using the
Simple Order API Developer Guide (PDF | HTML) or the Decision Manager Using the
SCMP API Developer Guide (PDF | HTML). You must be logged in to the Business Center
to view these guides.

Decision Manager Account Takeover Protection Service | July 2018 45

 Chapter 2 Configuring Rules and Profiles

Using Data from the Database

You can use all data in real time or in a delayed manner. While reviewing or searching for
events, you can mark events as follows:

 Events that you mark as suspect are challenged.

 Events that you mark as trusted are added to the positive list temporarily or
permanently.

 While updating your customer lists with List Manager, you can search for up to 5000
records. However, you can export the complete lists in XML or CSV format even if the
lists contain more than 5000 records.

Deleting Data
You can delete some of the data from the customer lists.

 API: using the appropriate action code of the Risk Update service, you can delete
information from customer lists. For more information on the API fields, see the
Decision Manager Using the Simple Order API Developer Guide (PDF | HTML) or the
Decision Manager Using the SCMP API Developer Guide (PDF | HTML). You must be
logged in to the Business Center to view these guides.

 List Manager: after searching your lists, you can delete entries in the search results
window. In addition, if you download the results of your searches, you can delete
entries before uploading your modified lists.

After reviewing events, you can use the Remove from History feature to ignore specific
data that you no longer consider fraudulent.

Decision Manager Account Takeover Protection Service | July 2018 46

 Chapter 2 Configuring Rules and Profiles

Adding Event Data to Customer Lists

Use the List Addition menu to add event data directly to your customer lists.
The positive list differs from the negative list:

 With the positive list, each record that you create comprises all the identity elements
of the option that you choose.

 With the negative and review lists, each identity element is added to the list as an
individual record. For example, if you create a list record by entering data in four fields,
you effectively add four records to your list. However, all the address elements are
counted as one identity element.

Data added to the review list is deleted automatically after one year if you
do not move it to the negative list or delete it manually.
Note

An event will return a match if a single item from the event is matched to the negative or
the review list, but all the items of a positive list record must match the event for it to be
considered good.

Positive Records

To add records to your positive list:

Step 1 Choose one of the options.

If you select an option but do not enter a value in one of the required fields, you receive an
error message. A billing or shipping address comprises the street address, city, state or
province, country, and postal code.

Table 4 Types of Positive Records

Email address and Average customer who shops from the home computer and has the
billing address order shipped to the home address.
Email address and Customer who shops from home, work, or while travelling and has the
shipping address item shipped to an address other than the home address, such as the
work address. The item may also be a gift.

Decision Manager Account Takeover Protection Service | July 2018 47

 Chapter 2 Configuring Rules and Profiles

Table 4 Types of Positive Records (Continued)

Email domain and Organization, such as a company or college campus, which usually
billing address contains two types of users:
 Corporate users who use the company card and have items
shipped not necessarily to the building where they work.
 Students and others who use a personal card and have a billing
address outside the campus.

Because of the added complexity, this case is more subject to fraud

than the previous ones. You need to recognize the email domain as
an important factor in determining whether the order is legitimate or
fraudulent. In this case, you may want to use other rules, especially
custom or profile selector rules to screen these orders completely and
accurately.
Email address, phone Customer who shops often from home or work with the same account
number, billing address, number and uses always the same shipping address and phone
and shipping address number. Orders that match this case are the most secure. This option
is the most complex, the least common, and the most difficult to
match.
Customer Account ID Optional account ID, tracking number, reward number, or other
unique number that you assign to the customer.
Email address and Customer who uses the same email address but may be using a new
device fingerprint computer or device that they have not previously used when
shopping.
Email address Usually associated with the shipping location.
Device fingerprint and Customer who may be using a new computer or device and the same
phone number phone number.
Device fingerprint and Customer who may be using a new computer or device and the same
shipping address shipping address.
Device fingerprint Available if you are using the Device Fingerprint service. To detect
and prevent repeated fraud, you can use this ID (unique computer ID)
to link transactions made from that computer.
CPF/CNPJ CPF or CNPJ identification number for an individual or a business,
used by the Brazilian revenue agency, Receita Federal.

Step 2 Enter a name for the record, which can be a number, name, or other identifier that you
assign to your customers.
This identifier is used for reference only; it is not used as a matching criterion.

Step 3 Enter notes or reasons for adding the customer or the event to your positive list.

Step 4 Enter the customer's complete email address, such as [email protected] or the
customer's email domain, which is the part of the address after the @ sign, such as
example.com.

Decision Manager Account Takeover Protection Service | July 2018 48

 Chapter 2 Configuring Rules and Profiles

Step 5 Click Add Entry.

If you try to add a record that already exists in the positive list, you receive a
failure message specifying that at least one duplicate record exists. If you try to
Important add a record that already exists in the negative list, you are not notified.
However, when you attempt to process a transaction with data present in both
lists, you receive the information code CON-POSNEG in the API reply and in
the case details window.

Step 6 To verify the result of your action, search the positive list for data that you added.

Negative and Review Records

The review list is a temporary location for data that you want to keep reviewing until you
can confirm whether it is valid or fraudulent. The fields for the review list are the same as
those for the negative list.

You can mark events up to 6 months in the past.

To add records to the negative list or the review list:

Step 1 Choose a reason and add notes to document your reason for marking the event.

Step 2 Enter as much information as you can in the List Fields section.

Decision Manager Account Takeover Protection Service | July 2018 49

 Chapter 2 Configuring Rules and Profiles

Table 5 Types of Negative and Review Records

Email address and The email address is generally specific to an individual, but the domain
email domain can comprise several email addresses. If you believe that several email
addresses that are part of a single domain are undesirable, you can add
the entire domain to your negative list.
Complete IP and The complete IP address generally applies to a single computer, but the
Network IP network address applies to the entire network to which a computer
Addresses belongs. If you believe that several IP addresses that are part of a
network are undesirable, you can add the entire network to your
negative list.
Phone Number If billing and shipping information are present in an order, the order may
also have two phone numbers. When deciding whether to add the phone
number to the negative list, consider the rest of the information,
especially the address(es).
Customer Account Optional account ID, tracking number, reward number, or other unique
ID number that you assign to the customer.
CPF/CNPJ CPF (individual) or CNPJ (business) identification number used by the
Brazilian revenue agency, Receita Federal, for Brazilian customers only.
Device Fingerprint Unique ID of the computer used by the customer to place the order.
Smart ID Device identifier generated from attributes collected during profiling.

Step 3 Enter any available address information.

Be as specific as possible to ensure a precise record. The Business Center adds only one
address to each record. If you have a customer's identity with a different billing and
shipping address, you can add both with the API instead of the Business Center.

Step 4 Click Add Entry.

Step 5 To verify the result of your action, search the negative list for data that you added.

Decision Manager Account Takeover Protection Service | July 2018 50

 Chapter 2 Configuring Rules and Profiles

Searching and Reviewing Customer Lists

An important part of managing your lists is to search the data that they contain so that you
can update it whenever necessary. Your search results are limited to 5000 records. All
search results are displayed in your time zone.

Decision Manager and the Account Takeover Protection Service share

customer lists.
Note

Search Criteria
You can search for negative list, review list, and positive list records from the List Search
window. See the "Negative List," "Review List," and "Positive List" sections for more
information.

Figure 4 List Search Window

Date Range
The first criterion that you must choose is the date or date range during which the data
was added to the customer list. The preset ranges enable you to search from the past
hour to the past six months. Although all other Business Center searches are limited to six
months, you can search through all your past customer list records in CyberSource’s
database; from the Creation Date drop-down menu, choose All.

Figure 5 Creation Date Options

Decision Manager Account Takeover Protection Service | July 2018 51

 Chapter 2 Configuring Rules and Profiles

Field Options
Narrow the scope of your search as much as possible to shorten the duration of your
search. This table describes all the options available for all types of lists: negative (N),
review (R), and positive (P).

Table 6 Field Options

Option List Description

All fields All All field options for the selected list.
Address N&R Street address, city, state or province, country, and postal
code in the event.
Note You can search individually for the city, state or
province, postal code, or country. However, when you specify
the street address, you must also provide the city, postal
code, and country. The state or province is optional.
Billing Address P Customer's complete address.
CPF/CNPJ All CPF (individual) or CNPJ (business) identification number
used by the Brazilian revenue agency, Receita Federal, for
Brazilian customers only.
Complete IP N&R Customer's IP address, such as 111.111.111.111 (four
Address sections).
Customer Account All Your company’s identifier for the customer.
ID
Device Fingerprint All Unique ID of the computer used by the customer to place the
order.
Email Address All Customer's complete email address, such as
[email protected].
Email Domain All Email domain, such as example.com.
Network IP Address N&R Network IP address, such as 111.111.111 (three sections).
Phone Number All Phone number associated with the event.
Shipping Address P Customer's complete address.
Smart ID N&R Device identifier generated from attributes collected during
profiling.

Decision Manager Account Takeover Protection Service | July 2018 52

 Chapter 2 Configuring Rules and Profiles

Results
For all lists, the account number and address results are displayed as follows.

Complete Address
The complete address comprises the street address (one or two fields), city, state or
province, postal code, and country. When you search for an address, List Manager always
returns all addresses that contain the element that you searched for and all addresses that
contain no value for this element.
For example, if you search for the postal code 94520, List Manager returns all addresses
within this postal code and all addresses that have no postal code regardless of the
content of the other address elements. These addresses without data are returned
because some of them may be located within the postal code that you are searching. You
can further investigate these empty address elements to find out if they are relevant.

Marking Request ID
The request ID appears in the far right column. The request ID is a link to an event that
was marked. If the list entry is older than six months, its details are not available. If
multiple fields from different events are found on the negative list, the request ID of the first
event is shown.

Negative List
You can search the negative list to view its data or to move it to the review list. Each type
of data, such as billing address, email address, and account suffix, appears on a separate
row. In the Entry Type column, the billing or shipping address is labeled Address.

When an event contains customer data that was previously added to the negative list, the
data from the new event is automatically added to the negative list.

To move event data from the negative to the review list, select one or more lines. When
you do so, the button named Convert to Review is activated.

After you click Convert to Review, a message confirms that the action was successful.

Decision Manager Account Takeover Protection Service | July 2018 53

 Chapter 2 Configuring Rules and Profiles

Review List
You can search the review list to view its data, to move it to the negative list, or to delete
the data confirmed valid that was previously marked suspicious. Searching for review list
items returns results similar to the negative list search. Each type of event data, such as IP
address and billing address, appears on a separate row. In the Entry Type column, the
billing or shipping address is labeled Address.

To move event data from the review to the negative list, select one or more lines. When
you do so, the button named Convert to Negative is activated.

Positive List
Searching the positive list is especially important in order to keep track of temporary
records. These records are dropped automatically from the positive list when:

 The customer triggers an event again.

 The time allowed to trigger an event has elapsed whether or not the customer has
triggered the event again.

Deleting Records
To delete records, check one or more records and click Delete. The results window
reappears with a success message.

Decision Manager Account Takeover Protection Service | July 2018 54

 Chapter 2 Configuring Rules and Profiles

Downloading Customer Lists

This section provides summary information about reports. For complete information about
the elements and fields, see the Decision Manager Reporting Guide (PDF | HTML). You
must be logged in to the Business Center to view these guides.

When you download your lists, you can edit the content as needed and later add the
updated data to the Business Center. You can export your lists in XML or CSV format.

Although you can view a maximum of 5000 records in the results window, you can export
your complete positive and negative lists. You can download your lists before or after
searching for the content.

The following figure shows the export features in the List Search window:

Figure 6 Export Features in the List Search Window

Downloading in CSV Format

To download a list in CSV format:

Step 1 Click Export as CSV. A dialog box appears.

Step 2 Click Save.

Step 3 Change the file extension from .csv to .txt so that all data in long numeric strings
appears correctly.

Step 4 Save the file to your computer.

Decision Manager Account Takeover Protection Service | July 2018 55

 Chapter 2 Configuring Rules and Profiles

Step 5 Import the text file into a spreadsheet as described in the Decision Manager Reporting
Guide (PDF | HTML). You must be logged in to the Business Center to view this guide.

Optional fields contain information only if you added the corresponding data to the list. In
this figure, the fields that contain no data have been collapsed so that you can more easily
view the fields that contain data.

Table 7 Column Headings in Customer List Report

Report headings
Report Date Range All
or
Report Start Date Jun 01 2009 12:00:00 AM
Report End Date Jun 11 2009 07:24:03 PM
Column headings for a positive list
recordName, listType, creationDate, createdBy, groupID, merchantID, expiration,
customerAccountID, billingPhone, shippingPhone, paymentType, accountSuffix, email,
emailDomain, billingAddress1, billingAddress2, billingCity, billingState,
billingPostalCode, billingCountry, shippingAddress1, shippingAddress2, shippingCity,
shippingState, shippingPostalCode, shippingCountry, creditCardBINCountry, IPCountry,
customerEmailCountry, deviceFingerprint, markingNotes, markingRequestID, cpfCnpj,
lastUsedDate
Column headings for negative and review lists
recordName, creationDate, createdBy, groupID, merchantID, customerAccountID,
billingPhone, shippingPhone, paymentType, accountSuffix, creditCardBINNumber, email,
emailDomain, address1, address2, city, state, postalCode, country, IPAddress,
networkIP, creditCardBINCountry, IPCountry, customerEmailCountry, deviceFingerprint,
markingReason, markingNotes, markingRequestID, cpfCnpj, smartId, lastUsedDate

Decision Manager Account Takeover Protection Service | July 2018 56

 Chapter 2 Configuring Rules and Profiles

These fields are derived as follows:

Table 8 Origins of Data

Field List Type Description

recordName Positive list only; always Created in the List Addition window or when
present. you use the Event Marking Tool.
creationDate, createdBy, All lists; always present. Automatically inserted by List Manager
merchantID, and groupID when you create the record or mark an
event.
listType and expiration Positive list only; always Automatically inserted by List Manager
present. when you mark events temporarily trusted in
the case or search details window.
customerAccountID All lists; optional. Entered when you mark events or in the
Negative List Addition window. For the
positive list, this field may not contain a
value even if the event does.
billingAddress1, All lists; optional. Entered in the list addition windows or when
billingAddress2, billingCity, you mark events. Billing and shipping fields
billingState, billingPostalCode, are always returned as a complete address.
and billingCountry For example, even if you search for only one
element, such as the city, your search
shippingAddress1,
results contain the complete billing and
shippingAddress2, shippingCity,
shipping addresses that contain that city and
shippingState,
those that contain no data for the city.
shippingPostalCode, and
shippingCountry Negative list: address elements not specific
to billing or shipping.
billingPhone and shippingPhone
Positive list: address elements specific to
email and emailDomain
billing or shipping.
IPAddress and networkIP Negative and Review lists; Entered in the list addition windows or when
optional. you mark events.
accountSuffix, and All lists; optional. Event Marking Tool: you can view and can
accountNumber add only the suffix.
IPCountry and All lists; optional. Country decoded from the IP address and
customerEmailCountry email address in the event.
markingReason Negative and Review lists; Automatically inserted when an event is
always present. marked suspect.
markingNotes and All lists; optional. Notes are available if the reviewer has
markingRequestID entered comments when marking the event
and if the event was marked with the Event
marking tool.
deviceFingerprint All lists; optional. Device identifier generated from attributes
collected during profiling. Available if you
are using the Device Fingerprint service.
cpfCnpj All lists; optional. This value is sent by the merchant in the
transaction request.

Decision Manager Account Takeover Protection Service | July 2018 57

 Chapter 2 Configuring Rules and Profiles

Table 8 Origins of Data (Continued)

Field List Type Description

smartId Negative and Review lists; Unique ID of the computer used by the
optional. customer to place the order. Available if you
are using the Device Fingerprint service.
lastUsedDate All lists; always present. Inserted by List Manager. Indicates the
latest date when the value matches an item
on a negative, positive or review list.

Example of Report in CSV Format

The following example shows a negative or review list report in CSV format. Positive list
reports are similar.

Example 3 Negative or Review List Report in CSV

Report Start Date Oct 23 2010 04:00:00 PM

Report End Date Oct 23 2010 04:35:59 PM

creationDate, createdBy, groupID, merchantID, customerAccountID,

billingPhone, shippingPhone, accountSuffix, email, emailDomain,
billingAddress1, billingAddress2, billingCity, billingState,
billingPostalCode, billingCountry, shippingAddress1, shippingAddress2,
shippingCity, shippingState, shippingPostalCode, shippingCountry,
IPAddress, networkIP, creditCardBINCountry, IPCountry,
customerEmailCountry, deviceFingerprint, markingReason, markingNotes,
markingRequestID

Oct 23 2010 04:05:54 PM,, dmtest19, dmtest19,,,,,,,,,,,,,,,,,,,,,,,,,,

574bca09e5964d0cbed932bb35cbf70a, suspected,, 2563250986800000139320

Decision Manager Account Takeover Protection Service | July 2018 58

 Chapter 2 Configuring Rules and Profiles

Downloading in XML Format

Before downloading an XML report, make sure that you have the current DTD
so that you can take advantage of the most recent features.
Important

To download a list, click XML and save the file on your computer.

Start and end dates or a date range appears in the attributes of the report. Optional fields
appear only when the record contains data. These elements are derived as follows:

Table 9 Origins of Data

Field List Type Description

recordName Positive list only; Created in the List Addition window or when
always present. you use the Event Marking Tool.
creationDate, createdBy, merchantID, All lists; always Automatically inserted by List Manager when
and groupID present. you create the record or mark an event.
listType and expiration Positive list only; Automatically inserted by List Manager when
always present. you mark events temporarily trusted in the case
details window.
customerAccountID All lists; optional. Entered when you mark events or in the
Negative List Addition window. For the positive
list, this field may not contain a value even if the
event does.
billingAddress1, billingAddress2, All lists; optional. Entered in the list addition windows or when
billingCity, billingState, you mark events. Billing and shipping fields are
billingPostalCode, and billingCountry always returned as a complete address. For
example, even if you search for only one
shippingAddress1, shippingAddress2,
element, such as the city, your search results
shippingCity, shippingState,
contain the complete billing and shipping
shippingPostalCode, and
addresses that contain that city and those that
shippingCountry
contain no data for the city.
billingPhone, shippingPhone
Negative list: address elements not specific to
emailAddress, and emailDomain billing or shipping.
Positive list: address elements specific to billing
or shipping.
IPAddress and networkIP Negative and Entered in the list addition windows or when
Review lists; you mark events.
optional.
accountSuffix, and accountNumber All lists; optional. Event Marking Tool: you can view and can add
only the suffix.
IPCountry and customerEmailCountry All lists; optional. Country decoded from the IP address and
email address in the event.

Decision Manager Account Takeover Protection Service | July 2018 59

 Chapter 2 Configuring Rules and Profiles

Table 9 Origins of Data (Continued)

markingReason Negative and Automatically inserted when an event is

Review lists; always marked suspect.
present.
markingNotes and markingRequestID All lists; optional. Notes are available if the reviewer has entered
comments when marking the event and if the
event was marked with the Event marking tool.
deviceFingerprint All lists; optional. Device identifier generated from attributes
collected during profiling. Available if you are
using the Device Fingerprint service.
cpfCnpj All lists; optional. This value is sent by the merchant in the
transaction request.
smartId Negative and Unique ID of the computer used by the
Review lists; customer to place the order. Available if you are
optional. using the Device Fingerprint service.
lastUsedDate All lists; always Inserted by List Manager. Indicates the latest
present. date when the value matches an item on a
negative, positive, or review list.

Example of Report in XML Format

This example shows a negative list report. The reports for the positive and review lists are
similar.

Example 4 Negative List Report in XML

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE ListManager SYSTEM "https://ebctest.cybersource.com/ebctest/
reports/dtd/list_manager.dtd">
<ListManager xmlns="https://ebctest.cybersource.com/ebctest/reports/
dtd/list_manager.dtd" MerchantID="test" Name="Negative List"
SearchDate="Dec 01 2010 12:26:28 PM" ReportDateRange="All"
Version="1.0">
<NegativeItem>
<CreationDate>Nov 30 2010 08:30:37 PM</CreationDate>
<CreatedBy>test</CreatedBy>
<MerchantID>test</MerchantID>
<BillingPhone>6505551212</BillingPhone>
<MarkingReason>suspected</MarkingReason>
</NegativeItem>
<NegativeItem>
<CreationDate>Nov 30 2010 08:30:37 PM</CreationDate>
<CreatedBy>test</CreatedBy>
<MerchantID>test</MerchantID>
<EmailAddress>[email protected]</EmailAddress>
<MarkingReason>suspected</MarkingReason>
</NegativeItem>
</ListManager>

Decision Manager Account Takeover Protection Service | July 2018 60

 Chapter 2 Configuring Rules and Profiles

Uploading Data
This section describes how to prepare your files before adding them to the Business
Center. Remember that addresses are normalized by List Manager before they are added
to a list.

Editing and Preparing to Upload Customer Lists

You can examine the content of your downloaded lists to correct errors and
inconsistencies, and you can add information that you obtained from other sources.

You can upload files with negative, positive, and review list data in CSV format or in XML
format. When preparing your files for uploading, make sure that you follow these important
points:

 CyberSource recommends that when you name your files you date them to track the
updates more easily, for example: negative_list_updates_03-02-06.csv

 The character encoding is usually included in the XML file, but you have to specify the
encoding for CSV files when you upload them:
 If you are using a Western European language, use the default (Latin-1).
 If you are using Japanese characters, choose Shift-JIS.
 In all other cases, choose UTF-8 or UTF-16.

 When you upload data to a list, you must format each record according to the options
available in the Business Center. Otherwise, your file does not upload successfully.
 Each record you that you add to the positive list must contain one of these sets of
data in addition to the required record name:

Email Address and Billing Address

Email Address and Shipping Address
Email Domain and Billing Address
Email Address, Phone Number, Billing Address, and Shipping Address
Email address
Email Address and Device Fingerprint
Device Fingerprint and Phone Number
Device Fingerprint and Shipping Address
Device Fingerprint
CPF/CNPJ

Decision Manager Account Takeover Protection Service | July 2018 61

 Chapter 2 Configuring Rules and Profiles

 Each record you that you add to the negative list can contain as many of these
elements as you want. Email addresses and phone numbers are not specific. You
can use these fields for customer data.

Email Address
Email Domain
Complete IP Address
Network IP Address
Phone Number (numbers only)
Address
City
State/Province
Postal Code
Country
CPF/CNPJ
Smart ID
True IP Address
Proxy IP Address

Uploading Files in CSV Format

Although you may have saved the file that you downloaded with the .txt extension, make
sure that you save the file that you upload with the .csv extension.

Positive List

To prepare your file for uploading:

Step 1 Insert the field headings in the correct order:

record_name, customer_email, domain, device_fingerprint_hash, bill_
address1, bill_address2, bill_city, bill_state, bill_zip, bill_country,
customer_phone, ship_to_address1, ship_to_address2, ship_to_city, ship_to_
state, ship_to_zip, ship_to_country, ship_to_phone, personal_id

These headings are deleted in Step 3. You cannot add a temporary record to your positive
list when you upload a file, but you can do so in the Business Center with the List Addition
menu.

Step 2 Enter your data.

In a spreadsheet, a file with three records appears as follows:

In this example, the first line contains an email and the billing address, the second line
contains an email domain and billing address, and the last line contains an email address
and shipping address.

Decision Manager Account Takeover Protection Service | July 2018 62

 Chapter 2 Configuring Rules and Profiles

Step 3 When you are done, delete the heading row.

Negative List
Files for the negative list are the simplest because each entry contains only a field name
and a field value from this list:

Table 10 Negative List

Field Name Field Value

address billing and shipping address
customer_phone billing phone number
customer_email email address
domain email domain
customer_ipaddress IP address
customer_ipaddress_class3 network IP address
device_fingerprint_hash device fingerprint
personal_id CPF/CNPJ
device_fingerprint_smart_id smart ID
true_ipaddress true IP address
proxy_ipaddress proxy IP address

When you include a street address, follow this format:

address1/address2/city/state/postal_code/country

Country is required. If you have no data for one or more of the address sections, you must
still include five forward slashes (/):

address1//city//postal_code/country

When you add an address, it appears in the uploaded results as the billing and the
shipping address. If you want to save only one of the entries, delete one of them from the
uploaded results.
repeated field names

You can upload a list that contains only some of the field names, such as a list of names or
email addresses. In this case, each row would consist of the field name and the
corresponding value:

customer_email [email protected]
customer_email [email protected]
customer_email [email protected]

IP addresses will match any IP address field.

Decision Manager Account Takeover Protection Service | July 2018 63

 Chapter 2 Configuring Rules and Profiles

In the file, do not include a heading row, and insert the fields in the correct order:
FieldName followed by FieldValue, for example:

Uploading Files in XML Format

Positive List
To construct your XML file, use this DTD:

<!ELEMENT PositiveList (Entry)*>

<!ELEMENT Entry (RecordName, EmailAddress?, EmailDomain?,
DeviceFingerprint?, BillingAddress1?, BillingAddress2?, BillingCity?,
BillingState?, BillingPostalCode?, BillingCountry?, BillingPhone?,
ShippingAddress1?, ShippingAddress2?, ShippingCity?, ShippingState?,
ShippingPostalCode?, ShippingCountry?, ShippingPhone?)>
<!ELEMENT RecordName (#PCDATA)>
<!ELEMENT EmailAddress (#PCDATA)>
<!ELEMENT EmailDomain (#PCDATA)>
<!ELEMENT DeviceFingerprint (#PCDATA)>
<!ELEMENT BillingAddress1 (#PCDATA)>
<!ELEMENT BillingAddress2 (#PCDATA)>
<!ELEMENT BillingCity (#PCDATA)>
<!ELEMENT BillingState (#PCDATA)>
<!ELEMENT BillingPostalCode (#PCDATA)>
<!ELEMENT BillingCountry (#PCDATA)>
<!ELEMENT BillingPhone (#PCDATA)>
<!ELEMENT ShippingAddress1 (#PCDATA)>
<!ELEMENT ShippingAddress2 (#PCDATA)>
<!ELEMENT ShippingCity (#PCDATA)>
<!ELEMENT ShippingState (#PCDATA)>
<!ELEMENT ShippingPostalCode (#PCDATA)>
<!ELEMENT ShippingCountry (#PCDATA)>
<!ELEMENT ShippingPhone (#PCDATA)>

Decision Manager Account Takeover Protection Service | July 2018 64

 Chapter 2 Configuring Rules and Profiles

This XML section shows a positive list example:

<?xml version="1.0" encoding="utf-8"?>

<PositiveList>
<Entry>
<RecordName>John Smith</RecordName>
<EmailAddress>[email protected]</EmailAddress>
<BillingAddress1>123 Elm Ave</BillingAddress1>
<BillingCity>Mountain View</BillingCity>
<BillingState>CA</BillingState>
</Entry>
<Entry>
<RecordName>Sarah Young</RecordName>
<EmailAddress>[email protected]</EmailAddress>
<ShippingAddress1>123 Walnut Ave</ShippingAddress1>
<ShippingCity>Palmdale</ShippingCity>
<ShippingState>GA</ShippingState>
</Entry>
<Entry>
<RecordName>Sarah Young</RecordName>
<PersonalID>123456</PersonalID>
</Entry>
</PositiveList>

Negative List
The field name can be the customer’s name, the billing or shipping address, the billing or
shipping phone number, the email address or email domain, or the IP address or network
IP address. To construct your file, use this DTD:

<!ELEMENT NegativeList (Entry)*>

<!ELEMENT Entry (FieldName, FieldValue)>
<!ELEMENT FieldName (#PCDATA)>
<!ELEMENT FieldValue (#PCDATA)>

Decision Manager Account Takeover Protection Service | July 2018 65

 Chapter 2 Configuring Rules and Profiles

This XML section shows a negative list example:

<?xml version="1.0" encoding="utf-8"?>

<NegativeList>
<Entry>
<FieldName>Address</FieldName>
<FieldValue>123 Walnut Ave/Mountain View/CA/U.S.A.</FieldValue>
</Entry>
<Entry>
<FieldName>Phone number</FieldName>
<FieldValue>8005551212</FieldValue>
</Entry>
<Entry>
<FieldName>personal_id</FieldName>
<FieldValue>8005551212</FieldValue>
</Entry>
<Entry>
<FieldName>device_fingerprint_smart_id</FieldName>
<FieldValue>8833445566</FieldValue>
</Entry>
<Entry>
<FieldName>true_ipaddress</FieldName>
<FieldValue>99.88.77.66</FieldValue>
</Entry>
<Entry>
<FieldName>proxy_ipaddress</FieldName>
<FieldValue>67.78.89.99</FieldValue>
</Entry>
</NegativeList>

Review List
The field name can be the customer’s name, the billing or shipping address, the billing or
shipping phone number, the email address or email domain, or the IP address or network
IP address. To construct your file, use this DTD:

<!ELEMENT ReviewList (Entry)*>

<!ELEMENT Entry (FieldName, FieldValue)>
<!ELEMENT FieldName (#PCDATA)>
<!ELEMENT FieldValue (#PCDATA)>

Decision Manager Account Takeover Protection Service | July 2018 66

 Chapter 2 Configuring Rules and Profiles

This XML section shows a sample review list:

<?xml version="1.0" encoding="utf-8"?>

<ReviewList>
<Entry>
<FieldName>Address</FieldName>
<FieldValue>123 Walnut Ave/Mountain View/CA/U.S.A.</FieldValue>
</Entry>
<Entry>
<FieldName>Phone number</FieldName>
<FieldValue>8005551212</FieldValue>
</Entry>
<Entry>
<FieldName>personal_id</FieldName>
<FieldValue>8005551212</FieldValue>
</Entry>
<Entry>
<FieldName>device_fingerprint_smart_id</FieldName>
<FieldValue>8833445566</FieldValue>
</Entry>
<Entry>
<FieldName>true_ipaddress</FieldName>
<FieldValue>99.88.77.66</FieldValue>
</Entry>
<Entry>
<FieldName>proxy_ipaddress</FieldName>
<FieldValue>67.78.89.99</FieldValue>
</Entry>
</ReviewList>

File Format
You can upload data in CSV or XML format. Each file must have a unique name. In the
Business Center, the formats are processed differently:

 Files in CSV format are not verified. If the Decision Manager Account Takeover
Protection Service encounters errors, you receive an error message only if the
merchant ID is incorrect. Incorrect events are not marked.

 Files in XML format are verified after you upload to ensure conformance with the DTD.
If the marked events contain errors, you receive an error message immediately if the
merchant ID, format, file size, or data is incorrect.

To ensure that all transactions are verified and marked correctly, CyberSource
recommends that you use the XML format.

Decision Manager Account Takeover Protection Service | July 2018 67

 Chapter 2 Configuring Rules and Profiles

CSV Format
When assigning a name to a file, make sure that you use these names only if they
represent the content of your file. For example, the file MYvitalFile.csv is not processed
correctly, but the file MYcsvFile.csv is processed correctly. When creating text files, follow
this template:

merchant_id, request_id, email, date, reason, notes

Heading Row

Even if you do not include all of the fields, make sure that you keep the structure with all of
the commas. CyberSource recommends that you include a heading row. If you use the
heading row, make sure that you start the row with the pound sign (#). Each record is
followed by a description of the record in the Notes section.
You can also prepare your records in a spreadsheet, as shown in Figure 8.

If you use a spreadsheet, make sure that the date is formatted correctly. To do
so, format the cell as a custom number (yyyy-mm-dd).
Important

Figure 7 Spreadsheet Report

XML Format
When assigning a name to a file, make sure that you use the following names only if they
represent the content of your file. For example, the file MYcsvFile.xml is not processed
correctly, but the file MYEventFile.xml is processed correctly.

Even if you do not include all of the fields, make sure that you keep the structure. Each
record is followed by a description of the record in the Notes section.
When creating XML files, follow this XSD. The XSD is also available in the online help
where you upload your chargeback data.

Decision Manager Account Takeover Protection Service | July 2018 68

 Chapter 2 Configuring Rules and Profiles

Example 5 XML Format

<?xml version="1.0" encoding="ISO-8859-1"?>

<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<xsd:complexType name="account_email_type">
<xsd:sequence>
<xsd:element name="email_address" type="xsd:string"/>
</xsd:sequence>
</xsd:complexType>
<xsd:complexType name="marking_criteria_type">
<xsd:choice>
<xsd:element name="request_id" type="xsd:string"/>
<xsd:element name="email_address" type="xsd:string"/>
<xsd:element name="account_email" type="account_email_type"/>
</xsd:choice>
</xsd:complexType>
<xsd:complexType name="event_request_type">
<xsd:sequence>
<xsd:element name="merchant_id" type="xsd:string"/>
<xsd:element name="marking_criteria" type="marking_criteria_
type"/>
<xsd:element name="marking_reason" type="xsd:string"
default="fraud_chargeback" minOccurs="0"/>
<xsd:element name="marking_notes" type="xsd:string"
minOccurs="0"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
</xsd:schema>

Uploading Customer Lists

This procedure applies to both CSV and XML formats.

To upload an XML or CSV file:

Step 1 In the List Manager menu, choose List Addition > Upload File. The List Addition window
opens.

Step 2 From the List Type drop-down menu, choose a list type.

Decision Manager Account Takeover Protection Service | July 2018 69

 Chapter 2 Configuring Rules and Profiles

Step 3 Choose an XML or CSV file type.

 If you choose CSV, choose the character encoding from the drop-down menu:
 For Western European languages, use the default.
 For Japanese characters, choose Shift-JIS.
 For all other cases, choose UTF-8.

 If you choose XML, the character encoding is already in the file.

Step 4 To find your file, click Browse.

Step 5 Enter your email address. You will receive a notification when the file has been uploaded.

Step 6 Click Upload File.

List Manager adds your merchant ID to the file. Your files are encrypted before being
processed. All new entries are added to the negative list. If an entry is already in the
negative list, the most serious reason is added to the database.

If an entry is already on the negative list, and you upload it with a review list, it will remain
in the negative list. If an entry is already on the review list, and you upload it with a
negative list, it will be moved to the negative list.

Verifying the Results

The files that you upload are processed hourly. When your files are ready, you will receive
a notification email. You can view the processing status of your uploaded list file in the
Batch Upload Search window.

To verify uploaded files:

Step 1 In the Business Center navigation panel, choose Tools & Settings > Batch Transactions
> Batch Upload Search.

Step 2 Specify a search date range and click Search. Your results display in the status grid.

Decision Manager Account Takeover Protection Service | July 2018 70

 Chapter 2 Configuring Rules and Profiles

Managing Velocity
You can create custom velocity rules that are specific to your type of business for each
type of event. You should revise your rules frequently to accommodate the trends in
fraudulent account attempts and in your customers' access habits.

To prevent fraud, create rules that evaluate the access habits of your customers. Use
these parameters: tracking elements, time interval, threshold, and morphing elements.
Always consider the parameters as a group. For broadest coverage, create several
related rules that differ in only one parameter.

Rules Summary
The Rules Summary window displays the merchant event velocity rules that you can use
to evaluate each event. Each rule is evaluated independently. A rule is triggered when the
number of matching transactions exceeds the threshold. You can create up to 50 event
velocity rules.

When you create an event rule, a pencil icon appears adjacent to the rules that you
create, which indicates that you can edit those rules. If you are an administrator, you can
change only the rules that you create.

The figure below shows the Event Velocity summary table.

Figure 8 Event Velocity Summary Table

Decision Manager Account Takeover Protection Service | July 2018 71

 Chapter 2 Configuring Rules and Profiles

Event Velocity Rule Elements

The following table summarizes the rule elements.

Table 11 Velocity Rule Elements

Element Description
Velocity Rule Name Unique name for the rule. The parameters that define the rule appear
in the columns to the right of the name.
Tracking Elements Customer parameter that you want to track in your orders.
Time Interval Interval selected for this rule in the rule editor.
Threshold Minimum number of instances that you want to allow for this
combination of tracking element(s) and time interval before the rule is
triggered.
Info Code Identifier that is assigned by CyberSource to each rule:
 MVEL-E<number>
Numbers start at 1 and increase by one for each rule. However, the
numbers that you see may not be sequential, for example: MVEL-E8,
MVEL-E2, MVEL-E1, MVEL-E11. These information codes enable you
to track the events that trigger the rule.

Decision Manager Account Takeover Protection Service | July 2018 72

 Chapter 2 Configuring Rules and Profiles

Creating Velocity Rules

Use the Event Velocity Editor window to create and modify rules.

Figure 9 Event Velocity Editor

To create a velocity rule, choose the appropriate tab and click Add Event Velocity. To
modify a rule, click anywhere on the rule line in the summary table.

The following sections provide more information about creating a rule.

Decision Manager Account Takeover Protection Service | July 2018 73

 Chapter 2 Configuring Rules and Profiles

Velocity Definition
Provide the appropriate information.

Name
Enter a descriptive name for the rule.

Event Type
Choose the event type for your rule: account creation, account login, or account update.

Tracking Element
Choose up to four elements that you want to track. All of the elements that you choose
must be in the transaction and match in order to trigger the rule. You can choose custom
merchant-defined data fields or from the following:
 Account number
 Billing address
 Billing first name
 Billing last name
 Billing phone number
 Card BIN
 Customer account ID
 Customer’s IP address
 Customer’s username
 Customer’s password
 Device fingerprint
 Email address
 Email domain
 Merchant reference number
 Proxy IP address
 Shipping address
 Shipping first name
 Shipping last name
 Shipping phone number
 Shipping postal code
 Smart ID
 True IP address
 True IP address state

Decision Manager Account Takeover Protection Service | July 2018 74

 Chapter 2 Configuring Rules and Profiles

Apply To
Choose the type of orders that the velocity rule should count: accepted events, rejected
events, and/or challenged events. You must choose at least one.

Time Interval
Choose a custom period or calendar period. Enter the interval that you want to allow
between events for this tracking element. The time interval can be as short as a minute or
as long as 180 days.

If you choose Custom Period, you can also exclude a period of time from the interval.

For example, you might wish to create a rule going back from 90 days to 180 days.

 In the Track back in the past dialog box, enter 180.

 In the Exclude most recent dialog box, enter 90.

When you modify the time interval for a rule, be aware of the implications: you need to
allow a number of items that is proportional to the interval that you choose if you want to
detect the same relative number of fraudulent attempts.

For example, your initial interval (24 hours) has a threshold of 6 items. If you want to
reduce the interval to 8 hours:

 To keep the same ratio of interval to events (4:1), reduce the threshold to 2 events.
 If the risk of fraud is lower, increase the threshold to 3 events.
 If the risk of fraud is higher, decrease the threshold to 1 event.

Threshold
This setting, which depends on your business practices, combines the time interval and
tracking elements specific to a customer identity. Enter the minimum number of instances
that you want to allow for this combination of tracking element(s) and time interval before
the rule is triggered. For example, if your threshold is 4, the fifth event triggers the rule
indicating possible risk.

Morphing
If desired, choose up to five morphing elements from the drop-down list..

You cannot choose an item as a morphing element if you have already

chosen it as a tracking element.
Note

Decision Manager Account Takeover Protection Service | July 2018 75

 Chapter 2 Configuring Rules and Profiles

The Decision Manager Account Takeover Protection Service returns a morphing count
when the values of the tracking elements are the same for multiple transactions, but the
morphing element value changes. You can use this value when building custom rules.

For example, to track more than two orders from the same email address and IP address
for 30 days, and note the number of different shipping addresses the orders contain:

 Choose Email address and Customer’s IP address as the tracking elements.

 Choose Shipping address as the morphing element.

This rule is triggered when you receive two or more orders with the same email and IP
address in 30 days. Once these orders have different shipping addresses, you also
receive the morphing count. Decision Manager returns the morphing count when it counts
two orders with different values. Even if the rule does not trigger, Decision Manager
returns the morphing count once it is greater than one.

When done, click Save if you are creating a rule, or click Apply if you are modifying a rule.

Your rule appears with an information code specific to the rule.

Deleting Velocity Rules

You can delete rules in the summary table and in the rule editor. Whether you are a
merchant or an administrator, you can delete only the rules that you create.

 In the summary table, check the boxes for the rules that you want to delete, and click
Delete at the bottom of the table.

 In the rule editor, click the Delete button at the top of the window.

When you delete a velocity rule created with an information code, the
corresponding information code is also deleted. Therefore, before deleting a
Important velocity rule, be sure to verify that the information code is not used in custom
rules.

Decision Manager Account Takeover Protection Service | July 2018 76

 Chapter 2 Configuring Rules and Profiles

Using the Decision Manager Event Detail

Report
You can configure a detail report of account login, account creation, and account update
events for regular download and analysis. Required fields are automatically included in the
report and you can add fields.

The report uses the XSD for the Decision Manager Detail Report. You can download the
latest XSD from the Business Center. To access it, under Reports choose Report DTDs.
For more information about the XSD, see "XSD for the Decision Manager Event Detail
Report," page 82.

Creating an Event Detail Report

This report is available in the New Business Center reporting system. When you click the
New Reports link in the Classic Business Center, you are redirected to the New Business
Center to create and download the report.

To create an Event Detail Report:

Step 1 In the left navigation panel, click the Reports icon.

Step 2 Click Report Subscription Management.

Step 3 Click the plus sign at the bottom of the page.

Step 4 Enter a report name.

Step 5 From the Frequency drop-down menu, choose the interval at which the report is to be
generated:
 One Time
 Daily
 Weekly
 Monthly

Step 6 From the Report Type drop-down menu, choose Decision Manager Event Detail Report.

Your account must be enabled for the Decision Manager Account Takeover
Service for this option to be available.
Note

Step 7 Choose a report format: XML or CSV.

Decision Manager Account Takeover Protection Service | July 2018 77

 Chapter 2 Configuring Rules and Profiles

Step 8 From the Report Start Time drop-down menu, choose the time of day for the reports to be
generated.

Step 9 Choose the time zone.

Step 10 Under Report Fields, expand a category and select the additional fields that you want to
include in the report. Click Expand All to view all available fields at once.

Fields are added to the Selected list as you select them.

Step 11 Click Save.

Downloading an Event Detail Report

Access the New Business Center through the New Reports link in the Classic Business
Center to download your Decision Manager Event Detail Report. The Available Reports
tab displays the reports you have created, once they have been generated depending on
the frequency and report start time you selected.

Editing an Event Detail Report

To edit an Event Detail Report:

Step 1 In the left navigation panel, click the Reports icon.

Step 2 Click Available Reports. A list of all available reports appears.

Step 3 Choose the report that you want to edit.

Step 4 Make the necessary changes to the report.

Step 5 Click Save.

Decision Manager Account Takeover Protection Service | July 2018 78

 Chapter 2 Configuring Rules and Profiles

Decision Manager Event Detail Report XML

Example
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Report SYSTEM "https://ebctest.cybersource.com/ebctest/reports/
dtd/DecisionManagerEventDetailReport.xsd">
<Report ReportEndDate="2018-02-15T20:59:59Z"
ReportStartDate="2018-02-12T21:00:00Z"
OrganizationID="risk_bvt"
xmlns="https://ebctest.cybersource.com/ebctest/reports/dtd/
DecisionManagerEventDetailReport.xsd" Version="2.0"
Type="DecisionManagerEventDetailReport" Name="DMEDRXML11">

<Transaction>
<Order>
<MerchantID>risk_bvt</MerchantID>
<RequestID>5186364085676001601540</RequestID>
<TransactionDate>2018-02-14T19:26:48-08:00</TransactionDate>
<MerchantReferenceNumber>900</MerchantReferenceNumber>
<ConnectionMethod>SCMP API</ConnectionMethod>
<Reply>
<ReasonCode>482</ReasonCode>
<ReplyCode>0</ReplyCode>
<ReplyFlag>DCHALLENGE</ReplyFlag>
<ReplyMessage>Decision is CHALLENGE.</ReplyMessage>
</Reply>
</Order>
<Customer>
<BillTo>
<FirstName>SAM100</FirstName>
<LastName>DISOUZA200</LastName>
<Address1>123 Metro blvd</Address1>
<City>San Jose</City>
<State>CA</State>
<PostalCode>91234</PostalCode>
<Country>US</Country>
<Phone>4447776666</Phone>
<Email>[email protected]</Email>
</BillTo>
<ShipTo>
<FirstName>RAJAKUMARAN</FirstName>
<LastName>GOWTHAMAN</LastName>
<Address1>96</Address1>
<Address2>powers street</Address2>
<City>Clearwater milford</City>
<State>NH</State>
<PostalCode>`03055</PostalCode>
<Country>US</Country>
</ShipTo>
</Customer>
<Payment>

Decision Manager Account Takeover Protection Service | July 2018 79

 Chapter 2 Configuring Rules and Profiles

<AccountSuffix>1745</AccountSuffix>
<CardBINNumber>491757</CardBINNumber>
</Payment>
<Providers>
<Provider>
<Name>DeviceFingerprint</Name>
<Field>
<Name>Device Fingerprint</Name>
<Value>b1c8be931e5845c4afaaf3f5384c4d27</Value>
</Field>
<Field>
<Name>Device Smart ID</Name>
<Value>664d93c996a24db087ead801d59fe05d</Value>
</Field>
<Field>
<Name>Device Smart ID Confidence</Name>
<Value>100.00</Value>
</Field>
<Field>
<Name>Screen Resolution</Name>
<Value>1920x1080</Value>
</Field>
<Field>
<Name>Application Type</Name>
<Value>browser_computer</Value>
</Field>
<Field>
<Name>Browser Language</Name>
<Value>en-US,en;q=0.9</Value>
</Field>
<Field>
<Name>Java Script Enabled</Name>
<Value>yes</Value>
</Field>
<Field>
<Name>Flash Enabled</Name>
<Value>no</Value>
</Field>
<Field>
<Name>Cookies Enabled</Name>
<Value>yes</Value>
</Field>
<Field>
<Name>Images Enabled</Name>
<Value>yes</Value>
</Field>
<Field>
<Name>Proxy Server Type</Name>
<Value>anonymous</Value>
</Field>
<Field>
<Name>Proxy IPaddress</Name>
<Value>103.79.116.22</Value>

Decision Manager Account Takeover Protection Service | July 2018 80

 Chapter 2 Configuring Rules and Profiles

</Field>
<Field>
<Name>Proxy IPaddress Attributes</Name>
<Value>_LOGIN_PASSED</Value>
</Field>
<Field>
<Name>Date Device Matched</Name>
<Value>success</Value>
</Field>
<Field>
<Name>Profiled URL</Name>
<Value>http://sl73kraknapq001.visa.com:8080/fp/
fp.jsp?0c8cb10bd310cc39fd8973b9ea445add</Value>
</Field>
<Field>
<Name>Profiling Duration</Name>
<Value>35</Value>
</Field>
<Field>
<Name>Time On Page</Name>
<Value>1587</Value>
</Field>
<Field>
<Name>AutoDPF sreekar handle Id</Name>
<Value>risk_bvt732306215172627203</Value>
</Field>
<Field>
<Name>AutoDPF reghu proxy ip</Name>
<Value>103.77.111.22</Value>
</Field>
</Provider>
</Providers>
<DecisionManagerEvents>
<TypeofEvent>login</TypeofEvent>
<EventPolicy>default</EventPolicy>
<EventInformation>
<EventInfoCodes>
<InfocodeType>device_fingerprint</InfocodeType>
<InfocodeString>AnonymousProxy,NewDevice</InfocodeString>
</EventInfoCodes>
</EventInformation>
</DecisionManagerEvents>
</Transaction>
</Report>

Decision Manager Account Takeover Protection Service | July 2018 81

 Chapter 2 Configuring Rules and Profiles

XSD for the Decision Manager Event Detail

Report
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:tns="https://ebc.cybersource.com/ebc/reports/xsd/
DecisionManagerEventDetailReport.xsd"
xmlns:dmt="https://ebc.cybersource.com/ebc/reports/xsd/
DecisionManagerTypes.xsd"
elementFormDefault="qualified"
targetNamespace="https://ebc.cybersource.com/ebc/reports/xsd/
DecisionManagerEventDetailReport.xsd">

<xs:import schemaLocation="DecisionManagerTypes.xsd"
namespace="https://ebc.cybersource.com/ebc/reports/xsd/
DecisionManagerTypes.xsd" />

<xs:element type="tns:DecisionManagerEventDetailReport"
name="DecisionManagerEventDetailReport"/>
<xs:complexType name="DecisionManagerEventDetailReport">
<xs:sequence>
<xs:element type="tns:Transaction" name="Transaction" minOccurs="0"
maxOccurs="20000000"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="Transaction">
<xs:sequence>
<xs:element type="dmt:Order" name="Order" minOccurs="0"/>
<xs:element type="dmt:Customer" name="Customer" minOccurs="0"/>
<xs:element type="dmt:Payment" name="Payment" minOccurs="0"/>
<xs:element type="dmt:AFSInformation" name="AFSInformation"
minOccurs="0"/>
<xs:element type="dmt:MarkedSuspect" name="MarkedSuspect"
minOccurs="0"/>
<xs:element type="dmt:TravelData" name="TravelData" minOccurs="0"/>
<xs:element type="dmt:MerchantDefinedData"
name="MerchantDefinedData" minOccurs="0"/>
<xs:element type="dmt:Providers" name="Providers" minOccurs="0"/>
<xs:element type="dmt:MorphingElements" name="MorphingElements"
minOccurs="0"/>
<xs:element type="tns:DecisionManagerEvents"
name="DecisionManagerEvents" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="DecisionManagerEvents">
<xs:sequence>
<xs:element type="xs:string" name="TypeOfEvent" minOccurs="0"/>
<xs:element type="xs:string" name="EventPolicy" minOccurs="0"/>
<xs:element type="tns:EventInformation" name="EventInformation"
minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="EventInformation">

Decision Manager Account Takeover Protection Service | July 2018 82

 Chapter 2 Configuring Rules and Profiles

<xs:sequence>
<xs:element type="tns:EventInfoCodes" name="EventInfoCodes"
minOccurs="0" maxOccurs="100000"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="EventInfoCodes">
<xs:sequence>
<xs:element type="xs:int" name="InfocodeType" minOccurs="1"/>
<xs:element type="xs:string" name="InfoCodeString" minOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:schema>

Decision Manager Account Takeover Protection Service | July 2018 83

 APPENDIX
API Fields and Examples
A

In addition to implementing device fingerprinting to support risk screening of events, you

must send information about your transactions to CyberSource using one of the following
APIs and be prepared to receive specific fields and information codes in the reply. For
information about implementing device fingerprinting, see the Decision Manager Device
Fingerprinting Guide (PDF | HTML). You must be logged in to the Business Center to view
this guide.

Simple Order API Fields

Formatting Restrictions
Unless otherwise noted, all field names are case sensitive and all fields accept special
characters such as @, #, and %.

Data Type Definitions

For more information about these data types, see the World Wide Web Consortium (W3C)
XML Schema Part 2: Datatypes specification.

Data Type Description

Integer Whole number {…, -3, -2, -1, 0, 1, 2, 3, …}
String Sequence of letters, numbers, spaces, and special characters.

Decision Manager Account Takeover Protection Service | July 2018 84

 Appendix A API Fields and Examples

Simple Order API Request Fields

All Simple Order API request fields are used by the dmEvent service.

Table 12 Simple Order API Request Fields

Field Description Required (R) or Data Type

Optional (O) & Length
billTo_city City of the customer’s address. O String (50)
billTo_country Country of the customer’s address. O String (2)
Use the two-character country code listed
in the Support Center.
billTo_customerPassword Customer’s account password. This value O String (255)
is not stored, displayed, or returned.
billTo_customerUserName Specifies the customer account user O String (255)
name.
billTo_email Customer’s email address, including the O String (255)
full domain name. Use the following
format: [email protected] (for example,
[email protected]).
billTo_firstName Customer’s first name as it appears on O String (60)
the account.
billTo_lastName Customer’s last name as it appears on the O String (60)
account.
billTo_phoneNumber Telephone number of the customer. Long- O String (15)
distance codes (0 and 1) that precede
phone numbers are removed before
processing. Do not use dashes, spaces,
or parentheses because they might
interfere with the creation of custom rules
that use the request data as is.
For countries other than US or CA, add
the country code at the beginning of the
phone number, if possible.
billTo_postalCode Postal code for the billing address. The O String (10)
postal code must consist of 5 to 9 digits.
When the billing country is the U.S., the 9-
digit postal code must follow this format:
[5 digits][dash][4 digits]
Example 12345-6789
When the billing country is Canada, the 6-
digit postal code must follow this format:
[alpha][numeric][alpha][space]
[numeric][alpha][numeric]
Example A1B 2C3

Decision Manager Account Takeover Protection Service | July 2018 85

 Appendix A API Fields and Examples

Table 12 Simple Order API Request Fields (Continued)

Field Description Required (R) or Data Type

Optional (O) & Length
billTo_state State or province of the customer’s O String (2)
address.
Use the two-character country code listed
in the Support Center.
billTo_street1 Street address of the customer as it O String (60)
appears on the account.
billTo_street2 Used for additional address information. O String (60)
For example: Attention: Accounts Payable
card_accountNumber Customer’s credit card number. Non- O String w/
numeric values are ignored. numbers
only (20)
card_bin Credit card BIN (first six digits of the credit O Positive
card). The BIN will be used in place of the Integer (6)
first six digits of the credit card when
present.
deviceFingerprintID Field that contains the session ID that you R String (88)
send to Decision Manager to obtain the
device fingerprint information. The string
can contain uppercase and lowercase
letters, digits, hyphen (-), and underscore
(_). However, do not use the same
uppercase and lowercase letters to
indicate different session IDs.
The session ID must be unique for each
merchant ID. You can use any string that
you are already generating, such as an
order number or web session ID.
For information about configuring your
web site or mobile application to include
the deviceFingerprintID field, see the
Decision Manager Device Fingerprinting
Guide (PDF | HTML). You must be logged
in to the Business Center to access the
guide.
dmeService_run Whether to include dmEvent service in O String (255)
your request. Possible values:
 true: Include the service in your
request.
 false (default): Do not include the
service in your request.

Decision Manager Account Takeover Protection Service | July 2018 86

 Appendix A API Fields and Examples

Table 12 Simple Order API Request Fields (Continued)

Field Description Required (R) or Data Type

Optional (O) & Length
dmEventService_eventType Specifies one of the following types of R String (255)
events:
 login
 account_creation
 account_update
merchantDefinedData_ Fields that you can use to store O String (255)
mddField_1 information. The value appears in the
to Case Management Details window in the
Business Center. The first four fields are
merchantDefinedData_
the same fields that are used by the
mddField_100
Secure Data services. These values are
shared with Decision Manager.
Warning Merchant-defined data fields
are not intended to and must not be used
to capture personally identifying
information. Accordingly, merchants are
prohibited from capturing, obtaining, and/
or transmitting any personally identifying
information in or via the merchant-defined
data fields. Personally identifying
information includes, but is not limited to,
address, credit card number, social
security number, driver's license number,
state-issued identification number,
passport number, and card verification
numbers (CVV, CVC2, CVV2, CID, CVN).
In the event CyberSource discovers that a
merchant is capturing and/or transmitting
personally identifying information via the
merchant-defined data fields, whether or
not intentionally, CyberSource will
immediately suspend the merchant's
account, which will result in a rejection of
any and all transaction requests submitted
by the merchant after the point of
suspension.
merchantReferenceCode Merchant-generated order reference or O String (50)
tracking number.
shipTo_city City of the shipping address. O String (50)

shipTo_country Country of the shipping address. Use the O String (2)

two-character ISO Standard Country
Codes.

Decision Manager Account Takeover Protection Service | July 2018 87

 Appendix A API Fields and Examples

Table 12 Simple Order API Request Fields (Continued)

Field Description Required (R) or Data Type

Optional (O) & Length
shipTo_postalCode Postal code for the shipping address. The O String (10)
postal code must consist of 5 to 9 digits.
When the shipping country is the U.S., the
9-digit postal code must follow this format:
[5 digits][dash][4 digits]
Example 12345-6789
When the shipping country is Canada, the
6-digit postal code must follow this format:
[alpha][numeric][alpha][space]
[numeric][alpha][numeric]
Example A1B 2C3

shipTo_state State or province of the shipping address. O String (2)

Use the State, Province, and Territory
Codes for the United States and Canada.

shipTo_street1 First line of the shipping address. O String (60)

shipTo_street2 Second line of the shipping address. O String (60)

Decision Manager Account Takeover Protection Service | July 2018 88

 Appendix A API Fields and Examples

Simple Order API Request Examples

Name-Value Pair Request

merchantID=merchantid
merchantReferenceCode=abcd
customerID=customerid
customerFirstName=john
customerLastName=smith
billTo_firstName=Jim
billTo_lastName=Jimmy
billTo_street1=9808 Gate Ave
billTo_city=San Jose
billTo_state=CA
billTo_postalCode=95128
billTo_country=US
billTo_company=abcd
billTo_phoneNumber=6505555555
[email protected]
billTo_ipAddress=10.11.12.13
billTo_customerUserName=username
billTo_customerPassword=password1234
billTo_personalID=personalid
shipTo_firstName=shipFName
shipTo_lastName=shipLastname
shipTo_street1=1176 Stevens Creek Street
shipTo_street2=Apt #1
shipTo_city=Cupertino
shipTo_state=CA
shipTo_postalCode=71626
shipTo_country=US
shipTo_phoneNumber=5673458900
card_accountNumber=5111111111111111
card_expirationMonth=12
card_expirationYear=15
dmeService_run=true
dmeService_eventType=login
deviceFingerprintID=369365465498791792

Decision Manager Account Takeover Protection Service | July 2018 89

 Appendix A API Fields and Examples

XML Request

<urn:customerID>test_customer_account_id</urn:customerID>
<urn:customerFirstName>first</urn:customerFirstName>
<urn:customerLastName>notsimilar</urn:customerLastName>
<urn:billTo>
<urn:firstName>Jim</urn:firstName>
<urn:lastName>Jimmy</urn:lastName>
<urn:street1>9808 Gate Ave</urn:street1>
<urn:city>San Jose</urn:city>
<urn:state>CA</urn:state>
<urn:postalCode>95128</urn:postalCode>
<urn:country>US</urn:country>
<urn:company>abcd</urn:company>
<urn:phoneNumber>6505555555</urn:phoneNumber>
<urn:email>[email protected]</urn:email>
<urn:ipAddress>10.11.12.13</urn:ipAddress>
<urn:customerUserName>usernametest</urn:customerUserName>
<urn:customerPassword>passwordtest</urn:customerPassword>
<urn:personalID>personal</urn:personalID>
</urn:billTo>
<urn:shipTo>
<urn:firstName>shipFName</urn:firstName>
<urn:lastName>shipLastname</urn:lastName>
<urn:street1>1176 Stevens Creek Street</urn:street1>
<urn:street2>Apt #1</urn:street2>
<urn:city>Cupertino</urn:city>
<urn:state>CA</urn:state>
<urn:postalCode>71626</urn:postalCode>
<urn:country>US</urn:country>
<urn:phoneNumber>5673458900</urn:phoneNumber>
</urn:shipTo>
<urn:card>
<urn:accountNumber>4111111111111111</urn:accountNumber>
<urn:expirationMonth>12</urn:expirationMonth>
<urn:expirationYear>15</urn:expirationYear>
</urn:card>
<urn:dmeService run="true">
<urn:eventType>login</urn:eventType>
</urn:dmeService>
<urn:deviceFingerprintID>276249094975537664</urn:deviceFingerprintID>

Decision Manager Account Takeover Protection Service | July 2018 90

 Appendix A API Fields and Examples

Simple Order API Reply Fields

NVP reply fields are returned in the form:
dmeReply_additionalFields_field_x_provider=device
dmeReply_additionalFields_field_x_name=name
dmeReply_additionalFields_field_x_value=value

XML reply fields are returned in the form:

<additionalFields>
<field>
<provider>device</provider>
<name>field</name>
<value>value</value>
</field>
</additionalFields>

For provider fields, NVP reply fields are returned in the form:
dmeReply_providerFields_provider_x_name=Provider Name
dmeReply_providerFields_x_field_x_name=Field Name
dmeReply_providerFields_x_field_x_value=Field Value

For provider fields, XML reply fields are returned in the form:
<providerFields>
<provider>
<name>provider_name_0</name>
<field>
<name>fieldname0</name>
<value>fieldvalue0</value>
</field>
</provider>
<provider>
<name>provider_name_1</name>
<field>
<name>fieldname1</name>
<value>fieldvalue1</value>
</field>
</provider>
</providerFields>

Example 6 NVP Provider Reply Field Example

decision_provider_1_name=fingerprint
decision_provider_1_field_5_name=device_match
decision_provider_1_field_5_value=success

Decision Manager Account Takeover Protection Service | July 2018 91

 Appendix A API Fields and Examples

Example 7 XML Provider Reply Field Example

<providerFields>
<provider>
<name>fingerprint</name>
<field>
<name>device_match</name>
<value>success</value>
</field>
<field>
<name>first_encounter</name>
<value>2018-01-02</value>
</field>
</provider>
</providerFields>

In Table 13 the fields returned within the <name> field are described.

Table 13 Simple Order API Reply Fields

Field Description Data Type

& Length
agent_type Indicates whether a mobile device or a computer was used String (255)
to initiate the session. If the session is initiated with a
mobile device, this field indicates whether the mobile
browser or mobile application is being used. This field can
return the following values:
 browser_computer: Device is using a standard
browser, which contains the fingerprinting tags.
 browser_mobile: Device is using a mobile browser,
which contains the fingerprinting tags.
 agent_mobile: Device is using a mobile application,
and fingerprinting mobile SDK tags are present in that
mobile application.
binCountry Country (two-digit country code) associated with the BIN of String (255)
the customer’s card used for the payment. Returned if the
information is available.
Use this field for additional information when reviewing
orders. This information is also displayed in the details page
of the Business Center.

Decision Manager Account Takeover Protection Service | July 2018 92

 Appendix A API Fields and Examples

Table 13 Simple Order API Reply Fields (Continued)

Field Description Data Type

& Length
browser_language Comma-separated list of languages preferred or supported String (255)
by the browser. When the browser supports more than one
language, a Q value between 0 and 1 can be assigned to
each language to indicate which language the browser
prefers or supports. The preferred language is assigned the
default value of 1, which may be omitted from the string.
Examples:
 en-us, en;q=0: the browser prefers U.S. English but
can support non-U.S. English.
 es, en-us; q=0.3, de;q=0.1: the browser
prefers Spanish (es) but can support U.S. English (en-
us;q=0.3) and German (de;q=0.1).
cardAccountType Type of payment card account. This field can refer to a String (255)
credit card, debit card, or prepaid card account type.
cardBin BIN of the credit card used for the payment. String (255)
cardIssuer Name of the bank or entity that issued the card account. String (255)
cardScheme Subtype of card account. For example: Maestro String (255)
International, Mastercard Credit, or Visa Credit.
enabled_ck Boolean value indicating whether cookies are enabled. String (255)
enabled_fl Indicates whether flash is enabled. String (255)
enabled_im Indicates whether images are enabled. String (255)
enabled_js Indicates whether Javascript is enabled. String (255)
field_#_name Field name, for example, email address domain name String (255)
(domain_name).
field_#_value Value for the field, for example, yahoo.com. String (255)
fingerprint_hash Unique identifier of the computer. String (255)
flash_os Device operating system as reported by Flash. String (255)
This field is not returned for iOS applications.
flash_version The version of Flash installed on the device. String (255)
This field is not returned for iOS applications.
fuzzy_device_id Smart ID. String (255)
fuzzy_device_id_confidence Confidence level in the smart ID. String (255)
hw_gps_accuracy Indicates the accuracy of the mobile device’s GPS. String (255)
hw_latitude Latitude location of the device. String (255)
hw_longitude Longitude location of the device. String (255)

Decision Manager Account Takeover Protection Service | July 2018 93

 Appendix A API Fields and Examples

Table 13 Simple Order API Reply Fields (Continued)

Field Description Data Type

& Length
jb_root Returned for mobile devices only. String (255)
Detects whether a mobile device running an application that
contains Decision Manager device fingerprinting code has
root privileges. This form of privilege escalation is known as
“jailbreaking” on iOS devices. This field returns a numerical
value that indicates the number of root elements or
“jailbreaks” detected on the device. A “0” indicates that
there are no root elements or jailbreaks detected.
jb_root_reason Returned for mobile devices only. String (255)
Returns additional information that describes the elements
on the device that triggered the escalation to root privileges.
match_result Indicates whether the device was encountered before and String (255)
whether enough attributes were gathered to identify the
device. This field can return the following values:
 Success: Device fingerprint was previously
encountered.
 New_Device: Device was not previously encountered.
 Not_Enough_Attribs: Not enough attributes were
gathered to identify whether the device was previously
encountered.
morphingElement_#_count Morphing count specified by the number #. Integer (5)
Note The count is not returned for the initial transaction.

Decision Manager Account Takeover Protection Service | July 2018 94

 Appendix A API Fields and Examples

Table 13 Simple Order API Reply Fields (Continued)

Field Description Data Type

& Length
morphingElement_#_fieldName Field name of the morphing element specified by the String (255)
number # according to the setting that you chose in the
velocity editor. This field can contain one of the following
values:
 account_number
 billing_phone_number
 billing_first_name
 billing_last_name
 card_BIN
 customer_account_ID
 customer_IP_address
 customer_username
 customer_password
 device_fingerprint
 email_address
 merchant_reference_number
 proxy_IP_address
 shipping_address
 shipping_phone_number
 smart_ID
 true_IP_address
morphingElement_#_infoCode Identifier that CyberSource assigned to the velocity rule String (255)
specified by the number #.
page_time_on Time period in milliseconds that the device profiling page String (255)
displays on the browser before it closes or the user
navigates away from the page.
profiled_url URL of the profiled page. String (255)
If the device fingerprinting mobile SDK is used, this reply
field returns the custom URL that was specified in the
doProfileRequest() function of your mobile
application.
provider_#_name Name of the provider, for example, Emailage. String (255)
proxy_ip IP address of the proxy if it is available. String (255)

Decision Manager Account Takeover Protection Service | July 2018 95

 Appendix A API Fields and Examples

Table 13 Simple Order API Reply Fields (Continued)

Field Description Data Type

& Length
proxy_ip_activities Actions associated with the proxy IP address. This field can String (255)
contain one or more of these values, separated by carets
(^):
 BANK: IP address belongs to a financial organization.
 CLICK_FRAUD: IP address has been used for click
fraud.
 CONNECTING_TO_BOTNET: IP address has been
connected to a botnet.
 CONNECTING_TO_MALWARE_SITE: IP address has
been connected to a malware site.
 DNS_CONNECTION_ANOMALY: IP address has had a
DNS connection anomaly.
 INSTANT_MSG: IP address has been used for instant
messaging.
 IRC_CONNECTION_ANOMALY: IP address has been
connected to a suspicious IRC server.
 LEGITIMATE: IP address has been legitimate.
 MALWARE: IP address has been used for malware.
 NIGERIAN: IP address has been used for Nigerian
email or spam.
 OTHER: IP has been involved in other activities.
 P2P: IP address has been used for peer-to-peer
communication.
 PHISH: IP address has been used for phishing.
 SPAM: IP address has been used to send spam.
 TCP_SCAN_FLAG: IP address has been used as TCP
port scanner.
 UDP_SCAN_FLAG: IP address has been used as UDP
port scanner.

Decision Manager Account Takeover Protection Service | July 2018 96

 Appendix A API Fields and Examples

Table 13 Simple Order API Reply Fields (Continued)

Field Description Data Type

& Length
proxy_ip_attributes Characteristics of the proxy IP address. This field can String (255)
contain one or more of these values, separated by carets
(^):
 BOGON: IP address has been part of a range of bogus IP
addresses.
 BOTNET_ZOMBIE: IP address has been either a
zombie or a botnet.
 DYNAMIC: IP address has been dynamic.
 HIJACKED: IP address has been part of a range of
hijacked IP addresses.
 NAME_SERVER: IP address has been a name server.
 OPEN_PROXY: IP address has been an open proxy.
 OPEN_RELAY: IP address has been an open relay.
 PORTAL: IP address has been a portal.
 PROXY: IP address has been a proxy.
 RANGE: IP address has been part of a range of IP
addresses.
 STATIC: IP address has been static.

Decision Manager Account Takeover Protection Service | July 2018 97

 Appendix A API Fields and Examples

Simple Order API Reply Examples

Name-Value Pair Reply

decision=ACCEPT
requestID=4302369440065000001547
dmeReply_additionalFields_field_0_provider=device
dmeReply_additionalFields_field_0_name=true_ip_city
dmeReply_additionalFields_field_0_value=san francisco
dmeReply_additionalFields_field_1_provider=device
dmeReply_additionalFields_field_1_name=request_duration
dmeReply_additionalFields_field_1_value=79
dmeReply_additionalFields_field_2_provider=device
dmeReply_additionalFields_field_2_name=fuzzy_device_id
dmeReply_additionalFields_field_2_value=2ea5fd0820294b48ab33d7ec13e1257e
dmeReply_additionalFields_field_3_provider=device
dmeReply_additionalFields_field_3_name=screen_res
dmeReply_additionalFields_field_3_value=2400x1350
dmeReply_additionalFields_field_4_provider=device
dmeReply_additionalFields_field_4_name=flash_version
dmeReply_additionalFields_field_4_value=WIN 17,0,0,169
dmeReply_additionalFields_field_5_provider=device
dmeReply_additionalFields_field_5_name=enabled_js
dmeReply_additionalFields_field_5_value=true
dmeReply_additionalFields_field_6_provider=device
dmeReply_additionalFields_field_6_name=agent_type
dmeReply_additionalFields_field_6_value=browser_computer
dmeReply_additionalFields_field_7_provider=device
dmeReply_additionalFields_field_7_name=fuzzy_device_id_confidence
dmeReply_additionalFields_field_7_value=100.00
dmeReply_additionalFields_field_8_provider=device
dmeReply_additionalFields_field_8_name=flash_os
dmeReply_additionalFields_field_8_value=Windows 7
dmeReply_additionalFields_field_9_provider=device
dmeReply_additionalFields_field_9_name=fingerprint_hash
dmeReply_additionalFields_field_9_value=2ea5fd0820294b48ab33d7ec13e1257e
dmeReply_additionalFields_field_10_provider=device
dmeReply_additionalFields_field_10_name=profiled_url
dmeReply_additionalFields_field_10_value=http://website.com
dmeReply_additionalFields_field_11_provider=device
dmeReply_additionalFields_field_11_name=browser_language
dmeReply_additionalFields_field_11_value=en-US,en;q=0.8
dmeReply_additionalFields_field_12_provider=device
dmeReply_additionalFields_field_12_name=true_ip_geo
dmeReply_additionalFields_field_12_value=US
dmeReply_additionalFields_field_13_provider=device
dmeReply_additionalFields_field_13_name=true_ip
dmeReply_additionalFields_field_13_value=198.241.217.15
dmeReply_additionalFields_field_14_provider=device
dmeReply_additionalFields_field_14_name=match_result

Decision Manager Account Takeover Protection Service | July 2018 98

 Appendix A API Fields and Examples

dmeReply_additionalFields_field_14_value=success
dmeReply_additionalFields_field_15_provider=device
dmeReply_additionalFields_field_15_name=enabled_ck
dmeReply_additionalFields_field_15_value=true
dmeReply_additionalFields_field_16_provider=device
dmeReply_additionalFields_field_16_name=enabled_fl
dmeReply_additionalFields_field_16_value=true
dmeReply_additionalFields_field_17_provider=device
dmeReply_additionalFields_field_17_name=enabled_im
dmeReply_additionalFields_field_17_value=false
dmeReply_additionalFields_field_18_provider=device
dmeReply_additionalFields_field_18_name=page_time_on
dmeReply_additionalFields_field_18_value=84897471
dmeReply_additionalFields_field_19_provider=device
dmeReply_additionalFields_field_19_name=true_ip_attributes
dmeReply_additionalFields_field_19_value=_LOGIN_PASSED^_WATCH
dmeReply_morphingElement_0_count=2
dmeReply_morphingElement_0_fieldName=account_number
dmeReply_morphingElement_0_infoCode=MVEL-E5226
dmeReply_cardBin=411111
dmeReply_cardIssuer=JPMORGAN CHASE BANK, N.A.
dmeReply_cardScheme=VISA CREDIT
dmeReply_binCountry=US
dmeReply_cardAccountType=001

Decision Manager Account Takeover Protection Service | July 2018 99

 Appendix A API Fields and Examples

XML Reply

<c:decision>ACCEPT</c:decision>
<c:reasonCode>100</c:reasonCode>
<c:requestToken>AhizbwSR0na8z7NcIlgWXgKf+24Z7DAE/
6GTbjgGcY265wDIHCuV</c:requestToken>
<c:dmeReply>
<c:eventInfo>ExactIDinGlobalRejectList</c:eventInfo>
<c:eventHotlistInfo>NEG-EM^NEG-SUSP</c:eventHotlistInfo>
<c:additionalFields>
<c:field>
<c:provider>device</c:provider>
<c:name>true_ip_city</c:name>
<c:value>san francisco</c:value>
</c:field>
<c:field>
<c:provider>device</c:provider>
<c:name>request_duration</c:name>
<c:value>116</c:value>
</c:field>
<c:field>
<c:provider>device</c:provider>
<c:name>fuzzy_device_id</c:name>
<c:value>2ea5fd0820294b48ab33d7ec13e1257e</c:value>
</c:field>
<c:field>
<c:provider>device</c:provider>
<c:name>screen_res</c:name>
<c:value>2400x1350</c:value>
</c:field>
<c:field>
<c:provider>device</c:provider>
<c:name>flash_version</c:name>
<c:value>WIN 17,0,0,169</c:value>
</c:field>
<c:field>
<c:provider>device</c:provider>
<c:name>enabled_js</c:name>
<c:value>true</c:value>
</c:field>
<c:field>
<c:provider>device</c:provider>
<c:name>agent_type</c:name>
<c:value>browser_computer</c:value>
</c:field>
<c:field>
<c:provider>device</c:provider>
<c:name>fuzzy_device_id_confidence</c:name>
<c:value>100.00</c:value>
</c:field>
<c:field>

Decision Manager Account Takeover Protection Service | July 2018 100

 Appendix A API Fields and Examples

<c:provider>device</c:provider>
<c:name>flash_os</c:name>
<c:value>Windows 7</c:value>
</c:field>
<c:field>
<c:provider>device</c:provider>
<c:name>fingerprint_hash</c:name>
<c:value>2ea5fd0820294b48ab33d7ec13e1257e</c:value>
</c:field>
<c:field>
<c:provider>device</c:provider>
<c:name>profiled_url</c:name>
<c:value>http://website.com</c:value>
</c:field>
<c:field>
<c:provider>device</c:provider>
<c:name>browser_language</c:name>
<c:value>en-US,en;q=0.8</c:value>
</c:field>
<c:field>
<c:provider>device</c:provider>
<c:name>true_ip_geo</c:name>
<c:value>US</c:value>
</c:field>
<c:field>
<c:provider>device</c:provider>
<c:name>true_ip</c:name>
<c:value>198.241.217.15</c:value>
</c:field>
<c:field>
<c:provider>device</c:provider>
<c:name>match_result</c:name>
<c:value>success</c:value>
</c:field>
<c:field>
<c:provider>device</c:provider>
<c:name>enabled_ck</c:name>
<c:value>true</c:value>
</c:field>
<c:field>
<c:provider>device</c:provider>
<c:name>enabled_fl</c:name>
<c:value>true</c:value>
</c:field>
<c:field>
<c:provider>device</c:provider>
<c:name>enabled_im</c:name>
<c:value>false</c:value>
</c:field>
<c:field>
<c:provider>device</c:provider>
<c:name>page_time_on</c:name>
<c:value>84887801</c:value>

Decision Manager Account Takeover Protection Service | July 2018 101

 Appendix A API Fields and Examples

</c:field>
<c:field>
<c:provider>device</c:provider>
<c:name>true_ip_attributes</c:name>
<c:value>_LOGIN_PASSED^_WATCH</c:value>
</c:field>
</c:additionalFields>
<c:morphingElement>
<c:element>
<c:infoCode>MVEL-E1001</c:infoCode>
<c:fieldName>customer_phone</c:fieldName>
<c:count>5</c:count>
</c:element>
<c:element>
<c:infoCode>MVEL-E1002</c:infoCode>
<c:fieldName>customer_ip_address</c:fieldName>
<c:count>3</c:count>
</c:element>
</c:morphingElement>
<c:field>
<c:cardBin>411111</c:cardBin>
<c:cardIssuer>JPMORGAN CHASE BANK, N.A.</c:cardIssuer>
<c:cardScheme>VISA CREDIT</c:cardScheme>
<c:binCountry>US</c:binCountry>
<c:cardAccountType>001</c:cardAccountType>
</c:field>
</c:dmeReply>
<c:reserved>
<ics_message xmlns="urn:schemas-cybersource-com:
transaction-data:ics">
<decision>ACCEPT</decision>
<dm_event_rmsg>ics_dm_event service was successful
</dm_event_rmsg>
<dm_event_device_true_ip_city>san francisco
</dm_event_device_true_ip_city>
<ics_rflag>SOK</ics_rflag>
<dm_event_device_request_duration>116
</dm_event_device_request_duration>
<ics_decision_reason_code>100</ics_decision_reason_code>
<dm_event_device_fuzzy_device_ id>
2ea5fd0820294b48ab33d7ec13e1257e
</dm_event_device_fuzzy_device_id>
<dm_event_return_code>1340000</dm_event_return_code>
<ics_rmsg>Request was processed successfully.</ics_rmsg>
<dm_event_device_screen_res>2400x1350
</dm_event_device_screen_res>
<dm_event_hotlist_info>NEG-EM^NEG-SUSP
</dm_event_hotlist_info>
<dm_event_device_flash_version>WIN 17,0,0,169
</dm_event_device_flash_version>
<merchant_ref_number>ED Testing</merchant_ref_number>
<dm_event_info>ExactIDinGlobalRejectList</dm_event_info>
<dm_event_rflag>SOK</dm_event_rflag>

Decision Manager Account Takeover Protection Service | July 2018 102

 Appendix A API Fields and Examples

<dm_event_device_enabled_js>true
</dm_event_device_enabled_js>
<dm_event_device_agent_type>browser_computer
</dm_event_device_agent_type>
<request_token>AhizbwSR0na8z7NcIlgWXgKf+24Z7DAE
6GTbjgGcY265wDIHCuV</request_token>
<dm_event_device_fuzzy_device_id_confidence>100.00
</dm_event_device_fuzzy_device_id_confidence>
<dm_event_device_flash_os>Windows 7
</dm_event_device_flash_os>
<ics_rcode>1</ics_rcode>
<dm_event_device_fingerprint_hash>
2ea5fd0820294b48ab33d7ec13e1257e
</dm_event_device_fingerprint_hash>
<dm_event_device_profiled_url>http://website.com
</dm_event_device_profiled_url>
<dm_event_device_browser_language>en-US,en;q=0.8
</dm_event_device_browser_language>
<dm_event.reason_code>100</dm_event.reason_code>
<ics_return_code>1000000</ics_return_code>
<request_id>4302369340055000001547</request_id>
<dm_event_device_true_ip_geo>US
</dm_event_device_true_ip_geo>
<dm_event_device_true_ip>198.241.217.15
</dm_event_device_true_ip>
<dm_event_device_match_result>success
</dm_event_device_match_result>
<dm_event_device_enabled_ck>true
</dm_event_device_enabled_ck>
<dm_event_device_enabled_fl>true
</dm_event_device_enabled_fl>
<dm_event_device_enabled_im>false
</dm_event_device_enabled_im>
<dm_event_device_page_time_on>84887801
</dm_event_device_page_time_on>
<dm_event_rcode>1</dm_event_rcode>
<dm_event_device_true_ip_attributes>_LOGIN_PASSED^_WATCH
</dm_event_device_true_ip_attributes>

Decision Manager Account Takeover Protection Service | July 2018 103

 Appendix A API Fields and Examples

Reason Codes
The following table describes the reason codes returned by the Simple Order API for the
Decision Manager Account Takeover Protection Service.

Table 14 Reason Codes

Reason Description
Code
100 Successful transaction.
101 The request is missing one or more required fields.
Possible action: See the reply fields missingField_0 through missingField_N for which fields are
missing. Resend the request with the complete information.
102 One or more fields in the request contains invalid data.
Possible action: See the reply fields invalidField_0 through invalidField_N for which fields are invalid.
Resend the request with the correct information.
150 Error: General system failure.
Possible action: Wait a few minutes and resend the request.
151 Error: The request was received but there was a server time-out. This error does not include time-outs
between the client and the server.
Possible action: Wait a few minutes and resend the request.
152 Error: The request was received but there was a service time-out.
Possible action: Wait a few minutes and resend the request.
202 CyberSource declined the request because the card has expired. You may also receive this reason
code if the expiration date that you provided does not match the date on file at the issuing bank. If the
payment processor allows issuance of credits to expired cards, CyberSource does not limit this
functionality.
Possible action: Request a different card or another form of payment.
231 The account number is invalid.
Possible action: Request a different card or other form of payment.
234 There is a problem with your CyberSource merchant configuration.
Possible action: Do not resend the request. Contact Customer Support to correct the configuration
problem.
481 The order is rejected by Decision Manager Account Takeover Protection Service.
482 The order is marked for challenge by Decision Manager Account Takeover Protection Service.

Decision Manager Account Takeover Protection Service | July 2018 104

 Appendix A API Fields and Examples

SCMP API Fields

This section describes the SCMP (Simple Commerce Message Protocol) API fields that
you can use to access the Decision Manager Account Takeover Protection Service. The
SCMP API is a legacy name-value pair API that is supported for merchants who have
already implemented it. If you are new to CyberSource and want to connect to services,
use the Simple Order API, page 84.

Formatting Restrictions
Unless otherwise noted, all fields are order and case insensitive and the fields accept
special characters such as @, #, and %.

Data Type Definitions

Data Type Description
Nonnegative Integer Whole number greater than or equal to zero {0,1,2,3, …}
String Sequence of letters, numbers, spaces, and special characters

SCMP API Request Fields

All SCMP API request fields are used by the ics_dm_event service.

Table 15 SCMP API Request Fields

Field Description Required (R) Data Type

or Optional (O) & Length
bill_address1 Street address of the customer as it appears on O String (60)
the account.
bill_address2 Used for additional address information. For O String (60)
example: Attention: Accounts Payable
bill_city City of the customer’s address. O String (50)
bill_country Country of the customer’s address. O String (2)
Use the two-character country code listed in the
Support Center.
bill_state State or province of the customer’s address. O String (2)
Use the two-character country code listed in the
Support Center.

Decision Manager Account Takeover Protection Service | July 2018 105

 Appendix A API Fields and Examples

Table 15 SCMP API Request Fields (Continued)

Field Description Required (R) Data Type

or Optional (O) & Length
bill_zip Postal code for the billing address. The postal O String (10)
code must consist of 5 to 9 digits.
When the billing country is the U.S., the 9-digit
postal code must follow this format:
[5 digits][dash][4 digits]
Example 12345-6789
When the billing country is Canada, the 6-digit
postal code must follow this format:
[alpha][numeric][alpha][space]
[numeric][alpha][numeric]
Example A1B 2C3
cc_bin Credit card BIN (first six digits of the credit card). O Positive
The BIN will be used in place of the first six digits Integer (6)
of the credit card when present.
customer_cc_number Customer’s credit card number. Non-numeric O Non-
values are ignored. negative
integer (20)
customer_email Customer’s email address, including the full O String (255)
domain name. Use the following format:
[email protected] (for example,
[email protected]).
customer_firstname Customer’s first name as it appears on the O String (60)
account.
customer_lastname Customer’s last name as it appears on the O String (60)
account.
customer_password Customer’s account password. This value is not O String (255)
stored, displayed, or returned.
customer_phone Telephone number of the customer. Long-distance O String (15)
codes (0 and 1) that precede phone numbers are
removed before processing. Do not use dashes,
spaces, or parentheses because they might
interfere with the creation of custom rules that use
the request data as is.
For countries other than US or CA, add the
country code at the beginning of the phone
number, if possible.
customer_username Specifies the customer account user name. O String (255)

Decision Manager Account Takeover Protection Service | July 2018 106

 Appendix A API Fields and Examples

Table 15 SCMP API Request Fields (Continued)

Field Description Required (R) Data Type

or Optional (O) & Length
device_fingerprint_id Field that contains the session ID that you send to R String (88)
Decision Manager to obtain the device fingerprint
information. The string can contain uppercase and
lowercase letters, digits, hyphen (-), and
underscore (_). However, do not use the same
uppercase and lowercase letters to indicate
different session IDs.
The session ID must be unique for each merchant
ID. You can use any string that you are already
generating, such as an order number or web
session ID.
For information about configuring your web site or
mobile application to use the device_fingerprint_
id field, see the Decision Manager Device
Fingerprinting Guide (PDF | HTML). You must be
logged in to the Business Center to access the
guide.
dm_event_type Specifies one of the following types of events: R String (255)
 login
 account_creation
 account_update
ics_applications Specifies the ics_dm_event service: O String (255)
ics_applications=ics_dm_event
Decision Manager Account Takeover Protection
Service cannot be called with other applications.

Decision Manager Account Takeover Protection Service | July 2018 107

 Appendix A API Fields and Examples

Table 15 SCMP API Request Fields (Continued)

Field Description Required (R) Data Type

or Optional (O) & Length
merchant_ Fields that you can use to store information. The O String (255)
defined_data1 value appears in the Case Management Details
window in the Business Center. The first four fields
to
are the same fields that are used by the Secure
merchant_ Data services. These values are shared with
defined_data100 Decision Manager.
Warning Merchant-defined data fields are not
intended to and must not be used to capture
personally identifying information. Accordingly,
merchants are prohibited from capturing,
obtaining, and/or transmitting any personally
identifying information in or via the merchant-
defined data fields. Personally identifying
information includes, but is not limited to, address,
credit card number, social security number,
driver's license number, state-issued identification
number, passport number, and card verification
numbers (CVV, CVC2, CVV2, CID, CVN). In the
event CyberSource discovers that a merchant is
capturing and/or transmitting personally identifying
information via the merchant-defined data fields,
whether or not intentionally, CyberSource will
immediately suspend the merchant's account,
which will result in a rejection of any and all
transaction requests submitted by the merchant
after the point of suspension.
merchant_ref_number Merchant-generated order reference or tracking O String (50)
number.
ship_to_address1 First line of the shipping address. O String (60)

ship_to_address2 Second line of the shipping address. O String (60)

ship_to_city City of the shipping address. O String (50)

ship_to_country Country of the shipping address. Use the two- O String (2)
character ISO Standard Country Codes.

ship_to_state State or province of the shipping address. Use the O String (2)
State, Province, and Territory Codes for the United
States and Canada.

Decision Manager Account Takeover Protection Service | July 2018 108

 Appendix A API Fields and Examples

Table 15 SCMP API Request Fields (Continued)

Field Description Required (R) Data Type

or Optional (O) & Length
ship_to_zip Postal code for the shipping address. The postal O String (10)
code must consist of 5 to 9 digits.
When the shipping country is the U.S., the 9-digit
postal code must follow this format:
[5 digits][dash][4 digits]
Example 12345-6789
When the shipping country is Canada, the 6-digit
postal code must follow this format:
[alpha][numeric][alpha][space]
[numeric][alpha][numeric]
Example A1B 2C3

Decision Manager Account Takeover Protection Service | July 2018 109

 Appendix A API Fields and Examples

SCMP API Request Example

bill_address1=7011 McNeil Drive

bill_city=Austin
bill_country=US
bill_state=TX
bill_zip=78729
ship_to_address1=10 forest valley road
ship_to_address2=Apt #1
ship_to_city=markham
ship_to_country=CA
ship_to_state=ON
ship_to_zip=l6e 1v1
ship_to_phone=5128652200
customer_firstname=cooldude
customer_lastname=boom
ship_to_firstname=cooldude
ship_to_lastname=boom
[email protected]
customer_cc_number=5111111111111111
customer_cc_expyr=2015
customer_cc_expmo=12
customer_ipaddress=10.20.30.40
ics_applications=ics_dm_event
dm_event_type=account_creation
device_fingerprint_id=702193363073745025
customer_password=testing
merchant_ref_number=dme_service
customer_phone=6506339876
personal_id=512.132.493-68
shipping_method=DMEFirstclasskljdlfjs803280482
merchant_defined_data2=Testing MDD *(((()))
merchant_defined_data3=Testing MDD one more timekljldsjflsdja
merchant_id=ruleengine1
decision_manager_travel_departure_time=2015-04-10 6:30pm PDT

Decision Manager Account Takeover Protection Service | July 2018 110

 Appendix A API Fields and Examples

SCMP API Reply Fields

All of these reply fields are returned by the ics_dm_event service.

Table 16 SCMP API Reply Fields

Field Description Data Type

& Length
dm_event_device_agent_type Indicates whether a mobile device or a computer was String (255)
used to initiate the session. If the session is initiated
with a mobile device, this field indicates whether the
mobile browser or mobile application is being used.
This field can return the following values:
 browser_computer: Device is using a standard
browser, which contains the fingerprinting tags.
 browser_mobile: Device is using a mobile
browser, which contains the fingerprinting tags.
 agent_mobile: Device is using a mobile
application, and fingerprinting mobile SDK tags are
present in that mobile application.
dm_event_device_browser_language Comma-separated list of languages preferred or String (255)
supported by the browser. When the browser supports
more than one language, a Q value between 0 and 1
can be assigned to each language to indicate which
language the browser prefers or supports. The
preferred language is assigned the default value of 1,
which may be omitted from the string.
Examples:
 en-us, en;q=0: the browser prefers U.S.
English but can support non-U.S. English.
 es, en-us; q=0.3, de;q=0.1: the browser
prefers Spanish (es) but can support U.S. English
(en-us;q=0.3) and German (de;q=0.1).
dm_event_device_fingerprint_hash Unique identifier of the computer. String (255)
dm_event_device_match_result Indicates whether the device was encountered before String (255)
and whether enough attributes were gathered to
identify the device. This field can return the following
values:
 Success: Device fingerprint was previously
encountered.
 New_Device: Device was not previously
encountered.
 Not_Enough_Attribs: Not enough attributes
were gathered to identify whether the device was
previously encountered.
dm_event_device_enabled_ck Boolean value indicating whether cookies are enabled. String (255)
dm_event_device_enabled_fl Indicates whether flash is enabled. String (255)

Decision Manager Account Takeover Protection Service | July 2018 111

 Appendix A API Fields and Examples

Table 16 SCMP API Reply Fields (Continued)

Field Description Data Type

& Length
dm_event_device_enabled_im Indicates whether images are enabled. String (255)
dm_event_device_enabled_js Indicates whether Javascript is enabled. String (255)
dm_event_device_flash_os Device operating system as reported by Flash. String (255)
This field is not returned for iOS applications.
dm_event_device_flash_version The version of Flash installed on the device. String (255)
This field is not returned for iOS applications.
dm_event_device_fuzzy_device_id Smart ID. String (255)
dm_event_device_fuzzy_device_id_ Confidence level in the smart ID. String (255)
confidence
dm_event_device_hw_gps_accuracy Indicates the accuracy of the mobile device’s GPS. String (255)
dm_event_device_hw_latitude Latitude location of the device. String (255)
dm_event_device_hw_longitude Longitude location of the device. String (255)
dm_event_device_jb_root Returned for mobile devices only. String (255)
Detects whether a mobile device running an
application that contains Decision Manager device
fingerprinting code has root privileges. This form of
privilege escalation is known as “jailbreaking” on iOS
devices. This field returns a numerical value that
indicates the number of root elements or “jailbreaks”
detected on the device. A “0” indicates that there are
no root elements or jailbreaks detected.
dm_event_device_jb_root_reason Returned for mobile devices only. String (255)
Returns additional information that describes the
elements on the device that triggered the escalation to
root privileges.
dm_event_device_page_time_on Time period in milliseconds that the device profiling String (255)
page displays on the browser before it closes or the
user navigates away from the page.
dm_event_device_profiled_url URL of the profiled page. String (255)
If the device fingerprinting mobile SDK is used, this
reply field returns the custom URL that was specified in
the doProfileRequest() function of your mobile
application.
dm_event_device_proxy_ip IP address of the proxy if it is available. String (255)

Decision Manager Account Takeover Protection Service | July 2018 112

 Appendix A API Fields and Examples

Table 16 SCMP API Reply Fields (Continued)

Field Description Data Type

& Length
dm_event_device_proxy_ip_activities Actions associated with the proxy IP address. This field String (255)
can contain one or more of these values, separated by
carets (^):
 BANK: IP address belongs to a financial
organization.
 CLICK_FRAUD: IP address has been used for click
fraud.
 CONNECTING_TO_BOTNET: IP address has been
connected to a botnet.
 CONNECTING_TO_MALWARE_SITE: IP address
has been connected to a malware site.
 DNS_CONNECTION_ANOMALY: IP address has
had a DNS connection anomaly.
 INSTANT_MSG: IP address has been used for
instant messaging.
 IRC_CONNECTION_ANOMALY: IP address has
been connected to a suspicious IRC server.
 LEGITIMATE: IP address has been legitimate.
 MALWARE: IP address has been used for malware.
 NIGERIAN: IP address has been used for Nigerian
email or spam.
 OTHER: IP has been involved in other activities.
 P2P: IP address has been used for peer-to-peer
communication.
 PHISH: IP address has been used for phishing.
 SPAM: IP address has been used to send spam.
 TCP_SCAN_FLAG: IP address has been used as
TCP port scanner.
 UDP_SCAN_FLAG: IP address has been used as
UDP port scanner.

Decision Manager Account Takeover Protection Service | July 2018 113

 Appendix A API Fields and Examples

Table 16 SCMP API Reply Fields (Continued)

Field Description Data Type

& Length
dm_event_device_proxy_ip_attributes Characteristics of the proxy IP address. This field can String (255)
contain one or more of these values, separated by
carets (^):
 BOGON: IP address has been part of a range of
bogus IP addresses.
 BOTNET_ZOMBIE: IP address has been either a
zombie or a botnet.
 DYNAMIC: IP address has been dynamic.
 HIJACKED: IP address has been part of a range of
hijacked IP addresses.
 NAME_SERVER: IP address has been a name
server.
 OPEN_PROXY: IP address has been an open proxy.
 OPEN_RELAY: IP address has been an open relay.
 PORTAL: IP address has been a portal.
 PROXY: IP address has been a proxy.
 RANGE: IP address has been part of a range of IP
addresses.
 STATIC: IP address has been static.
dm_event_device_proxy_type Type of proxy server based on the HTTP header. This String (255)
field can contain one of these values:
 Anonymous: Presence of an HTTP header
indicates the presence of a proxy but does not
disclose the client IP address.
 Hidden: Absence of an HTTP header indicates the
presence of a proxy attempting to hide its purpose.
Often returned for compromised servers or botnets
that are used as proxies.
 Transparent: Presence of an HTTP header
indicates the presence of a proxy and discloses the
client IP address. This value usually corresponds to
a proxy that filters corporate or ISP content. This
value is the safest.
dm_event_device_request_duration Total time in milliseconds to process the profiling String (255)
request.
dm_event_device_screen_res Screen resolution of the device. The value is a number String (255)
in the format nnnnXmmmm.
dm_event_device_true_ip True customer’s IP address detected by the String (255)
application.

Decision Manager Account Takeover Protection Service | July 2018 114

 Appendix A API Fields and Examples

Table 16 SCMP API Reply Fields (Continued)

Field Description Data Type

& Length
dm_event_device_true_ip_activities Actions associated with the true IP address. This field String (255)
can contain one or more of these values, separated by
carets (^):
 BANK: IP address belongs to a financial
organization.
 CLICK_FRAUD: IP address has been used for click
fraud.
 CONNECTING_TO_BOTNET: IP address has been
connected to a botnet.
 CONNECTING_TO_MALWARE_SITE: IP address
has been connected to a malware site.
 DNS_CONNECTION_ANOMALY: IP address has
had DNS connection anomaly.
 INSTANT_MSG: IP address has been used for
instant messaging.
 IRC_CONNECTION_ANOMALY: IP address has
been connected to a suspicious IRC server.
 LEGITIMATE: IP address has been legitimate.
 MALWARE: IP address has been used for malware.
 NIGERIAN: IP address has been used for Nigerian
email or spam.
 OTHER: IP has been involved in other activities.
 P2P: IP address has been used for peer-to-peer
communication.
 PHISH: IP address has been used for phishing.
 SPAM: IP address has been used to send spam.
 TCP_SCAN_FLAG: IP address has been used as
TCP port scanner.
 UDP_SCAN_FLAG: IP address has been used as
UDP port scanner.

Decision Manager Account Takeover Protection Service | July 2018 115

 Appendix A API Fields and Examples

Table 16 SCMP API Reply Fields (Continued)

Field Description Data Type

& Length
dm_event_device_true_ip_attributes Characteristics of the true IP address. This field can String (255)
contain one or more information codes, separated by
carets (^). This field can contain one of these values:
 BOGON: IP address has been part of a range of
bogus IP addresses.
 BOTNET_ZOMBIE: IP address has been either a
zombie or a botnet.
 DYNAMIC: IP address has been dynamic.
 HIJACKED: IP address has been part of a range of
hijacked IP addresses.
 NAME_SERVER: IP address has been a name
server.
 OPEN_PROXY: IP address has been an open proxy.
 OPEN_RELAY: IP address has been an open relay.
 PORTAL: IP address has been a portal.
 PROXY: IP address has been a proxy.
 RANGE: IP address has been part of a range of IP
addresses.
 STATIC: IP address has been static.
dm_event_device_true_ip_city City associated with the true IP address. If the data is String (255)
available, the content of this field is more reliable than
other city information in the order because any
cloaking by the customer has been removed.
dm_event_device_true_ip_geo Indicates the geolocation of the true IP. String (255)
dm_event_device_true_ip_state State associated with the true IP address. If the data is String (255)
available, the content of this field is more reliable than
other state information in the order because any
cloaking by the customer has been removed.
dm_event_bin_country Country (two-digit country code) associated with the String (255)
BIN of the customer’s card used for the payment.
Returned if the information is available.
Use this field for additional information when reviewing
orders. This information is also displayed in the details
page of the Business Center.
dm_event_card_account_type Type of payment card account. This field can refer to a String (255)
credit card, debit card, or prepaid card account type.
dm_event_card_issuer Name of the bank or entity that issued the card String (255)
account.
dm_event_card_scheme Subtype of card account. For example: Maestro String (255)
International, Mastercard Credit, or Visa Credit.
dm_event_cc_bin BIN of the credit card used for the payment. String (255)

Decision Manager Account Takeover Protection Service | July 2018 116

 Appendix A API Fields and Examples

Table 16 SCMP API Reply Fields (Continued)

Field Description Data Type

& Length
dm_event_decision Indicates whether the event is accepted, rejected, or String (255)
challenged.
dm_event_info Returns the event information codes from the event String (255)
server. See "Event Information Codes," page 120.
dm_event_hotlist_info Returns the following codes that indicate suspicious String (255)
behavior. See "Customer List Information Codes,"
page 128.
dm_event_provider_#_field_#_name Field name, for example, email address domain name String (255)
(domain_name).
dm_event_provider_#_field_#_value Value for the field, for example, yahoo.com. String (255)
dm_event_provider_#_name Name of the provider, for example, Emailage. String (255)
dm_event_velocity_morphing_#_count Morphing count specified by the number #. Integer (5)
Note The count is not returned for the initial
transaction.
dm_event_velocity_morphing_#_field_ Field name of the morphing element specified by the String (255)
name number # according to the setting that you chose in the
velocity editor. This field can contain one of the
following values:
 account_number
 billing_phone_number
 billing_first_name
 billing_last_name
 card_BIN
 customer_account_ID
 customer_IP_address
 customer_username
 customer_password
 device_fingerprint
 email_address
 merchant_reference_number
 proxy_IP_address
 shipping_address
 shipping_phone_number
 smart_ID
 true_IP_address
dm_event_velocity_morphing_#_info_ Identifier that CyberSource assigned to the velocity String (255)
code rule specified by the number #.

Decision Manager Account Takeover Protection Service | July 2018 117

 Appendix A API Fields and Examples

SCMP API Reply Example

dm_event.reason_code=100
dm_event_device_agent_type=browser_computer
dm_event_device_browser_language=en-US,en;q=0.8
dm_event_device_enabled_ck=true
dm_event_device_enabled_fl=true
dm_event_device_enabled_im=false
dm_event_device_enabled_js=true
dm_event_device_fingerprint_hash=aeaf7eef524f4aaa81cd4322706c62fc
dm_event_device_flash_os=Windows 7
dm_event_device_flash_version=WIN 17,0,0,169
dm_event_device_fuzzy_device_id=88bd3e53db9345978bff0fd85151e256
dm_event_device_fuzzy_device_id_confidence=100.00
dm_event_device_match_result=success
dm_event_device_page_time_on=196247
dm_event_device_profiled_url=http://website.com
dm_event_device_request_duration=289
dm_event_device_screen_res=1680x1050
dm_event_device_true_ip=198.241.217.15
dm_event_device_true_ip_attributes=_LOGIN_PASSED^_WATCH
dm_event_device_true_ip_city=san francisco
dm_event_device_true_ip_state=CA
dm_event_device_true_ip_geo=US
dm_event_hotlist_info=NEG-CC^NEG-SUSP
dm_event_info=ExactIDinGlobalRejectList
dm_event_velocity_morphing_0_count=3
dm_event_velocity_morphing_1_field_name=customer_ip_address
dm_event_velocity_morphing_2_info_code=MVEL-E1002
dm_event_bin_country=US
dm_event_card_account_type=001
dm_event_cc_bin=411111
dm_event_card_issuer=JPMORGAN CHASE BANK, N.A.
dm_event_card_scheme=VISA CREDIT
dm_event_rcode=1
dm_event_return_code=1340000
dm_event_rflag=SOK
dm_event_rmsg=ics_dm_event service was successful
ics_decision_reason_code=100
ics_rcode=1
ics_return_code=1000000
ics_rflag=SOK
ics_rmsg=Request was processed successfully.
merchant_ref_number=mp_dme_service
request_id=4301510080315000001547
request_token=AhizbwSR0l7jZ1azJSgWXgKf+21rqIAE/2GTbjgGcY266IFAyUtt

Decision Manager Account Takeover Protection Service | July 2018 118

 Appendix A API Fields and Examples

Reply Flags
The following table describes the reply flags returned by the SCMP API for the Decision
Manager Account Takeover Protection Service.

Table 17 Reply Flags

Reply Flag Description

DCARDEXPIRED CyberSource declined the request because the credit card has
expired. You may also receive this reason code if the expiration date
that you provided does not match the date on file at the issuing bank.
If the payment processor allows issuance of credits to expired cards,
CyberSource does not limit this functionality.
DCARDREFUSED The bank declined the transaction. This reply flag includes declines
due to insufficient funds, which cannot be distinguished from other
transactions at the time of authorization.
DCHALLENGE This is the Decision Manager Account Takeover Protection Service
default reply flag for the orders that you want to challenge.
DINVALIDADDRESS The customer entered an invalid city, state, country, or postal code.
DINVALIDCARD The account number does not pass CyberSource basic checks.
DINVALIDDATA The data provided is not consistent with the request. For example, you
requested a product with negative cost.
DMISSINGFIELD The request is missing a required field.
DREJECT This is the Decision Manager Account Takeover Protection Service
default reply flag for the orders that you want to reject.
ESYSTEM System error. Wait a few minutes, and try sending your request again.
ETIMEOUT The request timed out.
SOK The transaction was successful.

Decision Manager Account Takeover Protection Service | July 2018 119

 APPENDIX
Information Codes
B

This appendix includes the event information codes and customer list information codes.

Event Information Codes

The following table describes the event information codes returned by the Decision
Manager Account Takeover Protection Service.

The list of event information codes may change.

Note

Table 18 Event Information Codes Returned by dm_event_info

Code Description Event

Type
ExactIDinGlobalRejectList Device fingerprint has been rejected at least  Account
once in the past week. Creation
 Account
Login
 Account
Update
ExactIDinGlobalBlacklist Device fingerprint is on the global blacklist.  Account
Creation
 Account
Login
 Account
Update
TorExitNode Transaction is suspected as coming from a Tor  Account
exit node. Creation
 Account
Login
 Account
Update

Decision Manager Account Takeover Protection Service | July 2018 120

 Appendix B Information Codes

Table 18 Event Information Codes Returned by dm_event_info (Continued)

Code Description Event

Type
PossibleVPN Transaction is suspected as coming from a  Account
virtual private network (VPN). Creation
 Account
Login
 Account
Update
HiddenProxy Proxy has been detected attempting to avoid  Account
detection. Creation
 Account
Login
 Account
Update
AnonymousProxy Proxy has been detected attempting to  Account
anonymize web surfing. Creation
 Account
Login
 Account
Update
OpenProxy Proxy has been detected that is fully open to  Account
any user. Creation
 Account
Login
 Account
Update
TransparentProxy Proxy has been detected that is transparent.  Account
Creation
 Account
Login
 Account
Update
3ProxyPerDeviceDay Device fingerprint has been seen with at least  Account
three different proxy IPs in the past day. Creation
 Account
Login
 Account
Update

Decision Manager Account Takeover Protection Service | July 2018 121

 Appendix B Information Codes

Table 18 Event Information Codes Returned by dm_event_info (Continued)

Code Description Event

Type
DeviceProxyGeoMismatch Location of proxy IP and True IP do not match.  Account
Creation
 Account
Login
 Account
Update
ProxyTrueOrganizationMismatch Proxy IP organization and True IP organization  Account
exist and do not match. Creation
 Account
Login
 Account
Update
ProxyTrueISPMismatch Proxy IP ISP and True IP ISP exist and do not  Account
match. Creation
 Account
Login
 Account
Update
ProxyTrueRegionMismatch Proxy IP region and True IP region exist and  Account
do not match. Creation
 Account
Login
 Account
Update
ProxyTrueCityMismatch Proxy IP city and True IP city exist and do not  Account
match. Creation
 Account
Login
 Account
Update
UnusualProxyAttributes Proxy IP is unallocated or appears to have  Account
dial-up characteristics. Creation
 Account
Login
 Account
Update

Decision Manager Account Takeover Protection Service | July 2018 122

 Appendix B Information Codes

Table 18 Event Information Codes Returned by dm_event_info (Continued)

Code Description Event

Type
PossibleVM Transaction is suspected as coming from a  Account
virtual machine. Creation
 Account
Login
 Account
Update
VirtualMachine4ormoreScreenResolutions Virtual machine suspected due to greater than  Account
four resolutions in the last day. Creation
 Account
Login
 Account
Update
ScreenColorDepthLow The screen color depth is less than 8 bits.  Account
Creation
 Account
Login
 Account
Update
ScreenResAnomaly Screen resolution is not on the list of generally  Account
used resolutions. Creation
 Account
Login
 Account
Update
TimeonPageLessThan500ms Transaction time on page is less than 500  Account
milliseconds. Creation
 Account
Login
 Account
Update
NoDeviceID No device fingerprint has been generated for  Account
the transaction. Creation
 Account
Login
 Account
Update

Decision Manager Account Takeover Protection Service | July 2018 123

 Appendix B Information Codes

Table 18 Event Information Codes Returned by dm_event_info (Continued)

Code Description Event

Type
SessionAnomaly A session anomaly has been detected.  Account
Creation
 Account
Login
 Account
Update
SystemStateAnomaly At least two system state anomalies (time  Account
since mobile device or computer was last Creation
booted) have been detected locally over the
 Account
past hour.
Login
 Account
Update
NewDevice The device fingerprint was first seen in the past  Account
day. Creation
 Account
Login
 Account
Update
ExactIDDistanceTravelled Device locations (IP Geo) in the past hour are  Account
1000 kilometers or more apart. Creation
 Account
Login
 Account
Update
LanguageMismatch Browser language does not match the country  Account
of the True IP Geo. Creation
 Account
Login
 Account
Update
FlashBrowserLanguageMismatch Browser language does not match the Flash  Account
language. Creation
 Account
Login
 Account
Update
DeviceAccountGeoMismatch Account address does not match the True IP  Account
Geo. Creation
 Account
Update

Decision Manager Account Takeover Protection Service | July 2018 124

 Appendix B Information Codes

Table 18 Event Information Codes Returned by dm_event_info (Continued)

Code Description Event

Type
ShippingAddress/TrueGeoMismatch Shipping address does not match the True IP  Account
Geo. Creation
 Account
Update
3MthTrustedExactIDAccount_Persona Device fingerprint/account login were detected  Account
more than 90 days in the past. Login
2MthTrustedExactIDAccount_Persona Device fingerprint/account login were detected  Account
in the past 60 to 90 days. Login
1MthTrustedExactIDAccount_Persona Device fingerprint/account login were detected  Account
in the past 30 to 90 days. Login
PossibleCookieWiping At least three fingerprints were detected for the  Account
same smart ID in the past hour. Creation
 Account
Login
 Account
Update
MultiAccountLoginPerMerchantDevicePerHour Three different account logins were detected  Account
with the same device in the past hour. Login
MultiAccountLoginPerMerchantDevicePerDay Three different account logins were detected  Account
with the same device in the past day. Login
MultiAccountLoginPerMerchantDevicePerWeek Three different account logins were detected  Account
with the same device in the past week. Login
MultiAccountLoginPerMerchantDevicePerMonth Three different account logins were detected  Account
with the same device in the past month. Login
MultiAccountLoginPerMerchantSmartIDPerHour Three different account logins were detected  Account
with the same smart ID in the past hour. Login
MultiAccountLoginPerMerchantSmartIDPerDay Three different account logins were detected  Account
with the same smart ID in the past day. Login
MultiAccountLoginPerMerchantSmartIDPerWeek Three different account logins were detected  Account
with the same smart ID in the past week. Login
MultiAccountLoginPerMerchantSmartIDPerMonth Three different account logins were detected  Account
with the same smart ID in the past month. Login
MultiDevicePerMerchantAccountLoginPerHour Four fingerprints were detected with the same  Account
account login in the past hour. Login
MultiSmartIDPerMerchantAccountLoginPerDay Four fingerprints were detected with the same  Account
account login in the past day. Login
MultiSmartIDPerMerchantAccountLoginPerWeek Four fingerprints were detected with the same  Account
account login in the past week. Login
MultiSmartIDPerMerchantAccountLoginPerMonth Four fingerprints were detected with the same  Account
account login in the past month. Login

Decision Manager Account Takeover Protection Service | July 2018 125

 Appendix B Information Codes

Table 18 Event Information Codes Returned by dm_event_info (Continued)

Code Description Event

Type
MultiSmartIDPerMerchantAccountLoginPerHour Four smart IDs were detected with the same  Account
account login in the past hour. Login
MultiSmartIDPerMerchantAccountLoginPerDay Four smart IDs were detected with the same  Account
account login in the past day. Login
MultiSmartIDPerMerchantAccountLoginPerWeek Four smart IDs were detected with the same  Account
account login in the past week. Login
MultiSmartIDPerMerchantAccountLoginPerMonth Four smart IDs were detected with the same  Account
account login in the past month. Login
EmailDistanceTravelled Device and email addresses seen in the past  Account
hour are more than 1000 kilometers apart. Creation
 Account
Update
EmailAgeOver30Days Email address passed has been seen in more  Account
than 30 days in the past. Creation
 Account
Update
EMailinGlobalRejectList Email address has been rejected at least once  Account
in the past week. Creation
 Account
Update
EMailinGlobalBlacklist Email address is on the global blacklist.  Account
Creation
 Account
Update
3MthTrustedExactIDEmail_Persona Device fingerprint/email were detected more  Account
than 90 days in the past. Creation
 Account
Update
2MthTrustedExactIDEmail_Persona The device fingerprint/email combination were  Account
detected in the past 60 to 90 days. Creation
 Account
Update
1MthTrustedExactIDEmail_Persona The device fingerprint/email combination were  Account
detected in the past 30 to 90 days. Creation
 Account
Update
3MthTrustedExactIDCreditCard_Persona The device fingerprint/credit card combination  Account
were detected more than 90 days in the past. Creation
 Account
Update

Decision Manager Account Takeover Protection Service | July 2018 126

 Appendix B Information Codes

Table 18 Event Information Codes Returned by dm_event_info (Continued)

Code Description Event

Type
2MthTrustedExactIDCreditCard_Persona The device fingerprint/credit card combination  Account
were detected in the past 60 to 90 days. Creation
 Account
Update
1MthTrustedExactIDCreditCard_Persona The device fingerprint/credit card combination  Account
were detected in the past 30 to 90 days. Creation
 Account
Update
MultiEmailPerDevicePerHour Three different email addresses were detected  Account
with the same device fingerprint in the past Creation
hour globally.
 Account
Update
MultiEmailPerDevicePerDay Three different email addresses were detected  Account
with the same device fingerprint in the past day Creation
globally.
 Account
Update
MultiEmailPerDevicePerWeek Three different email addresses were detected  Account
with the same device fingerprint in the past Creation
week globally.
 Account
Update
MultiEmailPerDevicePerMonth Three different email addresses were detected  Account
with the same device fingerprint in the past Creation
month globally.
 Account
Update
MultiEmailPerSmartIDPerHour Three different email addresses were detected  Account
with the same device smart ID in the past hour Creation
globally.
 Account
Update
MultiEmailPerSmartIDPerDay Three different email addresses were detected  Account
with the same device smart ID in the past day Creation
globally.
 Account
Update
MultiEmailPerSmartIDPerWeek Three different email addresses were detected  Account
with the same device smart ID in the past week Creation
globally.
 Account
Update
MultiEmailPerSmartIDPerMonth Three different email addresses were detected  Account
with the same device smart ID in the past Creation
month globally.
 Account
Update

Decision Manager Account Takeover Protection Service | July 2018 127

 Appendix B Information Codes

Customer List Information Codes

Table 19 Customer List Information Codes

Code Description
CON-POSNEG The order triggered both a positive and negative list match. The result of the positive list match
overrides that of the negative list match.
NEG-ACRB The transaction was automatically marked as a creditback and is on the negative list.
NEG-AFCB The transaction was automatically marked as a fraud chargeback and is on the negative list.
NEG-ANFCB The transaction was automatically marked as a non-fraud chargeback and is on the negative
list.
NEG-ASUSP The transaction was automatically marked as suspected fraud and is on the negative list.
NEG-BA The billing address is on the negative list.
NEG-BCO The billing country is on the negative list.
NEG-BIN The credit card BIN (the first six digits of the number) is on the negative list.
NEG-BINCO The country in which the credit card was issued is on the negative list.
NEG-BZC The billing postal code is on the negative list.
NEG-CC The credit card number is on the negative list.
NEG-CPF The CPF or CNPJ identification number is on the negative list.
NEG-CRB The transaction was marked as a creditback and is on the negative list.
NEG-EM The email address is on the negative list.
NEG-EMCO The country in which the email address is located is on the negative list.
NEG-EMDOM The email domain (for example, mail.example.com) is on the negative list.
NEG-FCB The transaction was marked as a fraud chargeback and is on the negative list.
NEG-HIST An event was found on the negative list.
NEG-ID The customer’s account ID is on the negative list.
NEG-IP The IP address (for example, 10.1.27.63) is on the negative list.
NEG-IP3 The network IP address (for example, 10.1.27) is on the negative list. A network IP address
includes up to 256 IP addresses.
NEG-IPCO The country in which the IP address is located is on the negative list.
NEG-NFCB The transaction was marked as a non-fraud chargeback and is on the negative list.
NEG-PEM A passenger’s email address is on the negative list.
NEG-PH The phone number is on the negative list.
NEG-PID A passenger’s account ID is on the negative list.
NEG-PIP The proxy IP address is on the negative list.
NEG-PPH A passenger’s phone number is on the negative list.
NEG-SA The shipping address is on the negative list.
NEG-SCO The shipping country is on the negative list.

Decision Manager Account Takeover Protection Service | July 2018 128

 Appendix B Information Codes

Table 19 Customer List Information Codes (Continued)

Code Description
NEG-SID The Smart ID is on the negative list.
NEG-SUSP The transaction was marked as suspected fraud and is on the negative list.
NEG-SZC The shipping postal code is on the negative list.
NEG-TIP The true IP address is on the negative list.
POS-TEMP The customer is on the temporary positive list.
POS-PERM The customer is on the permanent positive list.
REV-BA The billing address is on the review list.
REV-BCO The billing country is on the review list.
REV-BIN The credit card BIN (the first six digits of the number) is on the review list.
REV-BINCO The country in which the credit card was issued is on the review list.
REV-BZC The billing postal code is on the review list.
REV-CC The credit card number is on the review list.
REV-CPF The CPF or CNPJ identification number is on the review list.
REV-CRB The transaction was marked as a creditback and is on the review list.
REV-EM The email address is on the review list.
REV-EMCO The country in which the email address is located is on the review list.
REV-EMDOM The email domain (for example, mail.example.com) is on the review list.
REV-FCB The transaction was marked as a fraud chargeback and is on the review list.
REV-ID The customer’s account ID is on the review list.
REV-IP The IP address (for example, 10.1.27.63) is on the review list.
REV-IP3 The network IP address (for example, 10.1.27) is on the review list. A network IP address
includes up to 256 IP addresses.
REV-IPCO The country in which the IP address is located is on the review list.
REV-NFCB The transaction was marked as a non-fraud chargeback and is on the review list.
REV-PEM A passenger’s email address is on the review list.
REV-PH The phone number is on the review list.
REV-PID A passenger’s account ID is on the review list.
REV-PIP The proxy IP address is on the review list.
REV-PPH A passenger’s phone number is on the review list.
REV-SA The shipping address is on the review list.
REV-SCO The shipping country is on the review list.
REV-SID The Smart ID is on the review list.
REV-SUSP The transaction was marked as suspected fraud and is on the review list.
REV-SZC The shipping postal code is on the review list.
REV-TIP The true IP address is on the review list.

Decision Manager Account Takeover Protection Service | July 2018 129

 APPENDIX
Code Examples for Mobile
Implementation
C

This appendix includes code examples for Android and iOS mobile implementations.

Android Code Example

The following excerpt from an Android application shows how to set the
doProfileRequest() function calling options.

Example 8 Android Code

@Override
protected void onCreate(Bundle savedInstanceState)
{
Log.d(TAG, "onCreate");
super.onCreate(savedInstanceState);
setContentView(R.layout.login_activity);

/*
* When the device rotates the activity will be destroyed and created again, although
* before destroying the state of the app will be written in a Bundle. To avoid
* unnecessary profiling (i.e. when device rotates) we check the bundle here and skip
* profiling if the device is rotated.
* */
if(savedInstanceState == null)
{
//Resetting the status of the application to make sure we have a clean activity
reset();

/*
* Creating a config instance to be passed to the init() method. Note this
* instance must include orgId and application context otherwise the init()
* method will fail.
* */
Config config = new Config().setOrgId(ORG_ID // (REQUIRED) Organisation ID
.setFPServer(FP_SERVER)// (REQUIRED) Enhanced
fingerprint server
.setContext(getApplicationContext())
// (REQUIRED) Application Context
.setTimeout(10, TimeUnit.SECONDS)
// (OPTIONAL) Set the connection

Decision Manager Account Takeover Protection Service | July 2018 130

 Appendix C Code Examples for Mobile Implementation

time out in seconds

.setRegisterForLocationServices(true)
// (OPTIONAL) init() should request
location updates
.setRegisterForPush(true);
// (OPTIONAL) enable Strong
authentication notification
/*
* Call init to get some of the slow start up items completed before
* we request a profile. This is a mandatory call, and requires, at a minimum,
* the application context and the orgId.
*
* Only the first call to init() will use the configuration object, Subsequent
* calls will be ignored. init() can fail due to illegal argument or state in
* which cases throws exception to draw attention to the programming problem.
* Failure cases include malformed organisation id, malformed fingerprint
* server, missing okhttp library without setting .setDisableOKHTTP(true), etc
*/
TrustDefender.getInstance().init(config);

//Init was successful or there is a valid instance to be used for further calls.
//Fire a profile request
Log.e(TAG, "Successfully init-ed ");
doProfile();
}
}
void doProfile()
{
// (OPTIONAL) Retrieve the version of the SDK
Log.i(TAG, "Using: " + TrustDefender.version);

// (OPTIONAL) Assign some custom attributes to be included with the profiling

information
List<String> list = new ArrayList<String>();
list.add("attribute 1");
list.add("attribute 2");

ProfilingOptions options = new ProfilingOptions().setCustomAttributes(list);

// Fire off the profiling request. We could use a more complex request,
// but the minimum works fine for our purposes.
Profile.Handle profilingHandle =
TrustDefender.getInstance().doProfileRequest(options,
new CompletionNotifier()); // (REQUIRED) The end notifier must be passed to
the doProfileRequest() method

// Session id can be collected here

Log.d(TAG, "Session id = "+ profilingHandle.getSessionID());

/*
* profilingHandle can also be used to cancel this profile if needed
*
* profilingHandle.cancel();

Decision Manager Account Takeover Protection Service | July 2018 131

 Appendix C Code Examples for Mobile Implementation

* */
}
/**
* Used for notification from the SDK. Any code that needs to be run upon profiling
* completion should be called from here.
* <p>
* Note: Be careful about calling UI update functions from here, as any callbacks will
* not happen from the UI thread.
* </p>
*/
private class CompletionNotifier implements EndNotifier
{
/**
* This gets called when the profiling has finished.
* We have to be careful here because we are not going to be called on the UI thread,
* and if we want to update UI elements we can only do it from the UI thread.
*/
@Override
public void complete(Profile.Result result)
{
//Get the session id to use in API call (AKA session query)
m_sessionID = result.getSessionID();

Log.i("<YourAppName>Completion", "Profile completed with: " +

result.getStatus().toString()
+ " - " + result.getStatus().getDesc());
/*
* Profiling is complete, so login can proceed when the Login button is clicked.
*/
setProfileFinished(true);
/*
* Fire off a package scan. This will run in the background and process any newly
* installed apps
* We pass a value of 0 to disable the timeout; it will run until all
* packages are scanned.
* PackageScan runs on a different thread and doesn't interfere with
* <YourAppName> app or profiling request
*/
TrustDefender.getInstance().doPackageScan();
/*
* The Login button is clicked before the profiling is finished, therefore we
* should login
* */
if(isLoginClicked())
{
login();
}
}
}

Decision Manager Account Takeover Protection Service | July 2018 132

 Appendix C Code Examples for Mobile Implementation

iOS Code Example

The following excerpt from an iOS application shows how to set the
doProfileRequest() function calling options where ApplicationName is the name
of your iOS application:

Example 9 iOS Code

- (instancetype) init
{
self = [super init];

_sessionID = nil;
_timeout = @10;
_profile = [THMTrustDefender sharedInstance];

static dispatch_once_t configureOnce = 0;

// The [_profile configure] method is effective only once and subsequent calls to it
// will be ignored. By having a dipatch_once here we make sure configure is called
// only once, although using a dispatch_once is not technically required.
dispatch_once(&configureOnce,
^{
// The profile.configure method is effective only once and subsequent
// calls to it will be ignored.
// Note that configure may throw NSException if NSDictionay key/
// value(s) are invalid.
// This only happen due to programming error, therefore we don't
// catch the exception to make sure there is no error in our
// configuration dictionary
[_profile configure:@{
THMOrgID : ORG_ID,
// (REQUIRED) Enhanced fingerprint server
THMFingerprintServer : FP_SERVER,
// (OPTIONAL) Set the connection
// timeout, in seconds
THMTimeout : _timeout,
// (OPTIONAL) If Keychain Access sharing groups
// are used, specify like this
THMKeychainAccessGroup:
@"TEAMID.com.threatmetrix",
// (OPTIONAL) Register for location service
// updates
// Note that this call can prompt the user for
// permissions. The related call
// registerLocationServices will only activate
// location services have already been granted.

Decision Manager Account Takeover Protection Service | July 2018 133

 Appendix C Code Examples for Mobile Implementation

// But in this case, we want the request to happen

THMLocationServicesWithPrompt: @YES,
//(OPTIONAL) Register for ThreatMetrix Strong
// Authentication, using this feature needs some
// setup in the AppDelegate class.
THMRegisterForPush: @YES,
}];
});
return self;
}

-(void)doProfile
{
// (OPTIONAL) Retrieve the version of the mobile SDK
NSLog(@"Using: %@", self.profile.version);

NSArray *customAttributes = @[@"attribute 1", @"attribute 2"];

// Fire off the profiling request.

THMProfileHandle *profileHandle = [self.profile
doProfileRequestWithOptions:@{
// (OPTIONAL) Assign some custom
// attributes to be included with the
// profiling information
THMCustomAttributes: customAttributes
}
andCallbackBlock:^(NSDictionary *result)
{
THMStatusCode statusCode = [[result
valueForKey:THMProfileStatus] integerValue];
// If we registered a delegate, this function
// will be called once the profiling is
// complete
if(statusCode == THMStatusCodeOk)
{
// No errors, profiling succeeded!
}
NSLog(@"Profile completed with: %s and session ID: %@", statusCode ==
THMStatusCodeOk ? "OK"
: statusCode == THMStatusCodeNetworkTimeoutError ? "Timed out"
: statusCode == THMStatusCodeConnectionError ? "Connection Error"
: statusCode == THMStatusCodeHostNotFoundError ? "Host not found error"
: statusCode == THMStatusCodeInternalError ? "Internal Error"
: statusCode == THMStatusCodeInterruptedError ? "Interrupted"
: "other",
[result valueForKey:THMSessionID]);
}];

// Session id can be collected here (to use in API call (AKA session query))
self.sessionID = profileHandle.sessionID;
NSLog(@"Session id is %@", self.sessionID);

/*

Decision Manager Account Takeover Protection Service | July 2018 134

 Appendix C Code Examples for Mobile Implementation

* profileHandle can also be used to cancel this profile if needed

*
* [profileHandle cancel];
* */
}

Example 10 iOS Code (Swift v4.0)

class <YourAppName>ProfileController: NSObject

{
var profile: THMTrustDefender!
dynamic var loginOkay: Bool = false
var sessionID: String = ""

override init()
{
super.init()

//Get a singleton instance of TrustDefenderMobile

profile = THMTrustDefender.sharedInstance() as THMTrustDefender

//Configuration only fails due to programming error, therefore by using an assert

//here we make sure there is no error in our configuration object
assert(profile.configure([
THMOrgID:<ORG_ID>,
// (OPTIONAL) Set the connection timeout, in
// seconds
THMTimeout : 10,
// (OPTIONAL) If Keychain Access sharing groups
// are used, specify like this
THMKeychainAccessGroup: "TEAMID.com.threatmetrix",
//(OPTIONAL) Register for location service updates
// Note that this call can prompt the user for
// permissions. The related call
// registerLocationServices will only activate
// location services have already been
// granted. But in this case, we want the
// request to happen
THMLocationServicesWithPrompt: true,

]),
"Configuration failed")
}

func doProfile()
{
// (OPTIONAL) Retrieve the version of the mobile SDK
NSLog("Using \(profile.version)")

Decision Manager Account Takeover Protection Service | July 2018 135

 Appendix C Code Examples for Mobile Implementation

let customAttributes : [String : Array<String>] = [THMCustomAttributes:

["attribute 1", "attribute 2"]]

loginOkay = false

// Fire off the profiling request.

let status: THMStatusCode = profile.doProfileRequest(options: customAttributes,
andCallbackBlock:
{(result: [AnyHashable : Any]?) -> Void in

let results:NSDictionary! = result! as NSDictionary

let status:THMStatusCode =
THMStatusCode(rawValue:(results.value(forKey: THMProfileStatus) as!
NSNumber).intValue)!

self.sessionID = results.value(forKey: THMSessionID) as! String

if(status == .ok)
{
// No errors, profiling succeeded!
}

NSLog("Profile completed with: %@ and session ID: \(self.sessionID)",

status == .ok ? "OK" :
status == .networkTimeoutError ? "Timed out" :
status == .connectionError ? "Connection Error" :
status == .hostNotFoundError ? "Host Not Found Error" :
status == .internalError ? "Internal Error" :
status == .interruptedError ? "Interrupted Error" :
"Other"
)
self.loginOkay = true
})

if(status == .ok)
{
// The profiling successfully started
NSLog("Profiling started successfully")
}
else
{
// We errored out, allow the login to proceed
// The most common case of this error is THM_NotYet which means another
// profiling is in progress and we should wait for that one to finish.
loginOkay = true
}
}
}

Decision Manager Account Takeover Protection Service | July 2018 136

 APPENDIX
Decision Manager Account
Takeover Protection Service
D
Cookie FAQ

Because of developing regulations regarding cookie usage in the European Union,1

CyberSource has received questions about how its services use cookies. This information
is included here because CyberSource Decision Manager Device Fingerprinting and
CyberSource Decision Manager Account Takeover Protection Service use cookies.

1 What is a cookie?

A cookie is a small file, typically consisting of letters and numbers, which is downloaded to
and stored on a user’s computer or other electronic device when the user visits certain
web sites. Information from cookies is used for a variety of purposes. For example,
cookies can be used to enhance security or configure a web site to make it more
convenient for a visitor.

2 Does CyberSource Decision Manager set cookies on users’ computers?

Yes, but only if you are using device fingerprinting or the Decision Manager Account
Takeover Protection Service. If you are not using device fingerprinting or the Decision
Manager Account Takeover Protection Service, Decision Manager does not set any
cookies.

3 What purpose does the cookie serve? Will the service function without the cookie?

If you are using device fingerprinting or the Decision Manager Account Takeover
Protection Service, one cookie is dropped as described in the following chart:

Purpose Data Stored Will the service Persistent?

function without
the cookie?
Provides identification The user’s device fingerprint Decision Manager Yes, for five
of a returning device. generated by CyberSource’s will function without years.
device fingerprint the cookie.
technology vendor.

1 This information is not intended to be legal advice. CyberSource recommends that you seek advice from
independent counsel regarding your obligations regarding the use of cookies under applicable law.

Decision Manager Account Takeover Protection Service | July 2018 137

 Appendix D Decision Manager Account Takeover Protection Service Cookie FAQ

4 Does CyberSource obtain user consent for this cookie?

No. CyberSource is a third-party vendor and does not have contact or a direct relationship
with your users. Under your agreement with CyberSource, it is the merchant’s
responsibility to provide their users any legally required notices or obtain necessary
consent in order to set cookies.

Please contact us if you have any questions.

Decision Manager Account Takeover Protection Service | July 2018 138