Fraud Profiling
Explore our fraud profiling capability and its implementation with the Acquisition API.
Implementation of device profiling
This functionality is currently provided for NewDay by ThreatMetrix and is achieved through the inclusion of specific JavaScript tags on the UI pages supporting the Apply and Purchase APIs. The JavaScript tag must be configured with three discrete parameters: profiling_domain, org_id and session_id, described below.
1. profiling_domain
This is the domain from which the call to ThreatMetrix is made. Every domain from which the Fraud Profiling call to ThreatMetrix will be made must be passed to NewDay, so that the associated 'SAN' certificate (used to secure the profiling call) can be updated. This certificate needs to match the domain where the JavaScript is hosted, therefore the Client needs to be involved in the creation of this certificate. There should be one certificate for UAT and one for production.
2. org_id
This is a mandatory parameter. It is a string of characters that serves to uniquely identify a ThreatMetrix Client (in this case, NewDay). For the UAT value please reach out to your contact at NewDay. For the Production value please reach out to your contact at NewDay.
3. session_id
This is a mandatory parameter. It is a unique value that identifies a single event performed by the customer. This session_id is passed in the ThreatMetrix link, outlined below, and is subsequently passed in the verificationId field of the Order Processing and Acquisitions API requests. It must be an RFC-4122 compliant GUID and must be generated by the client. The value should be different for a single customer between Order Processing and Acquisitions APIs.
The JavaScript to be added to the UI screens is as follows:
Javascript
<head>
  <script type="text/javascript" src="path/to/toolkit.js"></script>
  <!-- other head content -->
</head>
<body>
  <script type="text/javascript">
    // session_id is generated server-side and emitted as a quoted string literal
    var session_id = "<%=generateSessionId()%>";
    threatmetrix.profile("<profiling_domain>", "<org_id>", session_id);
  </script>
  <!-- Fallback for browsers with JavaScript disabled -->
  <noscript>
    <iframe style="width: 100px; height: 100px; border: 0; position: absolute; top: -5000px;" src="<profiling_domain>/fp/tags?org_id=<org_id>&session_id=<session_id>"></iframe>
  </noscript>
</body>
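The session_id handling described above, as an added example that is not NewDay or ThreatMetrix code: it checks the RFC-4122 format, keeps the Order Processing and Acquisitions values distinct for one customer, builds the noscript tag URL, and copies the same value into verificationId. The helper names, the flow labels and the request-body shape are assumptions.

```javascript
// Added example; helper names and the request-body shape are hypothetical.
// Node's crypto module when require() exists, otherwise the Web Crypto global.
const cryptoImpl = typeof require === "function" ? require("node:crypto") : globalThis.crypto;

// RFC 4122 text form: version nibble 1-5, variant nibble 8, 9, a or b.
// The all-zero nil GUID fails this check, which suits a per-event identifier.
const RFC4122 = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

function isRfc4122(value) {
  return typeof value === "string" && RFC4122.test(value);
}

// Version 4 GUID drawn from the platform CSPRNG.
function newSessionId() {
  return cryptoImpl.randomUUID();
}

// Record which session_id a customer used for each flow and reject a value
// already used by the other flow. `used` is a Map kept per customer.
function bindSession(used, flow, sessionId) {
  if (!isRfc4122(sessionId)) throw new TypeError("session_id is not an RFC-4122 GUID");
  const id = sessionId.toLowerCase();
  for (const [otherFlow, otherId] of used) {
    if (otherFlow !== flow && otherId === id) {
      throw new Error("session_id already used for " + otherFlow);
    }
  }
  used.set(flow, id);
  return id;
}

// URL for the <noscript> iframe, with both parameters query-encoded.
// Requiring https is an assumption based on the https:// profiling_domain in step 5.
function buildTagUrl(profilingDomain, orgId, sessionId) {
  if (!isRfc4122(sessionId)) throw new TypeError("session_id is not an RFC-4122 GUID");
  const url = new URL("/fp/tags", profilingDomain);
  if (url.protocol !== "https:") throw new TypeError("profiling_domain must use https");
  url.searchParams.set("org_id", orgId);
  url.searchParams.set("session_id", sessionId);
  return url.toString();
}

// Copy the profiled session_id into the verificationId field of an API request body.
function withVerificationId(body, sessionId) {
  if (!isRfc4122(sessionId)) throw new TypeError("session_id is not an RFC-4122 GUID");
  return { ...body, verificationId: sessionId };
}
```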
Subject Alternative Names (SANs)
In addition to embedding this JavaScript in your UI screens, a SAN (Subject Alternative Name) certificate needs to be created and used. This certificate is obtained through collaboration directly with ThreatMetrix.
1. Define a sub-domain
Use a name that is not suggestive of security/fraud profiling, e.g. img.client.com
2. Provide SSL/TLS certificate information:
- Common name (FQDN) -> img.client.com
- Company Name -> Client
- Company Department -> IT
- Country Name & Code -> Great Britain GBR
- State or Province name -> UK
- City name -> London
3. Generate certificate from CSR:
- Sign and submit the following: signed certificate, root certificate of your CA and chain
- Return file as PEM file named: Img.client.com.crt
4. Set up redirection
- Add a DNS record, such as img.client.com CNAME h.online-metrix.net.
5. Replace profiling_domain in the above JavaScript with https://img.client.com