Fraud Profiling

Learn more about fraud profiling and its implementation when integrating with NewDay’s Acquisition API.

Implementation of device profiling

This functionality is currently provided for NewDay by ThreatMetrix and is achieved through the inclusion of specific JavaScript tags on the UI pages supporting the Apply and Purchase APIs. The JavaScript tag must be configured with three discrete parameters: profiling_domain, org_id and session_id, described below.
  1. 1
    profiling_domain This is the domain from which a call to ThreatMetrix is being made. All domains, from where the Fraud Profiling all to ThreatMetrix will be made, must be passed to NewDay, so that the associated 'SAN' Certificate (used to secure the Profiling call) can be updated. This certificate needs to match the domain where the JavaScript is hosted, therefore the Client needs to be involved in the creation of this certificate. There should be one certificate for UAT and one for production.
  2. 2
    org_id This is a mandatory parameter. It is a string of characters that serves to uniquely identify a ThreatMetrix Client (in this case, NewDay). For the UAT value please reach out to your contact at NewDay. For the Production value please reach out to your contact at NewDay.
  3. 3
    session_id This is a mandatory parameter. It is a unique value that identifies a single event performed by the customer. This session_id is passed in the ThreatMetrix link, outlined below, and is subsequently in the verificationId field in the Order Processing and Acquisitions APIs API Requests. It must be an RFC-4122 compliant GUID and must be generated by the client. The value should be different for a single customer between Order Processing and Acquisitions APIs.

The JavaScript to be added to the UI screens is as follows:


2	<script type="text/javascript" src="path/to/toolkit.js"/>
3	<!-- other head content -->
6	<script type="text/javascript">
7		var session_id = <%=generateSessionId()%>;
8		threatmetrix.profile("<profiling_domain>", "<org_id>", session_id);
9	</script>
10	<noscript>
11    <iframe style="width: 100px; height: 100px; border: 0; position: absolute; top: -5000px;" src="<profiling_doman>/fp/tags?org_id=<org_id>&session_id=<session_id>"></iframe>
12	</noscript>

Subject Alternative Names (SANs)

In addition to embedding this Javascript in your UI screens, a SANs (Subject Alternative Names) certificate needs to be created and used. This certificate is obtained through collaboration directly with ThreatMetrix.
  1. 1
    Define a Sub-Domain
    Use the name that is not suggestive of security/fraud profiling. e.g.
  2. 2
    Provide SSL/TLS Certificate information:
    - Common name (FQDM) ->
    - Company Name -> Client
    - Company Department -> IT
    - Country Name & Code - > Great Britain GBR
    - State or Province name -> UK
    - City name -> London`
  3. 3
    Generate Certificate from CSR:
    - Sign and submit the following: signed certificate, root certificate of your CA and chain ->
    - Return file as PEM file named:- ->
  4. 4
    Set up redirection
    - Add a DNS record, such as CNAME
  5. 5
    Replace profiling_domain in the above JavaScript with

Getting Started with NewDay

Quick start guides for how you can start working with NewDay as a partner and learn about the end-to-end processes of integrating with APIs.

Engagement with Commercial team

This section guides potential businesses on how to become a NewDay credit partner and explains the end-to-end on-boarding process.

Integration Guide for Developers

This section provides guidance on how to start building with NewDay i.e. how to integrate with NewDay's various deployment environments, getting access to APIs etc.

Still have questions

Can’t find the answer to your question? Our friendly team are more than happy to help

Was this page helpful?