Risk Scoring API for Credit Card Processing

In the digital world, fraudsters are continuously finding new ways to target merchants. This means that it’s more important than ever to weed out fraudulent transactions as early in the transaction process as possible to protect consumers and your business. Risk scoring is one of the best tools to help merchants identify and decline potentially fraudulent transactions.

When integrated into your application, a risk scoring API can detect patterns of behavior that indicate credit card fraud or other security risks. It uses data from multiple sources, including IP addresses, geolocation information, device attributes, and previous user behavior to evaluate a transaction’s risk and determine whether it should be allowed or declined.

As a result, merchants can avoid costly chargebacks and lower their risk rating with payment processors, gateways, and card issuers. Additionally, using risk scoring can prevent fraudsters from exploiting vulnerabilities in your website or mobile apps and reduce the amount of time it takes to recover from a breach.

The Risk Scoring API allows you to create custom rules based on telltales, which can be either global or customer-specific. When enabled, the API will return an additional field in the Verify v4 response called session_risk. This is a JSON object that has the following fields:

Name – The name of a triggered telltale that contributed to calculating a Risk Score.
Weight – The weight assigned to this triggered telltale when calculating a Risk Score.

If the value of a triggering telltale is high enough, then the risk score will be very high. If the risk score is high enough, it may trigger a secondary authentication request. If the second authentication is successful, then the advice will be “INCREASEAUTH”; otherwise, it will be “ALLOW”.

A transaction’s risk level can also depend on the country in which the credit card was issued. For example, if the country of the card’s issuing bank does not match the billing address of the transaction, this can be a sign of fraud. Other factors that can be used to detect fraud include the email address, geolocation, and proxy use.

To determine a risk score, the Evaluate Risk API passes the transaction details to CA Risk Authentication. A risk advice is returned to your application, which can then validate PSS headers for the transaction and decide whether to allow or deny it. If your application calls the Evaluate Risk API and receives an advice of INCREASEAUTH, it must pass the transaction ID from the Evaluate Risk API call and any association name (if applicable) to the post evaluateRisk API call in order to initiate the secondary authentication workflow. The post evaluateRisk API will then send back the secondary authentication status and the associated advice. If the advice is ALLOW, then the user-device association information will be updated and the request can proceed. If the advised action is to DECLINE, then your application must decline the transaction. For more information on how to enable the Risk Scoring API, contact your Arkose Labs CSM.
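The advice flow described above can be handled so that anything other than an explicit ALLOW declines the transaction. The following is an added example, not code from the vendor or this page: the two API calls are passed in as callables, and the response field names `advice` and `transaction_id` are assumptions.

```python
"""Fail-closed handling of risk advice (added example; field names are assumed)."""
from typing import Callable, Optional, Tuple

ALLOW, INCREASEAUTH, DECLINE = "ALLOW", "INCREASEAUTH", "DECLINE"


def decide(evaluate_risk: Callable[[dict], dict],
           post_evaluate_risk: Callable[[str, Optional[str]], dict],
           txn: dict,
           association_name: Optional[str] = None) -> Tuple[bool, str]:
    """Return (proceed, reason). Only an explicit ALLOW lets the request through."""
    try:
        first = evaluate_risk(txn)
    except Exception as exc:  # risk service unreachable: do not wave the payment through
        return False, f"evaluate failed: {type(exc).__name__}"

    advice = first.get("advice")          # assumed field name
    if advice == ALLOW:
        return True, "allow"
    if advice != INCREASEAUTH:
        # DECLINE, a missing field, or a value this code does not know
        return False, f"declined on advice {advice!r}"

    txn_id = first.get("transaction_id")  # assumed field name
    if not txn_id:
        return False, "step-up requested without a transaction id"
    try:
        second = post_evaluate_risk(txn_id, association_name)
    except Exception as exc:
        return False, f"step-up failed: {type(exc).__name__}"
    if second.get("advice") == ALLOW:
        return True, "allow after secondary authentication"
    return False, f"declined after step-up on advice {second.get('advice')!r}"


if __name__ == "__main__":
    # Constructed responses standing in for the two API calls.
    first_call = lambda txn: {"advice": INCREASEAUTH, "transaction_id": "txn-0001"}
    second_call = lambda txn_id, assoc: {"advice": ALLOW}
    print(decide(first_call, second_call, {"amount": "42.00"}))
```

The reason string is meant for the audit log, so that a declined payment can be traced to the advice or failure that caused it.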