Introduction

A device fingerprint is information collected about a remote computing device for the purpose of identification. Fingerprints can be used to fully or partially identify individual users or devices and may detect and prevent online identity theft and credit card fraud.

Ingenico has chosen to partner with InAuth to collect, create and assess the device fingerprints. Using JavaScript collectors, InAuth provides device identification and risk assessment. They collect data, such as geographical and time attributes, plug-ins, and IP address, that is provided to real-time login or transaction logic, and use it to create a strong device ID and to uncover high-risk indicators for judging device trustworthiness.

InAuth’s browser identification recipe determines how well devices are differentiated from each other, allowing your business to authenticate users with less friction. InAuth uses device-specific browser identification to recognize any web-connected device and produce a unique identifier. InAuth analyzes the collected data and applies rules to identify business-relevant risk information. They calculate a score based on Anomalies, Velocity, Location, Integrity, List-Based, and Device Reputation. This score, along with the raw data from the device, is fed as additional data points into our fraud prevention using Retail Decisions.

Benefits

  • Reduce fraud based on device trustworthiness
  • Non-invasive seamless user experience
  • Detection of spoofed data used to create a fake fingerprint
  • Detection of Replay and Bot attacks
  • Device fingerprint is collected even if the consumer has cookies and/or JavaScript disabled

Availability

The service is available if you process on the GlobalCollect platform for cards and you use Retail Decisions to prevent fraud. The service is available for all card payment products. The collection and analysis of device fingerprints is seamlessly integrated into the MyCheckout hosted payment pages. No changes on your side are needed to make use of the service.

The service is also available for integration on your own checkout pages, through our Server API integration.

Limitations

Collection of device fingerprints from web clients (browser software) relies on the availability of JavaScript or a similar client-side scripting language for harvesting a suitably large number of parameters. Two classes of users with limited client-side scripting are those with mobile devices and those running privacy software or browser extensions that block ads and trackers. Separately, a single device may have multiple web clients installed, or even multiple virtual operating systems, making it hard or even impossible to identify it as a single device.

Note that the solution we provide is able to still collect a device fingerprint even if the consumer has cookies and/or JavaScript disabled.

Technical integration

For both the MyCheckout hosted payment pages as well as the integration using your own checkout pages you need to make sure that the device fingerprint service has been enabled for each of the payment products on your account. Please contact your account manager to have it enabled.

1. Using the MyCheckout hosted payment pages

You don't need to do anything in your integration to use this service, except tell us you want it enabled on your account. The service is seamlessly integrated in the MyCheckout hosted payment pages. The output of the service is automatically included in the messaging towards Retail Decisions and the output can be used to create additional rules. At this moment no special output properties are returned for this service.

2. Using your own checkout pages

To use device fingerprinting on your own payment pages, you need to add code to those pages that collects the device information. The code is transaction-specific and can be retrieved dynamically using an API call. This API call returns both the HTML code that needs to be added to your checkout pages and the deviceFingerprintTransactionId that you need to include in your Create Payment API request. Because the routing for further processing can differ per payment product, the API to retrieve the HTML and the deviceFingerprintTransactionId is payment-product-specific. By calling this API for each transaction, you can be sure that you use the correct device fingerprint collection code, including the right collection flags and a unique deviceFingerprintTransactionId.

Step 1: Determine for which payment products device fingerprint has been enabled

The get products API call tells you for which payment products the device fingerprint service has been enabled. This API call is available in both the Server API and the Client API.

Get Payment products request
GET /v1/9930/products?currencyCode=EUR&countryCode=NL&hide=fields HTTP/1.1
Authorization: GCS v1HMAC:36f6f588bff5373d:S9HKCdy2el8l+i013Ar2cais8nJA761Ikt3eyrpiz+g=
Date: Sat, 08 Jun 2019 22:46:57 GMT
Content-Type: application/json
Host: world.preprod.api-ingenico.com
Connection: close
User-Agent: Paw/3.1.8 (Macintosh; OS X/10.14.5) GCDHTTPRequest

In the response, look for the property deviceFingerprintEnabled. For each payment product where this is true, you can call the get device fingerprint API (in case the consumer is using this payment product in their current checkout). In the example response below, the device fingerprint service has been enabled for Visa and Mastercard, but not for iDEAL.

Get Payment products response
HTTP/1.1 200
Date: Sat, 08 Jun 2019 22:46:57 GMT
Server: Apache
Content-Type: application/json
Connection: close
Transfer-Encoding: chunked

{
"paymentProducts": [
{
"deviceFingerprintEnabled": true,
"allowsRecurring": true,
"allowsTokenization": true,
"authenticationIndicator": {
"name": "AUTHENTICATIONINDICATOR",
"value": "1"
},
"autoTokenized": false,
"displayHints": {
"displayOrder": 9,
"label": "Visa",
"logo": "templates/master/global/css/img/ppimages/pp_logo_1_v1.png"
},
"id": 1,
"maxAmount": 100000000,
"mobileIntegrationLevel": "OPTIMISED_SUPPORT",
"paymentMethod": "card",
"paymentProductGroup": "cards",
"usesRedirectionTo3rdParty": false
},
{
"deviceFingerprintEnabled": true,
"allowsRecurring": true,
"allowsTokenization": true,
"authenticationIndicator": {
"name": "AUTHENTICATIONINDICATOR",
"value": "1"
},
"autoTokenized": false,
"displayHints": {
"displayOrder": 12,
"label": "MasterCard",
"logo": "templates/master/global/css/img/ppimages/pp_logo_3_v2.png"
},
"id": 3,
"maxAmount": 1000000,
"mobileIntegrationLevel": "OPTIMISED_SUPPORT",
"paymentMethod": "card",
"paymentProductGroup": "cards",
"usesRedirectionTo3rdParty": false
},
{
"deviceFingerprintEnabled": false,
"allowsRecurring": true,
"allowsTokenization": false,
"autoTokenized": false,
"canBeIframed": false,
"displayHints": {
"displayOrder": 17,
"label": "iDEAL",
"logo": "templates/master/global/css/img/ppimages/pp_logo_809_v1.png"
},
"id": 809,
"maxAmount": 1000000,
"mobileIntegrationLevel": "OPTIMISED_SUPPORT",
"paymentMethod": "redirect",
"usesRedirectionTo3rdParty": true
}
]
}

Step 2: Calling the get device fingerprint API

Once you have determined which payment product is being used by your consumer, and the device fingerprint service is available for this payment product, you can call the get device fingerprint API. In our example we are performing these actions against our pre-production environment and the selected payment product is Visa (1). We also want to execute some JavaScript after the device fingerprint collection script has finished. The JavaScript can be provided in the request using the property collectorCallback. Because this JavaScript ends up in the script on your checkout page, keep it a fixed string and do not build it from request or consumer data. If you don't want to call any JavaScript, you can just submit an empty JSON object.

Please see below an example request and response, including the full HTTP Headers.

Get Device Fingerprint request
POST /v1/9930/products/1/deviceFingerprint HTTP/1.1
Authorization: GCS v1HMAC:36f6f588bff5373d:wNRg7TDq+KtD2nivdyxxBqtKgU3jSO5WQBr+t7DKt2E=
Date: Sat, 08 Jun 2019 17:00:51 GMT
Content-Type: application/json
Host: world.preprod.api-ingenico.com
Connection: close
User-Agent: Paw/3.1.8 (Macintosh; OS X/10.14.5) GCDHTTPRequest
Content-Length: 82
 
{
"collectorCallback" : "function() { alert('Device fingerprint submitted!') };"
}

Get Device Fingerprint response
HTTP/1.1 200
Date: Sat, 08 Jun 2019 17:00:52 GMT
Server: Apache
Content-Type: application/json
Connection: close
Transfer-Encoding: chunked
 
{
   "deviceFingerprintTransactionId" : "b3883837-991e-410b-a5d4-fe936631984b",
   "html" : "<script data-test-selector=\"DeviceFingerprint\">
    window._cc = window._cc || [];
    _cc.push(['ci', {'sid': 'd34c3b6505b24a76', 'tid': 'b3883837-991e-410b-a5d4-fe936631984b'}]);
    _cc.push(['cf', '34577395']);
    _cc.push(['run', 'https://devicefingerprint.pay1.preprod.secured-by-ingenico.com']);
    _cc.push(['sf', function() {alert(\\'Device fingerprint submitted!\\')};]);
    (function() {
	var c = document.createElement('script');
	 c.type = 'text/javascript';
	 c.async = true;
	 c.src ='https://devicefingerprint.pay1.preprod.secured-by-ingenico.com/cc.js?ts=' + (new Date()).getTime();
	var s = document.getElementsByTagName('script')[0];
	 s.parentNode.insertBefore(c, s);
	})();
    function doDevicefingerPrintSubmit(callback) { _cc.push(['csd', callback}]);}
   </script>
   <noscript><img src=\"https://devicefingerprint.pay1.preprod.secured-by-ingenico.com/s1.gif?sid=d34c3b6505b24a76&tid=b3883837-991e-410b-a5d4-fe936631984b\"></noscript>"
}

The two returned properties, html and deviceFingerprintTransactionId, each serve their own purpose. The content of the html property needs to be incorporated in your checkout page where you have the final submit button. Do not incorporate it into any of your other pages: each execution of the script is counted and has an effect on your invoice. The script will only get executed when the consumer clicks on the submit button, and it already contains all the right settings, the deviceFingerprintTransactionId and the optional JavaScript you provided in the collectorCallback property in the request.

More detailed information on this API and SDK-specific code examples can be found in our API Reference on the Get Device Fingerprint API.

Step 3: Calling the create payment API

When the submit button has been pressed, you will normally have collected all the payment information needed to perform a Create Payment API call. To make sure the collected device fingerprint data is taken into account, include the deviceFingerprintTransactionId that was returned by the get device fingerprint API in the order.customer.device.deviceFingerprintTransactionId property.

Create Payment request (including deviceFingerprintTransactionId)
POST /v1/9930/payments HTTP/1.1
Authorization: GCS v1HMAC:36f6f588bff5373d:4ItHCmmjtYuovLPKSOWjORLrWx+cjPpso9aOZGvlHCM=
Date: Sat, 08 Jun 2019 22:17:19 GMT
Content-Type: application/json
Host: world.preprod.api-ingenico.com
Connection: close
User-Agent: Paw/3.1.8 (Macintosh; OS X/10.14.5) GCDHTTPRequest
Content-Length: 512
 
{
  "order": {
    "amountOfMoney": {
      "currencyCode": "USD",
      "amount": 240
    },
    "customer": {
      "device": {
        "deviceFingerprintTransactionId": "b3883837-991e-410b-a5d4-fe936631984b"
      },
      "billingAddress": {
        "countryCode": "US"
      }
    }
  },
  "cardPaymentMethodSpecificInput": {
    "paymentProductId": 1,
    "card": {
      "cvv": "123",
      "cardNumber": "4111111111111111",
      "expiryDate": "1220",
      "cardholderName": "Wile E. Coyote"
    }
  }
}

Currently no additional properties are returned regarding the device fingerprint service. If Retail Decisions (ReD) has also been configured on the account for the same payment product as used for the device fingerprint service, some of the output of the device fingerprint service will be submitted to ReD for evaluation. The final advice returned by ReD will have taken the device fingerprint data into account.

Create Payment response
HTTP/1.1 201
Date: Sat, 08 Jun 2019 22:36:49 GMT
Server: Apache
Location: https://world.preprod.api-ingenico.com/v1/9930/payments/000000993010000638450000100001
Content-Type: application/json
Connection: close
Transfer-Encoding: chunked
 
{
   "creationOutput" : {
      "additionalReference" : "00000099301000063845",
      "externalReference" : "000000993010000638450000100001"
   },
   "payment" : {
      "id" : "000000993010000638450000100001",
      "paymentOutput" : {
         "amountOfMoney" : {
            "amount" : 240,
            "currencyCode" : "EUR"
         },
         "references" : {
            "paymentReference" : "0",
            "providerId" : "3000"
         },
         "paymentMethod" : "card",
         "cardPaymentMethodSpecificOutput" : {
            "paymentProductId" : 1,
            "authorisationCode" : "306398",
            "fraudResults" : {
               "fraudServiceResult" : "accepted",
               "avsResult" : "0",
               "cvvResult" : "P",
               "retailDecisions" : {
                  "fraudCode" : "0150",
                  "fraudNeural" : "142"
               }
            },
            "card" : {
               "cardNumber" : "************1111",
               "expiryDate" : "1220"
            }
         }
      },
      "status" : "PENDING_APPROVAL",
      "statusOutput" : {
         "isCancellable" : true,
         "statusCategory" : "PENDING_MERCHANT",
         "statusCode" : 600,
         "statusCodeChangeDateTime" : "20190609003650",
         "isAuthorized" : true,
         "isRefundable" : false
      }
   }
}
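
The three steps above, sketched as server-side checks in Python; this is an added example, not code from the Ingenico documentation or SDKs. The expected collector host and the UUID-shaped id format are assumptions read off the pre-production sample responses on this page, and the session dictionary with its fp_tid key is hypothetical.

```python
import re
from urllib.parse import urlsplit

# Assumption: host and id format are taken from the pre-production sample on this page.
COLLECTOR_HOST = "devicefingerprint.pay1.preprod.secured-by-ingenico.com"
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def fingerprint_enabled_ids(products_response):
    """Step 1: ids of payment products with deviceFingerprintEnabled set to true."""
    return {p["id"] for p in products_response.get("paymentProducts", [])
            if p.get("deviceFingerprintEnabled") is True}

def check_fingerprint_response(fp, host=COLLECTOR_HOST):
    """Step 2: sanity-check the response before its html goes into the checkout page."""
    tid, html = fp["deviceFingerprintTransactionId"], fp["html"]
    if not UUID_RE.fullmatch(tid):
        raise ValueError("unexpected deviceFingerprintTransactionId format")
    if tid not in html:
        raise ValueError("html does not carry the returned transaction id")
    for url in re.findall(r"https?://[^\s'\"<>]+", html):
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname != host:
            raise ValueError("unexpected URL in collector html: " + url)
    return tid

def build_create_payment(session, product_id, card, amount, currency, country):
    """Step 3: the id comes from server-side session state (hypothetical), not the browser."""
    return {
        "order": {
            "amountOfMoney": {"currencyCode": currency, "amount": amount},
            "customer": {
                "device": {"deviceFingerprintTransactionId": session["fp_tid"]},
                "billingAddress": {"countryCode": country},
            },
        },
        "cardPaymentMethodSpecificInput": {"paymentProductId": product_id, "card": card},
    }

# Constructed sample input, trimmed from the responses shown on this page.
SAMPLE_PRODUCTS = {"paymentProducts": [
    {"id": 1, "deviceFingerprintEnabled": True},
    {"id": 3, "deviceFingerprintEnabled": True},
    {"id": 809, "deviceFingerprintEnabled": False}]}
SAMPLE_TID = "b3883837-991e-410b-a5d4-fe936631984b"
SAMPLE_FP = {"deviceFingerprintTransactionId": SAMPLE_TID,
             "html": "<noscript><img src=\"https://" + COLLECTOR_HOST
                     + "/s1.gif?sid=d34c3b6505b24a76&tid=" + SAMPLE_TID + "\"></noscript>"}
```

Store the value returned by check_fingerprint_response in the consumer's server-side session when you render the checkout page, and read it back from there when you build the Create Payment request.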

Reporting

Some of the data points that were captured using the device fingerprint service are visible in the Payment Console (WPC).

Payment Console example device fingerprint data

Property: Description

DeviceID: This is the device fingerprint value. Based on the amount of data that the device fingerprint collector script was able to collect, this will be a proxy ID for the device used by the consumer.

Device Category: The type of device used by the consumer. Possible values:

  • SMARTPHONE
  • PERSONAL_COMPUTER
  • TABLET
  • WEARABLE_COMPUTER
  • GAME_CONSOLE
  • SMART_TV
  • PDA
  • OTHER
  • UNKNOWN

Risk Result Score: The score calculated on the basis of Anomalies, Velocity, Location, Integrity, List-Based, and Device Reputation. Range of the score is between 0 and 100. A lower value is better.

True IP Address: The true IP address as determined by InAuth. This might be different from the IP address that you are seeing on your side due to the proxy piercing technology deployed by InAuth.

Country (IP): The country of the consumer based on the location of the True IP Address determined by InAuth.