Create a purchase with fraud screening
/purchasesData Notes
If a value is to be omitted (e.g. has no value, doesn't apply to your systems) you should use null or not include the key/value in the payload.
There are maximum length constraints on the values for fraud checks. If the value provided is greater then the allowed length the value will be truncated.
In general strings must only contain the following characters:
- a-z
- A-Z
- 0-9
- - (hyphen)
- _ (underscore)
- ' (single quote)
- , (comma)
- . (period)
- ; (semi-colon)
- : (colon)
- space
Exceptions to the above rule includes email addresses and Device ID
Fraud Detection Strategy
As a purchase can be made from either web browsers or mobile apps, different strategy is employed to defect fraudulent behaviour. If the purchase call is made from within the mobile app, you can specify a device object (see Device below) in the fraud payload. The object contains information about the physical device and application that a purchase takes place.
On the other hand if the purchase is made from web browsers (desktop or mobile), you can provide the device_id. See Device ID.
Important
Please note that you only need to provide either a device object or device id. An error will be returned if both are present in the fraud payload.
Device
Although UID is the only field marked as mandatory, it is highly recommended that you provide all the fields enclosed within the device object in order to the optimise fraudulent behaviours tracking.
Device ID
Fraud Screening uses Device ID, a customer fingerprinting technology to help accurately identify a customer regardless of where they are accessing a merchant website from. The use of Device ID is highly recommended as this assists in tracking fraudulent behaviour across multiple websites (the Device ID is specific to the customer's system, not the merchants website). To implement Device ID the following will need to be added to every page of the website:
<!-- First add a hidden field with an ID of pmnts_id (or similar) to your form - ensure that the value of this field is included in your checkout postback -->
<input type='hidden' name='pmnts_id' id='pmnts_id' />
<!-- Then include the following script tag at the bottom of your page, right before </body> -->
<!-- For production -->
<script type='text/javascript' async defer src="https://gateway.pmnts.io/fraud/fingerprint/MERCHANT_USERNAME.js"></script>
<!-- For Sandbox -->
<script type='text/javascript' async defer src="https://gateway-sandbox.pmnts.io/fraud/fingerprint/MERCHANT_USERNAME.js"></script>To test load the page where the script is included and then inspect the value of the field after a few seconds:
alert(document.getElementById('pmnts_id').value);The field should be populated with a large amount of encoded data. In the checkout page capture the value of the pmnts_id field and submit this in the request to the Gateway.
Placement of Fingerprint Scripts
It is important to ensure that this script is loaded on every page, to allow the fingerprinting scripts to accurately provide the customer interactions with your website. If you only add this script to your checkout page you may be impacted by incomplete data or false positives.
Customer IP Considerations
When a payment request is sent one of the required fields is the customer_ip which most commonly is retrieved from the REMOTE_ADDR param of the server request (this is dependent on the framework being used to host the website). In cases where the website is behind a load balancer or proxies the true IP address will be of the last-hop server, and the original IP address will (if standards are being followed) be moved to the X-Forwarded-For header. In situations where there are multiple proxy hops before reaching the webserver this header may hold multiple IP addresses, separated with a comma and a space (e.g. X-Forwarded-For: 1.2.3.4, 99.98.99.1). In this case it is important that the IP address used is the first address from this set.
The following example code can be used to extract the correct customer IP address from the request:
$customer_ip = $_SERVER['REMOTE_ADDR'];
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$forwarded_ips = explode(', ', $_SERVER['HTTP_X_FORWARDED_FOR']);
$customer_ip = $forwarded_ips[0];
}Testing
General testing procedures for Fat Zebra still apply, however there are additional requirements for testing with Fraud Screening.
The fraud screening has 3 different response types: Accept, Challenge and Deny. To simulate any of these responses use one of the following email addresses:
| Response | |
|---|---|
| accept@email.com | Fraud Check Accepted, transaction processed as normal |
| challenge@email.com | Fraud Check Challenge, transaction processed as normal |
| deny@email.com | Fraud Check Deny, transaction declined and not processed |
Testing with email addresses other then this may result in mixed results (for example transactions may be accepted at first but start receiving challenge responses and eventually deny responses as a result of velocity rules). Should you need to test email functionality within your integration simply get in touch with Fat Zebra and we can temporarily disable Fraud Screening for this account.
An additional response type of Error may be returned if there is a problem processing the fraud request, including but not limited to invalid inputs or problems communicating with the fraud screening services. If this response is received the transaction will not be processed. If the request payload has been confirmed to meet the data type requirements details above and the Error response is still returned please contact support for further assistance.
Body Parameters
amountinteger (int32)A positive integer representing how much to charge, in the smallest currency unit (eg., 100 to charge $1.00, or 100 to Charge ¥100, a zero decimal currency)
referencestringReference of the transaction. Max length 255 characters.
customer_ipstringRFC791-compliant IP address
currencystring· Defaults to AUDThree letter ISO currency code, in UPPERCASE
card_numberstringCard number
card_holderstringName of the card holder
card_expirystringFormat: MM/YYYY
card_tokenstring(optional)cvvstring(optional)CVV card number. (3/4 characters)
metadataobject(optional)addendum_datastring(optional)fraudobject(optional)fraud.device_idstringThe fraud screening service device fingerprint ID. See the Device ID section below for further details
fraud.deviceobjectfraud.device.uidstringThe device identifier such as IMEI in android or identifier for vendor in iOS. Maximum length is 128 characters.
fraud.device.os_typestring(optional)The operating system running on the user's device (relevant for native app only). For example: android, ios, etc
fraud.device.app_versionstring(optional)The version of the merchant application which is running on the user's device. Maximum length is 50 characters. For example: '2.0.1'
fraud.device.brandstring(optional)The user's device brand (relevant for native app only). For example: htc, apple, etc
fraud.device.modelstring(optional)The model of the user's device (relevant for native app only) Maximum length is 50 characters. For example: 'iPhone X', 'Galaxy 3'.
fraud.customerobjectDetails about the customer
fraud.customer.first_namestringThe customer's first name
fraud.customer.last_namestringThe customer's last name
fraud.customer.emailstringThe customer's email address
fraud.customer.date_of_birthstring (date)(optional)The customer's date of birth, if available
fraud.customer.idstring(optional)The customer record ID in the merchant database, if available
fraud.customer.address_1stringThe customer's primary address line
fraud.customer.address_2string(optional)The customer's secondary address line (such as building name)
fraud.customer.citystringThe customer's city
fraud.customer.statestringThe customer's state
fraud.customer.post_codestringThe customer's post code
fraud.customer.countrystringThe ISO 8166 alpha-3 country code for the customer
fraud.customer.existing_customerboolean(optional)Indicates if this customer is already in the merchants records or not
fraud.customer.created_atstring (date)(optional)The date/time that the customer record was created
fraud.customer.home_phonestring(optional)The customer's primary phone number. This can be a mobile number, if a home phone number is not provided. Required field for Forter.
fraud.shipping_addressobject(optional)fraud.shipping_address.first_namestringThe shipping address first name
fraud.shipping_address.last_namestringThe shipping address last name
fraud.shipping_address.emailstringThe shipping address email
fraud.shipping_address.home_phonestringThe shipping address phone number
fraud.shipping_address.address_1stringThe shipping address primary address line
fraud.shipping_address.address_2string(optional)The shipping address secondary address line (such as building name)
fraud.shipping_address.citystringThe shipping address city or suburb
fraud.shipping_address.statestringThe shipping address state
fraud.shipping_address.post_codestringThe shipping address post code
fraud.shipping_address.countrystringThe ISO 3166 alpha-3 country code for the shipping address
fraud.shipping_address.shipping_methodstringOne of the following shipping options: low_cost, same_day, overnight, express, international, pickup, other If none of these options apply choose the closest match.
fraud.recipientsarray of objectsRecipients are only required if the recipient differs from the shipping address, or if the order is being multi-shipped
fraud.recipients[0].titlestringThe recipient title/salutation (e.g. Mr, Mrs, Dr)
fraud.recipients[0].first_namestringThe recipients first name
fraud.recipients[0].last_namestringThe recipients last name
fraud.recipients[0].emailstringThe recipients email address
fraud.recipients[0].address_1stringThe recipients primary address line
fraud.recipients[0].address_2string(optional)The recipients secondary address line (such as building name)
fraud.recipients[0].citystringThe recipients city or suburb
fraud.recipients[0].statestringThe recipients state
fraud.recipients[0].post_codestringThe recipients post code
fraud.recipients[0].countrystringThe recipients country code - ISO 3166 alpha-3
fraud.recipients[0].phone_numberstring(optional)The recipients phone number
fraud.itemsarray of objectsfraud.items[0].product_codestringThe product code (base level product code)
fraud.items[0].skustring(optional)The product SKU (the stock keeping unit code, for example size/color variants)
fraud.items[0].descriptionstringThe description of the product. For longer descriptions (greater then 26 chars) truncate item specifics and add the truncated information to the gift_message field
fraud.items[0].qtyinteger (int32)The quantity of items ordered
fraud.items[0].costnumber (double)The base-cost for the product
fraud.items[0].line_totalnumber (double)The line total for the product (cost times quantity)
fraud.items[0].tracking_numberstring(optional)The shipping tracking number for this item
fraud.items[0].gift_messagestring(optional)Addendum product description, or gift message
fraud.items[0].part_numberstring(optional)The manufacturers part number (if applicable)
fraud.items[0].shipping_commentsstring(optional)Any comments for shipping of the item
fraud.customobject(optional)fraud.custom.xstring(optional)Custom data for the fraud screening. This is usually agreed upon and configured with the fraud provider. Please discuss using these fields with Support should you require assistance. x may be numerical or a string.
fraud.websitestringThe URL for the website where the order is being placed.
Request
curl https://gateway.pmnts-sandbox.io/v1.0/purchases -u TEST:TEST -d'
{
"card_holder": "Jim Smith",
"card_number": "5123456789012346",
"card_expiry": "05/2023",
"cvv": "987",
"amount": 1000,
"reference": "fd792da68ea1b8a1ba791zzzfc6f73b4",
"customer_ip": "111.222.111.123",
"currency": "USD",
"fraud": {
"device_id": "04003h...truncated...y16eGlPDmAXrXEYZfU=",
"device": {
"uid": "625400941054585",
"os_type": "android",
"app_version": "2.1",
"brand": "Samsung",
"model": "Galaxy 3"
},
"customer": {
"address_1": "23 Smith Road",
"city": "Canberra",
"country": "AUS",
"created_at": "2014-05-28T21:38:51+11:00",
"date_of_birth": "1994-05-28",
"email": "deny@email.com",
"existing_customer": true,
"first_name": "James",
"home_phone": "0421858999",
"id": "ABD123",
"last_name": "Smith",
"post_code": "2600"
},
"items": [
{
"cost": 23.3,
"description": "Widgets",
"line_total": 23.3,
"product_code": "9999-A",
"qty": 1,
"sku": "9999"
}
],
"recipients": [
{
"address_1": "1 Fairfield Road",
"city": "Austin",
"country": "USA",
"email": "james@smith.com",
"first_name": "James",
"last_name": "Smith",
"phone_number": "555-555-55555",
"post_code": "55555-1234",
"state": "TX"
}
],
"shipping_address": {
"first_name": "James",
"last_name": "Smith",
"email": "deny@email.com",
"home_phone": "0421858999",
"address_1": "23 Smith Road",
"city": "Canberra",
"country": "AUS",
"state": "NSW",
"post_code": "2600",
"shipping_method": "express"
},
"custom": {
"3": "Facebook"
},
"website": "http://www.website.com"
}
}'Response
{
"successful": true,
"response": {
"authorization": "0",
"id": "071-P-RHN5DC15",
"card_number": "512345XXXXXX2346",
"card_holder": "Jim Smith",
"card_expiry": "2023-05-31",
"card_token": "pfjeiyx4fk0uko3ev4kd",
"card_type": "MasterCard",
"card_category": "Credit",
"card_subcategory": "Standard",
"amount": 1000,
"decimal_amount": 10.0,
"successful": false,
"message": "Declined.",
"reference": "Ud5CfaAlwTKJi2kfsAesdAwvIk2fpJjP",
"currency": "USD",
"transaction_id": "071-P-RHN5DC15",
"settlement_date": null,
"transaction_date": "2018-10-09T14:01:06+11:00",
"response_code": "01",
"captured": false,
"captured_amount": null,
"rrn": "0",
"cvv_match": "U",
"metadata": {},
"addendum_data": {},
"fraud_result": "Deny",
"fraud_messages": [
"An attribute associated with an Order matched a pre-configured 'Always Deny' rule."
]
},
"errors": [],
"test": true
}