Menu

FraudSight (Hosted)

Unparalleled data insights, industry leading technology, and fraud expertise combine to predict and prevent fraud.

Here you will find everything you need to get started with FraudSight - Hosted Payment Pages.

Before you start

  • Talk to your Worldpay Relationship Manager or our Customer Support Team to confirm your requirements
  • Confirm that your account has been enabled for FraudSight by Worldpay

Integration overview

There is no integration required for FraudSight with HPP. The Hosted Payment Pages collect the generic data used by FraudSight.

You have the option to supply additional shopper data in your payment request. This data contributes to the decision of authorising or refusing a payment in real time.

If you already use our Risk Management Module (RMM) you receive the <riskScore> element in your order notifications. The content of this element changes specifically to FraudSight. This is an optional <FraudSight> response element that returns the model reason codes. SeePayment responsesfor details.

FraudSight risk checks

FraudSight risk checks can be completed either before authentication/authorisation, or after authorisation.

  • FraudSight <beforeAuthorisation> risk check, without any other Worldpay Protect products:

FraudSight without DDC

  • FraudSight <beforeAuthorisation> risk check, with other Worldpay Protect products:

FraudSight with other products - before Authorisation

  1. You submit your payment request, including anyadditional data.
  2. The shopper lands on the Hosted Payment Page and theWorldpay Device JavaScript Collector (JSC)collects shopper device data. If you're using Worldpay's 3DS Flex, Device Data Collection (DDC) for 3DS authentication is also performed.
  3. The payment request is submitted to the WPG.
  4. This example includes Worldpay's Exemption Engine, and an exemption decision is made.
  5. Where exemption does not apply, 3DS authentication is performed.
  6. The FraudSight Risk Check is performed.
  7. If the risk is low, payment is sent for authorisation. See theFraudSight response tablefor a list of responses and what they mean.
  8. The shopper receives a response and you receive anorder notification.
  • FraudSight <afterAuthorisation> risk check, without other Worldpay Protect products:

FraudSight without other products - after authorisation

  • FraudSight <afterAuthorisation> risk check, with other Worldpay Protect products:

FraudSight with other products - after authorisation

  1. You submit your payment request, including anyadditional data.
  2. The shopper lands on the Hosted Payment Page and theWorldpay Device JavaScript Collector (JSC)collects shopper device data. If you're using Worldpay's 3DS Flex, Device Data Collection (DDC) for 3DS authentication is also performed.
  3. The payment request is submitted to the WPG.
  4. This example includes Worldpay's Exemption Engine, and an exemption decision is made.
  5. Where exemption does not apply, 3DS authentication is performed.
  6. Payment is sent for authorisation.
  7. If payment is authorised, the FraudSight Risk Check is performed. See theFraudSight response tablefor a list of responses and what they mean.
  8. The shopper receives a response and you receive anorder notification.
  • FraudSight <beforeAuthentication> risk check, with 3DS Flex:

FraudSight with Flex - before Authentication

  • FraudSight <beforeAuthentication> risk check, with 3DS Flex and Exemption Engine:

FraudSight with Flex and EE - before Authentication

  1. You submit your payment request, including anyadditional data.
  2. The shopper lands on the Hosted Payment Page and theWorldpay Device JavaScript Collector (JSC)collects shopper device data. If you're using Worldpay's 3DS Flex, Device Data Collection (DDC) for 3DS authentication is also performed.
  3. The payment request is submitted to the WPG.
  4. FraudSight Risk check is performed. See theFraudSight response tablefor a list of responses and what they mean.
  5. This example includes Worldpay's Exemption Engine, and an exemption decision is made.
  6. Where exemption does not apply, 3DS authentication is performed.
  7. Payment is sent for authorisation.
  8. The shopper receives a response and you receive anorder notification.

Worldpay Device JavaScript Collector (JSC)

Worldpay provide the Device JavaScript Collector within HPP. There's no requirement for integration.

The JSC collects shopper device data for device fingerprinting and IP geo-location insights. Use this data to create a more accurate internal review process and logic that contributes to the decision of authorising or refusing a payment in real time.

Note: Worldpay Device JSC is supported on beforeAuthorisation and afterAuthorisation risk checks. Support on beforeAuthentication risk check is coming soon.

Payment requests

The following examples cover both a standard payment request and payment requests with additional data.

Standard payment request

When you submit thestandard HPP payment requestour Hosted Payment Pages collect the generic data required by FraudSight.

Payment request with additional data

Within the element <FraudSightData> you can provide additional data. Use this data to create a more accurate internal review process and logic. This will contribute to the decision of authorising or refusing a payment in real time.

Copied!
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE paymentService PUBLIC "-//WorldPay//DTD WorldPay PaymentService v1//EN" "http://dtd.worldpay.com/paymentService_v1.dtd">
<paymentService version="1.4" merchantCode="YOUR_MERCHANT_CODE">
  <submit>
    <order orderCode="YOUR_ORDER_CODE" installationId="1015284">
      <description>test order</description>
      <amount value="100" currencyCode="GBP" exponent="2"/>
      <orderContent>
        <![CDATA[]]>
      </orderContent>
      <paymentMethodMask>
        <include code="ALL"/>
      </paymentMethodMask>
      <shopper>
        <shopperEmailAddress>a.shopper@worldpay.com(opens in new tab)</shopperEmailAddress(opens in new tab)>
      </shopper>
      <shippingAddress>
        <address>
          <firstName>A</firstName>
          <lastName>Shopper</lastName>
          <street>The Science Park</street>
          <houseNumber>270</houseNumber>
          <postalCode>CB4 0WE</postalCode>
          <city>Cambridge</city>
          <countryCode>GB</countryCode>
        </address>
      </shippingAddress>
      <FraudSightData>
        <customStringFields>
          <customStringField1>nextDayShipping1</customStringField1>
          <customStringField2>nextDayShipping2</customStringField2>
          <customStringField3>nextDayShipping3</customStringField3>
          <customStringField4>nextDayShipping4</customStringField4>
          <customStringField5>nextDayShipping5</customStringField5>
          <customStringField6>nextDayShipping6</customStringField6>
          <customStringField7>nextDayShipping7</customStringField7>
          <customStringField8>nextDayShipping8</customStringField8>
          <customStringField9>nextDayShipping9</customStringField9>
          <customStringField10>nextDayShipping10</customStringField10>
        </customStringFields>
        <customNumericFields>
          <customNumericField1>111</customNumericField1>
          <customNumericField2>111</customNumericField2>
          <customNumericField3>111</customNumericField3>
          <customNumericField4>111</customNumericField4>
          <customNumericField5>111</customNumericField5>
          <customNumericField6>111</customNumericField6>
          <customNumericField7>111</customNumericField7>
          <customNumericField8>111</customNumericField8>
          <customNumericField9>111</customNumericField9>
          <customNumericField10>111</customNumericField10>
        </customNumericFields>
        <shopperFields>
          <shopperName>shopperName</shopperName>
          <shopperId>shopperId</shopperId>
          <birthDate>
            <date dayOfMonth="01" month="06" year="2000"/>
          </birthDate>
          <shopperAddress>
            <address>
              <firstName>John</firstName>
              <lastName>Smith</lastName>
              <address1>Worldpay</address1>
              <address2>270-289 The Science Park</address2>
              <address3>Milton Road</address3>
              <postalCode>CB4 0WE</postalCode>
              <city>Cambridge</city>
              <countryCode>GB</countryCode>
              <telephoneNumber>1564645646465465</telephoneNumber>
            </address>
          </shopperAddress>
        </shopperFields>
      </FraudSightData>
    </order>
  </submit>
</paymentService>

Additional data

Additional data elements and attributes you can add to your request within <FraudSightData>.

Best practice: Be consistent when you assign values to your custom fields to avoid a mismatch of data for your payments.

ElementChild elementAttributeDescription
<customStringFields>
<customStringField1>Add one to ten lines of customStringFields and provide additional data to support your request.

Format: alpha numeric and special characters.

Max length: 255 characters
<customNumericField>
<customNumericField1>Add one to ten lines of customNumericFields and provide additional data to support your request

Format: numeric characters only.

Max length: 255 characters
<shopperFields>
<shopperName>The shopper's name
<shopperId>Your ID for your shopper
<birthDate>The shopper's birthdate
<date dayOfMonth="xx" month="xx" year="xxxx"/>The shopper's date of birth
<shopperAddress>The address of the shopper on your system.

When you use this element the following child elements must be used:
  • <address1>
  • <city>
<firstName>The first name of the shopper on your system.

Format: alpha numeric and special characters
<lastName>The last name of the shopper on your system.

Format: alpha numeric and special characters
<houseNumber>The shopper's house number for their given address

Format: numeric characters
<houseNumberExtension>For example: Flat A.

Format: alpha numeric and special characters
<address1>The first line of the shopper's address.

Format: alpha numeric and special characters
<address2>The second line of the shopper's address.

Format: alpha numeric and special characters
<address3>The third line of the shopper's address.

Format: alpha numeric and special characters
<postalCode>The shopper's post code.

Format: alpha numeric and special characters
<city>The shopper's city.

Format: alpha numeric and special characters
<countryCode>The shopper's country.

Format: ISO-3166 country code
<telephoneNumber>The shopper's telephone number.

Format: alpha numeric and special characters

Order notifications

Order notifications with FraudSight

If you use order notifications, we can notify you of the FraudSight response.
The notification includes both a <riskScore> and <FraudSight> element. These are optional but you need <riskScore> enabled to receive the <FraudSight> data.
Where a FraudSight response is not available, we still return the <riskScore> from our Risk Management Module (RMM). Ask your Worldpay Relationship Manager or Support Team member to enable them on your account.

Response table for FraudSight

ElementChild elementAttributeDescription
<FraudSight>scoreThe score returned by the FraudSight model
idThe unique identifier generated for the payment event
messageFraudSight risk decision. Values:
  • low-risk
  • review
  • high-risk
  • authenticate
  • review, authenticate
<reasonCodes>Risk reasons triggered by the FraudSight model. Values:
  • Recent unexpected card activity
  • Card unfamiliarity
  • Card type often linked to fraud
  • Unusual transaction for merchant
  • Irregularities in cardholder-entered information
  • High risk email
  • Unusual behaviour for card
  • FRAUD SUSPICION (returned by Risk Management Module only if used as a secondary risk management tool)
<riskScore>providerDescribes the fraud product that assessed the payment. Values:
  • FraudSight
  • Risk Management Module
finalScoreThe score returned by the Risk Management Module
idThe unique identifier generated for the payment event
messageFraudSight risk decision. Values:
  • low-risk
  • review
  • high-risk
  • authenticate
  • review, authenticate

FraudSight decisions and payment flows

beforeAuthentication risk check

MessageRisk check decision
message = 'authenticate' or 'review, authenticate' in the <riskScore> or <FraudSight> element of the xml response.The payment is sent for authentication* based on a set threshold.
message = 'low-risk' or 'review' in the <riskScore> or <FraudSight> element of the xml response.Authentication is skipped when the risk is perceived as low.
message = 'high-risk'The payment is refused when the risk score is perceived as high.

*For eCom payments with 3DS

beforeAuthentication risk check with Exemption Engine

MessageRisk check decision
EE response is result = REJECTED reason=HIGH_RISK and message = 'high-risk' in the <riskScore> or <FraudSight> element of the XML response.The payment is refused before an exemption is applied.
EE response is result=REJECTED reason=FRAUDSIGHT_OVERRIDE and message = 'authenticate' or 'review, authenticate' in the <riskScore> or <FraudSight> element of the XML response.The exemption decision is overridden and authentication enforced*.
message = low-risk or message = review in the <riskScore> or <FraudSight> element of the XML response.FraudSight determines the risk is low and the exemption decision is followed.

*Participation in 3DS is required

beforeAuthentication risk check with dynamic 3DS override

Risk check decisions:

  • When the FraudSight decision is authenticate or review, authenticate and you have dynamic 3DS override set to no3DS, authentication is skipped
  • When the FraudSight decision is low-risk or review and you have dynamic 3DS override set to do3DS, authentication is enforced

beforeAuthorisation risk check

MessageRisk check decision
message = 'high-risk' in the <riskScore> or <FraudSight> element of the XML response.The payment is refused when the risk is high.
message = 'low-risk' or message = 'review' in the <riskScore> or <FraudSight> element of the XML response.The payment is sent for authorisation when the risk is perceived as low, or requires a review.

afterAuthorisation risk check

MessageRisk check decision
message = 'high-risk' in the <riskScore> or <FraudSight> element of the XML response.High-risk: authorisation is cancelled.
message = 'low-risk' or message = 'review' in the <riskScore> or <FraudSight> element of the XML response.When the risk is perceived as low the authorised payment is complete.
None.Card issuer and scheme refused payments are skipped from the afterAuthorisation risk check.

FraudSight response examples

Order notifications with RMM

When FraudSight is unavailable we fallback to our Risk Management Module (RMM).

RMM is included with FraudSight. RMM returns a <riskScore>.

When FraudSight is unavailable at the point of the beforeAuthentication or beforeAuthorisation risk check, the payment falls back to RMM pre and post authorisation risk checks.

When FraudSight is unavailable at the point of the afterAuthorisation risk check, the payment falls back to RMM post-authorisation checks only.

Note: Returning the <riskScore> is optional.
Ask your Worldpay Relationship Manager or Support Team member to enable this on your account.

Response table for RMM

ElementAttributeMandatory/OptionalDescription
<riskScore>OptionalEnabled by default for RMM. <riskScore> is optional for both your RMM and FraudSight response
providerThe risk management tool providing the response
finalScoreThe final score assigned to this transaction by RMM

RMM response examples

Testing

To test your setup, use ourtest environmentas a reference. FraudSight has its ownmagic values. If you're using additional data, use the reference table below.

Payment request reference table

If you make an error in formatting your request you'll receive one of the following responses.

Custom field/Shopper fieldFieldCharacters supportedCould be empty?XML response error codes
Custom field<customStringField1>alpha-numeric and special charactersNo<error code="5"><![CDATA[The tag 'customStringField1' cannot be empty]]></error>
Custom field<customNumericField2>Numeric charactersNo<error code="5"><![CDATA[The tag 'customNumericField2' isn't a valid number]]></error>

<error code="5"><![CDATA[The tag 'customNumericField2' cannot be empty]]></error>
Shopper field<shopperName>alpha-numeric and special charactersNo<error code="5"><![CDATA[The tag 'shopperName' cannot be empty]]></error>
Shopper field<shopperId>alpha-numeric and special charactersNo<error code="5"><![CDATA[The tag 'shopperId' cannot be empty]]></error>
Shopper field<birthDate>should follow the format:
<date dayOfMonth="02" month="06" year="2000">
No<error code="2"><![CDATA[Invalid day : 32]]></error>

<error code="2"><![CDATA[Invalid month : 13]]></error>

<error code="2"><![CDATA[Numeric value expected for year. Actually received: abc2]]></error>
Shopper field - <shopperAddress><firstName>alpha-numeric and special charactersYes
Shopper field - <shopperAddress><lastName>alpha-numeric and special charactersYes
Shopper field – <shopperAddress> (address 1 format)<address1>alpha-numeric and special charactersNo<error code="5"><![CDATA[Invalid address: Address 1/Street is required.]]></error>

<error code="5"><![CDATA[Invalid address: Address 1/Street is required.]]></error>
Shopper field – <shopperAddress> (address 1 format)<address2>alpha-numeric and special charactersYes
Shopper field – <shopperAddress> (address 1 format)<address3>alpha-numeric and special charactersYes
Shopper field – <shopperAddress><postalCode>alpha-numeric and special charactersYes
Shopper field – <shopperAddress><city>alpha-numeric and special charactersNo<error code="5"><![CDATA[Invalid address: City is required]]></error>
Shopper field – <shopperAddress><state>alpha-numeric and special charactersYes
Shopper field – <shopperAddress><telephoneNumber>alpha-numeric and special charactersYes
Shopper field – <shopperAddress><countryCode>Should be a valid ISO-3166 country codeNo<error code="5"><![CDATA[Invalid address: Country code "GBA" is not a valid ISO-3166 country code. ]]></error>

<error code="5"><![CDATA[Invalid address: Country code is null or blank. ]]></error>
Shopper field – <shopperAddress> (address 2 format)<street>alpha-numeric and special charactersNo<error code="5"><![CDATA[Invalid address: Address 1/Street is required.]]></error>
Shopper field – <shopperAddress> (address 2 format)<houseName>alpha-numeric and special charactersYes
Shopper field – <shopperAddress> (address 2 format)<houseNumber>numeric charactersNo<error code="5"><![CDATA[Expecting a numeric value for: houseNumber]]></error>

<error code="5"><![CDATA[Expecting a numeric value for: houseNumber]]></error>
Shopper field – <shopperAddress> (address 2 format)<houseNumberExtension>alpha-numeric and special charactersYes

Payment response magic values

Use the magic values listed below and ourtest card numbersto test the FraudSight response in order notifications.

Magic values

Insert the below values in <address1> of <billingAddress> to simulate the FraudSight risk decision described in the message field:

Magic ValueMessageFraudSight scorePayment status
LOW-RISKlow-risk0.0AUTHORISED
REVIEWreview0.0AUTHORISED
HIGH-RISKhigh-risk1.0REFUSED
Any other valuelow-risk0.0AUTHORISED

Add the below values in <address3> of <billingAddress> to simulate the reason codes. Enter magic values separated by a comma to simulate a list of reason codes returned by FraudSight:

Magic valueReason
RC1Unusual behaviour for card
RC2Unusual transaction for merchant
RC3Recent unexpected card activity
RC4Card unfamiliarity
RC5Card type often linked to fraud
RC6Irregularities in cardholder-entered information
RC7High risk email
Any other valueSUSPECTED FRAUD

Going Live

Before you go live with FraudSight, check the following:

  • You’re aware when the FraudSight Risk Check will trigger and what happens if FraudSight is unavailable
  • You’re sending through the recommended data points
  • You’ve requested the response format from Worldpay that you require
  • You’ve configured your fallback to RMM (if required)