Payment API


Payment Facilitator

Guardian Cybershield®

ProPay recognizes that there is an ever present risk of fraudulent transactions in the ecommerce payments space. We have partnered with an industry leader in cybercrime prevention to offer our partners a solution to this dilemma. ProPay's CyberShield solution utilizes the ThreatMetrix® best in class technology to help prevent a fraudulent transaction from being accepted.

CyberShield differentiates legitimate customers from potential fraudsters by leveraging the rich data and analytics in the ThreatMetrix Global Trust Intelligence Network (The Network). This is the largest trusted identity network of shared intelligence, providing insight into positive and negative behavior and threat intelligence for both online personas and devices using trust-based authentication. The Network monitors more than 500 million monthly transactions and protects more than 160 million active user accounts, 2,500 customers, and 10,000 websites. Simply put, there is no other provider who monitors and reviews as many devices and transactions as ThreatMetrix. That history and behavioral analysis is something each merchant can benefit from.

This solution offers a non-intrusive way for merchants to screen website customers making card-not-present transactions, and acts as an advanced fraud prevention tool providing very effective real-time payment decisioning information. Using historical data and customizable rules engines, merchants have the ability to flag or reject high risk and fraudulent transactions without having to worry about rejecting good sales. Rules can be created to fit a merchant's unique business model and customer base, even including the data elements used to identify negative behavior.

Setting Up ThreatMetrix

  1. Step 1 – Set up ThreatMetrix

    Before you can begin integration to the ThreatMetrix product, you will need to work with ProPay's Risk team to obtain a ThreatMetrix account. (ProPay will provide you with the following):
    • a username
    • a password
    • an Organization ID (see below)
    • an API key
    Once you have obtained this information, you should log in to the ThreatMetrix website and set up the risk profile that dictates which transactions will be considered fraudulent. During your initial integration, you would be well served by defining these rules very simply and with something that you can "force" via a value you will ultimately send.
  2. Step 2 – Generate a unique Session ID and include ThreatMetrix code on your website

    The ThreatMetrix website hosts the download of an invisible iFrame that you will need to place on your website. The code you download is specifically built for you and you should execute it on one of the first pages a shopper will see. Most of this html is a static value that you will get from ThreatMetrix, but you do need to change a portion thereof such that it includes your ThreatMetrix Organization ID and a unique session ID that your system generates. The ThreatMetrix code gathers information from the shopper's browser and associates that info with the session ID you pass to them. It is also important that you persist the Session ID that you generate through to the final checkout page upon which a cardholder will enter his or her payment information.
  3. Step 3– Understand how ThreatMetrix impacts your credit card processing flow

    As payment card data is passed to the ProPay gateway for processing, you will need to include the Session ID in addition to the data you would normally send. You might also consider passing the IP address from which the browser is accessing your website. Passing the IP will help ThreatMetrix establish patterns for you that may become useful in the future.

    Before ProPay sends your transaction through to the appropriate credit card network for processing, we will send information to ThreatMetrix. If the transaction is considered fraud, based on the rules you have established, ProPay will NOT send the transaction through for processing, and you will receive a specific <status> response defining the transaction as fraudulent from the ProPay API. Each ThreatMetrix enabled ProPay account is also configured with a ThreatMetrix timeout value. If ThreatMetrix fails to respond before the configured timeout value is expired, ProPay will continue to authorize the transaction request as if no fraud occurred. You will need to establish a working plan with ProPay's Risk department such that you can be made aware when ThreatMetrix flags a transaction as fraud after your timeout value has passed. This asynchronous paradigm is important because setting a timeout value for too long a duration could lead an increased likelihood of your website timing out waiting on ProPay's response.

When a customer visits a merchant's web-site, the customer's device is identified and profiled via the ThreatMetrix iframe embedded on the merchant's web-site.

How it works

The merchant then submits the authorization request. Merchants pass the necessary transactional information via the fraud object in our payment API. ProPay will then send the information to the ThreatMetrix network. Based upon the information gathered from all of those data points and the rules set by the merchant, the transaction can be rejected or accepted. If the transaction is rejected a message is sent back to the merchant informing them of the result, if the transaction is not rejected, it will continue on to authorization.