Sei sulla pagina 1di 107

CyberSource Decision Manager

Developer Guide
Using the SCMP API

May 2013

CyberSource Corporation HQ | P.O. Box 8999 | San Francisco, CA 94128-8999 | Phone: 800-530-9095
CyberSource Contact Information
For general information about our company, products, and services, go to
http://www.cybersource.com.

For sales questions about any CyberSource Service, email sales@cybersource.com or


call 650-432-7350 or 888-330-2300 (toll free in the United States).

For support information about any CyberSource Service, visit the Support Center at
http://www.cybersource.com/support.

Copyright
© 2013 CyberSource Corporation. All rights reserved. CyberSource Corporation ("CyberSource") furnishes this
document and the software described in this document under the applicable agreement between the reader of
this document ("You") and CyberSource ("Agreement"). You may use this document and/or software only in
accordance with the terms of the Agreement. Except as expressly set forth in the Agreement, the information
contained in this document is subject to change without notice and therefore should not be interpreted in any way
as a guarantee or warranty by CyberSource. CyberSource assumes no responsibility or liability for any errors
that may appear in this document. The copyrighted software that accompanies this document is licensed to You
for use only in strict accordance with the Agreement. You should read the Agreement carefully before using the
software. Except as permitted by the Agreement, You may not reproduce any part of this document, store this
document in a retrieval system, or transmit this document, in any form or by any means, electronic, mechanical,
recording, or otherwise, without the prior written consent of CyberSource.

Restricted Rights Legends


For Government or defense agencies. Use, duplication, or disclosure by the Government or defense agencies
is subject to restrictions as set forth the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and in similar clauses in the FAR and NASA FAR Supplement.
For civilian agencies. Use, reproduction, or disclosure is subject to restrictions set forth in subparagraphs (a)
through (d) of the Commercial Computer Software Restricted Rights clause at 52.227-19 and the limitations set
forth in CyberSource Corporation's standard commercial agreement for this software. Unpublished rights
reserved under the copyright laws of the United States.

Trademarks
CyberSource, The Power of Payment, CyberSource Payment Manager, CyberSource Risk Manager,
CyberSource Decision Manager, CyberSource Connect, Authorize.Net, and ECheck.net are trademarks and/or
service marks of CyberSource Corporation. All other brands and product names are trademarks or registered
trademarks of their respective owners.

2
CONTENTS
Contents

Recent Revisions to This Document 7

About This Guide 8


Audience 8
Purpose 8
Conventions 8
Related Documentation 9

Chapter 1 Introducing Decision Manager and Advanced Fraud Screen 11


Decision Manager 11
Advanced Fraud Screen 11
Service Processing Order 12

Chapter 2 Integrating Decision Manager Services 14


Score Service 14
Requesting the Score Service 14
Setting the Score Threshold 14
Adjusting the Hedge or Category Settings 15
Setting the Global Velocity Tests 15
Sending the Results of Address and Card Verification Tests 16
Scoring a Direct Debit Transaction 17
Interpreting the Reply 18
Score 18
Risk Factor Codes 18
Information Codes 19
Risk Update Service 20
Requesting the Service 21
Specifying Actions 21
Adding Customer Data to Lists 22
Interpreting the Reply 23
Negative List 23
Positive List 23

Decision Manager Developer Guide Using the SCMP API | May 2013 3
Contents

Review List 23
Positive and Negative Lists 24
Duplicate Matches 24
Fraud Update Service 25
Requesting the Service 25
Specifying Actions 25
Adding Optional Data to Your Request 26
Interpreting the Reply 26
Case Management Action Service 27
Requesting the Service 27
Specifying Actions 27
Interpreting the Reply 28

Chapter 3 Testing 29
Requirements for Testing 29
Testing the Services 30

Appendix A API Fields 31


Formatting Restrictions 31
Data Type Definitions 31
Request-Level Fields 32
Offer-Level Fields 47
Reply Fields 51

Appendix B Reply Flags 58

Appendix C Mapping of Order Elements to API Fields 60

Appendix D Decision Manager Use Cases 64


Requesting Decision Manager for all Orders 65
Requesting Decision Manager for Selected Orders 65
Processing Authorizations Outside of CyberSource 65
Processing Orders Containing Travel Data 66
Order Information 66
Request Data 66
Offer-Line Data 67
Reply Information 68

Decision Manager Developer Guide Using the SCMP API | May 2013 4
Contents

Using the Amount Fields 69


Receiving Detailed Information About Each Order 69
Using the Customer’s IP Address to Assess the Level of Risk 70
API Request 70
API Reply 71
IP Address Information 71
Routing Method Information 71
Information and Factor Reply Codes 72
Using Decision Manager to Score Direct Debit Transactions 75

Appendix E Request and Reply Examples 76


Decision Manager 76
Card Authorization 76
Travel Data 77
Score Service 78
Risk Update 79
Adding Data to a List 79
Adding Duplicate Information 80
Fraud Update 81
Mark as Suspect 81
Remove from History 81
Case Management Action 82
Request 82
Reply 82

Appendix F Information and Reply Codes 83


Address Verification Codes 83
Codes for the American Express Phoenix Gateway Only 83
Codes for the International AVS 83
Codes for the Domestic AVS 84
Card Verification Numbers 86
Risk Factor Codes 86
Information Codes 88
Address Information Codes 88
Internet Information Codes 89
Customer Lists Information Codes 90
Phone Information Codes 92
Global Velocity Information Codes 93
Suspicious Data Information Codes 94
Excessive Identity Changes 95
Product Codes 96

Decision Manager Developer Guide Using the SCMP API | May 2013 5
Contents

Appendix G Review Rates 97

Appendix H Required Bank Account Information by Country 101

Appendix I Countries Included in the European Union Risk Model 103

Index 105

Decision Manager Developer Guide Using the SCMP API | May 2013 6
REVISIONS
Chapter 3

Recent Revisions to This


Document

Release Changes
May 2013  Corrected possible values for the "decision_manager_enabled" request field.
April 2013  Added information about testing the Case Management Action service. For more information,
see the Important note in the section "Case Management Action Service," page 27 and in the
section "Testing the Services," page 30.
March 2013  Added information about new behavior for the shipping_method API field when you specify
pickup as the method. For more information, see the description of "shipping_method,"
page 46.
February 2013  Updated the link to the IATA list of airline and airport codes. For more information, see the
descriptions of the following API fields:
 "decision_manager_travel_ complete_route," page 40

 "decision_manager_travel_ leg#_dest," page 41


 "decision_manager_travel_ leg#_orig," page 41
January 2013  Added information about the new Case Management Action service. For more information,
see "Case Management Action Service," page 27.
October 2012  Added the personal ID API field: "personal_id," page 44 to support integration with the third-
party service Credilink.
 Added a note to the customer password API field description. Do not add random strings of
characters to the passwords that are used with this field. See "customer_password," page 38.
September 2012  Added information about the new support for up to 100 merchant-defined data fields. For
more information, see "merchant_defined_data1 to merchant_defined_data100," page 43.

Decision Manager Developer Guide Using the SCMP API | May 2013 7
ABOUT GUIDE
About This Guide

Audience
This guide is written for application developers who want to use the CyberSource SCMP
API to integrate Decision Manager services into their order management system.

Implementing CyberSource Decision Manager Services requires software development


skills. You must write code that uses the API request and reply fields to integrate Decision
Manager Services into your existing order management system.

Purpose
This guide describes tasks you must complete to integrate Decision Manager Services
into your existing order management system.

Conventions
The following special statements are used in this document:

A Note contains helpful suggestions or references to material not contained in


this document.
Note

An Important statement contains information essential to successfully


completing a task or learning a concept.
Important

Decision Manager Developer Guide Using the SCMP API | May 2013 8
About This Guide

The following text conventions are used in this document:

Table 1 Text Conventions

Convention Meaning
boldface  Boldface type indicates graphical user interface elements
that you must act upon.
 API field names.
italic Italic type indicates book titles, first use of special terms, or
placeholder variables for which you supply particular values.
monospace Monospace type indicates XML elements within a paragraph,
URLs, code in examples, text that appears on the screen, or
text that you enter.

Related Documentation
 Getting Started with CyberSource Advanced for the SCMP API describes how to get
started using the SCMP API:

 PDF: http://apps.cybersource.com/library/documentation/dev_guides/Getting_
Started_SCMP/Getting_Started_SCMP_API.pdf

 HTML: http://apps.cybersource.com/library/documentation/dev_guides/Getting_
Started_SCMP/html/

 Credit Card Services Using the SCMP API describes how to integrate CyberSource
payment processing services into your business:

 PDF: http://apps.cybersource.com/library/documentation/dev_guides/CC_Svcs_
SCMP_API/Credit_Cards_SCMP_API.pdf

 HTML: http://apps.cybersource.com/library/documentation/dev_guides/CC_Svcs_
SCMP_API/html/

 Payer Authentication Using the SCMP API describes how to integrate CyberSource
card authentication services with your web store, including Visa Verified by VisaSM,
MasterCard® and Maestro® SecureCode™ (UK domestic and international),
American Express SafeKeySM, and JCB J/Secure™:

 PDF: http://apps.cybersource.com/library/documentation/dev_guides/Payer_
Authentication_SCMP_API/Payer_Authentication_SCMP_API.pdf

 HTML: http://apps.cybersource.com/library/documentation/dev_guides/Payer_
Authentication_SCMP_API/html

Decision Manager Developer Guide Using the SCMP API | May 2013 9
About This Guide

 Verification Services Using the SCMP API describes how to integrate CyberSource
delivery address verification and export compliance services into your business:

 PDF: http://apps.cybersource.com/library/documentation/dev_guides/Verification_
Svcs_SCMP_API/Verification_Svcs_SCMP_API.pdf

 HTML: http://apps.cybersource.com/library/documentation/dev_guides/
Verification_Svcs_SCMP_API/html

 Reporting Developer's Guide describes how to view and configure Business Center
reports:

 PDF: http://apps.cybersource.com/library/documentation/dev_guides/Reporting_
Developers_Guide/reporting_dg.pdf

 HTML: http://apps.cybersource.com/library/documentation/dev_guides/
Reporting_Developers_Guide/html

Decision Manager Developer Guide Using the SCMP API | May 2013 10
CHAPTER
Introducing Decision
Manager and Advanced
1
Fraud Screen

Decision Manager
Decision Manager is a management tool that gives you the flexibility to control your
business practices and policies in real time and to interpret the risk and information codes
based on your business rules. With Decision Manager, you can accurately identify and
review potentially risky transactions while minimizing the rejection of valid orders. Decision
Manager supports these payment methods:
 Personal and corporate credit cards, card association check cards, and some private
label cards
 Direct debit transactions in Austria, Germany, The Netherlands, Spain, and the United
Kingdom
 Electronic checks
 PayEase China Processing services
 PayPal Express Checkout and PayPal services

Advanced Fraud Screen


CyberSource’s Advanced Fraud Screen enhanced by Visa® is a real-time fraud-detection
service that estimates the level of risk associated with each transaction and provides fraud
risk prediction scores, based on an assessment of over 100 risk factors. You can
customize the risk thresholds for each order, which enables you to tailor your business’s
fraud-prevention efforts based on your unique requirements, industry conditions, and
fraud experience. If supported by your processor, you can accept 19-digit Visa cards.

The Advanced Fraud Screen service includes electronic payment, fraud management,
and verification services. To use CyberSource services, you send a request that includes
information about your company, the customer, and the services that you want to use. You
receive a reply with information appropriate to the services you requested. You use the
reply information to interpret the results of your request.

Decision Manager Developer Guide Using the SCMP API | May 2013 11
Chapter 1 Introducing Decision Manager and Advanced Fraud Screen

Service Processing Order


Each service that you request is processed in a predetermined order. Services compatible
with Decision Manager are processed in this order:
1 Address verification service
2 Tax service
3 Export service
4 Decision Manager early processing for Velocity and Managed Customer Lists
5 PayEase China Processing
6 Payer Authentication services
7 PayPal Express Checkout Payment
8 Credit card authorization service
9 Advanced Fraud Screen (Score) service
10 Decision Manager normal processing
Order profiles and custom rules are processed at this stage.
11 Electronic check debit service
12 Direct debit service
13 PayPal button create service

To find out which services are compatible, see the developer guide for your
service(s).
Important

You must always request the Risk Update service separately.


Cookies

Decision Manager Developer Guide Using the SCMP API | May 2013 12
Chapter 1 Introducing Decision Manager and Advanced Fraud Screen

Notice to European Union Merchants


The European Union's Privacy and Electronic Communications Directive (the “Directive”) restricts
the deposit and storage of cookies on the devices of customers of online merchants operating in
the European Union.
The device fingerprint feature of CyberSource Decision Manager is one of more than two hundred
global fraud detectors and tests. This feature enables the deposit and storage on the customer's
computer of a cookie that profiles the specific attributes of the computer used in transactions. This
cookie is used to mitigate fraud.
While we cannot provide legal advice to our merchants, we can provide the following information.
The restrictions under the Directive require, among other things, that you
 provide “clear and comprehensive information” to visitors of your Web site about the storage of
cookies on their computer
 obtain the consent of visitors before depositing and storing cookies on their computer unless
certain exceptions apply.
Your compliance with applicable privacy laws depends on how you use the cookies, on what
information you disclose to customers, and on what consent you obtain from customers. Because
CyberSource has no direct connection to your customers, you are responsible for ensuring that
cookies are used properly to perform the requested CyberSource services. CyberSource believes
that the safest course of action is for you to clearly and conspicuously disclose the use of cookies
to your customers and to obtain their consent before placing cookies on their devices. If you
operate in Europe and use the device fingerprint, you should consult your legal counsel and other
advisors to find out how to comply with the requirements of the Directive and whether an exception
might be available for you. CyberSource cannot take any position on the storage of cookies on the
devices of customers for purposes other than to provide CyberSource services. When used
without the device fingerprint, Decision Manager does not store cookies.

Decision Manager Developer Guide Using the SCMP API | May 2013 13
CHAPTER
Integrating Decision
Manager Services
2

For request and reply examples, see Appendix E, "Request and Reply Examples," on
page 76.

Score Service
When requesting the score service, send only valid and well-formed data in all
fields, especially in the card account number, and billing, email, and IP address
Important fields. For more information, see Appendix A, "API Fields," on page 31.

Requesting the Score Service


Use the ics_score application to access the service. Send as many optional fields as
possible because the additional information provides more accurate risk assessments.

When requesting the Advanced Fraud Screen, do not request any of the following
services or features:

 Risk update (ics_risk_update)


 Authorization (ics_auth) using Bill Me Later
 Authorization reversal (ics_auth_reversal)
 Credit (ics_credit) using Bill Me Later
 Electronic check debit (ics_ecp_debit)
 Electronic check credit (ics_ecp_credit)

For more information about ics_auth, ics_auth_reversal, ics_credit, ics_ecp_debit,


ics_ecp_credit, and Bill Me Later, see Credit Card Services Using the SCMP API.

Setting the Score Threshold


To set the score threshold for the order, use the offer-level field score_threshold. The
default value is 50.

Decision Manager Developer Guide Using the SCMP API | May 2013 14
Chapter 2 Integrating Decision Manager Services

Adjusting the Hedge or Category Settings


Use these offer-level fields to adjust the hedge and category settings:

 score_host_hedge
 score_nonsensical_hedge
 score_obscenities_hedge
 score_phone_hedge
 score_time_hedge
 score_velocity_hedge
 score_category_gift

Setting the Global Velocity Tests


Use these request-level fields to check the specific parameters that you choose to test:

 customer_cc_number
 customer_email
 ship_to_address1
 ship_to_address2
 ship_to_city
 ship_to_country
 ship_to_state
 ship_to_zip

The ship_to_firstname and ship_to_lastname fields are not used in these


tests.
Note

Example Searching for a Repeated Shipping Address


ics_applications=ics_score
ship_to_address1=345 Southland Mall
ship_to_city=Hayward
ship_to_country=US
ship_to_state=CA
ship_to_zip=94545

For more information about Global Velocity, see the Decision Manager User Guide (PDF |
HTML).

Decision Manager Developer Guide Using the SCMP API | May 2013 15
Chapter 2 Integrating Decision Manager Services

Sending the Results of Address and Card Verification


Tests
If you do not use CyberSource for authorization, add the address and card verification
results returned by your authorization provider to the Advanced Fraud Screen request
using the following fields:

Table 2 API Fields for Address and Card Verification Results

For … Use this API field …


Address Verification avs
Card Verification cv_result
Provide the CVN information returned by your authorization service as follows:
 If you received a value that corresponds to any of the card verification rules in the
order profile (I, N, S, U, or 3), send this value so that CyberSource can process the
card verification rules and the order according to your profile settings (ignore, review,
or reject).
 If you received another value, the card verification rules in the profile cannot be run. In
this case, we run only the services that you request, such as score.
 Sending other data, such as a programming error, might cause CyberSource to
process another authorization. If there is a conflict between your card verification
result data and the CyberSource authorization result, the authorization overwrites
your card verification result data. In this case, the rules in the profile are run according
to the CyberSource authorization result data.

Decision Manager uses these results to evaluate orders when you add the values to your
request.

Decision Manager Developer Guide Using the SCMP API | May 2013 16
Chapter 2 Integrating Decision Manager Services

Scoring a Direct Debit Transaction


To use this option, send an ics_score request with the appropriate bank and customer
data.

Depending on the countries in which your business operates, send either the
IBAN (International Bank Account Number) or some or all of the bank fields
Important other than the IBAN. For information about which fields are required and how to
format them, see Appendix H, "Required Bank Account Information by
Country," on page 101.

Table 3 Bank Information API Fields

Bank Location/Data API Field Names


Name bank_name
Address bank_address
City bank_city
Country bank_country
Code bank_code
Branch code branch_code
SWIFT code bank_swiftcode
Check digit bank_check_digit
Customer’s Bank Data
Account name bank_account_name
Account number bank_account_number
IBAN bank_iban

Decision Manager Developer Guide Using the SCMP API | May 2013 17
Chapter 2 Integrating Decision Manager Services

Interpreting the Reply


This section describes the reply information returned by the score service after it
evaluates orders. It is recommended that you store the reply information to use for
calibrating your risk detection processes and activities.

CyberSource reserves the right to add new risk factor codes and information
codes at any time. Write your error handler so that it processes these new
Important codes without problems.

Score
The score of a transaction is sent in the score_score_result reply field. To determine
whether an order should be accepted or rejected, the score for each transaction is
compared to the score threshold that you choose for each product. If the risk score of a
product is at or below the threshold, the order is accepted. Otherwise, the order is
rejected.

Risk Factor Codes


These one-letter codes indicate which parameter contributed to the risk score. You can
receive one or more codes for each order. These codes can help you resolve issues and
process orders by enabling you to:

 Rapidly assist customers whose orders have been declined or marked for review.
 Decide how best to resolve customer inquiries.
 Identify orders that look suspicious but are actually valid.
 Create custom business rules in Decision Manager and process orders differently
based on the outcome of each rule.
If Advanced Fraud Screen rejects the transaction, you receive the reply flag DSCORE and
risk factor codes in the reply field score_factors. Multiple risk factor codes are separated
by carets. For example:

score_factors=G^H^I

For a list of risk factor codes, see "Risk Factor Codes," page 86.

Decision Manager Developer Guide Using the SCMP API | May 2013 18
Chapter 2 Integrating Decision Manager Services

Information Codes
Information codes provide specific information about problems with orders and are more
detailed than risk factor codes. For example, when a risk factor code indicates a problem
with the customer’s phone number, the information code might specify that the phone
number contains an invalid area code.

Information codes can help you resolve problems with orders, and you can use them to
adjust Advanced Fraud Screen settings. Not all problems identified by the information
codes affect the score for the order.

The following reply fields are included in the reply only when an information code is
returned. Blank reply fields are not returned.

 score_address_info
 score_hotlist_info
 score_internet_info
 score_phone_info
 score_suspicious_info
 score_velocity_info

Multiple information codes are separated by carets as shown in the following example:

score_internet_info=UNV-EMBCO^MM-IPEM

For a list of information codes, see "Information Codes," page 88.

Decision Manager Developer Guide Using the SCMP API | May 2013 19
Chapter 2 Integrating Decision Manager Services

Risk Update Service


The ics_risk_update service can add the following data to the negative, positive, and
review lists of List Manager:

 Street address or postal code:


The service attempts to normalize the address before adding it to the list. If the
address cannot be normalized, it is added as is.

 Country:
The service verifies the country with the billing and shipping addresses, email
address, IP address, and the account-issuing country.

 Email address and domain:


Email address example: jdoe@mail.example.com
Domain example: mail.example.com

 Phone number

 Account number and credit card BIN (first six digits of the credit card number)

 Bank account information (for direct debit transactions)

 IP address and IP network address:


IP address example: 10.1.27.63
IP network address example: 10.1.27

 Reason for marking the transaction and notes or comments

To see examples of requests and replies, see Appendix E, "Risk Update," on page 79.

Decision Manager Developer Guide Using the SCMP API | May 2013 20
Chapter 2 Integrating Decision Manager Services

Requesting the Service


To request the Risk Update service, use the ics_risk_update service. Do not include
other applications in your request.

Specifying Actions
The following table contains the values you can use in the action_code field. This field is
required for the Risk Update service. This table also lists the corresponding options in
Decision Manager Case Details and Transaction Details windows of the Business Center.

Table 4 Specifying action_code Field Values

List Add to … Delete from …a Convert to …


Negative Use: add_negative Use: delete_negative Use: convert_to_negative
Business Center option: Business Center option: Business Center option:
Mark as Suspect Remove from History Convert to Negative
Positive Use: add_positive Use: delete_positive —
Business Center option: Business Center option:
Mark as Trusted Remove from History
Review Use: add_review Use: delete_review Use: convert_to_review
Business Center option: Business Center option: Business Center option:
Mark for Review Remove from History Convert to Review
a. Removing from history does not delete a record. Instead, the record is no longer found when the score service
searches the database.

Decision Manager Developer Guide Using the SCMP API | May 2013 21
Chapter 2 Integrating Decision Manager Services

Adding Customer Data to Lists


When you add customer data to a list, your request must contain at least one field. All
other fields are optional.

The account number and street, email, and IP addresses are not linked. For example, if
you add an account number and an email address to a list, a transaction is added to the
list even if the order contains only the account number.

The following table lists the fields you can use to add customer data to lists. Review the
API field requirements in Appendix A, "API Fields," on page 31 before you add these fields
to your request.

Table 5 Using Customer Data Fields

Customer Data Fields to Use


Customer name record_name, customer_firstname, and customer_lastname
Payment information payment_type
 Credit card  customer_cc_number and cc_bin
 bank_account_number, bank_code, bank_country, and bank_iban
 Direct debit
Phone information customer_phone or ship_to_phone
Email information customer_email and domain
IP information customer_ipaddress and customer_ipaddress_class3
Address information: Negative or review list:
 Negative or review list  For adding to the list, use these fields: address1, address2, city, state,
country, and zip
 Positive list
 For converting to or from the lists, use the bill_ fields listed for Positive
lists.
Positive list:
 bill_address1, bill_address2, bill_city, bill_state, bill_country, and
bill_zip
Notes about transactions Negative list:
 marking_notes and marking_reason
Positive list:
 marking_notes
Request ID marking_request_id

Decision Manager Developer Guide Using the SCMP API | May 2013 22
Chapter 2 Integrating Decision Manager Services

Interpreting the Reply


The risk_update_rsmg reply field contains the result of your request. Decision Manager
users can view the additions and deletions to lists in the List Search area of the Business
Center. For a list of fields that might be present in your reply, see "Reply Fields," page 51.

Negative List
If information in your request matches information on your negative list, the following
results are returned:

 The score_factors reply field contains the risk factor code F.


 The score_score_result value is 99.
 Information codes that give more details about the risky aspects of the order. All
negative list information codes start with NEG-.
 The account number, email address, and shipping address from the request are
added to your negative list.

Positive List
If information in your request matches information in your positive list, the following results
are returned:

 The score_factors reply field contains the risk factor code E.


 Information codes that provide more details about the order: POS-TEMP or POS-PERM.

Review List
If information in your request matches information on your review list, information codes
that provide more details about the risky aspects of the order are returned. All review list
information codes start with REV-. However, the following fields are not returned:

 The score_factors reply field does not contain the risk factor code F.
 The score_score_result value is not 99.

Decision Manager Developer Guide Using the SCMP API | May 2013 23
Chapter 2 Integrating Decision Manager Services

Positive and Negative Lists


If information in your request matches information on both lists, the following results are
returned:

 The score_factors reply field includes the risk factor code E because a match with
your positive list takes precedence over a match with your negative list.

 An information code indicating that the customer information is present on both lists:
CON-POSNEG.

Duplicate Matches
If List Manager finds information that is already in either of your lists, an appropriate
message is returned in the risk_update_rmsg field, such as the following example:

Example risk_update_rmsg Message


Request was processed successfully. However, duplicates were found for
78.

Decision Manager Developer Guide Using the SCMP API | May 2013 24
Chapter 2 Integrating Decision Manager Services

Fraud Update Service


Use the ics_ifs_update service to:

 Add known fraudulent data to the fraud history.

 Remove data that was added to history in the Business Center with the Transaction
Marking Tool (the Mark as Suspect link) or by uploading chargeback files.

 Remove chargeback data from history that was automatically added. This service
might be available if you use Chase Paymentech Solutions, GPN, or CyberSource as
your payment processor. For more information about this service, contact your
CyberSource representative.

The Fraud Update and Risk Update services differ as follows:


 The Fraud Update service enables you to mark specific transactions. The data is
Important linked to a transaction. You can mark the request ID of a transaction.
 The Risk Update service enables you to manage your negative and positive lists.
The data is not linked to a transaction. You cannot mark the request ID of a
transaction.

Requesting the Service


To request the Fraud Update service, use the ics_ifs_update service. Do not include
other applications in your request.

Specifying Actions
Use the report_code field. This field can have one of the values listed in the following
table.

Table 6 Specifying report_code Field Values

report_code Values Business Center Equivalence


Value Description Option Marking reason
VT No record is deleted from history. Instead, Remove from History —
the record is no longer found when the
score service searches the database.
ST Add a suspicious transaction that has not Mark as Suspect Non-fraud chargeback
been proven to be fraudulent to the and suspected
database.
CB Adds chargebacks and creditbacks to the Mark as Suspect Fraud chargeback and
fraud history. creditback

Decision Manager Developer Guide Using the SCMP API | May 2013 25
Chapter 2 Integrating Decision Manager Services

Adding Optional Data to Your Request


In addition to adding the transaction, by default the Fraud Update service adds the card
number, email address, and shipping or billing address to the negative list. Specific order
data that you add to your request is ignored by the service. The fields listed in the
following table are optional:

Table 7 Fraud Update Service Optional Fields

Field Name Description


marking_notes and marking_reason Notes about transactions
cb_request_id Request ID

The marking reason does not affect how the transaction is marked, but it is used for
statistical studies.

Interpreting the Reply


The ifs_update_rsmg reply field indicates whether the information you want to add is
already on the lists, or whether the information you want to remove does not appear on the
lists. Decision Manager users can see the results of the addition and deletions in the
Transaction Search area of the Business Center. For a list of fields that can appear in the
reply, see "Reply Fields," page 51.

Decision Manager Developer Guide Using the SCMP API | May 2013 26
Chapter 2 Integrating Decision Manager Services

Case Management Action Service


Use the ics_cm_action service to post decisions to Decision Manager programmatically.
By using this service, you can take advantage of the Decision Manager reports available
through the Business Center while still using your own case management tools.

You can use this service to post the following types of decisions to Decision manager:

 Order accepted for processing


 Order rejected
 Order accepted and settled
 Add a note

To test the Case Management Action service in the CyberSource test


environment, you must use simulated card numbers generated by using the
Important Luhn-10 algorithm. You cannot use standard CyberSource test card numbers
because they do not generate case histories when you use them to test
transactions. To test in the production environment, you must use real card
numbers.

Requesting the Service


To request the Case Management Action Service, set the ics_applications field to ics_
cm_action as follows:

ics_applications=ics_cm_action

Do not include other applications in your request.

Specifying Actions
The following table contains the values you can use in the cm_action_code field. The
cm_action_code and the cm_request_id fields are required for the Case Management
Action service. This table also lists the corresponding options in the Decision Manager
Case Details window of the Business Center. For more information about these request
fields, see "Request-Level Fields," page 32.

Table 8 Specifying cm_action_code Field Values

Case Management
Field Value Description
Details Window Option
Indicates that an order is accepted for
ACCEPT Accept
processing.
REJECT Indicates that an order is rejected. Reject

Decision Manager Developer Guide Using the SCMP API | May 2013 27
Chapter 2 Integrating Decision Manager Services

Table 8 Specifying cm_action_code Field Values (Continued)

Case Management
Field Value Description
Details Window Option
ACCEPT_SETTLE Indicates that an order is accepted and Accept and
that the settlement or debit transaction Perform Settlement
should be sent in.
ADD_NOTE Adds a comment or note to the Add Note
transaction information.

For an example of a request, see Appendix E, "Case Management Action," on page 82.

Interpreting the Reply


The cm_action_rcode reply field indicates whether the action you specified was posted
successfully. For a list of fields that can appear in the reply, see "Reply Fields," page 51.

For an example of a reply, see Appendix E, "Case Management Action," on page 82.

Decision Manager Developer Guide Using the SCMP API | May 2013 28
CHAPTER
Testing
3

After you specify Advanced Fraud Screen settings, build test profiles from past card-not-
present orders, and send the orders to the CyberSource test server to verify the results.

Though the test server has a smaller database of transaction history than the production
server, the test server uses the same score models. As a result, scores obtained on the
test server are not increased significantly by history-related attributes such as address
changes, name changes, and global velocity.

Requirements for Testing


 Use your regular CyberSource merchant ID when you are testing your system.
 Unless otherwise specified, use test credit card numbers, not real ones. See Table 9,
page 30.
 Use a real combination for the city, state, and postal code.
 Use a real combination for the area code and telephone number.
 Use a nonexistent account and domain name for the customer’s email address. For
example: random@example.com.
 When testing the SCMP API, use the CyberSource test server ics2test.ic3.com.

Decision Manager Developer Guide Using the SCMP API | May 2013 29
Chapter 3 Testing

Testing the Services


Use the credit card numbers in the following table to test the implementation of Decision
Manager services. Do not use real credit card numbers. To test card types not listed in the
table, use an account number that is within the card’s BIN range. For best results, try each
test with a different CyberSource service request and with different test credit card
numbers.

 Remove spaces in test account numbers when sending them to CyberSource.


 To test the Case Management Action service in the CyberSource test environment,
Important you must use simulated card numbers generated by using the Luhn-10 algorithm.
You cannot use standard CyberSource test card numbers because they do not
generate case histories when you use them to test transactions. To test in the
production environment, you must use real card numbers.

Table 9 Test Credit Card Numbers

Credit Card Type Test Account Number


American Express 3782 8224 6310 005
Discover 6011 1111 1111 1117
JCB 3566 1111 1111 1113
Laser 6304 9850 2809 0561 515
Maestro (International) 5033 9619 8909 17
5868 2416 0825 5333 38
Maestro (UK Domestic) 6759 4111 0000 0008
6759 5600 4500 5727 054
5641 8211 1116 6669
MasterCard 5555 5555 5555 4444
UATP 1354 1234 5678 911
Visa 4111 1111 1111 1111

Decision Manager Developer Guide Using the SCMP API | May 2013 30
APPENDIX
API Fields
A

This appendix describes the SCMP (Simple Commerce Message Protocol) API fields that
you can use to access Decision Manager services. SCMP API is a legacy name-value pair
API that is supported for merchants who have already implemented it. If you are new to
CyberSource and want to connect to services, use the Simple Order API.

Formatting Restrictions
Unless otherwise noted, all fields are order and case insensitive and the fields accept
special characters such as @, #, and %.

Request-level and offer-level field names and values must not contain carets
(^) or colons (:). However, they can contain embedded spaces and any other
Note printable characters. If you use more than one consecutive space, the extra
spaces are removed.

Data Type Definitions


Data Type Description
Date and time The format is YYYY-MM-DDThhmmssZ. For example, 2012-08-
11T224757Z is equal to August 11, 2012, at 10:45:57 P.M. The T
separates the date and the time. The Z indicates Coordinated Universal
Time (UTC), which is also known as Greenwich Mean Time.
Decimal Number that includes a decimal point. Examples: 23.45, -0.1, 4.0,
90809.0468.
Integer Whole number {…, 03, 02, 01, 0, 1, 2, 3, …}.
Nonnegative integer Whole number greater than or equal to zero {0, 1, 2, 3, …}.
Positive integer Whole number greater than zero {1, 2, 3, …}.
String Sequence of letters, numbers, spaces, and special characters, such as
@ and #.

Decision Manager Developer Guide Using the SCMP API | May 2013 31
Appendix A API Fields

Request-Level Fields
Send only valid and well-formed data in all request fields, especially in the
following fields:
Important  Card account number field: should be a valid number for the card type. For
example, Visa cards start with 4.
 Billing address fields: should be a valid customer's billing address.
 Email address field: should be a valid customer's address.
 IP address field: should follow the proper format for the customer's IP address.

If you process orders from call centers, do not submit IP address information in
the request of those orders.

Table 10 Request-Level Fields

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
action_code Indicates whether to add to or remove a customer’s ics_risk_update String (20)
identity from the negative or positive list. This field can (R)
contain one of the following values:
 add_negative: Add information to the negative list.
 add_positive: Add information to the positive list.
 add_review: Add information to the review list.
 convert_to_negative: moves the data from the
review to the negative list.
 convert_to_review: moves the data from the
negative to the review list.
 delete_negative: Remove information from the
negative list.
 delete_positive: Remove information from the
positive list.
 delete_review: Remove information from the
review list.
address1 First line of the street address. ics_risk_update String (60)
(O)
address2 Second line of the street address. ics_risk_update String (60)
(O)
avs Value returned for address verification by the payment ics_score (O) String (3)
service ics_auth. If ics_auth and ics_score are
requested at the same time, the value is automatically
passed from ics_auth to ics_score.
For a list of possible values for this field, see "Address
Verification Codes," page 83.

Decision Manager Developer Guide Using the SCMP API | May 2013 32
Appendix A API Fields

Table 10 Request-Level Fields (Continued)

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
bank_ Name used on the bank account. You can use this field ics_score (O) String (30)
account_name only when scoring a direct debit transaction.
bank_ Customer’s bank account number. You can use this field ics_score (see String (30)
account_ only when scoring a direct debit transaction. Use this field description)
number if you do not or are not allowed to provide the IBAN.
ics_risk_update
Note Do not use the IBAN in this field. Use only the (O)
traditional account number information. For the IBAN, use
bank_iban.
For specific requirements, see "Required Bank Account
Information by Country," page 101.
bank_address Address of the customer’s bank. You may use this field ics_score (O) String (255)
only when scoring a direct debit transaction.
bank_check_ Code used to validate the customer’s account number. ics_score (see String (2)
digit Required for some countries if you do not or are not description)
allowed to provide the IBAN instead. You may use this
field only when scoring a direct debit transaction.
For specific requirements, see "Required Bank Account
Information by Country," page 101.
bank_city City where the bank is located. If you do not send this ics_score (O) String (35)
field, we assume the bank is located in bill_city. Because
some banks validate the bank account information,
consider sending this field if the bank is not located in
bill_city.
You can use this field only when scoring a direct debit
transaction.
bank_code Country-specific code used to identify the customer’s ics_score (see String (15)
bank. Required for some countries if you do not or are not description)
allowed to provide the IBAN instead. You can use this field
ics_risk_update
only when scoring a direct debit transaction. For specific
(O)
requirements, see "Required Bank Account Information
by Country," page 101.
bank_country Country where the bank is located. Use the two-character ics_score (O) String (2)
ISO codes. You can use this field only when scoring a
ics_risk_update
direct debit transaction.
(O)
bank_iban International Bank Account Number (IBAN) for the bank ics_score (see String (30)
account. For some countries you can provide this number description)
instead of the traditional bank account information. You
ics_risk_update
can use this field only when scoring a direct debit
(O)
transaction.
For specific requirements, see "Required Bank Account
Information by Country," page 101.

Decision Manager Developer Guide Using the SCMP API | May 2013 33
Appendix A API Fields

Table 10 Request-Level Fields (Continued)

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
bank_name Bank’s name. You can use this field only when scoring a ics_score (O) String (40)
direct debit transaction.
bank_ Bank’s SWIFT code. You can use this field only when ics_score (O) String (30)
swiftcode scoring a direct debit transaction. Required only for cross-
border transactions.
bill_address1 Street address of the customer as it appears in the ics_score (R) String (60)
account issuer’s records.
bill_address2 Used for additional address information, for example: ics_score (O) String (60)
Attention: Accounts Payable
bill_city City of the customer. ics_score (R) String (50)
bill_country Country of the customer. ics_score (R) String (2)
Use the two-character country codes located in the
Support Center.
bill_state State or province of the customer. Required for U.S. and ics_score (O) String (2)
Canada. Use the two-character codes located in the
ics_risk_update
Support Center.
(O)
bill_zip Postal code of the billing address. ics_score (O) String (10)
Required only if the billTo_country field is US or CA.
If the billing country is US, the numeric characters follow
these formats:
 5 characters: NNNNN
 9 characters: NNNNN-NNNN
If the billing country is CA, the six alphanumeric
characters follow this format: ANA NAN.
branch_code Code used to identify the branch of the customer’s bank. ics_score (see String (15)
Required for some countries if you do not or are not description)
allowed to provide the IBAN. Use this field only when
scoring a direct debit transaction. For specific
requirements, see "Required Bank Account Information
by Country," page 101.

Decision Manager Developer Guide Using the SCMP API | May 2013 34
Appendix A API Fields

Table 10 Request-Level Fields (Continued)

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
card_type Type of card to authorize. To see which cards can be ics_score (O) String (3)
handled by each processor, see Credit Card Services
ics_risk_update
Using the SCMP API (PDF | HTML). Omitting the card
(O)
type can cause the transaction to be processed with the
wrong card type. Therefore, CyberSource strongly ** indicates (R)
recommends that you send the card type even if it is
optional for your processor and card type.
 001: Visa
 002: MasterCard, Eurocard ** (European regional
brand of MasterCard)
 003: American Express
 004: Discover
 005: Diners Club
 006: Carte Blanche **
 007: JCB **
 014: EnRoute **
 021: JAL **
 024: Maestro (UK Domestic)**
 031: Delta **(Use this value only for the Global
Payment Service processor. For other processors, use
001.)
 033: Visa Electron **
 034: Dankort **
 035: Laser **
 036: Carte Bleue **
 037: Carta Si **
 039: Encoded account number **
 040: UATP**
 042: Maestro (International) **
 043: GE Money UK card ** (Before setting up your
system for these cards, contact the CyberSource UK
Support Group.).
 045: Style (Streamline only)
cb_request_id Request ID of the transaction that you want to mark as ics_ifs_update String (26)
suspect or remove from history. (O)
cc_bin Credit card BIN (the first six digits of the credit card). ics_risk_update Positive
(O) Integer (6)

Decision Manager Developer Guide Using the SCMP API | May 2013 35
Appendix A API Fields

Table 10 Request-Level Fields (Continued)

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
city City of the street address. ics_risk_update String (50)
(O)
Required when adding the address to a list.
cm_action_ Sets the action to post to Decision Manager. This field can ics_cm_action String (13)
code be set to one of the following actions: (R)
 ACCEPT
Indicates that an order is accepted for processing.
 REJECT
Indicates that an order is rejected.
 ACCEPT_SETTLE
Indicates that an order is accepted and that the
settlement or debit transaction should be sent in.
 ADD_NOTE
Adds a comment or note to the transaction information.
For more information, see "Case Management Action
Service," page 27.
cm_comments Comments that are added to an action or the note text ics_cm_action String (1000)
when a note is added using the ADD_NOTE action for the (O)
cm_action_code field.
cm_request_id The request ID of the transaction on which the action ics_cm_action String (26)
specified for the cm_action_code field is taken. (R)
comments Brief description of the order or any comment you wish to ics_risk_update String (255)
add to the order. (O)
ics_score (O)
country Country of the street address. ics_risk_update String (2)
(O)
Use the two-character codes located in the Support
Center. Required if address1 is present.
currency Currency used for the order. Use the ISO currency codes. ics_score (R) String (5)

Decision Manager Developer Guide Using the SCMP API | May 2013 36
Appendix A API Fields

Table 10 Request-Level Fields (Continued)

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
custom_risk_ Name of the risk model used to score your orders. Using ics_score (O) String (20)
model this API field overrides any choice made in the Business
Center. This field can contain one of the following values:
 default: U.S. model
 default_ca: Canada model
 default_eu: European Union model. For a list of
countries in this model, see "Countries Included in the
European Union Risk Model," page 103.
 default_row: All other countries

You can select the customer’s billing country as risk


model only when creating or editing a profile in the
Business Center.
If you enter no value in the request field, the risk model
specified in your configuration is used. This model is
equivalent to Default model in the Business Center
options.
To use a custom model, contact Customer Support.
customer_ Optional customer’s account ID, tracking number, reward ics_score (O) String (50)
account_id number, or other unique number that you assign to the
customer for the purpose that you choose.
customer_cc_ Two-digit month (MM) when the credit card expires. ics_score (O) String (2)
expmo Required if the card number is included.
customer_cc_ Four-digit year (YYYY) that the credit card expires in. ics_score (O) String (4)
expyr Required if the card number is included.
customer_cc_ Number of customer’s account. Non-numeric values are ics_risk_update Non-
number ignored. (O) negative
integer (20)
If supported by your processor, you can accept 19-digit ics_score (O)
Visa cards.
customer_ Whether the customer’s browser accepts cookies. This ics_score (O) String (3)
cookies_ field can contain one of the following values:
accepted
 yes: The customer’s browser accepts cookies.
 no: The customer’s browser does not accept cookies.
customer_ Customer’s email address, including the full domain ics_risk_update String (100)
email name. Use the following format: name@host.domain (O)
(for example, jdoe@example.com).
ics_score (R)
For the Risk Update service, if the email address and the
domain are sent in the request, the domain supersedes
the email address.

Decision Manager Developer Guide Using the SCMP API | May 2013 37
Appendix A API Fields

Table 10 Request-Level Fields (Continued)

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
customer_ Customer’s first name. For CyberSource applications that ics_score (R) String (60)
firstname involve credit cards, the value should be the same as the
ics_risk_update
one that appears on the card. For the negative list,
(O for negative
record_name, customer_firstname, and customer_
list)
lastname are optional.
customer_gift_ Whether the customer requested gift wrapping for this ics_score (O) String (3)
wrap purchase. This field can contain one of the following
host name
values:
 yes: The customer requested gift wrapping.
 no: The customer did not request gift wrapping.
customer_ Host name reported by the customer’s browser to your ics_score (O) String (60)
hostname Web server identified via the http header.
customer_ Customer’s IP address, such as 10.1.27.63, reported ics_risk_update String (15)
ipaddress by your Web server via socket information. (O)
ics_score (O)
customer_ Network IP address of the customer (for example, ics_risk_update String (11)
ipaddress_ 10.1.27). A network IP address includes up to 256 IP (O)
class3 addresses.
customer_ Customer’s last name as it appears on the card. For the ics_score (R) String (60)
lastname negative list, record_name, customer_firstname, and
ics_risk_update
customer_lastname are optional.
(O for negative
list)
customer_ Customer’s account password. This value is for merchant Decision String (255)
password velocity use only. It is not stored, displayed, or returned. Manager (O)
Note Do not add random strings of characters to
passwords (salting) that are used with this field because
that prevents accurate velocity tests.
customer_ Telephone number of the customer. Long distance codes ics_score (O) String (15)
phone (0 and 1) that precede phone numbers are removed
ics_risk_update
before processing. Do not use dashes, spaces, or
(O)
parentheses. Even though the score of the order is not
affected by the leading digits, they may interfere with the
creation of custom rules, which use the request data as is.
For countries other than US or CA, add the country code
at the beginning of the phone number, if possible.
Otherwise, the billing country is used to determine the
country code. If you use 192.com, do not use the country
code.

Decision Manager Developer Guide Using the SCMP API | May 2013 38
Appendix A API Fields

Table 10 Request-Level Fields (Continued)

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
cv_result Result of card verification. Returned by the authorization ics_score (O) String (1)
service in the auth_cv_result reply field. If ics_auth and
ics_score are requested at the same time, the value is
automatically passed from ics_auth to ics_score. For
more information on using this field, see "Sending the
Results of Address and Card Verification Tests," page 16.
The field contains one of the following values:
 I: Card verification number failed processor's data
validation check.
 M: Card verification number matched.
 N: Card verification number not matched.
 P: Card verification number not processed.
 S: Card verification number is on the card but was not
included in the request.
 U: Card verification is not supported by the issuing
bank.
 X: Card verification is not supported by the card
association.
 <space>: Deprecated. Ignore this value.
 1: CyberSource does not support card verification for
this processor or card type.
 2: Processor returned value unrecognized for card
verification response.
 3: Processor did not return card verification result
code.
date_of_birth Date of birth of the customer in the format: YYYY-MM-DD ics_score (O) String (10)
or YYYYMMDD.
decision_ By default, Decision Manager evaluates all orders. Use Decision String (5)
manager_ this field only if you do not want to use Decision Manager Manager (O)
enabled to evaluate all orders, for example when you send two
requests for the same order: one request for pre-
authorization and one for the entire amount. For more
information on pre-authorization, see "Decision Manager,"
page 76. This field can contain one of the following
values:
 false: do not use Decision Manager for this order.
 true: (default) use Decision Manager for this order.
decision_ By default, your default profile is the active profile, or the Decision String (30)
manager_ Profile Selector chooses the active profile. Use this field Manager (O)
profile only if you want to specify the name of a different profile.

Decision Manager Developer Guide Using the SCMP API | May 2013 39
Appendix A API Fields

Table 10 Request-Level Fields (Continued)

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
decision_ Concatenation of individual travel legs in the format ics_score (O) String (255)
manager_ ORIG1-DEST1[:ORIG2-DEST2...:ORIGn-
travel_ DESTn], for example: SFO-JFK:JFK-LHR:LHR-
complete_ CDG. For airport codes, see the IATA Airline and Airport
route Code Search.
Note In your request, send either the complete route or
the individual legs (_leg#_orig and _leg#_dest). If you
send all the fields, the value of _complete_route takes
precedence over that of the _leg# fields.
decision_ Departure date and time of the first leg of the trip. Use one ics_score (O) DateTime
manager_ of the following formats: (25)
travel_
 yyyy-MM-dd HH:mm z
departure_time
 yyyy-MM-dd hh:mm a z
 yyyy-MM-dd hh:mma z
HH = hour in 24-hour format
hh = hour in 12-hour format
a = am or pm (case insensitive)
z = time zone of the departing flight, for example: If the
airline is based in city A, but the flight departs from city
B, z is the time zone of city B at the time of departure.
Important For travel information, use GMT instead of
UTC, or use the local time zone.
Examples
2011-03-20 11:30 PM PDT
2011-03-20 11:30pm GMT
2011-03-20 11:30pm GMT-05:00
Eastern Standard Time: GMT-05:00 or EST
Note When specifying an offset from GMT, the format
must be exactly as specified in the example. Insert no
spaces between the time zone and the offset.
decision_ Type of travel, for example: one way or round trip. ics_score (O) String (32)
manager_
travel_
journey_type

Decision Manager Developer Guide Using the SCMP API | May 2013 40
Appendix A API Fields

Table 10 Request-Level Fields (Continued)

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
decision_ Airport code for the destination of the leg of the trip ics_score (O) String (3)
manager_ designated by the pound (#) symbol in the field name.
travel_ This code is usually three digits long, for example: SFO =
leg#_dest San Francisco. Do not use the colon (:) or the dash (-).
For airport codes, see the IATA Airline and Airport Code
Search.
Note In your request, send either the complete route or
the individual legs (_leg#_orig and _leg#_dest). If you
send all the fields, the complete route takes precedence
over the individual legs.
decision_ Airport code for the origin of the leg of the trip designated ics_score (O) String (3)
manager_ by the pound (#) symbol in the field name. This code is
travel_ usually three digits long, for example: SFO = San
leg#_orig Francisco. Do not use the colon (:) or the dash (-). For
airport codes, see the IATA Airline and Airport Code
Search.
Note In your request, send either the complete route or
the individual legs (_leg#_orig and _leg#_dest). If you
send all the fields, the complete route takes precedence
over the individual legs.
disable_avs Prevents the service from using the AVS (Address ics_score (O) boolean (5)
Verification Service) information. For example, you can
use this field when you process the score service before
the authorization service. This field can contain one of the
following values:
 true: Ignore AVS results
 false: Use AVS results
distributor_ Product’s identifier code. This field is inserted into the ics_score (O) String (15)
product_sku outgoing message without being parsed or formatted.
This field is included as Distributor product SKU (Offer) in
the list of API fields with which you can create custom
rules
domain Email domain of the customer. The domain of the email ics_risk_update String (100)
address comprises all characters that follow the @ symbol, (O)
such as mail.example.com.
For the Risk Update service, if the email address and the
domain are sent in the request, the domain supersedes
the email address.
grand_total_ Grand total for the order. Your request must include either ics_score (O) Decimal (15)
amount this field or the amount field in one the offer lines.
http_browser_ Email address set in the customer’s browser, which may ics_score (O) String (100)
email differ from customer_email).

Decision Manager Developer Guide Using the SCMP API | May 2013 41
Appendix A API Fields

Table 10 Request-Level Fields (Continued)

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
http_browser_ Customer’s browser as identified from the HTTP header ics_score (O) String (40)
type data. For example, Mozilla is the value that identifies
the Firefox browser.
ics_ CyberSource applications to process for the request. You ics_direct_debit String (255)
applications must specify at least one application in each request. (R)
ics_ifs_update
(R)
ics_risk_update
(R)
ics_score (R)
marking_notes Notes or details that explain the reasons for adding the ics_risk_update String (255)
transaction to either the positive or negative list. (O)
ics_ifs_update
(O)
marking_ Reason for adding the transaction to the negative list. This ics_risk_update String (25)
reason field can contain one of the following values: (O)
 fraud_chargeback: You have received a fraud- ics_ifs_update
related chargeback for the transaction. (O)
 non_fraud_chargeback: You have received a
non-fraudulent chargeback for the transaction.
 suspected: You believe that you will probably
receive a chargeback for the transaction.
 creditback: You issued a refund to the customer to
avoid a chargeback for the transaction.
marking_ Request ID of the transaction from which data was added ics_risk_update String (26)
request_id to the negative or positive list. (O)

Decision Manager Developer Guide Using the SCMP API | May 2013 42
Appendix A API Fields

Table 10 Request-Level Fields (Continued)

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
merchant_ Fields that you can use to store information. The value ics_score (O) String (255)
defined_data1 appears in the Case Management Details window in the
to merchant_ Business Center. The first four fields are the same fields
defined_ that are used by the Secure Data services. See request
data100 code examples.
Warning Merchant-defined data fields are not intended
to and must not be used to capture personally identifying
information. Accordingly, merchants are prohibited from
capturing, obtaining, and/or transmitting any personally
identifying information in or via the merchant-defined data
fields. Personally identifying information includes, but is
not limited to, address, credit card number, social security
number, driver's license number, state-issued
identification number, passport number, and card
verification numbers (CVV, CVC2, CVV2, CID, CVN). In
the event CyberSource discovers that a merchant is
capturing and/or transmitting personally identifying
information via the merchant-defined data fields, whether
or not intentionally, CyberSource will immediately
suspend the merchant's account, which will result in a
rejection of any and all transaction requests submitted by
the merchant after the point of suspension.
merchant_ Merchant description that appears on the cardholder's ics_score (O) String (22)
descriptor statement. For more information about merchant
descriptors, including all specific processors
requirements, see Credit Card Services Using the SCMP
API (PDF | HTML).
merchant_id Your CyberSource merchant ID. Use the same ics_risk_update String (30)
merchant_id for evaluation, testing, and production. (R)
ics_score (R)
merchant_ref_ Merchant-generated order reference or tracking number. ics_risk_update String (50)
number (R)
ics_score (R)
offer0...N Offers (line items of the order) for the request. At a ics_score (R) String (50)
minimum, offer0 must be present.

Decision Manager Developer Guide Using the SCMP API | May 2013 43
Appendix A API Fields

Table 10 Request-Level Fields (Continued)

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
payment_type Method of payment used for the order. This field can ics_score (O) String (10)
contain one of the following values:
 consumer (default): Customer credit card
 corporate: Corporate credit card
 debit: Debit card, such as a Maestro (UK Domestic)
card
 cod: Collect on delivery
 check: Electronic check
 p2p: Person-to-person payment
 private1: Private label credit card
 other: Other payment method
personal_id Personal identifier. This field is supported only for Decision String (26)
CyberSource Latin American Processing. You can use Manager (See
this field for the Cadastro de Pessoas Fisicas (CPF) or the the field
Cadastro Nacional da Pessoa Juridica (CNPJ), which are description.)
required to use Credilink, the third-party service for
validating order data. The CPF number is also required for
the MasterCard AVS check in some countries. Otherwise,
this field is optional.
For more information about the integration of Credilink
services with Decision Manager, see “Appendix B Third-
Party Services” in the Decision Manager User Guide (PDF
| HTML)
record_name Name of the customer’s record entered in the list. ics_risk_update String (120)
(see description)
For the positive list, it is required if action_
code=add_positive. If absent from the request,
ics_risk_update creates the value for this field by
concatenating the customer’s first and last names.
For the negative and the review lists, record_name,
customer_firstname, and customer_lastname are
optional.
report_code Indicates whether to add to or remove order data from the ics_ifs_update String (2)
fraud history. This field can contain one of the following (R)
values:
 ST: Suspicious transaction
 CB: Chargeback and creditback; same action as Mark
as Suspect link in the Business Center
 VT: Remove from history

Decision Manager Developer Guide Using the SCMP API | May 2013 44
Appendix A API Fields

Table 10 Request-Level Fields (Continued)

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
returns_ Indicates whether returns are accepted for this order. This ics_score (O) String (3)
accepted field can contain one of the following values:
 yes: Returns are accepted for this order.
 no: Returns are not accepted for this order.
ship_to_ First line of the address where the product is shipped. ics_score (O) String (60)
address1 Required if any shipping address information is included.
ship_to_ Second line of the address where the product is shipped. ics_score (O) String (60)
address2
ship_to_city City where the product is shipped. Required if any ics_score (O) String (50)
shipping address information is included.
ship_to_ Country where the product is shipped. Use the two- ics_score (O) String (2)
country character country codes located in the Support Center.
ship_to_ First name of the person receiving the shipment. ics_score (O) String (60)
firstname
ship_to_ Last name of the person receiving the shipment. ics_score (O) String (60)
lastname
ship_to_phone Phone for shipping address. For information on ics_score (O) String (15)
formatting, see "customer_phone," page 38.
ship_to_state State, province, or territory where the product is shipped. ics_score (O) String (2)
Use the two-character codes located in the Support
Center. Required if ship_to_country is CA or US.
ship_to_zip Postal code of the shipping address. ics_score (O) String (10)
Required only if the bill_zip field is US or CA.
If the shipping country is US, the numeric characters
follow these formats:
 5 characters: NNNNN
 9 characters: NNNNN-NNNN
If the shipping country is CA, the six alphanumeric
characters follow this format: ANA NAN.

Decision Manager Developer Guide Using the SCMP API | May 2013 45
Appendix A API Fields

Table 10 Request-Level Fields (Continued)

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
shipping_ Shipping method for the product. It can contain one of the ics_score (O) String (10)
method following values:
 sameday: Courier or same-day service
 oneday: Next-day or overnight service
 twoday: Two-day service
 threeday: Three-day service
 lowcost: Lowest-cost service
 pickup: Store pick-up
When this value is specified, the shipping address is
not automatically added to the negative list. To add the
shipping address to the negative list, you must explicitly
add it by using the Transaction Marking Tool. To use
the Transaction Marking Tool, see “Marking Order Data
During Order Review” in the Case Management
chapter of the Decision Manager User Guide.
 other: Other shipping method
 none: No shipping method because product is a
service or subscription
Note To use a custom value, create a Decision Manager
custom rule with the shipping method order element.
state State, province, or territory of the street address. Use the ics_risk_update String (2)
two-character codes located in the Support Center. (O)
timeout Number of seconds the system waits before returning a ics_risk_update Positive
time-out error. The default is 110 seconds. (O) integer (3)
ics_score (O)
zip Postal code of the street address. Required when adding ics_risk_update String (10)
the address to a list. (O)

Decision Manager Developer Guide Using the SCMP API | May 2013 46
Appendix A API Fields

Offer-Level Fields
Each offer submitted in a request for CyberSource services contains several fields that
describe the product that the customer ordered. At a minimum, you must provide the
amount field. To accommodate multiple products ordered by the customer in a single
purchase session, a request for CyberSource services can contain one or more offers,
referred to as offer0 through offerN.

The table below lists the offer fields. Unless otherwise noted, all of the fields listed are
order and case insensitive, and the fields accept special characters (for example, @, #,
and %). They also can contain embedded spaces and any other printable characters. If
you use more than one consecutive space, the extra spaces are removed.

Do not use carets (^) and colons (:) in offer fields. In an offer line, carets
separate name-value pairs from one another, and colons separate field names
Note from values: name:value^name:value.

Table 11 Advanced Fraud Screen and Negative List Update Offer-Level Fields

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
amount Per-item price of the product. You can include a decimal ics_risk_update Decimal
point in this field, but you cannot include any other (R) (15)
special characters. In the request, the amount is
ics_score (R)
truncated to the correct number of decimal places.
distributor_ Product’s identifier code. This field is inserted into the ics_score (O) String (15)
product_sku outgoing message without being parsed or formatted.
merchant_ Merchant’s product ics_score (O) String (255)
product_sku
passenger_ Passenger's first name. ics_score (O) String (60)
firstname
passenger_ Passenger's last name. ics_score (O) String (60)
lastname
passenger_id ID of the passenger to whom the ticket was issued. For ics_score (O) String (32)
example, you can use this field for the frequent flyer
number.
passenger_status Your company's passenger classification, such as with a ics_score (O) String (32)
frequent flyer program. In this case, you might use
values such as standard, gold, or platinum.

Decision Manager Developer Guide Using the SCMP API | May 2013 47
Appendix A API Fields

Table 11 Advanced Fraud Screen and Negative List Update Offer-Level Fields (Continued)

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
passenger_type Passenger classification associated with the price of the ics_score (O) String (32)
ticket. You can use one of the following values:
 ADT: Adult
 CNN: Child
 INF: Infant
 YTH: Youth
 STU: Student
 SCR: Senior Citizen
 MIL: Military
passenger_email Passenger's email address, including the full domain ics_score (O) String (255)
name, such as jdoe@example.com.
passenger_phone Passenger's phone number. If the order is from outside ics_score (O) String (15)
the U.S., CyberSource recommends that you include
the country code.
product_code Type of product that the offer contains, which is also ics_score (O) String (255)
used to determine the category that the product falls
under (electronic, handling, physical, service, or
shipping). For a list of possible values, see "Product
Codes," page 96.
Multiple product_code values can apply to the same
offer (for example, shipping and handling). The default
value for product_code is default.
product_name Name of the product. ics_score (O) String (255)
product_risk Indicates the level of risk for the product. This field can ics_score (O) String (6)
contain one of the following values:
 low: The product is associated with few
chargebacks.
 normal: The product is associated with a normal
number of chargebacks.
 high: The product is associated with many
chargebacks.
quantity Quantity of the product being purchased. ics_score (O) Non-
negative
integer (10)

Decision Manager Developer Guide Using the SCMP API | May 2013 48
Appendix A API Fields

Table 11 Advanced Fraud Screen and Negative List Update Offer-Level Fields (Continued)

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
score_category_ Determines whether to assign risk to the order if the ics_score (O) String (3)
gift billing and shipping addresses specify different cities,
states, or countries. This field can contain one of the
following values:
 yes: Orders are assigned only slight additional risk if
billing and shipping addresses are different.
 no (default): Orders are assigned higher additional
risk if billing and shipping addresses are different.
 off: Differences between billing and shipping
addresses do not affect the score.
score_host_ Importance of email and IP addresses of the customer ics_score (O) String (6)
hedge in scoring risk. This field can contain one of the following
values:
 Low: Lower-than-average concern with orders
coming from an unknown email or IP address.
 Normal (default): Average concern.
 High: High concern. A high proportion of orders you
receive from unknown host or email domains are
risky.
 Off: Email and IP address do not affect score.
score_ Importance in scoring risk of the weight of the multiple ics_score (O) String (6)
nonsensical_ tests performed on the text content of customers’
hedge orders. This field can contain one of the following
values:
 Low: Lower-than-average concern about the content
in customers’ orders.
 Normal (default): Average concern.
 High: High concern. A high proportion of orders that
you receive contain nonsensical input.
 Off: The content of orders does not affect the score.
score_ Importance in scoring risk of the weight of the multiple ics_score (O) String (6)
obscenities_ tests performed on the text content of customers’
hedge orders. This field can contain one of the following
values:
 Low: Lower-than-average concern about the content
in customers’ orders.
 Normal (default): Average concern.
 High: High concern. A high proportion of orders that
you receive contain obscenities.
 Off: The content of orders does not affect the score.

Decision Manager Developer Guide Using the SCMP API | May 2013 49
Appendix A API Fields

Table 11 Advanced Fraud Screen and Negative List Update Offer-Level Fields (Continued)

Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
score_phone_ Importance in scoring risk of the weight of the multiple ics_score (O) String (6)
hedge tests performed on phone numbers. This field can
contain one of the following values:
 Low: Lower-than-average concern about phone
numbers in orders.
 Normal (default): Average concern.
 High: High concern. A high proportion of orders that
you receive contain risky phone numbers.
 Off: Phone numbers do not affect the score.
score_threshold Acceptable level of risk for ordering each product. The ics_score (O) Integer (2)
value cannot be negative.
score_time_ Importance of time of day of the customer order in ics_score (O) String (6)
hedge scoring risk. This field can contain one of the following
values:
 Low: Lower-than-average concern with time of day.
 Normal (default): Average concern with time of
day.
 High: High concern with time of day.
 Off: Time of day does not affect score.
score_velocity_ Importance of the number of orders (purchase ics_score (O) String (10)
hedge frequency) from a customer in a certain time period (the
preceding 15 minutes) in scoring risk. This field can
contain one of the following values:
 Low: Low concern about global velocity.
 Normal: (default) Average concern about global
velocity.
 High: High concern about global velocity.
 Off: Global velocity does not affect the score.

Decision Manager Developer Guide Using the SCMP API | May 2013 50
Appendix A API Fields

Reply Fields
The following fields are included in the reply only when a value needs to be returned for
that field. Blank reply fields are not sent.

Table 12 Reply Fields

Data Type
Field Description Returned By
& Length
bin_country Country (two-digit country code) associated with the BIN of ics_score String (2)
the customer’s card used for the payment. Returned if the
information is available. Use this field for additional
information when reviewing orders. This information is also
displayed in the details page of the Business Center.
client_lib_ Information about the client library used to request the ics_ifs_update String (50)
version transaction.
ics_risk_
update
ics_score
cm_action_rcode When the Case Management Action service is used to ics_cm_action Integer (1)
programmatically post decisions to Decision Manager from
third-party case management tools:
One-digit code that indicates whether the entire request
was successful. The field contains one of the following
values:
 -1: An error occurred
 0: The request was declined
 1: The request was successful
For more information, see "Case Management Action
Service," page 27.
cm_action_rflag One-word description of the result of the entire Case ics_cm_action String (50)
Management Action service request. For more information,
see Appendix B, "Reply Flags," on page 58.
cm_action_rmsg Message that explains the reply flag that is returned in ics_cm_action String (255)
response to a Case Management Action service request.
Do not display this message to your customer, and do not
use this field to write an error handler.
decision Summarizes the result of the overall request. This field can Decision String (6)
contain one of the following values: Manager
 ACCEPT
 ERROR
 REJECT
 REVIEW

Decision Manager Developer Guide Using the SCMP API | May 2013 51
Appendix A API Fields

Table 12 Reply Fields (Continued)

Data Type
Field Description Returned By
& Length
decision_active_ When verbose mode is enabled: name of queue where Decision String (30)
profile_ orders that are not automatically accepted are sent. Manager
destination_
queue
decision_active_ When in verbose mode, name of the active profile chosen Decision String (30)
profile by the profile selector. If no profile selector exists, the Manager
default active profile is chosen.
decision_active_ When verbose mode is enabled: name of the profile Decision String (50)
profile_ selector rule that chooses the profile to use for the Manager
selector_rule transaction. If no profile selector exists, the value is
Default Active Profile.
decision_active_ Summarizes the result for the rule specified by the number Decision String (6)
profile_ # according to the setting that you chose in the Profile Manager
rule_#_decision Editor. This field can contain one of the following values:
 IGNORE
 REVIEW
 REJECT
 ACCEPT
decision_active_ Raw evaluation result of the rule specified by the number Decision String (1)
profile_ #. This field contains one of the following values: Manager
rule_#_
 T: The rule is true.
evaluation
 F: The rule is false.
 N: The rule cannot be evaluated because the data is
insufficient.
 E: The rule cannot be evaluated because an error
occurred.
decision_active_ Description of the rule specified by the number # as it Decision String (50)
profile_ appears in the Profile Editor. Manager
rule_#_name
decision_case_ You receive this field only if you subscribe to the Enhanced Decision Integer (1)
priority Case Management service. The priority level ranges from Manager
1 (highest) – 5 (lowest); the default value is 3. If you do not
assign a priority to your rules or to your profiles, the default
value is given to the order.
decision_early_ When early processing is enabled: One-digit code that Decision Integer (1)
rcode indicates whether the entire request was successful. The Manager
field contains one of the following values:
 -1: An error occurred
 0: The request was declined
 1: The request was successful

Decision Manager Developer Guide Using the SCMP API | May 2013 52
Appendix A API Fields

Table 12 Reply Fields (Continued)

Data Type
Field Description Returned By
& Length
decision_rcode One-digit code that indicates whether the entire request Decision Integer (1)
was successful. The field contains one of the following Manager
values:
 -1: An error occurred
 0: The request was declined
 1: The request was successful
decision_rflag One-word description of the result of the entire request. Decision String (50)
Manager
decision_rmsg Message that explains the reply flag. Do not display this Decision String (255)
message to your customer, and do not use this field to Manager
write an error handler.
decision_ List of information codes triggered by the order. These Decision String (255)
velocity_info information codes were generated when you created the Manager
order and product velocity rules and are returned so that
you can associate them with the rules.
ics_rcode One-digit code that indicates whether the entire request ics_ifs_update Integer (1)
was successful. The field contains one of the following
ics_risk_
values:
update
 -1: An error occurred ics_score
 0: The request was declined
 1: The request was successful
ics_rflag One-word description of the result of the entire request. ics_ifs_update String (50)
ics_risk_
update
ics_score
ics_rmsg Message that explains the reply flag ics_rflag. Do not ics_ifs_update String (255)
display this message to your customer, and do not use this
ics_risk_
field to write an error handler.
update
ics_score
ifs_update_rcode One-digit code that indicates whether the ics_ifs_update ics_ifs_update Integer (1)
request was successful. The field will contain one of the
following values:
 -1: An error occurred
 0: The request was declined
 1: The request was successful
ifs_update_rflag One-word description of the result of the ics_ifs_update ics_ifs_update String (50)
request.

Decision Manager Developer Guide Using the SCMP API | May 2013 53
Appendix A API Fields

Table 12 Reply Fields (Continued)

Data Type
Field Description Returned By
& Length
ifs_update_rmsg Message that explains the reply flag ifs_update_rflag. Do ics_ifs_update String (255)
not display this message to your customer, and do not use
this field to write an error handler.
merchant_ref_ Merchant-generated order reference or tracking number. ics_ifs_update String (50)
number
ics_risk_
update
ics_score
request_id Identifier for the request generated by the client. ics_ifs_update String (26)
ics_risk_
update
ics_score
request_token Identifier for the request generated by CyberSource. ics_ifs_update String (256)
ics_risk_
update
ics_score
risk_update_ One-digit code that indicates whether the ics_risk_update ics_risk_ Integer (1)
rcode request was successful. The field will contain one of the update
following values:
 -1: An error occurred
 0: The request was declined
 1: The request was successful
risk_update_rflag One-word description of the result of the ics_risk_update ics_risk_ String (50)
request. update
risk_update_ Message that explains the reply flag risk_update_rflag. ics_risk_ String (255)
rmsg Do not display this message to your customer, and do not update
use this field to write an error handler.
score_address_ Indicates a mismatch between the customer’s billing and ics_score String (255)
info shipping addresses. For a list of possible values, see
"Information Codes," page 88.
score_card_ Type of customer. This field can contain one of the ics_score String (2)
account_type following values:
 CN: (Consumer) private customer
 CP: (Corporate) business customer
score_card_ Name of the bank or entity that issued the card account. ics_score String (128)
issuer

Decision Manager Developer Guide Using the SCMP API | May 2013 54
Appendix A API Fields

Table 12 Reply Fields (Continued)

Data Type
Field Description Returned By
& Length
score_card_ Subtype of card account. This field can contain one of the ics_score String (32)
scheme following values:
 Maestro International
 Maestro UK Domestic
 MasterCard Credit
 MasterCard Debit
 Visa Credit
 Visa Debit
 Visa Electron
score_card_ Subtype of card account. This field can contain one of the ics_score String (32)
scheme following values:
 Maestro International
 Maestro UK Domestic
 MasterCard Credit
 MasterCard Debit
 Visa Credit
 Visa Debit
 Visa Electron
score_factors This field contains information that affected the score of the ics_score String (100)
order. This field will contain one or more codes, separated
by carets (^). For a list of possible values, see "Risk Factor
Codes," page 86.
score_host_ Refers to the risk associated with the customer's email ics_score Non-
severity domain. Returns a number from 0–5, where 0 represents negative
an undetermined risk and 5 represents the highest risk. integer (1)
score_hotlist_ Indicates that customer information is associated with ics_score String (255)
info transactions that are either on the negative or the positive
list. For a list of possible values, see "Information Codes,"
page 88.
score_identity_ Indicates excessive identity changes. The threshold is ics_score String (255)
info variable depending on the identity elements being
compared. This field can contain one or more information
codes, separated by carets (^). For a list of possible
values, see "Information Codes," page 88.
score_internet_ Indicates a problem with the customer’s email address, IP ics_score String (255)
info address, or billing address. For a list of possible values,
see "Information Codes," page 88.
score_ip_city Name of the city decoded from the IP address used directly ics_score String (50)
or indirectly by the customer to send the order.

Decision Manager Developer Guide Using the SCMP API | May 2013 55
Appendix A API Fields

Table 12 Reply Fields (Continued)

Data Type
Field Description Returned By
& Length
score_ip_ Name of the country decoded from the IP address used ics_score String (2)
country directly or indirectly by the customer to send the order.
score_ip_ Routing method decoded from the IP address used directly ics_score String (25)
routing_method or indirectly by the customer to send the order. Routing
method decoded from the IP address used directly or
indirectly by the customer to send the order. For a detailed
description, see "Using the Customer’s IP Address to
Assess the Level of Risk," page 70. This field can contain
one of the following values:
 Anonymizer
 AOL, AOL dial-up, AOL POP, and AOL proxy
 Cache proxy
 Fixed
 International proxy
 Mobile gateway
 POP
 Regional proxy
 Satellite
 SuperPOP
score_ip_state Name of the state decoded from the IP address used ics_score String (255)
directly or indirectly by the customer to send the order.
score_model_ Name of the score model used for the transaction. If you ics_score String (20)
used did not include a custom model in your request, this field
contains the name of CyberSource’s default model.
score_phone_ Indicates a problem with the customer’s phone number. ics_score String (255)
info For a list of possible values, see "Information Codes,"
page 88.
score_rcode One-digit code that indicates whether the ics_score ics_score Integer (1)
request was successful. The field will contain one of the
following values:
 -1: An error occurred
 0: The request was declined
 1: The request was successful
score_rflag One-word description of the result of the ics_score ics_score String (50)
request.
score_rmsg Message that explains the reply flag score_rflag. Do not ics_score String (255)
display this message to your customer, and do not use this
field to write an error handler.

Decision Manager Developer Guide Using the SCMP API | May 2013 56
Appendix A API Fields

Table 12 Reply Fields (Continued)

Data Type
Field Description Returned By
& Length
score_score_ Total score calculated for this order. The value cannot be ics_score Integer (2)
result negative.
score_ Indicates that the customer provided potentially suspicious ics_score String (255)
suspicious_info information. For a list of possible values, see "Information
Codes," page 88.
score_time_local The customer's local time (hh:mm:ss), which is ics_score Time (8)
calculated from the transaction request time and the
customer's billing address.
score_velocity_ Indicates that the customer has a high purchase frequency. ics_score String (255)
info For a list of possible values, see "Information Codes,"
page 88.

Decision Manager Developer Guide Using the SCMP API | May 2013 57
APPENDIX
Reply Flags
B

Reply flags are associated with a request or a service. The flag in the ics_rflag field is
associated with a request. The flag in the <service>_rflag field is associated with a
service.

Table 13 Reply Flags

Services
Reply Flag Description That Can Return
This Flag
DAVSNO The credit card was accepted by the bank but refused by Decision Manager
CyberSource because it did not pass the Address Verification
Service test.
DCALL The transaction is declined. To try to resolve the issue, call the Decision Manager
issuing bank or the customer.
DCARDEXPIRED CyberSource declined the request because the credit card has Decision Manager
expired. You may also receive this reason code if the expiration
date that you provided does not match the date on file at the
issuing bank. If the payment processor allows issuance of credits
to expired cards, CyberSource does not limit this functionality.
DCARDREFUSED The bank declined the transaction. This reply flag includes Decision Manager
declines due to insufficient funds, which cannot be differentiated
from other transactions at the time of authorization.
DCV The credit card was accepted by the bank but refused by Decision Manager
CyberSource because it did not pass the card verification
number check.
DINVALIDADDRESS The customer entered an invalid city, state, country, or postal Decision Manager
code.
DINVALIDCARD The account number does not pass CyberSource basic checks. ics_score

DINVALIDDATA The data provided is not consistent with the request. For ics_cm_action
example, you requested a product with negative cost.
ics_ifs_update
ics_risk_update
ics_score
DINVALIDPROD Not enough information is provided to generate the download Decision Manager
URL.

Decision Manager Developer Guide Using the SCMP API | May 2013 58
Appendix B Reply Flags

Table 13 Reply Flags (Continued)

Services
Reply Flag Description That Can Return
This Flag
DMISSINGFIELD The request is missing a required field. ics_cm_action
ics_ifs_update
ics_risk_update
ics_score
DREJECT This is the Decision Manager default reply flag for the orders that Decision Manager
you want to reject.
DNOAUTH The transaction is declined because the authorization is invalid. Decision Manager

DREVIEW This is the Decision Manager default reply flag for the orders that Decision Manager
you want to review.
DSCORE The score exceeds the threshold that you set for the profile. ics_score

ESYSTEM System error. Wait a few minutes, and try sending your request ics_cm_action
again.
ics_ifs_update
ics_risk_update
ics_score
ETIMEOUT The request timed out. ics_cm_action
ics_ifs_update
ics_risk_update
ics_score
SOK The transaction was successful. ics_cm_action
ics_ifs_update
ics_risk_update
ics_score

Decision Manager Developer Guide Using the SCMP API | May 2013 59
APPENDIX
Mapping of Order Elements
to API Fields
C

This appendix describes the order request and reply elements that you can use to create
custom rules in the Condition Editor in the Business Center. Use this information only if
you need to modify your integration.

Next to each field is the equivalent request or reply field name for the SCMP API. For
details about these fields, see Appendix A, "API Fields," on page 31 of this guide, Credit
Card Services Using the SCMP API (PDF | HTML), Payer Authentication Using the SCMP
API (PDF | HTML), and Verification Services Using the SCMP API (PDF | HTML).

Table 14 Condition Editor Order Element-to-SCMP API Field Mapping

Order Elements in the Condition Editor SCMP API Field Names


Amount (Grand Total) (external) —
Amount (Offer) amount
Amount (Subtotal) —
Authorization amount auth_auth_amount
Authorization AVS code auth_auth_avs
Authorization card verification result auth_cv_result
AVS code (external) avs
Billing city bill_city
Billing country bill_country
Billing first name customer_firstname
Billing last name customer_lastname
Billing phone number customer_phone
Billing postal code bill_zip
Billing state bill_state
Billing street address 1 bill_address1
Billing street address 2 bill_address2
Card account type score_card_account_type
Card BIN country bin_country
Card issuer score_card_issuer
Card scheme score_card_scheme

Decision Manager Developer Guide Using the SCMP API | May 2013 60
Appendix C Mapping of Order Elements to API Fields

Table 14 Condition Editor Order Element-to-SCMP API Field Mapping (Continued)

Order Elements in the Condition Editor SCMP API Field Names


China payment mode payment_mode
Company name company_name
Complete travel route decision_manager_travel_complete_route
Connection method —
Credit card expiration month customer_cc_expmo
Credit card expiration year customer_cc_expyr
Credit card number customer_cc_number
Credit card type card_type
Currency currency
Customer account ID customer_account_id
Customer password customer_password
CV result (external) cv_result
Decline AVS flags decline_avs_flags
Decoded IP city score_ip_city
Decoded IP country score_ip_country
Decoded IP routing method score_ip_routing_method
Decoded IP state score_ip_state
Denied Parties List address match 1 export_match1_address1
Denied Parties List name match 1 export_match1_name1
Disable AVS disable_avs
Distributor product SKU (Offer) distributor_product_sku
E-commerce indicator e_commerce_indicator
Email address customer_email
Export information export_info
Fraud score address information score_address_info
Fraud score customer list information score_hotlist_info
Fraud score factors score_factors
Fraud score host severity score_host_severity
Fraud score identity information score_identity_info
Fraud score Internet information score_internet_info
Fraud score phone information score_phone_info
Fraud score result score_score_result
Fraud score suspicious information score_suspicious_info
Fraud score velocity information score_velocity_info
Gift wrap customer_gift_wrap

Decision Manager Developer Guide Using the SCMP API | May 2013 61
Appendix C Mapping of Order Elements to API Fields

Table 14 Condition Editor Order Element-to-SCMP API Field Mapping (Continued)

Order Elements in the Condition Editor SCMP API Field Names


Host name customer_hostname
IP address customer_ipaddress
Journey type decision_manager_travel_journey_type
Maestro (UK Dom.) card issue number customer_cc_issue_number
Maestro (UK Dom.) card start month customer_cc_startmo
Maestro (UK Dom.) card start year customer_cc_startyr
Merchant descriptor merchant_descriptor
Merchant product SKU (Offer) merchant_product_sku
Merchant reference number merchant_ref_number
Merchant-specific velocity decision_velocity_info
Number of passengers —
PA authentication result pa_validate_pares_status
PA authentication result (raw) pa_validate_authentication_result
PA authentication e-com. indicator pa_validate_e_commerce_indicator
PA enrollment e-com. indicator pa_enroll_e_commerce_indicator
PA enrollment check result pa_enroll_veres_enrolled
Payment Type —
Product code (Offer) product_code
Product name (Offer) product_name
Product risk (Offer) product_risk
Quantity (Offer) quantity
Reason code —
Returns accepted returns_accepted
Shipping city ship_to_city
Shipping country ship_to_country
Shipping first name ship_to_firstname
Shipping last name ship_to_lastname
Shipping method shipping_method
Shipping postal code ship_to_zip
Shipping state ship_to_state
Shipping street address 1 ship_to_address1
Shipping street address 2 ship_to_address2
Sum of offer quantities —
Time to departure —
Total number of offers —

Decision Manager Developer Guide Using the SCMP API | May 2013 62
Appendix C Mapping of Order Elements to API Fields

Table 14 Condition Editor Order Element-to-SCMP API Field Mapping (Continued)

Order Elements in the Condition Editor SCMP API Field Names


Transaction date (UTC) —
Transaction day of week (UTC) —
Transaction time of day (UTC) —

Decision Manager Developer Guide Using the SCMP API | May 2013 63
APPENDIX
Decision Manager Use
Cases
D

This section describes a few API implementation use cases. Follow the use cases that
apply to your implementation:

 Merchants who use Decision Manager:


"Requesting Decision Manager for all Orders"
"Requesting Decision Manager for Selected Orders"
"Processing Authorizations Outside of CyberSource"
"Processing Orders Containing Travel Data"

 Merchants who use the authorization service:


"Using the Amount Fields"

 All merchants:
"Receiving Detailed Information About Each Order"
"Using the Customer’s IP Address to Assess the Level of Risk"

 Merchants who use the direct debit service:


"Using Decision Manager to Score Direct Debit Transactions"

Decision Manager Developer Guide Using the SCMP API | May 2013 64
Appendix D Decision Manager Use Cases

Requesting Decision Manager for all


Orders
Depending on the CyberSource services that you use, you may need to modify your
integration:
 If you use the authorization service, it is unnecessary to change your API integration.
Decision Manager evaluates all orders authorized by the bank.
 If you use the Advanced Fraud Screen and the authorization services (not $1 pre-
authorization) in the same request, it is unnecessary to change your API integration.
Decision Manager evaluates all orders in place of the Advanced Fraud Screen service
even if the request specifies the Advanced Fraud Screen service.
 If you use the authorization and Advanced Fraud Screen services in separate
requests, it is unnecessary to change your API integration. Decision Manager
evaluates all orders submitted to the Advanced Fraud Screen service.

Requesting Decision Manager for


Selected Orders
If you use CyberSource payment services for all orders, the Advanced Fraud Screen for
some orders, and criteria other than Decision Manager to screen your orders, use the API
field that enables or disables Decision Manager: decision_manager_enabled.

Processing Authorizations Outside of


CyberSource
You use Decision Manager part or all of the time, and you want Decision Manager to use
the authorization results that you obtained from a service provider other than
CyberSource.

In addition to changes that you might need to make to your integration in order to use
Decision Manager, you must add the following information that you receive from your
authorization service to your request:
 Address verification code. Use the avs field.
 Card verification result. Use the cv_result field.

Decision Manager uses these results to evaluate orders.

Decision Manager Developer Guide Using the SCMP API | May 2013 65
Appendix D Decision Manager Use Cases

Processing Orders Containing Travel


Data
You can use Decision Manager to screen orders that contain travel data. For examples of
API requests and replies, see Appendix E, "Request and Reply Examples," on page 76.

Order Information
Travel orders need to include request and item or offer fields.

Request Data
Include the basic order, customer, payment, and application fields. To process the
payment, you must also include either the grand total amount or the individual line-item
amounts in your request.

All travel fields are optional. To screen travel data, include either the complete route and/or
the individual legs of the trip. If you include both, the values for the complete route are
used. The departure time applies to the first leg of the travel. Use the following API fields.
For more information on the fields, see the complete descriptions listed in Appendix A,
"API Fields," on page 31.

 decision_manager_travel_complete_route
 decision_manager_travel_departure_time
 decision_manager_travel_journey_type
 decision_manager_travel_leg#_dest
 decision_manager_travel_leg#_orig

Example 1 Travel Request Data That Specifies a Complete Route

Complete travel route: From MSP to SFO, then from SFO to LAX
Departure time: 8 March 2014 at 8:33 A.M. Central Standard Time
Journey type: Round trip

decision_manager_travel_complete_route=MSP-SFO:SFO-LAX

decision_manager_travel_departure_time=2014-03-08 8:33 am CST

decision_manager_travel_journey_type=Round Trip

Decision Manager Developer Guide Using the SCMP API | May 2013 66
Appendix D Decision Manager Use Cases

Example 2 Travel Request Data That Specifies Individual Travel Legs

Departure time: 8 March 2014 at 8:33 A.M. Central Standard Time


Journey type: Round trip
Origin of leg 0: MSP airport
Destination of leg 0: SFO airport
Origin of leg 1: SFO airport
Destination of leg 1: LAX airport

decision_manager_travel_departure_time=2014-03-08 8:33 am CST

decision_manager_travel_journey_type=Round Trip

decision_manager_travel_leg0_orig=MSP

decision_manager_travel_leg0_dest=SFO

decision_manager_travel_leg1_orig=SFO

decision_manager_travel_leg1_dest=LAX

Offer-Line Data
You can use each offer line to contain information about one passenger, including the
amount for that passenger, or other data. Use the following API fields in your request. For
more information on the fields, see the complete descriptions included in Appendix A, "API
Fields," on page 31.

An amount is required in each item or offer line. The amount can be zero. If you
also add a product code to the offer line, additional item or offer fields might be
Note required.

 passenger_firstname
 passenger_lastname
 passenger_id
 passenger_status
 passenger_type
 passenger_email
 passenger_phone
 amount

Decision Manager Developer Guide Using the SCMP API | May 2013 67
Appendix D Decision Manager Use Cases

Example 3 Passenger First Line-item or Offer Data

First and last names: Jane Doe


Status: Reserved
ID 7586
Type: Adult
Phone number: (999) 555-1212
Email address: jdoe@example.com
Amount: 100.00

offer0=passenger_firstname:Jane^passenger_lastname:Doe^passenger_
status:Reserved^passenger_id:7586^passenger_type:ADT^passenger_
phone:9995551212^passenger_email:jdoe@example.com^amount:100.00

Example 4 Passenger Second Line-item or Offer Data

First and last names: John Doe


Status: Reserved
ID: 234
Type: Child
Phone number: (999) 555-1212
Email address: —
Amount: 50.00

offer1=passenger_firstname:Joe^passenger_lastname:Doe^passenger_
status:Reserved^passenger_id:234^passenger_type:CNN^passenger_
phone:9995551212^amount:50.00

Reply Information
You receive the basic order results, the score service results, and Decision Manager
results in the API reply. These results are also available in the case management and
transaction details windows of the Business Center. When reply information contains
travel data, the following information codes are returned if passenger data is on the
negative list:

NEG-ID Customer’s account ID


NEG-PID Passenger’s account ID
NEG-PPH Passenger’s phone number
NEG-PEM Passenger’s email address

Decision Manager Developer Guide Using the SCMP API | May 2013 68
Appendix D Decision Manager Use Cases

Using the Amount Fields


To use order amounts as screening criteria, specify the amounts that Decision Manager
uses to screen orders. The following amounts can be used:
 The authorization amount, including tax and other applicable charges, is used if it is
available.
 The sum of all offers is used if the authorization amount is not sent.

Each offer line must have an amount, which can be zero. If you send the grand total
amount by using grand_total_amount without one or more line items, a line item will be
added to the order. If you create custom rules that use the order element Amount (Offer),
which is the equivalent of a line item in Decision Manager, your custom rule will be
triggered whether or not you send an offer line in your API request. To avoid this,
CyberSource recommends that you always send a line item in your request.

Receiving Detailed Information About


Each Order
To return detailed information about all rules that were triggered by an order, use the
verbose mode in the API reply. Verbose mode returns detailed information about the
profile used and the name and decision of each rule that the order triggered. Rules that
are evaluated as true are returned with the appropriate results and field names, but rules
that are evaluated as false are not returned.

This feature applies to core and custom rules. You can use this information to analyze and
refine your profiles and to evaluate your orders by using API fields. You can see examples
in normal and verbose mode in Appendix E, "Request and Reply Examples," on page 76.

Contact Customer Support to have your account enabled to use verbose mode.

Important

To use the verbose mode, in each request that you want to evaluate in detail you send the
verbose_decision field. After your account is configured, all requests in which Decision
Manager runs return these fields in the reply in addition to the usual reply fields:

 Destination review queue:


decision_active_profile_destination_queue

 Profile selector and active profile selected:


decision_active_profile_selector_rule and decision_active_profile

 For each rule #, the decision, raw evaluation, the ID, and the name:

Decision Manager Developer Guide Using the SCMP API | May 2013 69
Appendix D Decision Manager Use Cases

decision_active_profile_rule_#_decision
decision_active_profile_rule_#_evaluation
decision_active_profile_rule_#_id
decision_active_profile_rule_#_name

For more information about these fields, see Appendix A, "API Fields," on page 31.

Using the Customer’s IP Address to


Assess the Level of Risk
To obtain basic information about the geographical location of a customer, link the IP
address extracted from the customer’s browser to the country and the credit card. When
this information is added to your API request, CyberSource decodes the city, state,
country, and routing method associated with the IP address. The result is returned in the
API reply and on the case management and transaction details windows of the Business
Center.

The degree of risk associated with the order’s routing method varies depending on the
order’s country of origin. The same routing method can have a different level of risk in
different regions.

API Request
The quality of the results depends on the data that you provide in the customer_
ipaddress request field.
 If the IP address field contains an error, such as an invalid or missing field, an entry
appears in the Transaction Exception Detail Report.

 If the IP address field is blank (present but without data), you may not have sent the
address.

 If you provide an IP address from the ranges in the table below, the IP address is
ignored because it is not being used for Internet commerce.

Decision Manager Developer Guide Using the SCMP API | May 2013 70
Appendix D Decision Manager Use Cases

Reserved IP Addresses Purpose


From To
0.0.0.0 10.255.255.255 None
10.0.0.0 127.255.255.255 Private
127.0.0.1 169.254.255.255 Loopback
169.254.0.0 172.31.255.255 Auto-configuration
172.16.0.0 192.168.255.255 Private
192.168.0.0 239.255.255.255 Private
224.0.0.0 Multicast
For more information, see http://www.iana.org/faqs/abuse-faq.htm.

API Reply

IP Address Information
The decoded IP address information is returned in the following fields:
 score_ip_city
 score_ip_country
 score_ip_state

For more information, see Appendix A, "API Fields," on page 31.

Routing Method Information


The routing method is returned in the score_ip_routing_method field, which contains
one of the values listed in the following table.

The proxy methods listed below are public proxies as opposed to anonymous
proxies, which completely hide the customer's IP address.
Note

Table 15 Routing Method Field Values

Field Value Description


Anonymizer IP addresses that are hidden because the customer is extremely cautious,
wants absolute privacy, or is fraudulent.
AOL, AOL dialup, AOL POP, AOL members. In most cases, the country can be identified, but the state and
and AOL proxy city cannot.
Cache proxy Proxy used through either an Internet accelerator or a content distribution
service. The customer may be located in a country different from that indicated
by the IP address.

Decision Manager Developer Guide Using the SCMP API | May 2013 71
Appendix D Decision Manager Use Cases

Table 15 Routing Method Field Values (Continued)

Field Value Description


Fixed IP address is near or at the same location as the user.
International proxy Proxy that contains traffic from multiple countries. The customer may be located
in a country different from that indicated by the IP address. In many cases,
corporate networks are routing the traffic from international offices through a
central point, often the corporate headquarters.
Mobile gateway Gateway to connect mobile devices to the public Internet. Many mobile
operators, especially in Europe, service more than one country and route traffic
through centralized network hubs. The customer may be located in a country
different from that indicated by the IP address.
POP Customer dialing into a regional ISP most likely near the IP location but possibly
across geographical boundaries.
Regional proxy Proxy that contains traffic from multiple states within a single country. The
customer may be located in a state different from that indicated by the IP
address. In many cases, corporate networks are routing the traffic from regional
offices through a central point, often the corporate headquarters.
Satellite Satellite connections. If the uplink and the downlink are registered, the routing
method is considered standard because the sender is known. However, if the
downlink is not registered, the customer can be anywhere within the beam
pattern of the satellite, which may span a continent or more.
SuperPOP Customer is dialing into a multi-state or multi-national ISP that is not likely near
the IP location. The customer may be dialing across geographical boundaries.
No value returned The routing type is unknown.

Information and Factor Reply Codes


If the decoded IP address does not match the customer’s address, one or more of the
following codes that describe the problem are returned:

Table 16 Codes Returned for IP Address-to-Customer Address Mismatch

Reply Code Type Code Description


Factor G Geolocation inconsistencies.
I Internet inconsistencies.
Information MM-IPBC IP address is inconsistent with the billing city.
MM-IPBCO IP address is inconsistent with the billing country.
MM-IPBST IP address is inconsistent with the billing state.
UNV-ADDR Unverifiable IP address.
UNV-NID IP address is from anonymous proxy. Specific to the IP routing method.
UNV-RISK IP address is from a risky source. Specific to the IP routing method.

The order in which tests are performed (Country > State > City) determines which reply
codes you receive. Country tests are performed first. If the country in the customer’s

Decision Manager Developer Guide Using the SCMP API | May 2013 72
Appendix D Decision Manager Use Cases

address matches that in the decoded IP address, the state tests are performed. However,
if the country in the customer’s address does not match the country in the decoded IP
address, one or more codes are returned, and the state and city tests are not performed.
When state tests are performed, if the customer’s address matches the decoded IP
address, the city tests are performed. If the state tests do not pass, codes are returned in
the reply and the city tests are not performed. Billing city tests are performed only if the
state tests pass.

Example 5 Low Risk Order

The following order reply shows that the billing address provided by the customer does not
match the address information obtained from the IP address. The rest of the order
information is not provided here because it is unremarkable. The routing method used for
the order is standard, so the ISP is probably legitimate. The order is marked for review. To
attempt to convert the order into a sale, the reviewer contacts the customer and finds out
that the customer placed the order while travelling in the country that is associated with
the IP address. because the customer appears legitimate, the reviewer accepts the order.

Billing Information
Name John Smith
Address 670 Fairoaks Ave, Sunnyvale, CA, 94086 US
Phone Number 4085551212
Email Address jsmith@myemail.com
IP Address 202.67.64.1
IP Address Information
Country au
State new south wales
City lismore
Routing Method standard
Factor Code I - Internet inconsistencies
Reply Message Review

Decision Manager Developer Guide Using the SCMP API | May 2013 73
Appendix D Decision Manager Use Cases

Example 6 Higher Risk Order

In the following example, the state in the customer’s address does not match the IP
address. Therefore, the reply contains MM-IPBST (customer’s IP address is inconsistent
with state in billing address) but not MM-IPBC (customer’s IP address inconsistent with
city in billing address). Because the routing method indicates an anonymizer and there are
other inconsistencies reported in the reply, this order is marked for review.

Billing Information
Name John Smith
Address 123 Bollinger Avenue, Germantown, MD, 94086 US
Phone Number 4085551212
Email Address jsmith@myemail.com
IP Address 64.83.164.175
IP Address Information
Country us
State wi
City elkhorn
Routing Method anonymizer
Factor Code I - Internet inconsistencies
Information Code MM-IPBST - IP address inconsistent with billing state
UNV-ADDR - Unverifiable address
UNV-NID - IP address from anonymous proxy

Example 7 High Risk Order


An order is placed with a shipping address in Belgium. However, the API reply suggests
that the order may have been placed from Africa or Eastern Europe. If the origin is true,
the order is riskier than in the previous example, and most likely the reviewer would reject
this order.

Decision Manager Developer Guide Using the SCMP API | May 2013 74
Appendix D Decision Manager Use Cases

Using Decision Manager to Score


Direct Debit Transactions
You can use this option whether or not you process your direct debit transactions with
CyberSource. If you process your direct debit transactions with CyberSource, see the
Global Payment Services documentation. If you process your direct debits with a service
provider other than CyberSource, consult with your business manager to ensure that you
use the appropriate fields.

Because the direct debit is processed after Decision Manager, you can send a request
combining the services. The direct debit will be processed only if Decision Manager
succeeds.

To score an order, send your score service request with the appropriate bank and
customer data by using the fields listed in the following table. For more information about
the services and the request fields, see Appendix A, "API Fields," on page 31.

Table 17 Direct Debit Transaction API Fields

Description API Field Name


Bank Location:
Name bank_name
Address bank_address
City bank_city
Country bank_country
Bank Data:
Code bank_code
Branch code branch_code
SWIFT code bank_swiftcode
Check digit bank_check_digit
Customer’s Bank Data:
Account name bank_account_name
Account number bank_account_number
IBAN bank_iban

To update your positive and negative lists of customers, you can use the results of the
score service to provide data for the request fields of the risk update service, or you can
enter the information into your customer lists manually in the Business Center by using
List Manager. For more information, see "Risk Update Service," page 20.

Decision Manager Developer Guide Using the SCMP API | May 2013 75
APPENDIX
Request and Reply
Examples
E

Decision Manager

Card Authorization
Request
This example shows a card authorization that contains four purchased items. The
customer account age is supplied with the merchant-defined data field.

merchant_id=example
merchant_ref_number=833617922960995060
merchant_defined_data22=126
<customer’s name and billing address fields>
customer_ipaddress=24.111.10.202
customer_cc_number=4111xxxxxxxx1111
customer_cc_expmo=11
customer_cc_expyr=2007
currency=USD
ics_applications=ics_auth
offer0=amount:49.95^quantity:1
offer1=amount:30.00^quantity:1
offer2=amount:50.00^quantity:1
offer3=amount:10.00^quantity:1

Decision Manager Developer Guide Using the SCMP API | May 2013 76
Appendix E Request and Reply Examples

Reply

auth_auth_amount=139.95
auth_auth_avs=Y
auth_auth_code=123456
auth_auth_response=0
auth_auth_time=2011-03-28T23:44:27Z
auth_avs_raw=Y
auth_rcode=1
auth_rflag=SOK
auth_rmsg=Request was processed successfully.
merchant_ref_number=833617922960995060
request_id=1224933255120167904565
request_token=Ue2cQcaZrPwo4Yo3yFE24TwnPuHyeDG5tahXRuea0
currency=USD
ics_rcode=1
ics_rflag=SOK
ics_rmsg=Request was processed successfully.

Travel Data
This example shows a travel order placed for two passengers. The time zone associated
with the departure time (EST) is the local time of the city of the first leg of the flight (JFK).
EST can also be represented as GMT–5.

Request

merchant_id=sample merchant
merchant_ref_number=123456
customer_ipaddress=240.7.7.7
<customer’s name and billing address fields>
currency=USD
customer_cc_expmo=04
customer_cc_expyr=09
customer_cc_number=XXXXXXXXXXXX9378
decision_manager_travel_complete_route=JFK-SFO:SFO-LAX
decision_manager_travel_departure_time=2010-04-11 5:30 am EST
decision_manager_travel_journey_type=Round Trip
offer0=passenger_firstname:Jane^passenger_lastname:Doe^passenger_
status:Reserved^passenger_id:758^passenger_type:ADT^passenger_
phone:9995551212^amount:650.00
offer1=passenger_firstname:John^passenger_lastname:Doe^passenger_
status:Reserved^passenger_id:234^passenger_type:ADT^passenger_
phone:9995551212^amount:650.00
ics_applications=ics_score,ics_auth

Decision Manager Developer Guide Using the SCMP API | May 2013 77
Appendix E Request and Reply Examples

Reply
The order is marked for review.

merchant_ref_number=123456
request_token=Ahjz7wSRA3IL7yoxRgpuIAKa92pGEY0gZdxHFrwa61WnZ/AwBNA
request_id=2392962320000167904567
auth_auth_amount=1300.00
auth_rflag=SOK
auth_rcode=1
auth_rmsg=Request was processed successfully.
decision=REVIEW
decision_rcode=0
decision_rflag=DREVIEW
decision_rmsg=Decision is REVIEW.
decision_velocity_info=MVEL-R25^MVEL-R26
ics_rcode=0
ics_rflag=DREVIEW
ics_rmsg=Decision is REVIEW.
score_rcode=1
score_rflag=DSCORE
score_rmsg=Score exceeds threshold.
score_score_result=69
score_factors=Y
score_velocity_info=VEL-ADDR

Score Service
Request

<customer’s name and billing address fields>


customer_cc_expmo=12
customer_cc_expyr=2015
customer_cc_number=4111xxxxxxxx1111
ics_applications=ics_score
merchant_id=testMerchant
merchant_ref_number=10742086
offer0=amount:1.00^score_threshold:40^score_category_time:Late
offer1=amount:10.00^score_threshold:40^score_category_time:Late
offer2=amount:100.00^score_threshold:40^score_category_time:Late

Decision Manager Developer Guide Using the SCMP API | May 2013 78
Appendix E Request and Reply Examples

Reply

ics_rcode=1
ics_rflag=SOK
ics_rmsg=Request was processed successfully.
request_id=9423604739860167904518
request_token=8V7BA07JIFrOVuwvO7pLi1YAdHPVhFFY34Luh
merchant_ref_number=10742086
score_factors=G^I
score_host_severity=3
score_rcode=1
score_rflag=SOK
score_rmsg=score service was successful
score_score_result=34
score_time_local=13:00:00

Risk Update

Adding Data to a List


These examples show how to add an account number, street address, and email address
to the negative list by using the action_code field.

Request

merchant_id=infodev
merchant_ref_number=2D6EDF7573B438294C8822C60
ics_applications=ics_risk_update
action_code=add_negative
address1=1234 Sample St.
city=Mountain View
country=US
customer_cc_number=4111xxxxxxxx1111
customer_email=test@example.com
state=CA
zip=94043

Decision Manager Developer Guide Using the SCMP API | May 2013 79
Appendix E Request and Reply Examples

Reply

ics_rcode=1
ics_rflag=SOK
ics_rmsg=Request was processed successfully.
request_id=0156221030000167905080
request_token=lOLQw6oPx+ViNCC1bng9cafAPqBdrIxYA4AhL4WDs7sRQ0qbQ
merchant_ref_number=2D6EDF7573B438294C8822C60
risk_update_rcode=1
risk_update_rflag=SOK
risk_update_rmsg=ics_risk_update service was successful

Adding Duplicate Information


This example shows what happens when you try to add information that already appears
on the negative list, such as the street address.

Request

action_code=add_negative
address1=1234 Sample St.
city=Mountain View
country=US
customer_cc_number=4111xxxxxxxx1111
customer_email=nobody@example.com
ics_applications=ics_risk_update
merchant_id=infodev
merchant_ref_number=3166C2717BF5F412991EA1D59
state=CA
zip=94043

Reply

ics_rcode=1
ics_rflag=SOK
ics_rmsg=Request was processed successfully.
request_id=0164774960000167905080
request_token=DsxqnMVKpdPxkAGKnumVDCFOitKWIBYrBUItGmKc2MDkQqlk0KV
merchant_ref_number=3166C2717BF5F412991EA1D59
risk_update_rcode=1
risk_update_rflag=SOK
risk_update_rmsg=Request was processed successfully. However, at least
one item was already in the negative list.

Decision Manager Developer Guide Using the SCMP API | May 2013 80
Appendix E Request and Reply Examples

Fraud Update

Mark as Suspect
This example shows the content of a request ID marked suspect.

Request

cb_request_id=2719725130000167904567
ics_applications=ics_ifs_update
merchant_id=example
merchant_ref_number=12345
report_code=st
marking_reason=suspected

Reply

ics_rcode=1
ics_rflag=SOK
ics_rmsg=Request was processed successfully.
ifs_update_rcode=1
ifs_update_rflag=SOK
ifs_update_rmsg=ifs_update service was successful
merchant_ref_number=12345
request_id=123456789012334567
request_token=AhijLwSRKJN1CRUnR8JuKJ9T44Yz6AAgoZNvG2YavwW0QAAA/g55

Remove from History


This example shows the content of a request ID removed from the fraud history.

Request

cb_request_id=2719725130000167904567
ics_applications=ics_ifs_update
merchant_id=example
report_code=vt
marking_reason=suspected
merchant_ref_number=876i876

Decision Manager Developer Guide Using the SCMP API | May 2013 81
Appendix E Request and Reply Examples

Reply

ics_rcode=1
ics_rflag=SOK
ics_rmsg=Request was processed successfully.
ifs_update_rcode=1
ifs_update_rflag=SOK
ifs_update_rmsg=ifs_update service was successful
merchant_ref_number=876i876
request_id=2345678901234565678
request_token=AhijLwSRKJN1CRUnR8JuKJ9T44Yz6AAgoZNvG2YavwW0QAAA/g55
request_id=2345678901234565678

Case Management Action


The following examples show an ACCEPT request sent to Decision Manager and its
corresponding successful reply. The other actions, REJECT, ACCEPT_SETTLE, and ADD_
NOTE follow the same format.

Request
ics_applications=ics_cm_action
merchant_ref_number=cmAction12345
merchant_id=example
cm_action_code=ACCEPT
cm_request_id=9999999999999999999999
cm_comments=Order accepted

Reply
cm_action_rcode=1
cm_action_rflag=SOK
cm_action_rmsg=ics_cm_action service was successful
ics_rcode=1
ics_rflag=SOK
ics_rmsg=Request was processed successfully.
merchant_ref_number=cmAction12345
request_id=3579485371880172492690

Decision Manager Developer Guide Using the SCMP API | May 2013 82
APPENDIX
Information and Reply
Codes
F

Address Verification Codes


Because some codes have the same meaning, and all codes are valid for all merchants,
you should be prepared to receive any of them.

When you populate billing street address 1 and billing street address 2,
CyberSource through VisaNet concatenates the two values. If the
Important concatenated value exceeds 40 characters, CyberSource through VisaNet
truncates the value at 40 characters before sending it to Visa and the issuing
bank. Truncating this value affects AVS results and therefore might impact risk
decisions and chargebacks.

Codes for the American Express Phoenix


Gateway Only
The alphabetic values J, K, L, O, Q, and V are returned only if you are signed up to use
Enhanced AVS or AAV+ for American Express cards processed through the American
Express Phoenix processor. The domestic codes listed below also apply for standard AVS
with this processor.

Codes for the International AVS


For cards issued outside the U.S. (currently Canada and the U.K.), you may receive these
codes:
 Codes specific to international AVS: B, C, D, I, M, and P
 Codes that also apply to domestic AVS: A, E, F, G, H, N, R, S, T, U, W, X, Y, Z, 1, and 2

Decision Manager Developer Guide Using the SCMP API | May 2013 83
Appendix F Information and Reply Codes

Codes for the Domestic AVS


The table below lists the possible result codes for the Address Verification Service. For
more information about AVS, see Credit Card Services Using the SCMP API (PDF |
HTML).

The international and domestic AVS codes listed above and in the table below are the Visa
standard AVS codes, except for codes 1 and 2, which are CyberSource AVS codes. The
standard AVS return codes for other types of credit cards (including American Express
cards) are mapped to the Visa standard codes.

For cards issued by banks within the U.S., you may receive: A, E, F, G, H, N, R, S, T, U, W,
X, Y, Z, 1, and 2. Codes F, H, and T are returned for American Express cards only.

Map the AVS codes as follows:


 You receive the code in the auth_auth_avs reply field for the ics_auth application.
You need to pass the code to the ics_score application in the request-level field avs.

Table 18 AVS Codes

Code Description
A Partial match: street address matches, but 5-digit and 9-digit postal codes do not match.
B Partial match: street address matches, but postal code is not verified. Returned only for
non U.S.-issued Visa cards.
C No match: street address and postal code do not match. Returned only for non U.S.-
issued Visa cards.
D&M Match: street address and postal code match. Returned only for non U.S.-issued Visa
cards.
E Invalid: AVS data is invalid or AVS is not allowed for this card type.
F Partial match: card member’s name does not match, but billing postal code matches.
Returned only for the American Express card type.
G Not supported: non-U.S. issuing bank does not support AVS.
H Partial match: card member’s name does not match, but street address and postal code
match. Returned only for the American Express card type.
I No match: address not verified. Returned only for non U.S.-issued Visa cards.
K Partial match: card member’s name matches, but billing address and billing postal code
do not match. Returned only for the American Express card type.
L Partial match: card member’s name and billing postal code match, but billing address
does not match. Returned only for the American Express card type.
M See the entry for D & M.
N No match: one of the following:
 Street address and postal code do not match.
 Card member’s name, street address, and postal code do not match. Returned only
for the American Express card type.

Decision Manager Developer Guide Using the SCMP API | May 2013 84
Appendix F Information and Reply Codes

Table 18 AVS Codes (Continued)

Code Description
O Partial match: card member’s name and billing address match, but billing postal code
does not match. Returned only for the American Express card type.
P Partial match: postal code matches, but street address not verified. Returned only for
non U.S.-issued Visa cards.
R System unavailable.
S Not supported: U.S.-issuing bank does not support AVS.
T Partial match: card member’s name does not match, but street address matches.
Returned only for the American Express card type.
U System unavailable: address information unavailable for one of these reasons:
 The U.S. bank does not support non-U.S. AVS.
 The AVS in a U.S. bank is not functioning properly.
V Match: card member’s name, billing address, and billing postal code match. Returned
only for the American Express card type.
W Partial match: street address does not match, but 9-digit postal code matches.
X Match: street address and 9-digit postal code match.
Y Match: street address and 5-digit postal code match.
Z Partial match: street address does not match, but 5-digit postal code matches.
1 Not supported: AVS is not supported for this processor or card type.
2 Unrecognized: the processor returned an unrecognized value for the AVS response.
3 Match: address is confirmed. Returned only for PayPal Express Checkout.
4 No match: address is not confirmed. Returned only for PayPal Express Checkout.

Decision Manager Developer Guide Using the SCMP API | May 2013 85
Appendix F Information and Reply Codes

Card Verification Numbers


The following table lists the possible result codes for the Card Verification Number check.
You receive these codes in the auth_cv_result reply field.

Table 19 CVN Codes

Code Description
D The transaction was determined to be suspicious by the issuing bank.
I The CVN failed the processor's data validation check.
M The CVN matched.
N The CVN did not match.
P The CVN was not processed by the processor for an unspecified reason.
S The CVN is on the card but was not included in the request.
U Card verification is not supported by the issuing bank.
X Card verification is not supported by the card association.
1 Card verification is not supported for this processor or card type.
2 An unrecognized result code was returned by the processor for the card
verification response.
3 No result code was returned by the processor.

Risk Factor Codes


The following table lists the factors that can affect the score. You receive these codes in
the score_factors reply field:

Table 20 Risk Factor Codes

Code Description
A Excessive address change. The customer changed the billing address two or more
times in the last six months.
B Card BIN or authorization risk. Risk factors are related to credit card BIN and/or card
authorization checks.
C High number of account numbers. The customer used more than six credit cards
numbers in the last six months.
D Email address impact. The customer uses a free email provider, or the email address
is risky.
E Positive list. The customer is on your positive list.
F Negative list. The account number, street address, email address, or IP address for
this order appears on your negative list.

Decision Manager Developer Guide Using the SCMP API | May 2013 86
Appendix F Information and Reply Codes

Table 20 Risk Factor Codes (Continued)

Code Description
G Geolocation inconsistencies. The customer’s email domain, phone number, billing
address, shipping address, or IP address is suspicious.
H Excessive name changes. The customer changed the name two or more times in the
last six months.
I Internet inconsistencies. The IP address and email domain are not consistent with
the billing address.
N Nonsensical input. The customer name and address fields contain meaningless
words or language.
O Obscenities. The customer’s input contains obscene words.
P Identity morphing. Multiple values of an identity element are linked to a value of a
different identity element. For example, multiple phone numbers are linked to a single
account number.
Q Phone inconsistencies. The customer’s phone number is suspicious.
R Risky order. The transaction, customer, and merchant information show multiple
high-risk correlations.
T Time hedge. The customer is attempting a purchase outside of the expected hours.
U Unverifiable address. The billing or shipping address cannot be verified.
V Velocity. The account number was used many times in the past 15 minutes.
W Marked as suspect. The billing or shipping address is similar to an address
previously marked as suspect.
Y Gift Order. The street address, city, state, or country of the billing and shipping
addresses do not correlate.
Z Invalid value. Because the request contains an unexpected value, a default value
was substituted. Although the transaction can still be processed, examine the
request carefully for abnormalities in the order.

Decision Manager Developer Guide Using the SCMP API | May 2013 87
Appendix F Information and Reply Codes

Information Codes
When more than one value is returned, the values are separated by carets (^).

Address Information Codes


Table 21 Address Information Codes

Codes Description
COR-BA The billing address has corrected elements or can be normalized.
COR-SA The shipping address has corrected elements or can be normalized.
INTL-BA The billing country is outside of the U.S.
INTL-SA The shipping country is outside of the U.S.
MIL-USA The address is a U.S. military address.
MM-A The billing and shipping addresses use different street addresses.
MM-BIN The card BIN (the first six digits of the number) does not match the
country.
MM-C The billing and shipping addresses use different cities.
MM-CO The billing and shipping addresses use different countries.
MM-ST The billing and shipping addresses use different states.
MM-Z The billing and shipping addresses use different postal codes.
UNV-ADDR The address is unverifiable.

Decision Manager Developer Guide Using the SCMP API | May 2013 88
Appendix F Information and Reply Codes

Internet Information Codes


Table 22 Internet Information Codes

Codes Description
FREE-EM The customer’s email address is from a free email provider.
INTL-IPCO The country of the customer’s IP address is outside of the U.S.
INV-EM The customer’s email address is invalid.
MM- The domain in the customer’s email address is not consistent with the country in
EMBCO the billing address.
MM-IPBC The customer’s IP address is not consistent with the city in the billing address.
MM-IPBCO The customer’s IP address is not consistent with the country in the billing address.
MM-IPBST The customer’s IP address is not consistent with the state in the billing address.
However, this information code may not be returned when the inconsistency is
between immediately adjacent states.
MM-IPEM The customer’s email address is not consistent with the customer’s IP address.
RISK-EM The customer's email domain (for example, mail.example.com) is associated
with higher risk.
UNV-NID The customer’s IP address is from an anonymous proxy. These entities
completely hide the IP information.
UNV-RISK The IP address is from a risky source.
UNV- The country of the customer’s email address does not match the country in the
EMBCO billing address.

Decision Manager Developer Guide Using the SCMP API | May 2013 89
Appendix F Information and Reply Codes

Customer Lists Information Codes


Table 23 Customer Lists Information Codes

Codes Description
CON- The order triggered both a positive and negative list match. The result of the
POSNEG positive list match overrides that of the negative list match.
NEG-BA The billing address is on the negative list.
NEG-BCO The billing country is on the negative list.
NEG-BIN The credit card BIN (the first six digits of the number) is on the negative list.
NEG- The country in which the credit card was issued is on the negative list.
BINCO
NEG-BZC The billing postal code is on the negative list.
NEG-CC The credit card number is on the negative list.
NEG-EM The email address is on the negative list.
NEG- The country in which the email address is located is on the negative list.
EMCO
NEG- The email domain (for example, mail.example.com) is on the negative list.
EMDOM
NEG-HIST A transaction was found on the negative list.
NEG-ID The customer’s account ID is on the negative list.
NEG-IP The IP address (for example, 10.1.27.63) is on the negative list.
NEG-IP3 The network IP address (for example, 10.1.27) is on the negative list. A network
IP address includes up to 256 IP addresses.
NEG-IPCO The country in which the IP address is located is on the negative list.
NEG-PEM A passenger’s email address is on the negative list.
NEG-PH The phone number is on the negative list.
NEG-PID A passenger’s account ID is on the negative list.
NEG-PPH A passenger’s phone number is on the negative list.
NEG-SA The shipping address is on the negative list.
NEG-SCO The shipping country is on the negative list.
NEG-SZC The shipping postal code is on the negative list.
POS- The customer is on the temporary positive list.
TEMP
POS- The customer is on the permanent positive list.
PERM
REV-BA The billing address is on the review list.
REV-BCO The billing country is on the review list.
REV-BIN The credit card BIN (the first six digits of the number) is on the review list.
REV- The country in which the credit card was issued is on the review list.
BINCO

Decision Manager Developer Guide Using the SCMP API | May 2013 90
Appendix F Information and Reply Codes

Table 23 Customer Lists Information Codes (Continued)

Codes Description
REV-BZC The billing postal code is on the review list.
REV-CC The credit card number is on the review list.
REV-EM The email address is on the review list.
REV- The country in which the email address is located is on the review list.
EMCO
REV- The email domain (for example, mail.example.com) is on the review list.
EMDOM
REV-ID The customer’s account ID is on the review list.
REV-IP The IP address (for example, 10.1.27.63) is on the review list.
REV-IP3 The network IP address (for example, 10.1.27) is on the review list. A network
IP address includes up to 256 IP addresses.
REV-IPCO The country in which the IP address is located is on the review list.
REV-PEM A passenger’s email address is on the review list.
REV-PH The phone number is on the review list.
REV-PID A passenger’s account ID is on the review list.
REV-PPH A passenger’s phone number is on the review list.
REV-SA The shipping address is on the review list.
REV-SCO The shipping country is on the review list.
REV-SZC The shipping postal code is on the review list.

Decision Manager Developer Guide Using the SCMP API | May 2013 91
Appendix F Information and Reply Codes

Phone Information Codes


Table 24 Phone Information Codes

Codes Description
MM- The customer’s phone number is not consistent with the state in the billing
ACBST address.
RISK-AC The customer's area code is associated with higher risk.
RISK-PH The U.S. or Canadian phone number is incomplete, or one or more parts of the
number are risky.
TF-AC The phone number uses a toll-free area code.
UNV-AC The area code is invalid.
UNV-OC The area code and/or the telephone prefix are/is invalid.
UNV-PH The phone number is invalid.

Decision Manager Developer Guide Using the SCMP API | May 2013 92
Appendix F Information and Reply Codes

Global Velocity Information Codes


The velocity information codes with the suffix -CC refer not only to credit cards
but also to direct debit account numbers.
Important

Table 25 Global Velocity Information Codes

Codes Description
VEL-ADDR Different billing and/or shipping states (U.S. and Canada only) have been used
several times with the credit card number and/or email address.
VEL-CC Different account numbers have been used several times with the same name or
email address.
VEL-NAME Different names have been used several times with the credit card number and/or
email address.
VELS-CC The account number has been used several times during the short tracking
interval.
VELI-CC The account number has been used several times during the medium tracking
interval.
VELL-CC The account number has been used several times during the long tracking
interval.
VELV-CC The account number has been used several times during the very long tracking
interval.
VELS-EM The customer’s email address has been used several times during the short
tracking interval.
VELI-EM The customer’s email address has been used several times during the medium
tracking interval.
VELL-EM The customer’s email address has been used several times during the long
tracking interval.
VELV-EM The customer’s email address has been used several times during the very long
tracking interval.
VELS-IP The IP address has been used several times during the short tracking interval.
VELI-IP The IP address has been used several times during the medium tracking interval.
VELL-IP The IP address has been used several times during the long tracking interval.
VELV-IP The IP address has been used several times during the very long tracking
interval.
VELS-SA The shipping address has been used several times during the short tracking
interval.
VELI-SA The shipping address has been used several times during the medium tracking
interval.
VELL-SA The shipping address has been used several times during the long tracking
interval.
VELV-SA The shipping address has been used several times during the very long tracking
interval.

Decision Manager Developer Guide Using the SCMP API | May 2013 93
Appendix F Information and Reply Codes

Table 25 Global Velocity Information Codes (Continued)

Codes Description
VELS-TIP The true IP address has been used several times during the short interval.
VELI-TIP The true IP address has been used several times during the medium interval.
VELL-TIP The true IP address has been used several times during the long interval.

Suspicious Data Information Codes


Table 26 Suspicious Data Information Codes

Codes Description
BAD-FP The device is risky.
INTL-BIN The credit card was issued outside of the U.S.
MM-TZTLO The device's time zone is inconsistent with the country's time zones.
MUL-EM The customer has used more than four different email addresses.
NON-BC The billing city is nonsensical.
NON-FN The customer’s first name is nonsensical.
NON-LN The customer’s last name is nonsensical.
OBS-BC The billing city contains obscenities.
OBS-EM The email address contains obscenities.
RISK-AVS The combined AVS test result and normalized billing address are risky, such as
when the AVS result indicates an exact match, but the normalized billing address
is not deliverable.
RISK-BC The billing city has repeated characters.
RISK-BIN In the past, this payment card BIN has shown a high incidence of fraud.
RISK-DEV Some of the device characteristics are risky.
RISK-FN The customer’s first and last names contain unlikely letter combinations.
RISK-LN The customer’s middle or last name contains unlikely letter combinations.
RISK-PIP The proxy IP address is risky.
RISK-SD The inconsistency in billing and shipping countries is risky.
RISK-TB The day and time of the order associated with the billing address is risky.
RISK-TIP The true IP address is risky.
RISK-TS The day and time of the order associated with the shipping address is risky.

Decision Manager Developer Guide Using the SCMP API | May 2013 94
Appendix F Information and Reply Codes

Excessive Identity Changes


The codes represent excessive identity changes. You receive an information code when
more than two identity changes occur. You can see the information codes in the risk
services section of the details page.

Customer identity refers to one or more of these elements:

 account and phone numbers


 billing, shipping, email, and IP addresses

Table 27 Codes Returned for Excessive Identity Changes

Codes Description
MORPH-B The same billing address has been used several times with multiple customer
identities.
MORPH-C The same account number has been used several times with multiple customer
identities.
MORPH-E The same email address has been used several times with multiple customer
identities.
MORPH-I The same IP address has been used several times with multiple customer
identities.
MORPH-P The same phone number has been used several times with multiple customer
identities.
MORPH-S The same shipping address has been used several times with multiple customer
identities.

Decision Manager Developer Guide Using the SCMP API | May 2013 95
Appendix F Information and Reply Codes

Product Codes
The following table lists the product codes used by CyberSource services:

Table 28 Product Codes

Product Code Definition


adult_content Adult content.

coupon Coupon applied to the entire order.

default Default value for the product code. CyberSource uses


default when a request message does not include a
value for the product code.
electronic_good Electronic product other than software.

electronic_software Software distributed electronically rather than on disks or


other media.
gift_certificate Gift certificate.

handling_only Fee that you charge your customer to cover your


administrative selling costs.
service Service that you perform for your customer.

shipping_and_handling The shipping portion is the charge for shipping the product to
your customer. The handling portion is the fee you charge
your customer to cover your administrative selling costs.
shipping_only Charge for transporting tangible personal property from your
location to your customer. You must maintain documentation
that clearly establishes the location where the title to the
property passed from you to your customer.
subscription Subscription to a web site or other content.

Decision Manager Developer Guide Using the SCMP API | May 2013 96
APPENDIX
Review Rates
G

These review rates are not current. They are provided for your information only.
To obtain the current set of review rates that you can use in your business,
Warning contact your account representative.

The following table shows the average review rate for each score threshold. The review
rate is the percentage of transactions that receive a higher score than your threshold. The
rates in this table are based on recommended settings for the Advanced Fraud Screen
service. Your review rate may vary according to the score threshold that you set for your
transactions.

Score Threshold Review Rate


0 59.25%
1 57.73%
2 55.86%
3 54.19%
4 52.60%
5 50.75%
6 48.95%
7 46.99%
8 45.33%
9 43.80%
10 42.37%
11 40.86%
12 39.29%
13 37.65%
14 36.08%
15 34.68%
16 33.26%
17 31.78%
18 30.37%

Decision Manager Developer Guide Using the SCMP API | May 2013 97
Appendix G Review Rates

Score Threshold Review Rate


19 29.11%
20 27.72%
21 26.21%
22 24.70%
23 23.30%
24 21.88%
25 20.54%
26 18.85%
27 17.40%
28 16.24%
29 15.17%
30 14.05%
31 13.21%
32 12.47%
33 11.78%
34 11.22%
35 10.86%
36 10.56%
37 10.27%
38 10.00%
39 9.75%
40 9.51%
41 9.26%
42 9.03%
43 8.79%
44 8.57%
45 8.34%
46 8.11%
47 7.88%
48 7.68%
49 7.48%
50 7.31%
51 7.18%
52 7.04%
53 6.91%
54 6.78%

Decision Manager Developer Guide Using the SCMP API | May 2013 98
Appendix G Review Rates

Score Threshold Review Rate


55 6.66%
56 6.52%
57 6.38%
58 6.25%
59 6.11%
60 5.98%
61 5.86%
62 5.73%
63 5.60%
64 5.46%
65 5.33%
66 5.20%
67 5.08%
68 4.95%
69 4.82%
70 4.69%
71 4.56%
72 4.44%
73 4.33%
74 4.21%
75 4.08%
76 3.96%
77 3.84%
78 3.72%
79 3.59%
80 3.48%
81 3.37%
82 3.25%
83 3.14%
84 3.05%
85 2.95%
86 2.86%
87 2.76%
88 2.67%
89 2.58%
90 2.50%

Decision Manager Developer Guide Using the SCMP API | May 2013 99
Appendix G Review Rates

Score Threshold Review Rate


91 2.40%
92 2.30%
93 2.20%
94 2.06%
95 1.91%
96 1.75%
97 1.58%
98 1.29%
99 0.00%

Decision Manager Developer Guide Using the SCMP API | May 2013 100
APPENDIX
Required Bank Account
Information by Country
H

This appendix provides for the listed country the required bank account field names and
the localized name for the account number. Use this information with direct debit
transactions. You must provide either of these numbers:
 The IBAN (International Bank Account Number) if accepted for the country (gray
column).
 The traditional bank account number fields (white columns).
If the IBAN is not accepted for a particular country or if you choose not to provide the
IBAN, you must instead provide the required traditional bank account fields for the
country as detailed in the table.

The maximum length and data types listed will be strictly validated as follows. For
example, 12 an indicates 12 alphanumeric characters. The maximum length does not
include separators such as hyphens or spaces. For example, the bank code for the United
Kingdom is listed with a maximum length of 6 digits, and it is typically formatted as NN-NN-
NN. When providing the values for the fields, you may include the hyphens or any
separators typically used by your customers.

“—” indicates that the field is not required.

Table 29 Required Bank Account Information by Country

IBAN Traditional Bank Account Information


bank_ bank_account_ bank_code branch_code bank_check_
SCMP API
iban number digit
Austria 20 an Kontonummer: 11n Bankleitzahl: 5 n — —
Example: 00234573201 BLZ 19043
Germany 22 an Kontonummer: 10 n Bankleitzahl: 8 n — —
Example: 5320130012 BLZ 37040044
The 18 an Rekeningnummer: 9 n — — —
Netherlands or 10 n if leading zero
Example: 041 71 64 300

Decision Manager Developer Guide Using the SCMP API | May 2013 101
Appendix H Required Bank Account Information by Country

IBAN Traditional Bank Account Information


bank_ bank_account_ bank_code branch_code bank_check_
SCMP API
iban number digit
Spain 24 an Número de cuenta: 10 Código de entidad: Código de oficina: Dígitos de control:
n in positions 11–20 4 n in positions 1–4 4 n in positions 5– 2 n in positions 9–
8 10
Example: 2100 0418 45 0200051332
United Not Account number: 8 n Sort code: 6 n — —
Kingdom accepted
Typically includes
hyphens
Example: 60-16-13 31926819

Decision Manager Developer Guide Using the SCMP API | May 2013 102
APPENDIX
Countries Included in the
European Union Risk Model
I

This list is not strictly limited to countries in Europe. Conversely, entities that are normally
part of Europe are not in this list. If you use the European Union risk model, verify that all
countries where you conduct business are in this list.
Table 30 Countries Included in the European Union Risk Model

Country Country Code


Aland Islands AX
Andorra AD
Austria AT
Belgium BE
Bouvet Island BV
British Indian Ocean Territory IO
Bulgaria BG
Cyprus CY
Czech Republic CZ
Denmark DK
Estonia EE
Faroe Islands FO
Finland FI
France FR
French Southern Territories TF
Germany DE
Gibraltar GI
Greece GR
Greenland GL
Guernsey GG
Hungary HU
Iceland IS
Ireland IE
Isle of Man IM

Decision Manager Developer Guide Using the SCMP API | May 2013 103
Appendix I Countries Included in the European Union Risk Model

Country Country Code


Israel IL
Italy IT
Jersey JE
Latvia LV
Liechtenstein LI
Lithuania LT
Luxembourg LU
Malta MT
Monaco MC
Netherlands NL
Norway NO
Poland PL
Portugal PT
Reunion RE
Romania RO
Saint Helena SH
San Marino SM
Slovakia SK
Slovenia SI
Spain ES
Svalbard & Jan Mayen Islands SJ
Sweden SE
Switzerland CH
Turkey TR
United Kingdom GB
Vatican City VA

Decision Manager Developer Guide Using the SCMP API | May 2013 104
INDEX
Index

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

A card verification result


API field 61
account number, displaying 101
external data 65
address information codes 88 reply flag 58
address verification code, API field 60 Case Management Action service 27
Address Verification Service (AVS) 41 testing 27, 30
reply flag 58 checks 11
address verification, external data 65 code examples 76, 78
airline data corporate credit cards 11
offer-line options 67 Credilink integration 44
reply, information codes 68
credit card, API fields 61
airline data, screening 66
currency, API field 61
amount (offer), API fields 60
custom risk model 37
amount in travel data 66
customer account ID, API field 61
API Decisioning. See Case Management Action
customer type reply field 54
service
cv_result 65
API fields names & equivalence 60
API reply, verbose 69
D
authorization by other provider 65
authorization, API fields 60 DAVSNO 58
DCALL 58
avs 65
DCARDEXPIRED 58
B DCARDREFUSED 58
DCV 58
bank account number, displaying 101
Decision Manager 11
billing API fields 60
API fields, equivalence table 60

C decision_velocity_info 53
decline AVS flags, API field 61
card account reply field 54
declined transaction, reply flag 58
card account subtype (scheme) 55
default reply flag
card expired, reply flag 58 reject 59

Decision Manager Developer Guide Using the SCMP API | May 2013 105
Index

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

review 59 information codes 93


default risk model 37 grand total amount in travel data 66
departure time 66
DINVALIDADDRESS reply flag 58 H
DINVALIDCARD reply flag 58 host name, API field 62
DINVALIDDATA reply flag 58
DINVALIDPROD reply flag 58 I
direct debit ics_ifs_update, example code 81
countries 11 ics_risk_update
examples 76 example code 79
order of service 12
implementation use cases 64
scoring with Decision Manager 75
information codes 72
disable AVS, API field 61
insufficient funds, reply flag 58
distributor product SKU (offer) field 61
Internet information codes 89
DMISSINGFIELD reply flag 59
invalid
DNAUTH reply flag 59
address, reply flag 58
DREJECT reply flag 59 authorization, reply flag 59
DREVIEW reply flag 59 card, reply flag 58
DSCORE reply flag 59 data, reply flag 58
product code, reply flag 58
E IP address
determining the level of fraud 70
e-commerce indicator, API field 61 extracting from browser 70
electronic checks 11 IP address-to-customer mismatch codes 72
email address, API field 61 IP routing method field values 71
encoded account numbers 35
ESYSTEM reply flag 59 M
ETIMEOUT reply flag 59 Maestro (UK Domestic) card API fields 62
example code 76 merchant descriptor field 43
merchant, API fields 62
F
mismatch of IP address 72
factor codes 72 missing fields
fields reply flag 59
special characters 47
O
G
offer 47
gift wrap, API field 61 order of services 12
global velocity

Decision Manager Developer Guide Using the SCMP API | May 2013 106
Index

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

P suspicious data information codes 94

PayEase China Processing 11, 12


T
payment processing in travel data 66
PayPal Express Checkout 11 total number of offers, API field 62

PayPal services 11 transaction date, API field 63


transaction declined, reply flag 58
phone information codes 92
processing order of services 12 travel data
offer-line options 67
product codes 96
reply, information codes 68
product, API fields 62
travel data, screening 66
travel legs and complete route 66
R
replies V
code examples 76
verbose API reply 69
reply fields
verbose mode 52
reply flag
list 58
requests, code examples 76, 78
returns accepted, API field 62
review list information codes 90
review rates 97
risk model 37
routing method 71
routing method field values 71
routing method in IP address 70

S
sample code 76
scheme, card account 55
score
API fields 61
score exceeded, reply flag 59
shipping address API fields 62
SOK reply flag 59
successful transaction, reply flag 59
sum of offer quantities, API field 62

Decision Manager Developer Guide Using the SCMP API | May 2013 107

Potrebbero piacerti anche