Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Developer Guide
Using the SCMP API
May 2013
CyberSource Corporation HQ | P.O. Box 8999 | San Francisco, CA 94128-8999 | Phone: 800-530-9095
CyberSource Contact Information
For general information about our company, products, and services, go to
http://www.cybersource.com.
For support information about any CyberSource Service, visit the Support Center at
http://www.cybersource.com/support.
Copyright
© 2013 CyberSource Corporation. All rights reserved. CyberSource Corporation ("CyberSource") furnishes this
document and the software described in this document under the applicable agreement between the reader of
this document ("You") and CyberSource ("Agreement"). You may use this document and/or software only in
accordance with the terms of the Agreement. Except as expressly set forth in the Agreement, the information
contained in this document is subject to change without notice and therefore should not be interpreted in any way
as a guarantee or warranty by CyberSource. CyberSource assumes no responsibility or liability for any errors
that may appear in this document. The copyrighted software that accompanies this document is licensed to You
for use only in strict accordance with the Agreement. You should read the Agreement carefully before using the
software. Except as permitted by the Agreement, You may not reproduce any part of this document, store this
document in a retrieval system, or transmit this document, in any form or by any means, electronic, mechanical,
recording, or otherwise, without the prior written consent of CyberSource.
Trademarks
CyberSource, The Power of Payment, CyberSource Payment Manager, CyberSource Risk Manager,
CyberSource Decision Manager, CyberSource Connect, Authorize.Net, and ECheck.net are trademarks and/or
service marks of CyberSource Corporation. All other brands and product names are trademarks or registered
trademarks of their respective owners.
2
CONTENTS
Contents
Decision Manager Developer Guide Using the SCMP API | May 2013 3
Contents
Review List 23
Positive and Negative Lists 24
Duplicate Matches 24
Fraud Update Service 25
Requesting the Service 25
Specifying Actions 25
Adding Optional Data to Your Request 26
Interpreting the Reply 26
Case Management Action Service 27
Requesting the Service 27
Specifying Actions 27
Interpreting the Reply 28
Chapter 3 Testing 29
Requirements for Testing 29
Testing the Services 30
Decision Manager Developer Guide Using the SCMP API | May 2013 4
Contents
Decision Manager Developer Guide Using the SCMP API | May 2013 5
Contents
Index 105
Decision Manager Developer Guide Using the SCMP API | May 2013 6
REVISIONS
Chapter 3
Release Changes
May 2013 Corrected possible values for the "decision_manager_enabled" request field.
April 2013 Added information about testing the Case Management Action service. For more information,
see the Important note in the section "Case Management Action Service," page 27 and in the
section "Testing the Services," page 30.
March 2013 Added information about new behavior for the shipping_method API field when you specify
pickup as the method. For more information, see the description of "shipping_method,"
page 46.
February 2013 Updated the link to the IATA list of airline and airport codes. For more information, see the
descriptions of the following API fields:
"decision_manager_travel_ complete_route," page 40
Decision Manager Developer Guide Using the SCMP API | May 2013 7
ABOUT GUIDE
About This Guide
Audience
This guide is written for application developers who want to use the CyberSource SCMP
API to integrate Decision Manager services into their order management system.
Purpose
This guide describes tasks you must complete to integrate Decision Manager Services
into your existing order management system.
Conventions
The following special statements are used in this document:
Decision Manager Developer Guide Using the SCMP API | May 2013 8
About This Guide
Convention Meaning
boldface Boldface type indicates graphical user interface elements
that you must act upon.
API field names.
italic Italic type indicates book titles, first use of special terms, or
placeholder variables for which you supply particular values.
monospace Monospace type indicates XML elements within a paragraph,
URLs, code in examples, text that appears on the screen, or
text that you enter.
Related Documentation
Getting Started with CyberSource Advanced for the SCMP API describes how to get
started using the SCMP API:
PDF: http://apps.cybersource.com/library/documentation/dev_guides/Getting_
Started_SCMP/Getting_Started_SCMP_API.pdf
HTML: http://apps.cybersource.com/library/documentation/dev_guides/Getting_
Started_SCMP/html/
Credit Card Services Using the SCMP API describes how to integrate CyberSource
payment processing services into your business:
PDF: http://apps.cybersource.com/library/documentation/dev_guides/CC_Svcs_
SCMP_API/Credit_Cards_SCMP_API.pdf
HTML: http://apps.cybersource.com/library/documentation/dev_guides/CC_Svcs_
SCMP_API/html/
Payer Authentication Using the SCMP API describes how to integrate CyberSource
card authentication services with your web store, including Visa Verified by VisaSM,
MasterCard® and Maestro® SecureCode™ (UK domestic and international),
American Express SafeKeySM, and JCB J/Secure™:
PDF: http://apps.cybersource.com/library/documentation/dev_guides/Payer_
Authentication_SCMP_API/Payer_Authentication_SCMP_API.pdf
HTML: http://apps.cybersource.com/library/documentation/dev_guides/Payer_
Authentication_SCMP_API/html
Decision Manager Developer Guide Using the SCMP API | May 2013 9
About This Guide
Verification Services Using the SCMP API describes how to integrate CyberSource
delivery address verification and export compliance services into your business:
PDF: http://apps.cybersource.com/library/documentation/dev_guides/Verification_
Svcs_SCMP_API/Verification_Svcs_SCMP_API.pdf
HTML: http://apps.cybersource.com/library/documentation/dev_guides/
Verification_Svcs_SCMP_API/html
Reporting Developer's Guide describes how to view and configure Business Center
reports:
PDF: http://apps.cybersource.com/library/documentation/dev_guides/Reporting_
Developers_Guide/reporting_dg.pdf
HTML: http://apps.cybersource.com/library/documentation/dev_guides/
Reporting_Developers_Guide/html
Decision Manager Developer Guide Using the SCMP API | May 2013 10
CHAPTER
Introducing Decision
Manager and Advanced
1
Fraud Screen
Decision Manager
Decision Manager is a management tool that gives you the flexibility to control your
business practices and policies in real time and to interpret the risk and information codes
based on your business rules. With Decision Manager, you can accurately identify and
review potentially risky transactions while minimizing the rejection of valid orders. Decision
Manager supports these payment methods:
Personal and corporate credit cards, card association check cards, and some private
label cards
Direct debit transactions in Austria, Germany, The Netherlands, Spain, and the United
Kingdom
Electronic checks
PayEase China Processing services
PayPal Express Checkout and PayPal services
The Advanced Fraud Screen service includes electronic payment, fraud management,
and verification services. To use CyberSource services, you send a request that includes
information about your company, the customer, and the services that you want to use. You
receive a reply with information appropriate to the services you requested. You use the
reply information to interpret the results of your request.
Decision Manager Developer Guide Using the SCMP API | May 2013 11
Chapter 1 Introducing Decision Manager and Advanced Fraud Screen
To find out which services are compatible, see the developer guide for your
service(s).
Important
Decision Manager Developer Guide Using the SCMP API | May 2013 12
Chapter 1 Introducing Decision Manager and Advanced Fraud Screen
Decision Manager Developer Guide Using the SCMP API | May 2013 13
CHAPTER
Integrating Decision
Manager Services
2
For request and reply examples, see Appendix E, "Request and Reply Examples," on
page 76.
Score Service
When requesting the score service, send only valid and well-formed data in all
fields, especially in the card account number, and billing, email, and IP address
Important fields. For more information, see Appendix A, "API Fields," on page 31.
When requesting the Advanced Fraud Screen, do not request any of the following
services or features:
Decision Manager Developer Guide Using the SCMP API | May 2013 14
Chapter 2 Integrating Decision Manager Services
score_host_hedge
score_nonsensical_hedge
score_obscenities_hedge
score_phone_hedge
score_time_hedge
score_velocity_hedge
score_category_gift
customer_cc_number
customer_email
ship_to_address1
ship_to_address2
ship_to_city
ship_to_country
ship_to_state
ship_to_zip
For more information about Global Velocity, see the Decision Manager User Guide (PDF |
HTML).
Decision Manager Developer Guide Using the SCMP API | May 2013 15
Chapter 2 Integrating Decision Manager Services
Decision Manager uses these results to evaluate orders when you add the values to your
request.
Decision Manager Developer Guide Using the SCMP API | May 2013 16
Chapter 2 Integrating Decision Manager Services
Depending on the countries in which your business operates, send either the
IBAN (International Bank Account Number) or some or all of the bank fields
Important other than the IBAN. For information about which fields are required and how to
format them, see Appendix H, "Required Bank Account Information by
Country," on page 101.
Decision Manager Developer Guide Using the SCMP API | May 2013 17
Chapter 2 Integrating Decision Manager Services
CyberSource reserves the right to add new risk factor codes and information
codes at any time. Write your error handler so that it processes these new
Important codes without problems.
Score
The score of a transaction is sent in the score_score_result reply field. To determine
whether an order should be accepted or rejected, the score for each transaction is
compared to the score threshold that you choose for each product. If the risk score of a
product is at or below the threshold, the order is accepted. Otherwise, the order is
rejected.
Rapidly assist customers whose orders have been declined or marked for review.
Decide how best to resolve customer inquiries.
Identify orders that look suspicious but are actually valid.
Create custom business rules in Decision Manager and process orders differently
based on the outcome of each rule.
If Advanced Fraud Screen rejects the transaction, you receive the reply flag DSCORE and
risk factor codes in the reply field score_factors. Multiple risk factor codes are separated
by carets. For example:
score_factors=G^H^I
For a list of risk factor codes, see "Risk Factor Codes," page 86.
Decision Manager Developer Guide Using the SCMP API | May 2013 18
Chapter 2 Integrating Decision Manager Services
Information Codes
Information codes provide specific information about problems with orders and are more
detailed than risk factor codes. For example, when a risk factor code indicates a problem
with the customer’s phone number, the information code might specify that the phone
number contains an invalid area code.
Information codes can help you resolve problems with orders, and you can use them to
adjust Advanced Fraud Screen settings. Not all problems identified by the information
codes affect the score for the order.
The following reply fields are included in the reply only when an information code is
returned. Blank reply fields are not returned.
score_address_info
score_hotlist_info
score_internet_info
score_phone_info
score_suspicious_info
score_velocity_info
Multiple information codes are separated by carets as shown in the following example:
score_internet_info=UNV-EMBCO^MM-IPEM
Decision Manager Developer Guide Using the SCMP API | May 2013 19
Chapter 2 Integrating Decision Manager Services
Country:
The service verifies the country with the billing and shipping addresses, email
address, IP address, and the account-issuing country.
Phone number
Account number and credit card BIN (first six digits of the credit card number)
To see examples of requests and replies, see Appendix E, "Risk Update," on page 79.
Decision Manager Developer Guide Using the SCMP API | May 2013 20
Chapter 2 Integrating Decision Manager Services
Specifying Actions
The following table contains the values you can use in the action_code field. This field is
required for the Risk Update service. This table also lists the corresponding options in
Decision Manager Case Details and Transaction Details windows of the Business Center.
Decision Manager Developer Guide Using the SCMP API | May 2013 21
Chapter 2 Integrating Decision Manager Services
The account number and street, email, and IP addresses are not linked. For example, if
you add an account number and an email address to a list, a transaction is added to the
list even if the order contains only the account number.
The following table lists the fields you can use to add customer data to lists. Review the
API field requirements in Appendix A, "API Fields," on page 31 before you add these fields
to your request.
Decision Manager Developer Guide Using the SCMP API | May 2013 22
Chapter 2 Integrating Decision Manager Services
Negative List
If information in your request matches information on your negative list, the following
results are returned:
Positive List
If information in your request matches information in your positive list, the following results
are returned:
Review List
If information in your request matches information on your review list, information codes
that provide more details about the risky aspects of the order are returned. All review list
information codes start with REV-. However, the following fields are not returned:
The score_factors reply field does not contain the risk factor code F.
The score_score_result value is not 99.
Decision Manager Developer Guide Using the SCMP API | May 2013 23
Chapter 2 Integrating Decision Manager Services
The score_factors reply field includes the risk factor code E because a match with
your positive list takes precedence over a match with your negative list.
An information code indicating that the customer information is present on both lists:
CON-POSNEG.
Duplicate Matches
If List Manager finds information that is already in either of your lists, an appropriate
message is returned in the risk_update_rmsg field, such as the following example:
Decision Manager Developer Guide Using the SCMP API | May 2013 24
Chapter 2 Integrating Decision Manager Services
Remove data that was added to history in the Business Center with the Transaction
Marking Tool (the Mark as Suspect link) or by uploading chargeback files.
Remove chargeback data from history that was automatically added. This service
might be available if you use Chase Paymentech Solutions, GPN, or CyberSource as
your payment processor. For more information about this service, contact your
CyberSource representative.
Specifying Actions
Use the report_code field. This field can have one of the values listed in the following
table.
Decision Manager Developer Guide Using the SCMP API | May 2013 25
Chapter 2 Integrating Decision Manager Services
The marking reason does not affect how the transaction is marked, but it is used for
statistical studies.
Decision Manager Developer Guide Using the SCMP API | May 2013 26
Chapter 2 Integrating Decision Manager Services
You can use this service to post the following types of decisions to Decision manager:
ics_applications=ics_cm_action
Specifying Actions
The following table contains the values you can use in the cm_action_code field. The
cm_action_code and the cm_request_id fields are required for the Case Management
Action service. This table also lists the corresponding options in the Decision Manager
Case Details window of the Business Center. For more information about these request
fields, see "Request-Level Fields," page 32.
Case Management
Field Value Description
Details Window Option
Indicates that an order is accepted for
ACCEPT Accept
processing.
REJECT Indicates that an order is rejected. Reject
Decision Manager Developer Guide Using the SCMP API | May 2013 27
Chapter 2 Integrating Decision Manager Services
Case Management
Field Value Description
Details Window Option
ACCEPT_SETTLE Indicates that an order is accepted and Accept and
that the settlement or debit transaction Perform Settlement
should be sent in.
ADD_NOTE Adds a comment or note to the Add Note
transaction information.
For an example of a request, see Appendix E, "Case Management Action," on page 82.
For an example of a reply, see Appendix E, "Case Management Action," on page 82.
Decision Manager Developer Guide Using the SCMP API | May 2013 28
CHAPTER
Testing
3
After you specify Advanced Fraud Screen settings, build test profiles from past card-not-
present orders, and send the orders to the CyberSource test server to verify the results.
Though the test server has a smaller database of transaction history than the production
server, the test server uses the same score models. As a result, scores obtained on the
test server are not increased significantly by history-related attributes such as address
changes, name changes, and global velocity.
Decision Manager Developer Guide Using the SCMP API | May 2013 29
Chapter 3 Testing
Decision Manager Developer Guide Using the SCMP API | May 2013 30
APPENDIX
API Fields
A
This appendix describes the SCMP (Simple Commerce Message Protocol) API fields that
you can use to access Decision Manager services. SCMP API is a legacy name-value pair
API that is supported for merchants who have already implemented it. If you are new to
CyberSource and want to connect to services, use the Simple Order API.
Formatting Restrictions
Unless otherwise noted, all fields are order and case insensitive and the fields accept
special characters such as @, #, and %.
Request-level and offer-level field names and values must not contain carets
(^) or colons (:). However, they can contain embedded spaces and any other
Note printable characters. If you use more than one consecutive space, the extra
spaces are removed.
Decision Manager Developer Guide Using the SCMP API | May 2013 31
Appendix A API Fields
Request-Level Fields
Send only valid and well-formed data in all request fields, especially in the
following fields:
Important Card account number field: should be a valid number for the card type. For
example, Visa cards start with 4.
Billing address fields: should be a valid customer's billing address.
Email address field: should be a valid customer's address.
IP address field: should follow the proper format for the customer's IP address.
If you process orders from call centers, do not submit IP address information in
the request of those orders.
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
action_code Indicates whether to add to or remove a customer’s ics_risk_update String (20)
identity from the negative or positive list. This field can (R)
contain one of the following values:
add_negative: Add information to the negative list.
add_positive: Add information to the positive list.
add_review: Add information to the review list.
convert_to_negative: moves the data from the
review to the negative list.
convert_to_review: moves the data from the
negative to the review list.
delete_negative: Remove information from the
negative list.
delete_positive: Remove information from the
positive list.
delete_review: Remove information from the
review list.
address1 First line of the street address. ics_risk_update String (60)
(O)
address2 Second line of the street address. ics_risk_update String (60)
(O)
avs Value returned for address verification by the payment ics_score (O) String (3)
service ics_auth. If ics_auth and ics_score are
requested at the same time, the value is automatically
passed from ics_auth to ics_score.
For a list of possible values for this field, see "Address
Verification Codes," page 83.
Decision Manager Developer Guide Using the SCMP API | May 2013 32
Appendix A API Fields
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
bank_ Name used on the bank account. You can use this field ics_score (O) String (30)
account_name only when scoring a direct debit transaction.
bank_ Customer’s bank account number. You can use this field ics_score (see String (30)
account_ only when scoring a direct debit transaction. Use this field description)
number if you do not or are not allowed to provide the IBAN.
ics_risk_update
Note Do not use the IBAN in this field. Use only the (O)
traditional account number information. For the IBAN, use
bank_iban.
For specific requirements, see "Required Bank Account
Information by Country," page 101.
bank_address Address of the customer’s bank. You may use this field ics_score (O) String (255)
only when scoring a direct debit transaction.
bank_check_ Code used to validate the customer’s account number. ics_score (see String (2)
digit Required for some countries if you do not or are not description)
allowed to provide the IBAN instead. You may use this
field only when scoring a direct debit transaction.
For specific requirements, see "Required Bank Account
Information by Country," page 101.
bank_city City where the bank is located. If you do not send this ics_score (O) String (35)
field, we assume the bank is located in bill_city. Because
some banks validate the bank account information,
consider sending this field if the bank is not located in
bill_city.
You can use this field only when scoring a direct debit
transaction.
bank_code Country-specific code used to identify the customer’s ics_score (see String (15)
bank. Required for some countries if you do not or are not description)
allowed to provide the IBAN instead. You can use this field
ics_risk_update
only when scoring a direct debit transaction. For specific
(O)
requirements, see "Required Bank Account Information
by Country," page 101.
bank_country Country where the bank is located. Use the two-character ics_score (O) String (2)
ISO codes. You can use this field only when scoring a
ics_risk_update
direct debit transaction.
(O)
bank_iban International Bank Account Number (IBAN) for the bank ics_score (see String (30)
account. For some countries you can provide this number description)
instead of the traditional bank account information. You
ics_risk_update
can use this field only when scoring a direct debit
(O)
transaction.
For specific requirements, see "Required Bank Account
Information by Country," page 101.
Decision Manager Developer Guide Using the SCMP API | May 2013 33
Appendix A API Fields
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
bank_name Bank’s name. You can use this field only when scoring a ics_score (O) String (40)
direct debit transaction.
bank_ Bank’s SWIFT code. You can use this field only when ics_score (O) String (30)
swiftcode scoring a direct debit transaction. Required only for cross-
border transactions.
bill_address1 Street address of the customer as it appears in the ics_score (R) String (60)
account issuer’s records.
bill_address2 Used for additional address information, for example: ics_score (O) String (60)
Attention: Accounts Payable
bill_city City of the customer. ics_score (R) String (50)
bill_country Country of the customer. ics_score (R) String (2)
Use the two-character country codes located in the
Support Center.
bill_state State or province of the customer. Required for U.S. and ics_score (O) String (2)
Canada. Use the two-character codes located in the
ics_risk_update
Support Center.
(O)
bill_zip Postal code of the billing address. ics_score (O) String (10)
Required only if the billTo_country field is US or CA.
If the billing country is US, the numeric characters follow
these formats:
5 characters: NNNNN
9 characters: NNNNN-NNNN
If the billing country is CA, the six alphanumeric
characters follow this format: ANA NAN.
branch_code Code used to identify the branch of the customer’s bank. ics_score (see String (15)
Required for some countries if you do not or are not description)
allowed to provide the IBAN. Use this field only when
scoring a direct debit transaction. For specific
requirements, see "Required Bank Account Information
by Country," page 101.
Decision Manager Developer Guide Using the SCMP API | May 2013 34
Appendix A API Fields
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
card_type Type of card to authorize. To see which cards can be ics_score (O) String (3)
handled by each processor, see Credit Card Services
ics_risk_update
Using the SCMP API (PDF | HTML). Omitting the card
(O)
type can cause the transaction to be processed with the
wrong card type. Therefore, CyberSource strongly ** indicates (R)
recommends that you send the card type even if it is
optional for your processor and card type.
001: Visa
002: MasterCard, Eurocard ** (European regional
brand of MasterCard)
003: American Express
004: Discover
005: Diners Club
006: Carte Blanche **
007: JCB **
014: EnRoute **
021: JAL **
024: Maestro (UK Domestic)**
031: Delta **(Use this value only for the Global
Payment Service processor. For other processors, use
001.)
033: Visa Electron **
034: Dankort **
035: Laser **
036: Carte Bleue **
037: Carta Si **
039: Encoded account number **
040: UATP**
042: Maestro (International) **
043: GE Money UK card ** (Before setting up your
system for these cards, contact the CyberSource UK
Support Group.).
045: Style (Streamline only)
cb_request_id Request ID of the transaction that you want to mark as ics_ifs_update String (26)
suspect or remove from history. (O)
cc_bin Credit card BIN (the first six digits of the credit card). ics_risk_update Positive
(O) Integer (6)
Decision Manager Developer Guide Using the SCMP API | May 2013 35
Appendix A API Fields
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
city City of the street address. ics_risk_update String (50)
(O)
Required when adding the address to a list.
cm_action_ Sets the action to post to Decision Manager. This field can ics_cm_action String (13)
code be set to one of the following actions: (R)
ACCEPT
Indicates that an order is accepted for processing.
REJECT
Indicates that an order is rejected.
ACCEPT_SETTLE
Indicates that an order is accepted and that the
settlement or debit transaction should be sent in.
ADD_NOTE
Adds a comment or note to the transaction information.
For more information, see "Case Management Action
Service," page 27.
cm_comments Comments that are added to an action or the note text ics_cm_action String (1000)
when a note is added using the ADD_NOTE action for the (O)
cm_action_code field.
cm_request_id The request ID of the transaction on which the action ics_cm_action String (26)
specified for the cm_action_code field is taken. (R)
comments Brief description of the order or any comment you wish to ics_risk_update String (255)
add to the order. (O)
ics_score (O)
country Country of the street address. ics_risk_update String (2)
(O)
Use the two-character codes located in the Support
Center. Required if address1 is present.
currency Currency used for the order. Use the ISO currency codes. ics_score (R) String (5)
Decision Manager Developer Guide Using the SCMP API | May 2013 36
Appendix A API Fields
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
custom_risk_ Name of the risk model used to score your orders. Using ics_score (O) String (20)
model this API field overrides any choice made in the Business
Center. This field can contain one of the following values:
default: U.S. model
default_ca: Canada model
default_eu: European Union model. For a list of
countries in this model, see "Countries Included in the
European Union Risk Model," page 103.
default_row: All other countries
Decision Manager Developer Guide Using the SCMP API | May 2013 37
Appendix A API Fields
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
customer_ Customer’s first name. For CyberSource applications that ics_score (R) String (60)
firstname involve credit cards, the value should be the same as the
ics_risk_update
one that appears on the card. For the negative list,
(O for negative
record_name, customer_firstname, and customer_
list)
lastname are optional.
customer_gift_ Whether the customer requested gift wrapping for this ics_score (O) String (3)
wrap purchase. This field can contain one of the following
host name
values:
yes: The customer requested gift wrapping.
no: The customer did not request gift wrapping.
customer_ Host name reported by the customer’s browser to your ics_score (O) String (60)
hostname Web server identified via the http header.
customer_ Customer’s IP address, such as 10.1.27.63, reported ics_risk_update String (15)
ipaddress by your Web server via socket information. (O)
ics_score (O)
customer_ Network IP address of the customer (for example, ics_risk_update String (11)
ipaddress_ 10.1.27). A network IP address includes up to 256 IP (O)
class3 addresses.
customer_ Customer’s last name as it appears on the card. For the ics_score (R) String (60)
lastname negative list, record_name, customer_firstname, and
ics_risk_update
customer_lastname are optional.
(O for negative
list)
customer_ Customer’s account password. This value is for merchant Decision String (255)
password velocity use only. It is not stored, displayed, or returned. Manager (O)
Note Do not add random strings of characters to
passwords (salting) that are used with this field because
that prevents accurate velocity tests.
customer_ Telephone number of the customer. Long distance codes ics_score (O) String (15)
phone (0 and 1) that precede phone numbers are removed
ics_risk_update
before processing. Do not use dashes, spaces, or
(O)
parentheses. Even though the score of the order is not
affected by the leading digits, they may interfere with the
creation of custom rules, which use the request data as is.
For countries other than US or CA, add the country code
at the beginning of the phone number, if possible.
Otherwise, the billing country is used to determine the
country code. If you use 192.com, do not use the country
code.
Decision Manager Developer Guide Using the SCMP API | May 2013 38
Appendix A API Fields
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
cv_result Result of card verification. Returned by the authorization ics_score (O) String (1)
service in the auth_cv_result reply field. If ics_auth and
ics_score are requested at the same time, the value is
automatically passed from ics_auth to ics_score. For
more information on using this field, see "Sending the
Results of Address and Card Verification Tests," page 16.
The field contains one of the following values:
I: Card verification number failed processor's data
validation check.
M: Card verification number matched.
N: Card verification number not matched.
P: Card verification number not processed.
S: Card verification number is on the card but was not
included in the request.
U: Card verification is not supported by the issuing
bank.
X: Card verification is not supported by the card
association.
<space>: Deprecated. Ignore this value.
1: CyberSource does not support card verification for
this processor or card type.
2: Processor returned value unrecognized for card
verification response.
3: Processor did not return card verification result
code.
date_of_birth Date of birth of the customer in the format: YYYY-MM-DD ics_score (O) String (10)
or YYYYMMDD.
decision_ By default, Decision Manager evaluates all orders. Use Decision String (5)
manager_ this field only if you do not want to use Decision Manager Manager (O)
enabled to evaluate all orders, for example when you send two
requests for the same order: one request for pre-
authorization and one for the entire amount. For more
information on pre-authorization, see "Decision Manager,"
page 76. This field can contain one of the following
values:
false: do not use Decision Manager for this order.
true: (default) use Decision Manager for this order.
decision_ By default, your default profile is the active profile, or the Decision String (30)
manager_ Profile Selector chooses the active profile. Use this field Manager (O)
profile only if you want to specify the name of a different profile.
Decision Manager Developer Guide Using the SCMP API | May 2013 39
Appendix A API Fields
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
decision_ Concatenation of individual travel legs in the format ics_score (O) String (255)
manager_ ORIG1-DEST1[:ORIG2-DEST2...:ORIGn-
travel_ DESTn], for example: SFO-JFK:JFK-LHR:LHR-
complete_ CDG. For airport codes, see the IATA Airline and Airport
route Code Search.
Note In your request, send either the complete route or
the individual legs (_leg#_orig and _leg#_dest). If you
send all the fields, the value of _complete_route takes
precedence over that of the _leg# fields.
decision_ Departure date and time of the first leg of the trip. Use one ics_score (O) DateTime
manager_ of the following formats: (25)
travel_
yyyy-MM-dd HH:mm z
departure_time
yyyy-MM-dd hh:mm a z
yyyy-MM-dd hh:mma z
HH = hour in 24-hour format
hh = hour in 12-hour format
a = am or pm (case insensitive)
z = time zone of the departing flight, for example: If the
airline is based in city A, but the flight departs from city
B, z is the time zone of city B at the time of departure.
Important For travel information, use GMT instead of
UTC, or use the local time zone.
Examples
2011-03-20 11:30 PM PDT
2011-03-20 11:30pm GMT
2011-03-20 11:30pm GMT-05:00
Eastern Standard Time: GMT-05:00 or EST
Note When specifying an offset from GMT, the format
must be exactly as specified in the example. Insert no
spaces between the time zone and the offset.
decision_ Type of travel, for example: one way or round trip. ics_score (O) String (32)
manager_
travel_
journey_type
Decision Manager Developer Guide Using the SCMP API | May 2013 40
Appendix A API Fields
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
decision_ Airport code for the destination of the leg of the trip ics_score (O) String (3)
manager_ designated by the pound (#) symbol in the field name.
travel_ This code is usually three digits long, for example: SFO =
leg#_dest San Francisco. Do not use the colon (:) or the dash (-).
For airport codes, see the IATA Airline and Airport Code
Search.
Note In your request, send either the complete route or
the individual legs (_leg#_orig and _leg#_dest). If you
send all the fields, the complete route takes precedence
over the individual legs.
decision_ Airport code for the origin of the leg of the trip designated ics_score (O) String (3)
manager_ by the pound (#) symbol in the field name. This code is
travel_ usually three digits long, for example: SFO = San
leg#_orig Francisco. Do not use the colon (:) or the dash (-). For
airport codes, see the IATA Airline and Airport Code
Search.
Note In your request, send either the complete route or
the individual legs (_leg#_orig and _leg#_dest). If you
send all the fields, the complete route takes precedence
over the individual legs.
disable_avs Prevents the service from using the AVS (Address ics_score (O) boolean (5)
Verification Service) information. For example, you can
use this field when you process the score service before
the authorization service. This field can contain one of the
following values:
true: Ignore AVS results
false: Use AVS results
distributor_ Product’s identifier code. This field is inserted into the ics_score (O) String (15)
product_sku outgoing message without being parsed or formatted.
This field is included as Distributor product SKU (Offer) in
the list of API fields with which you can create custom
rules
domain Email domain of the customer. The domain of the email ics_risk_update String (100)
address comprises all characters that follow the @ symbol, (O)
such as mail.example.com.
For the Risk Update service, if the email address and the
domain are sent in the request, the domain supersedes
the email address.
grand_total_ Grand total for the order. Your request must include either ics_score (O) Decimal (15)
amount this field or the amount field in one the offer lines.
http_browser_ Email address set in the customer’s browser, which may ics_score (O) String (100)
email differ from customer_email).
Decision Manager Developer Guide Using the SCMP API | May 2013 41
Appendix A API Fields
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
http_browser_ Customer’s browser as identified from the HTTP header ics_score (O) String (40)
type data. For example, Mozilla is the value that identifies
the Firefox browser.
ics_ CyberSource applications to process for the request. You ics_direct_debit String (255)
applications must specify at least one application in each request. (R)
ics_ifs_update
(R)
ics_risk_update
(R)
ics_score (R)
marking_notes Notes or details that explain the reasons for adding the ics_risk_update String (255)
transaction to either the positive or negative list. (O)
ics_ifs_update
(O)
marking_ Reason for adding the transaction to the negative list. This ics_risk_update String (25)
reason field can contain one of the following values: (O)
fraud_chargeback: You have received a fraud- ics_ifs_update
related chargeback for the transaction. (O)
non_fraud_chargeback: You have received a
non-fraudulent chargeback for the transaction.
suspected: You believe that you will probably
receive a chargeback for the transaction.
creditback: You issued a refund to the customer to
avoid a chargeback for the transaction.
marking_ Request ID of the transaction from which data was added ics_risk_update String (26)
request_id to the negative or positive list. (O)
Decision Manager Developer Guide Using the SCMP API | May 2013 42
Appendix A API Fields
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
merchant_ Fields that you can use to store information. The value ics_score (O) String (255)
defined_data1 appears in the Case Management Details window in the
to merchant_ Business Center. The first four fields are the same fields
defined_ that are used by the Secure Data services. See request
data100 code examples.
Warning Merchant-defined data fields are not intended
to and must not be used to capture personally identifying
information. Accordingly, merchants are prohibited from
capturing, obtaining, and/or transmitting any personally
identifying information in or via the merchant-defined data
fields. Personally identifying information includes, but is
not limited to, address, credit card number, social security
number, driver's license number, state-issued
identification number, passport number, and card
verification numbers (CVV, CVC2, CVV2, CID, CVN). In
the event CyberSource discovers that a merchant is
capturing and/or transmitting personally identifying
information via the merchant-defined data fields, whether
or not intentionally, CyberSource will immediately
suspend the merchant's account, which will result in a
rejection of any and all transaction requests submitted by
the merchant after the point of suspension.
merchant_ Merchant description that appears on the cardholder's ics_score (O) String (22)
descriptor statement. For more information about merchant
descriptors, including all specific processors
requirements, see Credit Card Services Using the SCMP
API (PDF | HTML).
merchant_id Your CyberSource merchant ID. Use the same ics_risk_update String (30)
merchant_id for evaluation, testing, and production. (R)
ics_score (R)
merchant_ref_ Merchant-generated order reference or tracking number. ics_risk_update String (50)
number (R)
ics_score (R)
offer0...N Offers (line items of the order) for the request. At a ics_score (R) String (50)
minimum, offer0 must be present.
Decision Manager Developer Guide Using the SCMP API | May 2013 43
Appendix A API Fields
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
payment_type Method of payment used for the order. This field can ics_score (O) String (10)
contain one of the following values:
consumer (default): Customer credit card
corporate: Corporate credit card
debit: Debit card, such as a Maestro (UK Domestic)
card
cod: Collect on delivery
check: Electronic check
p2p: Person-to-person payment
private1: Private label credit card
other: Other payment method
personal_id Personal identifier. This field is supported only for Decision String (26)
CyberSource Latin American Processing. You can use Manager (See
this field for the Cadastro de Pessoas Fisicas (CPF) or the the field
Cadastro Nacional da Pessoa Juridica (CNPJ), which are description.)
required to use Credilink, the third-party service for
validating order data. The CPF number is also required for
the MasterCard AVS check in some countries. Otherwise,
this field is optional.
For more information about the integration of Credilink
services with Decision Manager, see “Appendix B Third-
Party Services” in the Decision Manager User Guide (PDF
| HTML)
record_name Name of the customer’s record entered in the list. ics_risk_update String (120)
(see description)
For the positive list, it is required if action_
code=add_positive. If absent from the request,
ics_risk_update creates the value for this field by
concatenating the customer’s first and last names.
For the negative and the review lists, record_name,
customer_firstname, and customer_lastname are
optional.
report_code Indicates whether to add to or remove order data from the ics_ifs_update String (2)
fraud history. This field can contain one of the following (R)
values:
ST: Suspicious transaction
CB: Chargeback and creditback; same action as Mark
as Suspect link in the Business Center
VT: Remove from history
Decision Manager Developer Guide Using the SCMP API | May 2013 44
Appendix A API Fields
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
returns_ Indicates whether returns are accepted for this order. This ics_score (O) String (3)
accepted field can contain one of the following values:
yes: Returns are accepted for this order.
no: Returns are not accepted for this order.
ship_to_ First line of the address where the product is shipped. ics_score (O) String (60)
address1 Required if any shipping address information is included.
ship_to_ Second line of the address where the product is shipped. ics_score (O) String (60)
address2
ship_to_city City where the product is shipped. Required if any ics_score (O) String (50)
shipping address information is included.
ship_to_ Country where the product is shipped. Use the two- ics_score (O) String (2)
country character country codes located in the Support Center.
ship_to_ First name of the person receiving the shipment. ics_score (O) String (60)
firstname
ship_to_ Last name of the person receiving the shipment. ics_score (O) String (60)
lastname
ship_to_phone Phone for shipping address. For information on ics_score (O) String (15)
formatting, see "customer_phone," page 38.
ship_to_state State, province, or territory where the product is shipped. ics_score (O) String (2)
Use the two-character codes located in the Support
Center. Required if ship_to_country is CA or US.
ship_to_zip Postal code of the shipping address. ics_score (O) String (10)
Required only if the bill_zip field is US or CA.
If the shipping country is US, the numeric characters
follow these formats:
5 characters: NNNNN
9 characters: NNNNN-NNNN
If the shipping country is CA, the six alphanumeric
characters follow this format: ANA NAN.
Decision Manager Developer Guide Using the SCMP API | May 2013 45
Appendix A API Fields
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
shipping_ Shipping method for the product. It can contain one of the ics_score (O) String (10)
method following values:
sameday: Courier or same-day service
oneday: Next-day or overnight service
twoday: Two-day service
threeday: Three-day service
lowcost: Lowest-cost service
pickup: Store pick-up
When this value is specified, the shipping address is
not automatically added to the negative list. To add the
shipping address to the negative list, you must explicitly
add it by using the Transaction Marking Tool. To use
the Transaction Marking Tool, see “Marking Order Data
During Order Review” in the Case Management
chapter of the Decision Manager User Guide.
other: Other shipping method
none: No shipping method because product is a
service or subscription
Note To use a custom value, create a Decision Manager
custom rule with the shipping method order element.
state State, province, or territory of the street address. Use the ics_risk_update String (2)
two-character codes located in the Support Center. (O)
timeout Number of seconds the system waits before returning a ics_risk_update Positive
time-out error. The default is 110 seconds. (O) integer (3)
ics_score (O)
zip Postal code of the street address. Required when adding ics_risk_update String (10)
the address to a list. (O)
Decision Manager Developer Guide Using the SCMP API | May 2013 46
Appendix A API Fields
Offer-Level Fields
Each offer submitted in a request for CyberSource services contains several fields that
describe the product that the customer ordered. At a minimum, you must provide the
amount field. To accommodate multiple products ordered by the customer in a single
purchase session, a request for CyberSource services can contain one or more offers,
referred to as offer0 through offerN.
The table below lists the offer fields. Unless otherwise noted, all of the fields listed are
order and case insensitive, and the fields accept special characters (for example, @, #,
and %). They also can contain embedded spaces and any other printable characters. If
you use more than one consecutive space, the extra spaces are removed.
Do not use carets (^) and colons (:) in offer fields. In an offer line, carets
separate name-value pairs from one another, and colons separate field names
Note from values: name:value^name:value.
Table 11 Advanced Fraud Screen and Negative List Update Offer-Level Fields
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
amount Per-item price of the product. You can include a decimal ics_risk_update Decimal
point in this field, but you cannot include any other (R) (15)
special characters. In the request, the amount is
ics_score (R)
truncated to the correct number of decimal places.
distributor_ Product’s identifier code. This field is inserted into the ics_score (O) String (15)
product_sku outgoing message without being parsed or formatted.
merchant_ Merchant’s product ics_score (O) String (255)
product_sku
passenger_ Passenger's first name. ics_score (O) String (60)
firstname
passenger_ Passenger's last name. ics_score (O) String (60)
lastname
passenger_id ID of the passenger to whom the ticket was issued. For ics_score (O) String (32)
example, you can use this field for the frequent flyer
number.
passenger_status Your company's passenger classification, such as with a ics_score (O) String (32)
frequent flyer program. In this case, you might use
values such as standard, gold, or platinum.
Decision Manager Developer Guide Using the SCMP API | May 2013 47
Appendix A API Fields
Table 11 Advanced Fraud Screen and Negative List Update Offer-Level Fields (Continued)
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
passenger_type Passenger classification associated with the price of the ics_score (O) String (32)
ticket. You can use one of the following values:
ADT: Adult
CNN: Child
INF: Infant
YTH: Youth
STU: Student
SCR: Senior Citizen
MIL: Military
passenger_email Passenger's email address, including the full domain ics_score (O) String (255)
name, such as jdoe@example.com.
passenger_phone Passenger's phone number. If the order is from outside ics_score (O) String (15)
the U.S., CyberSource recommends that you include
the country code.
product_code Type of product that the offer contains, which is also ics_score (O) String (255)
used to determine the category that the product falls
under (electronic, handling, physical, service, or
shipping). For a list of possible values, see "Product
Codes," page 96.
Multiple product_code values can apply to the same
offer (for example, shipping and handling). The default
value for product_code is default.
product_name Name of the product. ics_score (O) String (255)
product_risk Indicates the level of risk for the product. This field can ics_score (O) String (6)
contain one of the following values:
low: The product is associated with few
chargebacks.
normal: The product is associated with a normal
number of chargebacks.
high: The product is associated with many
chargebacks.
quantity Quantity of the product being purchased. ics_score (O) Non-
negative
integer (10)
Decision Manager Developer Guide Using the SCMP API | May 2013 48
Appendix A API Fields
Table 11 Advanced Fraud Screen and Negative List Update Offer-Level Fields (Continued)
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
score_category_ Determines whether to assign risk to the order if the ics_score (O) String (3)
gift billing and shipping addresses specify different cities,
states, or countries. This field can contain one of the
following values:
yes: Orders are assigned only slight additional risk if
billing and shipping addresses are different.
no (default): Orders are assigned higher additional
risk if billing and shipping addresses are different.
off: Differences between billing and shipping
addresses do not affect the score.
score_host_ Importance of email and IP addresses of the customer ics_score (O) String (6)
hedge in scoring risk. This field can contain one of the following
values:
Low: Lower-than-average concern with orders
coming from an unknown email or IP address.
Normal (default): Average concern.
High: High concern. A high proportion of orders you
receive from unknown host or email domains are
risky.
Off: Email and IP address do not affect score.
score_ Importance in scoring risk of the weight of the multiple ics_score (O) String (6)
nonsensical_ tests performed on the text content of customers’
hedge orders. This field can contain one of the following
values:
Low: Lower-than-average concern about the content
in customers’ orders.
Normal (default): Average concern.
High: High concern. A high proportion of orders that
you receive contain nonsensical input.
Off: The content of orders does not affect the score.
score_ Importance in scoring risk of the weight of the multiple ics_score (O) String (6)
obscenities_ tests performed on the text content of customers’
hedge orders. This field can contain one of the following
values:
Low: Lower-than-average concern about the content
in customers’ orders.
Normal (default): Average concern.
High: High concern. A high proportion of orders that
you receive contain obscenities.
Off: The content of orders does not affect the score.
Decision Manager Developer Guide Using the SCMP API | May 2013 49
Appendix A API Fields
Table 11 Advanced Fraud Screen and Negative List Update Offer-Level Fields (Continued)
Used By:
Data Type
Field Description Required (R)
& Length
or Optional (O)
score_phone_ Importance in scoring risk of the weight of the multiple ics_score (O) String (6)
hedge tests performed on phone numbers. This field can
contain one of the following values:
Low: Lower-than-average concern about phone
numbers in orders.
Normal (default): Average concern.
High: High concern. A high proportion of orders that
you receive contain risky phone numbers.
Off: Phone numbers do not affect the score.
score_threshold Acceptable level of risk for ordering each product. The ics_score (O) Integer (2)
value cannot be negative.
score_time_ Importance of time of day of the customer order in ics_score (O) String (6)
hedge scoring risk. This field can contain one of the following
values:
Low: Lower-than-average concern with time of day.
Normal (default): Average concern with time of
day.
High: High concern with time of day.
Off: Time of day does not affect score.
score_velocity_ Importance of the number of orders (purchase ics_score (O) String (10)
hedge frequency) from a customer in a certain time period (the
preceding 15 minutes) in scoring risk. This field can
contain one of the following values:
Low: Low concern about global velocity.
Normal: (default) Average concern about global
velocity.
High: High concern about global velocity.
Off: Global velocity does not affect the score.
Decision Manager Developer Guide Using the SCMP API | May 2013 50
Appendix A API Fields
Reply Fields
The following fields are included in the reply only when a value needs to be returned for
that field. Blank reply fields are not sent.
Data Type
Field Description Returned By
& Length
bin_country Country (two-digit country code) associated with the BIN of ics_score String (2)
the customer’s card used for the payment. Returned if the
information is available. Use this field for additional
information when reviewing orders. This information is also
displayed in the details page of the Business Center.
client_lib_ Information about the client library used to request the ics_ifs_update String (50)
version transaction.
ics_risk_
update
ics_score
cm_action_rcode When the Case Management Action service is used to ics_cm_action Integer (1)
programmatically post decisions to Decision Manager from
third-party case management tools:
One-digit code that indicates whether the entire request
was successful. The field contains one of the following
values:
-1: An error occurred
0: The request was declined
1: The request was successful
For more information, see "Case Management Action
Service," page 27.
cm_action_rflag One-word description of the result of the entire Case ics_cm_action String (50)
Management Action service request. For more information,
see Appendix B, "Reply Flags," on page 58.
cm_action_rmsg Message that explains the reply flag that is returned in ics_cm_action String (255)
response to a Case Management Action service request.
Do not display this message to your customer, and do not
use this field to write an error handler.
decision Summarizes the result of the overall request. This field can Decision String (6)
contain one of the following values: Manager
ACCEPT
ERROR
REJECT
REVIEW
Decision Manager Developer Guide Using the SCMP API | May 2013 51
Appendix A API Fields
Data Type
Field Description Returned By
& Length
decision_active_ When verbose mode is enabled: name of queue where Decision String (30)
profile_ orders that are not automatically accepted are sent. Manager
destination_
queue
decision_active_ When in verbose mode, name of the active profile chosen Decision String (30)
profile by the profile selector. If no profile selector exists, the Manager
default active profile is chosen.
decision_active_ When verbose mode is enabled: name of the profile Decision String (50)
profile_ selector rule that chooses the profile to use for the Manager
selector_rule transaction. If no profile selector exists, the value is
Default Active Profile.
decision_active_ Summarizes the result for the rule specified by the number Decision String (6)
profile_ # according to the setting that you chose in the Profile Manager
rule_#_decision Editor. This field can contain one of the following values:
IGNORE
REVIEW
REJECT
ACCEPT
decision_active_ Raw evaluation result of the rule specified by the number Decision String (1)
profile_ #. This field contains one of the following values: Manager
rule_#_
T: The rule is true.
evaluation
F: The rule is false.
N: The rule cannot be evaluated because the data is
insufficient.
E: The rule cannot be evaluated because an error
occurred.
decision_active_ Description of the rule specified by the number # as it Decision String (50)
profile_ appears in the Profile Editor. Manager
rule_#_name
decision_case_ You receive this field only if you subscribe to the Enhanced Decision Integer (1)
priority Case Management service. The priority level ranges from Manager
1 (highest) – 5 (lowest); the default value is 3. If you do not
assign a priority to your rules or to your profiles, the default
value is given to the order.
decision_early_ When early processing is enabled: One-digit code that Decision Integer (1)
rcode indicates whether the entire request was successful. The Manager
field contains one of the following values:
-1: An error occurred
0: The request was declined
1: The request was successful
Decision Manager Developer Guide Using the SCMP API | May 2013 52
Appendix A API Fields
Data Type
Field Description Returned By
& Length
decision_rcode One-digit code that indicates whether the entire request Decision Integer (1)
was successful. The field contains one of the following Manager
values:
-1: An error occurred
0: The request was declined
1: The request was successful
decision_rflag One-word description of the result of the entire request. Decision String (50)
Manager
decision_rmsg Message that explains the reply flag. Do not display this Decision String (255)
message to your customer, and do not use this field to Manager
write an error handler.
decision_ List of information codes triggered by the order. These Decision String (255)
velocity_info information codes were generated when you created the Manager
order and product velocity rules and are returned so that
you can associate them with the rules.
ics_rcode One-digit code that indicates whether the entire request ics_ifs_update Integer (1)
was successful. The field contains one of the following
ics_risk_
values:
update
-1: An error occurred ics_score
0: The request was declined
1: The request was successful
ics_rflag One-word description of the result of the entire request. ics_ifs_update String (50)
ics_risk_
update
ics_score
ics_rmsg Message that explains the reply flag ics_rflag. Do not ics_ifs_update String (255)
display this message to your customer, and do not use this
ics_risk_
field to write an error handler.
update
ics_score
ifs_update_rcode One-digit code that indicates whether the ics_ifs_update ics_ifs_update Integer (1)
request was successful. The field will contain one of the
following values:
-1: An error occurred
0: The request was declined
1: The request was successful
ifs_update_rflag One-word description of the result of the ics_ifs_update ics_ifs_update String (50)
request.
Decision Manager Developer Guide Using the SCMP API | May 2013 53
Appendix A API Fields
Data Type
Field Description Returned By
& Length
ifs_update_rmsg Message that explains the reply flag ifs_update_rflag. Do ics_ifs_update String (255)
not display this message to your customer, and do not use
this field to write an error handler.
merchant_ref_ Merchant-generated order reference or tracking number. ics_ifs_update String (50)
number
ics_risk_
update
ics_score
request_id Identifier for the request generated by the client. ics_ifs_update String (26)
ics_risk_
update
ics_score
request_token Identifier for the request generated by CyberSource. ics_ifs_update String (256)
ics_risk_
update
ics_score
risk_update_ One-digit code that indicates whether the ics_risk_update ics_risk_ Integer (1)
rcode request was successful. The field will contain one of the update
following values:
-1: An error occurred
0: The request was declined
1: The request was successful
risk_update_rflag One-word description of the result of the ics_risk_update ics_risk_ String (50)
request. update
risk_update_ Message that explains the reply flag risk_update_rflag. ics_risk_ String (255)
rmsg Do not display this message to your customer, and do not update
use this field to write an error handler.
score_address_ Indicates a mismatch between the customer’s billing and ics_score String (255)
info shipping addresses. For a list of possible values, see
"Information Codes," page 88.
score_card_ Type of customer. This field can contain one of the ics_score String (2)
account_type following values:
CN: (Consumer) private customer
CP: (Corporate) business customer
score_card_ Name of the bank or entity that issued the card account. ics_score String (128)
issuer
Decision Manager Developer Guide Using the SCMP API | May 2013 54
Appendix A API Fields
Data Type
Field Description Returned By
& Length
score_card_ Subtype of card account. This field can contain one of the ics_score String (32)
scheme following values:
Maestro International
Maestro UK Domestic
MasterCard Credit
MasterCard Debit
Visa Credit
Visa Debit
Visa Electron
score_card_ Subtype of card account. This field can contain one of the ics_score String (32)
scheme following values:
Maestro International
Maestro UK Domestic
MasterCard Credit
MasterCard Debit
Visa Credit
Visa Debit
Visa Electron
score_factors This field contains information that affected the score of the ics_score String (100)
order. This field will contain one or more codes, separated
by carets (^). For a list of possible values, see "Risk Factor
Codes," page 86.
score_host_ Refers to the risk associated with the customer's email ics_score Non-
severity domain. Returns a number from 0–5, where 0 represents negative
an undetermined risk and 5 represents the highest risk. integer (1)
score_hotlist_ Indicates that customer information is associated with ics_score String (255)
info transactions that are either on the negative or the positive
list. For a list of possible values, see "Information Codes,"
page 88.
score_identity_ Indicates excessive identity changes. The threshold is ics_score String (255)
info variable depending on the identity elements being
compared. This field can contain one or more information
codes, separated by carets (^). For a list of possible
values, see "Information Codes," page 88.
score_internet_ Indicates a problem with the customer’s email address, IP ics_score String (255)
info address, or billing address. For a list of possible values,
see "Information Codes," page 88.
score_ip_city Name of the city decoded from the IP address used directly ics_score String (50)
or indirectly by the customer to send the order.
Decision Manager Developer Guide Using the SCMP API | May 2013 55
Appendix A API Fields
Data Type
Field Description Returned By
& Length
score_ip_ Name of the country decoded from the IP address used ics_score String (2)
country directly or indirectly by the customer to send the order.
score_ip_ Routing method decoded from the IP address used directly ics_score String (25)
routing_method or indirectly by the customer to send the order. Routing
method decoded from the IP address used directly or
indirectly by the customer to send the order. For a detailed
description, see "Using the Customer’s IP Address to
Assess the Level of Risk," page 70. This field can contain
one of the following values:
Anonymizer
AOL, AOL dial-up, AOL POP, and AOL proxy
Cache proxy
Fixed
International proxy
Mobile gateway
POP
Regional proxy
Satellite
SuperPOP
score_ip_state Name of the state decoded from the IP address used ics_score String (255)
directly or indirectly by the customer to send the order.
score_model_ Name of the score model used for the transaction. If you ics_score String (20)
used did not include a custom model in your request, this field
contains the name of CyberSource’s default model.
score_phone_ Indicates a problem with the customer’s phone number. ics_score String (255)
info For a list of possible values, see "Information Codes,"
page 88.
score_rcode One-digit code that indicates whether the ics_score ics_score Integer (1)
request was successful. The field will contain one of the
following values:
-1: An error occurred
0: The request was declined
1: The request was successful
score_rflag One-word description of the result of the ics_score ics_score String (50)
request.
score_rmsg Message that explains the reply flag score_rflag. Do not ics_score String (255)
display this message to your customer, and do not use this
field to write an error handler.
Decision Manager Developer Guide Using the SCMP API | May 2013 56
Appendix A API Fields
Data Type
Field Description Returned By
& Length
score_score_ Total score calculated for this order. The value cannot be ics_score Integer (2)
result negative.
score_ Indicates that the customer provided potentially suspicious ics_score String (255)
suspicious_info information. For a list of possible values, see "Information
Codes," page 88.
score_time_local The customer's local time (hh:mm:ss), which is ics_score Time (8)
calculated from the transaction request time and the
customer's billing address.
score_velocity_ Indicates that the customer has a high purchase frequency. ics_score String (255)
info For a list of possible values, see "Information Codes,"
page 88.
Decision Manager Developer Guide Using the SCMP API | May 2013 57
APPENDIX
Reply Flags
B
Reply flags are associated with a request or a service. The flag in the ics_rflag field is
associated with a request. The flag in the <service>_rflag field is associated with a
service.
Services
Reply Flag Description That Can Return
This Flag
DAVSNO The credit card was accepted by the bank but refused by Decision Manager
CyberSource because it did not pass the Address Verification
Service test.
DCALL The transaction is declined. To try to resolve the issue, call the Decision Manager
issuing bank or the customer.
DCARDEXPIRED CyberSource declined the request because the credit card has Decision Manager
expired. You may also receive this reason code if the expiration
date that you provided does not match the date on file at the
issuing bank. If the payment processor allows issuance of credits
to expired cards, CyberSource does not limit this functionality.
DCARDREFUSED The bank declined the transaction. This reply flag includes Decision Manager
declines due to insufficient funds, which cannot be differentiated
from other transactions at the time of authorization.
DCV The credit card was accepted by the bank but refused by Decision Manager
CyberSource because it did not pass the card verification
number check.
DINVALIDADDRESS The customer entered an invalid city, state, country, or postal Decision Manager
code.
DINVALIDCARD The account number does not pass CyberSource basic checks. ics_score
DINVALIDDATA The data provided is not consistent with the request. For ics_cm_action
example, you requested a product with negative cost.
ics_ifs_update
ics_risk_update
ics_score
DINVALIDPROD Not enough information is provided to generate the download Decision Manager
URL.
Decision Manager Developer Guide Using the SCMP API | May 2013 58
Appendix B Reply Flags
Services
Reply Flag Description That Can Return
This Flag
DMISSINGFIELD The request is missing a required field. ics_cm_action
ics_ifs_update
ics_risk_update
ics_score
DREJECT This is the Decision Manager default reply flag for the orders that Decision Manager
you want to reject.
DNOAUTH The transaction is declined because the authorization is invalid. Decision Manager
DREVIEW This is the Decision Manager default reply flag for the orders that Decision Manager
you want to review.
DSCORE The score exceeds the threshold that you set for the profile. ics_score
ESYSTEM System error. Wait a few minutes, and try sending your request ics_cm_action
again.
ics_ifs_update
ics_risk_update
ics_score
ETIMEOUT The request timed out. ics_cm_action
ics_ifs_update
ics_risk_update
ics_score
SOK The transaction was successful. ics_cm_action
ics_ifs_update
ics_risk_update
ics_score
Decision Manager Developer Guide Using the SCMP API | May 2013 59
APPENDIX
Mapping of Order Elements
to API Fields
C
This appendix describes the order request and reply elements that you can use to create
custom rules in the Condition Editor in the Business Center. Use this information only if
you need to modify your integration.
Next to each field is the equivalent request or reply field name for the SCMP API. For
details about these fields, see Appendix A, "API Fields," on page 31 of this guide, Credit
Card Services Using the SCMP API (PDF | HTML), Payer Authentication Using the SCMP
API (PDF | HTML), and Verification Services Using the SCMP API (PDF | HTML).
Decision Manager Developer Guide Using the SCMP API | May 2013 60
Appendix C Mapping of Order Elements to API Fields
Decision Manager Developer Guide Using the SCMP API | May 2013 61
Appendix C Mapping of Order Elements to API Fields
Decision Manager Developer Guide Using the SCMP API | May 2013 62
Appendix C Mapping of Order Elements to API Fields
Decision Manager Developer Guide Using the SCMP API | May 2013 63
APPENDIX
Decision Manager Use
Cases
D
This section describes a few API implementation use cases. Follow the use cases that
apply to your implementation:
All merchants:
"Receiving Detailed Information About Each Order"
"Using the Customer’s IP Address to Assess the Level of Risk"
Decision Manager Developer Guide Using the SCMP API | May 2013 64
Appendix D Decision Manager Use Cases
In addition to changes that you might need to make to your integration in order to use
Decision Manager, you must add the following information that you receive from your
authorization service to your request:
Address verification code. Use the avs field.
Card verification result. Use the cv_result field.
Decision Manager Developer Guide Using the SCMP API | May 2013 65
Appendix D Decision Manager Use Cases
Order Information
Travel orders need to include request and item or offer fields.
Request Data
Include the basic order, customer, payment, and application fields. To process the
payment, you must also include either the grand total amount or the individual line-item
amounts in your request.
All travel fields are optional. To screen travel data, include either the complete route and/or
the individual legs of the trip. If you include both, the values for the complete route are
used. The departure time applies to the first leg of the travel. Use the following API fields.
For more information on the fields, see the complete descriptions listed in Appendix A,
"API Fields," on page 31.
decision_manager_travel_complete_route
decision_manager_travel_departure_time
decision_manager_travel_journey_type
decision_manager_travel_leg#_dest
decision_manager_travel_leg#_orig
Complete travel route: From MSP to SFO, then from SFO to LAX
Departure time: 8 March 2014 at 8:33 A.M. Central Standard Time
Journey type: Round trip
decision_manager_travel_complete_route=MSP-SFO:SFO-LAX
decision_manager_travel_journey_type=Round Trip
Decision Manager Developer Guide Using the SCMP API | May 2013 66
Appendix D Decision Manager Use Cases
decision_manager_travel_journey_type=Round Trip
decision_manager_travel_leg0_orig=MSP
decision_manager_travel_leg0_dest=SFO
decision_manager_travel_leg1_orig=SFO
decision_manager_travel_leg1_dest=LAX
Offer-Line Data
You can use each offer line to contain information about one passenger, including the
amount for that passenger, or other data. Use the following API fields in your request. For
more information on the fields, see the complete descriptions included in Appendix A, "API
Fields," on page 31.
An amount is required in each item or offer line. The amount can be zero. If you
also add a product code to the offer line, additional item or offer fields might be
Note required.
passenger_firstname
passenger_lastname
passenger_id
passenger_status
passenger_type
passenger_email
passenger_phone
amount
Decision Manager Developer Guide Using the SCMP API | May 2013 67
Appendix D Decision Manager Use Cases
offer0=passenger_firstname:Jane^passenger_lastname:Doe^passenger_
status:Reserved^passenger_id:7586^passenger_type:ADT^passenger_
phone:9995551212^passenger_email:jdoe@example.com^amount:100.00
offer1=passenger_firstname:Joe^passenger_lastname:Doe^passenger_
status:Reserved^passenger_id:234^passenger_type:CNN^passenger_
phone:9995551212^amount:50.00
Reply Information
You receive the basic order results, the score service results, and Decision Manager
results in the API reply. These results are also available in the case management and
transaction details windows of the Business Center. When reply information contains
travel data, the following information codes are returned if passenger data is on the
negative list:
Decision Manager Developer Guide Using the SCMP API | May 2013 68
Appendix D Decision Manager Use Cases
Each offer line must have an amount, which can be zero. If you send the grand total
amount by using grand_total_amount without one or more line items, a line item will be
added to the order. If you create custom rules that use the order element Amount (Offer),
which is the equivalent of a line item in Decision Manager, your custom rule will be
triggered whether or not you send an offer line in your API request. To avoid this,
CyberSource recommends that you always send a line item in your request.
This feature applies to core and custom rules. You can use this information to analyze and
refine your profiles and to evaluate your orders by using API fields. You can see examples
in normal and verbose mode in Appendix E, "Request and Reply Examples," on page 76.
Contact Customer Support to have your account enabled to use verbose mode.
Important
To use the verbose mode, in each request that you want to evaluate in detail you send the
verbose_decision field. After your account is configured, all requests in which Decision
Manager runs return these fields in the reply in addition to the usual reply fields:
For each rule #, the decision, raw evaluation, the ID, and the name:
Decision Manager Developer Guide Using the SCMP API | May 2013 69
Appendix D Decision Manager Use Cases
decision_active_profile_rule_#_decision
decision_active_profile_rule_#_evaluation
decision_active_profile_rule_#_id
decision_active_profile_rule_#_name
For more information about these fields, see Appendix A, "API Fields," on page 31.
The degree of risk associated with the order’s routing method varies depending on the
order’s country of origin. The same routing method can have a different level of risk in
different regions.
API Request
The quality of the results depends on the data that you provide in the customer_
ipaddress request field.
If the IP address field contains an error, such as an invalid or missing field, an entry
appears in the Transaction Exception Detail Report.
If the IP address field is blank (present but without data), you may not have sent the
address.
If you provide an IP address from the ranges in the table below, the IP address is
ignored because it is not being used for Internet commerce.
Decision Manager Developer Guide Using the SCMP API | May 2013 70
Appendix D Decision Manager Use Cases
API Reply
IP Address Information
The decoded IP address information is returned in the following fields:
score_ip_city
score_ip_country
score_ip_state
The proxy methods listed below are public proxies as opposed to anonymous
proxies, which completely hide the customer's IP address.
Note
Decision Manager Developer Guide Using the SCMP API | May 2013 71
Appendix D Decision Manager Use Cases
The order in which tests are performed (Country > State > City) determines which reply
codes you receive. Country tests are performed first. If the country in the customer’s
Decision Manager Developer Guide Using the SCMP API | May 2013 72
Appendix D Decision Manager Use Cases
address matches that in the decoded IP address, the state tests are performed. However,
if the country in the customer’s address does not match the country in the decoded IP
address, one or more codes are returned, and the state and city tests are not performed.
When state tests are performed, if the customer’s address matches the decoded IP
address, the city tests are performed. If the state tests do not pass, codes are returned in
the reply and the city tests are not performed. Billing city tests are performed only if the
state tests pass.
The following order reply shows that the billing address provided by the customer does not
match the address information obtained from the IP address. The rest of the order
information is not provided here because it is unremarkable. The routing method used for
the order is standard, so the ISP is probably legitimate. The order is marked for review. To
attempt to convert the order into a sale, the reviewer contacts the customer and finds out
that the customer placed the order while travelling in the country that is associated with
the IP address. because the customer appears legitimate, the reviewer accepts the order.
Billing Information
Name John Smith
Address 670 Fairoaks Ave, Sunnyvale, CA, 94086 US
Phone Number 4085551212
Email Address jsmith@myemail.com
IP Address 202.67.64.1
IP Address Information
Country au
State new south wales
City lismore
Routing Method standard
Factor Code I - Internet inconsistencies
Reply Message Review
Decision Manager Developer Guide Using the SCMP API | May 2013 73
Appendix D Decision Manager Use Cases
In the following example, the state in the customer’s address does not match the IP
address. Therefore, the reply contains MM-IPBST (customer’s IP address is inconsistent
with state in billing address) but not MM-IPBC (customer’s IP address inconsistent with
city in billing address). Because the routing method indicates an anonymizer and there are
other inconsistencies reported in the reply, this order is marked for review.
Billing Information
Name John Smith
Address 123 Bollinger Avenue, Germantown, MD, 94086 US
Phone Number 4085551212
Email Address jsmith@myemail.com
IP Address 64.83.164.175
IP Address Information
Country us
State wi
City elkhorn
Routing Method anonymizer
Factor Code I - Internet inconsistencies
Information Code MM-IPBST - IP address inconsistent with billing state
UNV-ADDR - Unverifiable address
UNV-NID - IP address from anonymous proxy
Decision Manager Developer Guide Using the SCMP API | May 2013 74
Appendix D Decision Manager Use Cases
Because the direct debit is processed after Decision Manager, you can send a request
combining the services. The direct debit will be processed only if Decision Manager
succeeds.
To score an order, send your score service request with the appropriate bank and
customer data by using the fields listed in the following table. For more information about
the services and the request fields, see Appendix A, "API Fields," on page 31.
To update your positive and negative lists of customers, you can use the results of the
score service to provide data for the request fields of the risk update service, or you can
enter the information into your customer lists manually in the Business Center by using
List Manager. For more information, see "Risk Update Service," page 20.
Decision Manager Developer Guide Using the SCMP API | May 2013 75
APPENDIX
Request and Reply
Examples
E
Decision Manager
Card Authorization
Request
This example shows a card authorization that contains four purchased items. The
customer account age is supplied with the merchant-defined data field.
merchant_id=example
merchant_ref_number=833617922960995060
merchant_defined_data22=126
<customer’s name and billing address fields>
customer_ipaddress=24.111.10.202
customer_cc_number=4111xxxxxxxx1111
customer_cc_expmo=11
customer_cc_expyr=2007
currency=USD
ics_applications=ics_auth
offer0=amount:49.95^quantity:1
offer1=amount:30.00^quantity:1
offer2=amount:50.00^quantity:1
offer3=amount:10.00^quantity:1
Decision Manager Developer Guide Using the SCMP API | May 2013 76
Appendix E Request and Reply Examples
Reply
auth_auth_amount=139.95
auth_auth_avs=Y
auth_auth_code=123456
auth_auth_response=0
auth_auth_time=2011-03-28T23:44:27Z
auth_avs_raw=Y
auth_rcode=1
auth_rflag=SOK
auth_rmsg=Request was processed successfully.
merchant_ref_number=833617922960995060
request_id=1224933255120167904565
request_token=Ue2cQcaZrPwo4Yo3yFE24TwnPuHyeDG5tahXRuea0
currency=USD
ics_rcode=1
ics_rflag=SOK
ics_rmsg=Request was processed successfully.
Travel Data
This example shows a travel order placed for two passengers. The time zone associated
with the departure time (EST) is the local time of the city of the first leg of the flight (JFK).
EST can also be represented as GMT–5.
Request
merchant_id=sample merchant
merchant_ref_number=123456
customer_ipaddress=240.7.7.7
<customer’s name and billing address fields>
currency=USD
customer_cc_expmo=04
customer_cc_expyr=09
customer_cc_number=XXXXXXXXXXXX9378
decision_manager_travel_complete_route=JFK-SFO:SFO-LAX
decision_manager_travel_departure_time=2010-04-11 5:30 am EST
decision_manager_travel_journey_type=Round Trip
offer0=passenger_firstname:Jane^passenger_lastname:Doe^passenger_
status:Reserved^passenger_id:758^passenger_type:ADT^passenger_
phone:9995551212^amount:650.00
offer1=passenger_firstname:John^passenger_lastname:Doe^passenger_
status:Reserved^passenger_id:234^passenger_type:ADT^passenger_
phone:9995551212^amount:650.00
ics_applications=ics_score,ics_auth
Decision Manager Developer Guide Using the SCMP API | May 2013 77
Appendix E Request and Reply Examples
Reply
The order is marked for review.
merchant_ref_number=123456
request_token=Ahjz7wSRA3IL7yoxRgpuIAKa92pGEY0gZdxHFrwa61WnZ/AwBNA
request_id=2392962320000167904567
auth_auth_amount=1300.00
auth_rflag=SOK
auth_rcode=1
auth_rmsg=Request was processed successfully.
decision=REVIEW
decision_rcode=0
decision_rflag=DREVIEW
decision_rmsg=Decision is REVIEW.
decision_velocity_info=MVEL-R25^MVEL-R26
ics_rcode=0
ics_rflag=DREVIEW
ics_rmsg=Decision is REVIEW.
score_rcode=1
score_rflag=DSCORE
score_rmsg=Score exceeds threshold.
score_score_result=69
score_factors=Y
score_velocity_info=VEL-ADDR
Score Service
Request
Decision Manager Developer Guide Using the SCMP API | May 2013 78
Appendix E Request and Reply Examples
Reply
ics_rcode=1
ics_rflag=SOK
ics_rmsg=Request was processed successfully.
request_id=9423604739860167904518
request_token=8V7BA07JIFrOVuwvO7pLi1YAdHPVhFFY34Luh
merchant_ref_number=10742086
score_factors=G^I
score_host_severity=3
score_rcode=1
score_rflag=SOK
score_rmsg=score service was successful
score_score_result=34
score_time_local=13:00:00
Risk Update
Request
merchant_id=infodev
merchant_ref_number=2D6EDF7573B438294C8822C60
ics_applications=ics_risk_update
action_code=add_negative
address1=1234 Sample St.
city=Mountain View
country=US
customer_cc_number=4111xxxxxxxx1111
customer_email=test@example.com
state=CA
zip=94043
Decision Manager Developer Guide Using the SCMP API | May 2013 79
Appendix E Request and Reply Examples
Reply
ics_rcode=1
ics_rflag=SOK
ics_rmsg=Request was processed successfully.
request_id=0156221030000167905080
request_token=lOLQw6oPx+ViNCC1bng9cafAPqBdrIxYA4AhL4WDs7sRQ0qbQ
merchant_ref_number=2D6EDF7573B438294C8822C60
risk_update_rcode=1
risk_update_rflag=SOK
risk_update_rmsg=ics_risk_update service was successful
Request
action_code=add_negative
address1=1234 Sample St.
city=Mountain View
country=US
customer_cc_number=4111xxxxxxxx1111
customer_email=nobody@example.com
ics_applications=ics_risk_update
merchant_id=infodev
merchant_ref_number=3166C2717BF5F412991EA1D59
state=CA
zip=94043
Reply
ics_rcode=1
ics_rflag=SOK
ics_rmsg=Request was processed successfully.
request_id=0164774960000167905080
request_token=DsxqnMVKpdPxkAGKnumVDCFOitKWIBYrBUItGmKc2MDkQqlk0KV
merchant_ref_number=3166C2717BF5F412991EA1D59
risk_update_rcode=1
risk_update_rflag=SOK
risk_update_rmsg=Request was processed successfully. However, at least
one item was already in the negative list.
Decision Manager Developer Guide Using the SCMP API | May 2013 80
Appendix E Request and Reply Examples
Fraud Update
Mark as Suspect
This example shows the content of a request ID marked suspect.
Request
cb_request_id=2719725130000167904567
ics_applications=ics_ifs_update
merchant_id=example
merchant_ref_number=12345
report_code=st
marking_reason=suspected
Reply
ics_rcode=1
ics_rflag=SOK
ics_rmsg=Request was processed successfully.
ifs_update_rcode=1
ifs_update_rflag=SOK
ifs_update_rmsg=ifs_update service was successful
merchant_ref_number=12345
request_id=123456789012334567
request_token=AhijLwSRKJN1CRUnR8JuKJ9T44Yz6AAgoZNvG2YavwW0QAAA/g55
Request
cb_request_id=2719725130000167904567
ics_applications=ics_ifs_update
merchant_id=example
report_code=vt
marking_reason=suspected
merchant_ref_number=876i876
Decision Manager Developer Guide Using the SCMP API | May 2013 81
Appendix E Request and Reply Examples
Reply
ics_rcode=1
ics_rflag=SOK
ics_rmsg=Request was processed successfully.
ifs_update_rcode=1
ifs_update_rflag=SOK
ifs_update_rmsg=ifs_update service was successful
merchant_ref_number=876i876
request_id=2345678901234565678
request_token=AhijLwSRKJN1CRUnR8JuKJ9T44Yz6AAgoZNvG2YavwW0QAAA/g55
request_id=2345678901234565678
Request
ics_applications=ics_cm_action
merchant_ref_number=cmAction12345
merchant_id=example
cm_action_code=ACCEPT
cm_request_id=9999999999999999999999
cm_comments=Order accepted
Reply
cm_action_rcode=1
cm_action_rflag=SOK
cm_action_rmsg=ics_cm_action service was successful
ics_rcode=1
ics_rflag=SOK
ics_rmsg=Request was processed successfully.
merchant_ref_number=cmAction12345
request_id=3579485371880172492690
Decision Manager Developer Guide Using the SCMP API | May 2013 82
APPENDIX
Information and Reply
Codes
F
When you populate billing street address 1 and billing street address 2,
CyberSource through VisaNet concatenates the two values. If the
Important concatenated value exceeds 40 characters, CyberSource through VisaNet
truncates the value at 40 characters before sending it to Visa and the issuing
bank. Truncating this value affects AVS results and therefore might impact risk
decisions and chargebacks.
Decision Manager Developer Guide Using the SCMP API | May 2013 83
Appendix F Information and Reply Codes
The international and domestic AVS codes listed above and in the table below are the Visa
standard AVS codes, except for codes 1 and 2, which are CyberSource AVS codes. The
standard AVS return codes for other types of credit cards (including American Express
cards) are mapped to the Visa standard codes.
For cards issued by banks within the U.S., you may receive: A, E, F, G, H, N, R, S, T, U, W,
X, Y, Z, 1, and 2. Codes F, H, and T are returned for American Express cards only.
Code Description
A Partial match: street address matches, but 5-digit and 9-digit postal codes do not match.
B Partial match: street address matches, but postal code is not verified. Returned only for
non U.S.-issued Visa cards.
C No match: street address and postal code do not match. Returned only for non U.S.-
issued Visa cards.
D&M Match: street address and postal code match. Returned only for non U.S.-issued Visa
cards.
E Invalid: AVS data is invalid or AVS is not allowed for this card type.
F Partial match: card member’s name does not match, but billing postal code matches.
Returned only for the American Express card type.
G Not supported: non-U.S. issuing bank does not support AVS.
H Partial match: card member’s name does not match, but street address and postal code
match. Returned only for the American Express card type.
I No match: address not verified. Returned only for non U.S.-issued Visa cards.
K Partial match: card member’s name matches, but billing address and billing postal code
do not match. Returned only for the American Express card type.
L Partial match: card member’s name and billing postal code match, but billing address
does not match. Returned only for the American Express card type.
M See the entry for D & M.
N No match: one of the following:
Street address and postal code do not match.
Card member’s name, street address, and postal code do not match. Returned only
for the American Express card type.
Decision Manager Developer Guide Using the SCMP API | May 2013 84
Appendix F Information and Reply Codes
Code Description
O Partial match: card member’s name and billing address match, but billing postal code
does not match. Returned only for the American Express card type.
P Partial match: postal code matches, but street address not verified. Returned only for
non U.S.-issued Visa cards.
R System unavailable.
S Not supported: U.S.-issuing bank does not support AVS.
T Partial match: card member’s name does not match, but street address matches.
Returned only for the American Express card type.
U System unavailable: address information unavailable for one of these reasons:
The U.S. bank does not support non-U.S. AVS.
The AVS in a U.S. bank is not functioning properly.
V Match: card member’s name, billing address, and billing postal code match. Returned
only for the American Express card type.
W Partial match: street address does not match, but 9-digit postal code matches.
X Match: street address and 9-digit postal code match.
Y Match: street address and 5-digit postal code match.
Z Partial match: street address does not match, but 5-digit postal code matches.
1 Not supported: AVS is not supported for this processor or card type.
2 Unrecognized: the processor returned an unrecognized value for the AVS response.
3 Match: address is confirmed. Returned only for PayPal Express Checkout.
4 No match: address is not confirmed. Returned only for PayPal Express Checkout.
Decision Manager Developer Guide Using the SCMP API | May 2013 85
Appendix F Information and Reply Codes
Code Description
D The transaction was determined to be suspicious by the issuing bank.
I The CVN failed the processor's data validation check.
M The CVN matched.
N The CVN did not match.
P The CVN was not processed by the processor for an unspecified reason.
S The CVN is on the card but was not included in the request.
U Card verification is not supported by the issuing bank.
X Card verification is not supported by the card association.
1 Card verification is not supported for this processor or card type.
2 An unrecognized result code was returned by the processor for the card
verification response.
3 No result code was returned by the processor.
Code Description
A Excessive address change. The customer changed the billing address two or more
times in the last six months.
B Card BIN or authorization risk. Risk factors are related to credit card BIN and/or card
authorization checks.
C High number of account numbers. The customer used more than six credit cards
numbers in the last six months.
D Email address impact. The customer uses a free email provider, or the email address
is risky.
E Positive list. The customer is on your positive list.
F Negative list. The account number, street address, email address, or IP address for
this order appears on your negative list.
Decision Manager Developer Guide Using the SCMP API | May 2013 86
Appendix F Information and Reply Codes
Code Description
G Geolocation inconsistencies. The customer’s email domain, phone number, billing
address, shipping address, or IP address is suspicious.
H Excessive name changes. The customer changed the name two or more times in the
last six months.
I Internet inconsistencies. The IP address and email domain are not consistent with
the billing address.
N Nonsensical input. The customer name and address fields contain meaningless
words or language.
O Obscenities. The customer’s input contains obscene words.
P Identity morphing. Multiple values of an identity element are linked to a value of a
different identity element. For example, multiple phone numbers are linked to a single
account number.
Q Phone inconsistencies. The customer’s phone number is suspicious.
R Risky order. The transaction, customer, and merchant information show multiple
high-risk correlations.
T Time hedge. The customer is attempting a purchase outside of the expected hours.
U Unverifiable address. The billing or shipping address cannot be verified.
V Velocity. The account number was used many times in the past 15 minutes.
W Marked as suspect. The billing or shipping address is similar to an address
previously marked as suspect.
Y Gift Order. The street address, city, state, or country of the billing and shipping
addresses do not correlate.
Z Invalid value. Because the request contains an unexpected value, a default value
was substituted. Although the transaction can still be processed, examine the
request carefully for abnormalities in the order.
Decision Manager Developer Guide Using the SCMP API | May 2013 87
Appendix F Information and Reply Codes
Information Codes
When more than one value is returned, the values are separated by carets (^).
Codes Description
COR-BA The billing address has corrected elements or can be normalized.
COR-SA The shipping address has corrected elements or can be normalized.
INTL-BA The billing country is outside of the U.S.
INTL-SA The shipping country is outside of the U.S.
MIL-USA The address is a U.S. military address.
MM-A The billing and shipping addresses use different street addresses.
MM-BIN The card BIN (the first six digits of the number) does not match the
country.
MM-C The billing and shipping addresses use different cities.
MM-CO The billing and shipping addresses use different countries.
MM-ST The billing and shipping addresses use different states.
MM-Z The billing and shipping addresses use different postal codes.
UNV-ADDR The address is unverifiable.
Decision Manager Developer Guide Using the SCMP API | May 2013 88
Appendix F Information and Reply Codes
Codes Description
FREE-EM The customer’s email address is from a free email provider.
INTL-IPCO The country of the customer’s IP address is outside of the U.S.
INV-EM The customer’s email address is invalid.
MM- The domain in the customer’s email address is not consistent with the country in
EMBCO the billing address.
MM-IPBC The customer’s IP address is not consistent with the city in the billing address.
MM-IPBCO The customer’s IP address is not consistent with the country in the billing address.
MM-IPBST The customer’s IP address is not consistent with the state in the billing address.
However, this information code may not be returned when the inconsistency is
between immediately adjacent states.
MM-IPEM The customer’s email address is not consistent with the customer’s IP address.
RISK-EM The customer's email domain (for example, mail.example.com) is associated
with higher risk.
UNV-NID The customer’s IP address is from an anonymous proxy. These entities
completely hide the IP information.
UNV-RISK The IP address is from a risky source.
UNV- The country of the customer’s email address does not match the country in the
EMBCO billing address.
Decision Manager Developer Guide Using the SCMP API | May 2013 89
Appendix F Information and Reply Codes
Codes Description
CON- The order triggered both a positive and negative list match. The result of the
POSNEG positive list match overrides that of the negative list match.
NEG-BA The billing address is on the negative list.
NEG-BCO The billing country is on the negative list.
NEG-BIN The credit card BIN (the first six digits of the number) is on the negative list.
NEG- The country in which the credit card was issued is on the negative list.
BINCO
NEG-BZC The billing postal code is on the negative list.
NEG-CC The credit card number is on the negative list.
NEG-EM The email address is on the negative list.
NEG- The country in which the email address is located is on the negative list.
EMCO
NEG- The email domain (for example, mail.example.com) is on the negative list.
EMDOM
NEG-HIST A transaction was found on the negative list.
NEG-ID The customer’s account ID is on the negative list.
NEG-IP The IP address (for example, 10.1.27.63) is on the negative list.
NEG-IP3 The network IP address (for example, 10.1.27) is on the negative list. A network
IP address includes up to 256 IP addresses.
NEG-IPCO The country in which the IP address is located is on the negative list.
NEG-PEM A passenger’s email address is on the negative list.
NEG-PH The phone number is on the negative list.
NEG-PID A passenger’s account ID is on the negative list.
NEG-PPH A passenger’s phone number is on the negative list.
NEG-SA The shipping address is on the negative list.
NEG-SCO The shipping country is on the negative list.
NEG-SZC The shipping postal code is on the negative list.
POS- The customer is on the temporary positive list.
TEMP
POS- The customer is on the permanent positive list.
PERM
REV-BA The billing address is on the review list.
REV-BCO The billing country is on the review list.
REV-BIN The credit card BIN (the first six digits of the number) is on the review list.
REV- The country in which the credit card was issued is on the review list.
BINCO
Decision Manager Developer Guide Using the SCMP API | May 2013 90
Appendix F Information and Reply Codes
Codes Description
REV-BZC The billing postal code is on the review list.
REV-CC The credit card number is on the review list.
REV-EM The email address is on the review list.
REV- The country in which the email address is located is on the review list.
EMCO
REV- The email domain (for example, mail.example.com) is on the review list.
EMDOM
REV-ID The customer’s account ID is on the review list.
REV-IP The IP address (for example, 10.1.27.63) is on the review list.
REV-IP3 The network IP address (for example, 10.1.27) is on the review list. A network
IP address includes up to 256 IP addresses.
REV-IPCO The country in which the IP address is located is on the review list.
REV-PEM A passenger’s email address is on the review list.
REV-PH The phone number is on the review list.
REV-PID A passenger’s account ID is on the review list.
REV-PPH A passenger’s phone number is on the review list.
REV-SA The shipping address is on the review list.
REV-SCO The shipping country is on the review list.
REV-SZC The shipping postal code is on the review list.
Decision Manager Developer Guide Using the SCMP API | May 2013 91
Appendix F Information and Reply Codes
Codes Description
MM- The customer’s phone number is not consistent with the state in the billing
ACBST address.
RISK-AC The customer's area code is associated with higher risk.
RISK-PH The U.S. or Canadian phone number is incomplete, or one or more parts of the
number are risky.
TF-AC The phone number uses a toll-free area code.
UNV-AC The area code is invalid.
UNV-OC The area code and/or the telephone prefix are/is invalid.
UNV-PH The phone number is invalid.
Decision Manager Developer Guide Using the SCMP API | May 2013 92
Appendix F Information and Reply Codes
Codes Description
VEL-ADDR Different billing and/or shipping states (U.S. and Canada only) have been used
several times with the credit card number and/or email address.
VEL-CC Different account numbers have been used several times with the same name or
email address.
VEL-NAME Different names have been used several times with the credit card number and/or
email address.
VELS-CC The account number has been used several times during the short tracking
interval.
VELI-CC The account number has been used several times during the medium tracking
interval.
VELL-CC The account number has been used several times during the long tracking
interval.
VELV-CC The account number has been used several times during the very long tracking
interval.
VELS-EM The customer’s email address has been used several times during the short
tracking interval.
VELI-EM The customer’s email address has been used several times during the medium
tracking interval.
VELL-EM The customer’s email address has been used several times during the long
tracking interval.
VELV-EM The customer’s email address has been used several times during the very long
tracking interval.
VELS-IP The IP address has been used several times during the short tracking interval.
VELI-IP The IP address has been used several times during the medium tracking interval.
VELL-IP The IP address has been used several times during the long tracking interval.
VELV-IP The IP address has been used several times during the very long tracking
interval.
VELS-SA The shipping address has been used several times during the short tracking
interval.
VELI-SA The shipping address has been used several times during the medium tracking
interval.
VELL-SA The shipping address has been used several times during the long tracking
interval.
VELV-SA The shipping address has been used several times during the very long tracking
interval.
Decision Manager Developer Guide Using the SCMP API | May 2013 93
Appendix F Information and Reply Codes
Codes Description
VELS-TIP The true IP address has been used several times during the short interval.
VELI-TIP The true IP address has been used several times during the medium interval.
VELL-TIP The true IP address has been used several times during the long interval.
Codes Description
BAD-FP The device is risky.
INTL-BIN The credit card was issued outside of the U.S.
MM-TZTLO The device's time zone is inconsistent with the country's time zones.
MUL-EM The customer has used more than four different email addresses.
NON-BC The billing city is nonsensical.
NON-FN The customer’s first name is nonsensical.
NON-LN The customer’s last name is nonsensical.
OBS-BC The billing city contains obscenities.
OBS-EM The email address contains obscenities.
RISK-AVS The combined AVS test result and normalized billing address are risky, such as
when the AVS result indicates an exact match, but the normalized billing address
is not deliverable.
RISK-BC The billing city has repeated characters.
RISK-BIN In the past, this payment card BIN has shown a high incidence of fraud.
RISK-DEV Some of the device characteristics are risky.
RISK-FN The customer’s first and last names contain unlikely letter combinations.
RISK-LN The customer’s middle or last name contains unlikely letter combinations.
RISK-PIP The proxy IP address is risky.
RISK-SD The inconsistency in billing and shipping countries is risky.
RISK-TB The day and time of the order associated with the billing address is risky.
RISK-TIP The true IP address is risky.
RISK-TS The day and time of the order associated with the shipping address is risky.
Decision Manager Developer Guide Using the SCMP API | May 2013 94
Appendix F Information and Reply Codes
Codes Description
MORPH-B The same billing address has been used several times with multiple customer
identities.
MORPH-C The same account number has been used several times with multiple customer
identities.
MORPH-E The same email address has been used several times with multiple customer
identities.
MORPH-I The same IP address has been used several times with multiple customer
identities.
MORPH-P The same phone number has been used several times with multiple customer
identities.
MORPH-S The same shipping address has been used several times with multiple customer
identities.
Decision Manager Developer Guide Using the SCMP API | May 2013 95
Appendix F Information and Reply Codes
Product Codes
The following table lists the product codes used by CyberSource services:
shipping_and_handling The shipping portion is the charge for shipping the product to
your customer. The handling portion is the fee you charge
your customer to cover your administrative selling costs.
shipping_only Charge for transporting tangible personal property from your
location to your customer. You must maintain documentation
that clearly establishes the location where the title to the
property passed from you to your customer.
subscription Subscription to a web site or other content.
Decision Manager Developer Guide Using the SCMP API | May 2013 96
APPENDIX
Review Rates
G
These review rates are not current. They are provided for your information only.
To obtain the current set of review rates that you can use in your business,
Warning contact your account representative.
The following table shows the average review rate for each score threshold. The review
rate is the percentage of transactions that receive a higher score than your threshold. The
rates in this table are based on recommended settings for the Advanced Fraud Screen
service. Your review rate may vary according to the score threshold that you set for your
transactions.
Decision Manager Developer Guide Using the SCMP API | May 2013 97
Appendix G Review Rates
Decision Manager Developer Guide Using the SCMP API | May 2013 98
Appendix G Review Rates
Decision Manager Developer Guide Using the SCMP API | May 2013 99
Appendix G Review Rates
Decision Manager Developer Guide Using the SCMP API | May 2013 100
APPENDIX
Required Bank Account
Information by Country
H
This appendix provides for the listed country the required bank account field names and
the localized name for the account number. Use this information with direct debit
transactions. You must provide either of these numbers:
The IBAN (International Bank Account Number) if accepted for the country (gray
column).
The traditional bank account number fields (white columns).
If the IBAN is not accepted for a particular country or if you choose not to provide the
IBAN, you must instead provide the required traditional bank account fields for the
country as detailed in the table.
The maximum length and data types listed will be strictly validated as follows. For
example, 12 an indicates 12 alphanumeric characters. The maximum length does not
include separators such as hyphens or spaces. For example, the bank code for the United
Kingdom is listed with a maximum length of 6 digits, and it is typically formatted as NN-NN-
NN. When providing the values for the fields, you may include the hyphens or any
separators typically used by your customers.
Decision Manager Developer Guide Using the SCMP API | May 2013 101
Appendix H Required Bank Account Information by Country
Decision Manager Developer Guide Using the SCMP API | May 2013 102
APPENDIX
Countries Included in the
European Union Risk Model
I
This list is not strictly limited to countries in Europe. Conversely, entities that are normally
part of Europe are not in this list. If you use the European Union risk model, verify that all
countries where you conduct business are in this list.
Table 30 Countries Included in the European Union Risk Model
Decision Manager Developer Guide Using the SCMP API | May 2013 103
Appendix I Countries Included in the European Union Risk Model
Decision Manager Developer Guide Using the SCMP API | May 2013 104
INDEX
Index
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
C decision_velocity_info 53
decline AVS flags, API field 61
card account reply field 54
declined transaction, reply flag 58
card account subtype (scheme) 55
default reply flag
card expired, reply flag 58 reject 59
Decision Manager Developer Guide Using the SCMP API | May 2013 105
Index
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Decision Manager Developer Guide Using the SCMP API | May 2013 106
Index
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
S
sample code 76
scheme, card account 55
score
API fields 61
score exceeded, reply flag 59
shipping address API fields 62
SOK reply flag 59
successful transaction, reply flag 59
sum of offer quantities, API field 62
Decision Manager Developer Guide Using the SCMP API | May 2013 107