PayPal Payflow Pro - 2008 User Manual

Payflow Pro Fraud Protection Services User’s Guide

For Professional Use Only Currently only available in English.

A usage Professional Uniquement Disponible en Anglais uniquement pour l’instant.

Last updated: June 2008

Payflow Pro Fraud Protection Services User’s Guide

Document Number: 200011.en_US-200806

© 2008 PayPal, Inc. All rights reserved. PayPal is a registered trademark of PayPal, Inc. The PayPal logo is a trademark of PayPal, Inc. Other trademarks and brands are the property of their respective owners. The information in this document belongs to PayPal, Inc. It may not be used, reproduced or disclosed without the written approval of PayPal, Inc. Copyright © PayPal. All rights reserved. PayPal S.à r.l. et Cie, S.C.A., Société en Commandite par Actions. Registered office: 22-24 Boulevard Royal, L2449, Luxembourg, R.C.S. Luxembourg B 118 349 Consumer advisory: The PayPal™ payment service is regarded as a stored value facility under Singapore law. As such, it does not require the approval of the Monetary Authority of Singapore. You are advised to read the terms and conditions carefully.

Notice of non-liability: PayPal, Inc. is providing the information in this document to you “AS-IS” with all faults. PayPal, Inc. makes no warranties of any kind (whether express, implied or statutory) with respect to the information contained herein. PayPal, Inc. assumes no liability for damages (whether direct or indirect), caused by errors or omissions, or resulting from the use of this document or the information contained in this document or resulting from the application or use of the product or service described herein. PayPal, Inc. reserves the right to make changes to any information herein without further notice.

Content

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Intended Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Document Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Customer Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Revision History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Chapter 1 Overview. . . . . . . . . . . . . . . . . . . . . . . . . . .11

Growing Problem of Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Reducing the Cost of Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Chapter 2 How Fraud Protection Services Protect You . . . . . . . .13

The Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Credit Card Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Protection Against the Threats—Fraud Filters . . . . . . . . . . . . . . . . . . . . . . . . 13

Example Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Configuring the Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Reviewing Suspicious Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Special Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Merchants With an Instant Fulfillment Model . . . . . . . . . . . . . . . . . . . . . . 14

Merchants using the Recurring Billing Service . . . . . . . . . . . . . . . . . . . . . 14

Chapter 3 Configuring the Fraud Protection Services Filters . . . . . 15

Phase 1: Run Test Transactions Against Filter Settings on Test Transaction Security Servers . 16

Phase 2: Run Live Transactions on Live Transaction Servers in Observe Mode . . . . . . 17

Phase 3: Run All Transactions Through the Live Transaction Security Servers Using Active

Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Chapter 4 Assessing Transactions that Triggered Filters . . . . . . .19

Reviewing Suspicious Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Content

Acting on Transactions that Triggered Filters . . . . . . . . . . . . . . . . . . . . . . 22

Rejecting Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Fine-tuning Filter Settings—Using the Filter Scorecard . . . . . . . . . . . . . . . . . . . 22

Ensuring Meaningful Data on the Filter Scorecard . . . . . . . . . . . . . . . . . . . 23

Re-running Transactions That Were Not Screened . . . . . . . . . . . . . . . . . . . . . 24

Chapter 5 Activating and Configuring the Buyer Authentication Service

Building Customer Confidence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Enrolling for the Buyer Authentication Service . . . . . . . . . . . . . . . . . . . . . . . . 25

Downloading the Payflow (Including APIs and API Documentation). . . . . . . . . . . . . 25

Configuring Buyer Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Generate Transaction Request Software . . . . . . . . . . . . . . . . . . . . . . . . 27

Testing and Activating the Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Chapter 6 Performing Buyer Authentication Transactions Using the

SDK31

Testing the Buyer Authentication Service . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Buyer Authentication Transaction Overview . . . . . . . . . . . . . . . . . . . . . . . . . 31

Buyer Authentication Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Buyer Authentication Server URLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Detailed Buyer Authentication Transaction Flow. . . . . . . . . . . . . . . . . . . . . . . 33

Call 1: Verify that the cardholder is enrolled in the 3-D Secure program . . . . . . . . 33

Call 2: POST the authentication request to and redirect the customer’s browser to the ACS

URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Call 3: Validate the PARES authentication data returned by the ACS server . . . . . . 36

Call 4: Submit the intended transaction request to the Payflow server . . . . . . . . . 36

Example Buyer Authentication Transactions. . . . . . . . . . . . . . . . . . . . . . . . . 37

Example Verify Enrollment Transaction . . . . . . . . . . . . . . . . . . . . . . . . . 38

Example Verify Enrollment Response . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Example Validate Authentication Transaction . . . . . . . . . . . . . . . . . . . . . . 38

Example Payflow Authorization or Sale Transaction . . . . . . . . . . . . . . . . . . 39

Buyer Authentication Transaction Parameters and Return Values . . . . . . . . . . . . . 40

Transaction Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Verify Enrollment Transaction Name-Value Pairs . . . . . . . . . . . . . . . . . . . . 40

Validate Authentication Transaction Name-Value Pairs . . . . . . . . . . . . . . . . . 42

Standard Payflow Sale or Authorization Transaction . . . . . . . . . . . . . . . . . . 43

ECI Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Content

Logging Transaction Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Audit Trail and Transaction Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Chapter 7 Screening Transactions Using the Payflow SDK . . . . . . 49

Downloading the Payflow SDK (Including APIs and API Documentation) . . . . . . . . . . 49

Transaction Data Required by Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Transaction Parameters Unique to the Filters . . . . . . . . . . . . . . . . . . . . . . . . 52

Existing Payflow Parameters Used by the Filters . . . . . . . . . . . . . . . . . . . . . . 53

Response Strings for Transactions that Trigger Filters . . . . . . . . . . . . . . . . . . . 54

RESULT Values Specific to Fraud Protection Services . . . . . . . . . . . . . . . . . 57

Changing the Verbosity Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Example Response for an Authentication Transaction With Verbosity=Low . . . . . . 58

Example Response for an Authentication Transaction With Verbosity=Medium . . . . 58

Accepting or Rejecting Transactions That Trigger Filters . . . . . . . . . . . . . . . . . . 62

Logging Transaction Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Chapter 8 Responses to Credit Card Transaction Requests . . . . . .65

An Example Response String . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Contents of a Response to a Credit Card Transaction Request . . . . . . . . . . . . . . . 66

PNREF Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

PNREF Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

RESULT Codes and RESPMSG Values . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

RESULT Values for Transaction Declines or Errors . . . . . . . . . . . . . . . . . . . 68

RESULT Values for Communications Errors . . . . . . . . . . . . . . . . . . . . . . 73

Appendix A Fraud Filter Reference. . . . . . . . . . . . . . . . . . . .77

Filters Included with the Fraud Protection Services . . . . . . . . . . . . . . . . . . . . . 77

Filters Included with the Basic Fraud Protection Services Option . . . . . . . . . . . . 77

Filters Included with the Advanced Fraud Protection Services Option . . . . . . . . . 78

Special Case: Buyer Authentication Failure Filter . . . . . . . . . . . . . . . . . . . . 78

About the Fraud Risk Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Filters Applied After Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Transaction Data Required by Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Unusual Order Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Total Purchase Price Ceiling Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Total Item Ceiling Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Shipping/Billing Mismatch Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Content

Product Watch List Filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

High-risk Payment Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

AVS Failure Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Card Security Code Failure Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Buyer Authentication Failure Filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

BIN Risk List Match Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Account Number Velocity Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

High-risk Address Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

ZIP Risk List Match Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Freight Forwarder Risk List Match Filter . . . . . . . . . . . . . . . . . . . . . . . . . 87

USPS Address Validation Failure Filter . . . . . . . . . . . . . . . . . . . . . . . . . 87

IP Address Match Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Email Service Provider Risk List Match Filter . . . . . . . . . . . . . . . . . . . . . . 88

Geo-location Failure Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

IP Address Velocity Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

High-risk Customer Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Bad Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

International Order Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Country Risk List Match Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

International Shipping/Billing Address Filter . . . . . . . . . . . . . . . . . . . . . . . 91

International IP Address Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

International AVS Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Accept Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Good Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Total Purchase Price Floor Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Custom Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Appendix B Testing the Transaction Security Filters . . . . . . . . . .95

Good and Bad Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

AVS Failure Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

BIN Risk List Match Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Country Risk List Match Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Email Service Provider Risk List Match Filter . . . . . . . . . . . . . . . . . . . . . . . . 98

Freight Forwarder Risk List Match Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Geo-location Failure Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

International AVS Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

International IP Address Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100

International Shipping/Billing Address Filter . . . . . . . . . . . . . . . . . . . . . . . . .101

Content

IP Address Match Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102

Shipping/Billing Mismatch Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102

Total Item Ceiling Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103

Total Purchase Price Ceiling Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103

Total Purchase Price Floor Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104

USPS Address Validation Failure Filter . . . . . . . . . . . . . . . . . . . . . . . . . . .104

ZIP Risk List Match Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105

Appendix C Testing Buyer Authentication Transactions Using the Payflow

SDK 107

Testing Buyer Authentication Transactions . . . . . . . . . . . . . . . . . . . . . . . . .107

Buyer Authentication Test Server . . . . . . . . . . . . . . . . . . . . . . . . . . . .107

Payflow Test Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107

Test Case Descriptions and Account Numbers . . . . . . . . . . . . . . . . . . . . . . .107

Test Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108

Expected Result Codes for Buyer Authentication . . . . . . . . . . . . . . . . . . . . . .109

Buyer Authentication Testing Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Perform the Verify Enrollment Transaction . . . . . . . . . . . . . . . . . . . . . . .110

Verify Enrollment Transaction Test Cases . . . . . . . . . . . . . . . . . . . . . . . 111

Example Return Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Validate Authentication Transaction Test Cases . . . . . . . . . . . . . . . . . . . . 113

Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113

Example Return Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Appendix D Deactivating Fraud Protection Services . . . . . . . . . . 117

Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Content

Preface

This document describes Fraud Protection Services and explains how you can use the Payflow SDK to perform transactions that will be screened by Fraud Protection Services filters.

For details on how to configure and use Fraud Protection Services and to generate Buyer Authentication reports through PayPal Manager, see PayPal Manager online help.

Intended Audience

This document is intended for Payflow Pro merchants who subscribe to any Fraud Protection Services options.

Document Conventions

This document uses the term fraudster to represent an entity (typically a person) attempting fraudulent activity.

Document Organization

z Chapter 1, “Overview,” presents the Fraud Protection Services suite.

z Chapter 2, “How Fraud Protection Services Protect You,” describes the security tools that

make up the Fraud Protection Services.

z Chapter 3, “Configuring the Fraud Protection Services Filters,” describes how to configure

Fraud Protection Services.

z Chapter 4, “Assessing Transactions that Triggered Filters,” makes recommendations on

how to set up and fine-tune filters.

z Chapter 5, “Activating and Configuring the Buyer Authentication Service,” describes

activating and configuring the Buyer Authentication service.

z Chapter 6, “Performing Buyer Authentication Transactions Using the SDK,” describes and

provides an example of how to use Buyer Authentication.

z Chapter 7, “Screening Transactions Using the Payflow SDK,”describes how to screen

transactions for fraud using the Payflow SDK.

z Chapter 8, “Responses to Credit Card Transaction Requests,” describes the responses to a

credit card transaction request.

Fraud Protection Services User’s Guide 9

Preface

Customer Service

z Appendix A, “Fraud Filter Reference,” describes the Transaction filters that make up part

of the Fraud Protection Services.

z Appendix B, “Testing the Transaction Security Filters,” provides Payflow SDK

transactions that you can use to test the filters.

z Appendix C, “Testing Buyer Authentication Transactions Using the Payflow SDK,

provides examples of testing Buyer Authentication transactions.

z Appendix D, “Deactivating Fraud Protection Services,” describes the process of

deactivating Fraud Protection Services.

Customer Service

If you are having problems with Fraud Protection Services, contact Customer Service at:

Email: payflow-support@paypal.com.

Telephone: 1 800 505-4916

Revision History

TABLE 2.1 Revision History

Date Description

June 2008 Updated Payflow server test and live URLs.

February 2008 Updated test and live URLs.

August 2007 AU Enhancements

April 2007 Updated guide to include PayPal Manager User Interface changes.

February 2007 Updated AVS responses rules.

December 2006 Updated buyer auth test URL to pilot-buyerauth.verisign.com

Updated Customer Service information.

Minor edits for technical accuracy.

Added return codes: 51, 110, 119, 120, 121, 132, 133, 200, 201, 402, 403, 404, 600, and 601.

Minor corrections for technical accuracy

10 Fraud Protection Services User’s Guide

Overview

This chapter discusses how fraud can affect you the merchant and provides an overview of Fraud Protection Services.

In This Chapter

z “Growing Problem of Fraud” on page 11

z “Reducing the Cost of Fraud” on page 11

Growing Problem of Fraud

Online fraud is a serious and growing problem. While liability for fraudulent card-present or in-store transactions lies with the credit card issuer, liability for card-not-present transactions, including transactions conducted online, falls to the merchant. As you probably know, this means that a merchant that accepts a fraudulent online transaction (even if the transaction is approved by the issuer) does not receive payment for the transaction and additionally must often pay penalty fees and higher transaction rates. (One notable exception, Buyer Authentication, is described in this document.)

Reducing the Cost of Fraud

Fraud Protection Services, in conjunction with your Payflow Pro service’s standard security tools, can help you to significantly reduce these costs and the resulting damage to your business.

NOTE: Merchants must meet the following eligibility requirements to enroll in and use the

Fraud Protection Services products: – Merchant must have a current, paid-in-full Payflow Pro service account. – Merchant Payflow Pro service account must be activated (in Live mode). – Merchant must have its business operations physically based in the United States of

America.

– Merchant must use one of the following terminal-based processors: American

Express Phoenix, FDMS Nashville, FDMS North, FDMS South, Global Payments East, Nova, Paymentech New Hampshire, or Vital.

Fraud Protection Services User’s Guide 11

Overview

Reducing the Cost of Fraud

12 Fraud Protection Services User’s Guide

This chapter describes the security tools that make up the Fraud Protection Services.

In This Chapter

z “The Threats” on page 13

z “Protection Against the Threats—Fraud Filters” on page 13

z “Special Considerations” on page 14

The Threats

There are two major types of fraud—hacking and credit card fraud.

Hacking

How Fraud Protection Services Protect You

Fraudsters hack when they illegally access your customer database to steal card information or to take over your Payflow Pro account to run unauthorized transactions (purchases and credits). Fraud Protection software filters minimize the risk of hacking by enabling you to place powerful constraints on access to and use of your PayPal Manager and Payflow Pro accounts.

Credit Card Fraud

Fraudsters can use stolen or false credit card information to perform purchases at your Web site, masking their identity to make recovery of your goods or services impossible. To protect you against credit card fraud, the Fraud Protection filters identify potentially fraudulent activity and let you decide whether to accept or reject the suspicious transactions.

Protection Against the Threats—Fraud Filters

Configurable filters screen each transaction for evidence of potentially fraudulent activity. When a filter identifies a suspicious transaction, the transaction is marked for review.

Fraud Protection Services offers two levels of filters: Basic and Advanced. The filters are described in Appendix B, “Fraud Filter Reference.”

For detailed descriptions of the filter levels, the order and logic of the screening process, and for specific variations from the simple flow described here, see Appendix A, “How Filters

Work .”

Fraud Protection Services User’s Guide 13

How Fraud Protection Services Protect You

Special Considerations

Example Filter

The Total Purchase Price Ceiling filter compares the total amount of the transaction to a maximum purchase amount (the ceiling) that you specify. Any transaction amount that exceeds the specified ceiling triggers the filter.

Configuring the Filters

Through PayPal Manager, you configure each filter by specifying the action to take whenever the filter identifies a suspicious transaction (either set the transaction aside for review or reject it). See PayPal Manager online help for detailed filter configuration procedures.

Typically, you specify setting the transaction aside for review. For transactions that you deem extremely risky (for example, a known bad email address), you might specify rejecting the transaction outright. You can turn off any filter so that it does not screen transactions.

For some filters, you also set the value that triggers the filter—for example the dollar amount of the ceiling price in the Total Purchase Price Ceiling filter.

Reviewing Suspicious Transactions

As part of the task of minimizing the risk of fraud, you review each transaction that triggered a filter through PayPal Manager to determine whether to accept or reject the transaction. See PayPal Manager online help for details.

Special Considerations

Merchants With an Instant Fulfillment Model

For businesses with instant fulfillment business models (for example, software or digital goods businesses), the Review option does not apply to your business—you do not have a period of delay to review transactions before fulfillment to customers. Only the Reject and Accept options are applicable to your business model.

In the event of server outage, Fraud Protection Services is designed to queue transactions for online processing. This feature also complicates an instant fulfillment business model.

Merchants using the Recurring Billing Service

To avoid charging you to filter recurring transactions that you know are reliable, Fraud Protection Services filters do not screen recurring transactions.

To screen a prospective recurring billing customer, submit the transaction data using PayPal Manager’s Virtual Terminal. The filters screen the transaction in the normal manner. If the transaction triggers a filter, then you can follow the normal process to review the filter results.

14 Fraud Protection Services User’s Guide

Configuring the Fraud Protection Services Filters

This chapter describes how to configure the Fraud Filters for your Payflow Pro account. The chapter explains a phased approach to implementing the security of transactions. You are not required to use the approach described in this chapter. However it enables you to fine tune your use of filters before you actually deploy them in a live environment.

You first make and fine-tune filter settings in a test environment. Then you move to a live transaction environment to fine-tune operation in an Observe-only mode. Finally, when you are fully satisfied with your settings, you move to live Active mode to begin screening all live transactions for fraud.

Filter operation is fully described in Appendix A, “Fraud Filter Reference.”

IMPORTANT:Upon completing the configuration procedures within each of the phases

described below, you must click the Deploy button to deploy the filter settings. Filter settings take effect only after you deploy them.

Filter setting changes are updated hourly (roughly on the hour). This means that you might have to wait up to an hour for your changes to take effect. This waiting period only occurs when you move from one mode to the next.

z Phase 1: Run test transactions in Test mode using test transaction servers

In the test phase of implementation, you configure fraud filter settings for test servers that do not affect the normal flow of transactions. You then run test transactions against the filters and review the results offline to determine whether the integration was successful. Once you are happy with the filter settings, you move to the next phase and the settings that you decided upon in the test phase are transferred to the live servers.

z Phase 2: Run live transactions on live transaction security servers using Observe mode

When you deploy to Observe mode, the settings that you decided upon in the test phase are automatically transferred to the live servers.

In Observe mode, the filters examine each live transaction and mark the transaction with each triggered filter’s action. You can then view the actions that would have been taken on the live transactions had the filters been active. Regardless of the filter actions, all transactions are submitted for processing in the normal fashion.

z Phase 3: Run live transactions on live transaction security servers using Active mode

Once you have set all filters to the optimum settings, you deploy the filters to Active mode. In Active mode, filters on the live servers examine each live transaction and take the specified action when triggered.

NOTE: Remember that you can test a new filter setting using the test servers at any time

(even if your account is in Active mode), and then, if desired, make an adjustment to the live filter settings.

Fraud Protection Services User’s Guide 15

Configuring the Fraud Protection Services Filters

Phase 1: Run Test Transactions Against Filter Settings on Test Transaction Security Servers

Phase 1: Run Test Transactions Against Filter Settings on Test

Transaction Security Servers

In this phase of implementation, you configure filter settings for test servers that do not affect the normal flow of live transactions. You then run test transactions against the filters and review the results offline to determine whether the integration was successful. Continue modifying and testing filters as required.

NOTE: There is no per-transaction fee when you use the test servers.

1. In the Service Summary section of the PayPal Manager home page, click the Basic or Advanced Fraud Protection link.

Click Service Settings > Fraud Protection >Test Setup.

2. Click Edit Standard Filters. The Edit Standard Filters page appears.

3. For each filter:

– Click the filter check box to enable it and click-to-clear the check box to disable it. – Select the filter action that should take place when the filter is triggered.

For some filters, you set a trigger value. For example, the Total Purchase Price Ceiling filter trigger value is the transaction amount that causes the filter to set a transaction aside.

NOTE: To make decisions about how the filters work, see Appendix B, “Fraud Filter

Reference.”

NOTE: If you have not enrolled for the Buyer Authentication Service, then the Buyer

Authentication Failure filter is grayed-out and you cannot configure it.

Items that you enter in the Test Good, Bad, or Product Watch lists are not carried over to your configuration for the live servers, so do not spend time entering a complete list for the test configuration. For details on the Good, Bad, or Product

Watch list filters, see Appendix B, “Fraud Filter Reference.”

4. Once you complete editing the page, click Deploy.

IMPORTANT:If you do not deploy the filters, then your settings are not saved.

5. All filters are now configured, and you can begin testing the settings by running test transactions. Follow the guidelines outlined in Appendix B, “Testing the Transaction

Security Filters.” To run test transactions, you can use PayPal Manager’s Virtual Terminal.

See PayPal Manager for online help instructions.

6. Review the filter results by following the instructions in Chapter 4, “Assessing

Transactions that Triggered Filters.”

7. Based on your results, you may want to make changes to the filter settings. Simply return to the Edit Filters page, change settings, and redeploy them. Once you are happy with your filter settings, you can move to Phase 2.

16 Fraud Protection Services User’s Guide

Configuring the Fraud Protection Services Filters

Phase 2: Run Live Transactions on Live Transaction Servers in Observe Mode

Phase 2: Run Live Transactions on Live Transaction Servers in

Observe Mode

In this phase, you configure filters on live servers to the settings that you had fine-tuned on the test servers. In Observe mode, filters examine each live transaction and mark the transaction with the filter results. The important difference between Observe and Active mode is that, regardless of the filter actions, all Observe mode transactions are submitted for processing in the normal fashion.

Observe mode enables you to view filter actions offline to assess their impact (given current settings) on your actual transaction stream.

NOTE: You are charged the per-transaction fee to use the live servers in either Observe or

Active mode.

1. Click Service Settings > Fraud Protection >Test Setup. Click Move Test Filter Settings to Live. The Move Test Filter Setting to Live page appears. Remember that in this phase,

you are configuring the live servers.

2. Click Move Test Filter Settings to Live. On the page that appears, click Move Test Filter Settings to Live again.

3. The Move Test Filter Settings to Live page prompts whether to deploy the filters in Observe modeor in Active mode. Click Deploy to Observe Mode.

Once you deploy the filters, all transactions are sent to the live servers for screening by the live filters. In Observe mode, each transaction is marked with the filter action that would have occurred (Review, Reject, or Accept) had you set the filters to Active mode

This enables you to monitor (without disturbing the flow of transactions) how actual customer transactions would have been affected by active filters.

IMPORTANT:Deployed filter setting changes are updated hourly (roughly on the hour).

This means that you might have to wait up to an hour for your changes to take effect. This waiting period only occurs when you move from one mode to the next.

4. Perform testing of the filters. Follow the procedures outlined in Appendix B, “Testing the

Transaction Security Filters.”

5. Review the filter results by following the instructions in Chapter 4, “Assessing

Transactions that Triggered Filters.” The Filter Scorecard (described on page 22) will be

particularly helpful in isolating filter performance that you should monitor closely and in ensuring that a filter setting is not set so strictly so as to disrupt normal business.

6. Once you are happy with your filter settings, you can move to Phase 3.

Fraud Protection Services User’s Guide 17

Configuring the Fraud Protection Services Filters

Phase 3: Run All Transactions Through the Live Transaction Security Servers Using Active Mode

Phase 3: Run All Transactions Through the Live Transaction

Security Servers Using Active Mode

Once you have configured all filters to optimum settings, you convert to Active mode. Filters on the live servers examine each live transaction and take the specified action.

7. Click Move Test Filter Settings to Live. On the page that appears, click Move Test Filter Settings to Live again.

8. On the Move Test Filter Settings to Live page, click Deploy to Active Mode.

At the top of the next hour, all live transactions will be inspected by the filters.

9. Use the instructions in Chapter 4, “Assessing Transactions that Triggered Filters,” to detect and fight fraud.

IMPORTANT:Remember that you can make changes to fine-tune filter settings at any time.

After changing a setting, you must re-deploy the filters so that the changes take effect.

18 Fraud Protection Services User’s Guide

Assessing Transactions that Triggered Filters

As part of the task of minimizing the risk of fraud, you review each transaction that triggered a filter. You decide, based on the transaction’s risk profile, whether to accept or reject the transaction. This chapter describes how to review transactions that triggered filters, and provides guidance on deciding on risk.

NOTE: The Fraud Protection Services package (Basic or Advanced) to which you subscribe

determines the number of filters that screen your transactions. Basic subscribers have access to a subset of the filters discussed in this chapter. Advanced subscribers have full access. See “Filters Included with the Fraud Protection Services” on page 83 for complete lists of Basic and Advanced filters.

In This Chapter

z “Reviewing Suspicious Transactions” on page 19

z “Fine-tuning Filter Settings—Using the Filter Scorecard” on page 22

z “Re-running Transactions That Were Not Screened” on page 24

Reviewing Suspicious Transactions

Transactions that trigger filters might or might not represent attempted fraud. It is your responsibility to analyze the transaction data and then to decide whether to accept or reject the transaction. Accepting a transaction requires no further action. To reject a transaction, a separate void of the transaction is required.

The first step in reviewing filtered transactions is to list the transactions.

1. Click Reports > Fraud Protection > Fraud Transactions

The Fraud Transactions Report page appears.

Payflow Link Fraud Protection Services User’s Guide 19

Assessing Transactions that Triggered Filters

Reviewing Suspicious Transactions

FIGURE 4.1 Fraud Transactions Report page

2. Specify the date range of the transactions to review.

3. Specify a Transa ction Type :

TABLE 4.1 Transaction types

Transaction Type Description

Reject Transactions that the filters rejected. These transactions cannot be settled.

The type of filter that took this action is called a Reject filter.

Review Transactions that the filters set aside for your review. The type of filter that

took this action is called a Review filter.

Accept Transactions that the filters allowed through the normal transaction

submission process. The type of filter that took this action is called an Accept filter.

Not Screened by Filters

Transactions that were not screened by any filter. This condition (Result Code

127) indicates that an internal server error prevented the filters from examining transactions. This conditional occurs only in Test mode or Live mode. In Observe mode all results codes are always 0.

You can re-screen any of these transactions through the filters as described in

“Re-running Transactions That Were Not Screened” on page 24.

Screened by Filters All transactions that were screened by filters, regardless of filter action or

whether any filter was triggered.

4. Specify the Transaction Mode, and click Run Report.

The Fraud Transactions Report page displays all transactions that meet your search criteria.

20 Payflow Link Fraud Protection Services User’s Guide

Assessing Transactions that Triggered Filters

Reviewing Suspicious Transactions

NOTE: If filters are deployed in Observe mode, then all transactions have been submitted for

processing and are ready to settle. Transactions are marked with the action that the filter would have taken had the filters been deployed in Active mode.

The following information appears in the report:

TABLE 4.2 Transactions Report field descriptions

Heading Description

Report Type The type of report created.

Date Date and time range within which the transactions in this report were

run.

Time Zone Time zone represented in this report.

Transaction Mode Test, Observe, or Active

Transaction ID Unique transaction identifier. Click this value to view the Transaction

Detail page.

Transaction Time Time and date that the transaction occurred.

Transaction Type The transaction status that resulted from filter action, as described in

Table 4. 1.

Card Type MasterCard or Visa.

Amount Amount of the transaction.

The following transaction status values can appear in the report:

ABLE 4.3 Transaction status values

Report in Which

Transaction

Stage of Review

Screened by filters Pass 0 Approved Approved report

Screened by filters Review 126 Under Review by Fraud Service Approved report

Screened by filters Reject 125 Declined by Fraud Service Declined report

Screened by filters Accept 0 Approved Approved report

Screened by filters Service Outage 127 Unprocessed by Fraud Service Approved report

Status

Result Code Result Message

the Transaction Appears

After review by merchant

Payflow Link Fraud Protection Services User’s Guide 21

Accepted 0 Approved Approved report

Rejected 128 Declined by Merchant Declined report

Assessing Transactions that Triggered Filters

Fine-tuning Filter Settings—Using the Filter Scorecard

Click the Transaction ID of the transaction of interest.

The Fraud Details page appears, as discussed in the next section.

Acting on Transactions that Triggered Filters

The Fraud Details page displays the data submitted for a single transaction. The data is organized to help you to assess the risk types and to take action (accept, reject, or continue in the review state).

The following notes describe data in the Fraud Details page shown in the figure.

1. This transaction was set aside because it triggered the AVS Failure filter.

2. The transaction was not screened by any of the filters in the Skipped Filters section because

the data required by these filters did not appear in the transaction data or was badly formatted. In special cases, all filters appear here. See “Re-running Transactions That Were

Not Screened” on page 24

3. Specify the action to take on the transaction:

– Review: Take no action. You can return to this page at any time or reject or accept the

transaction. The transaction remains unsettleable.

– Reject: Do not submit the transaction for processing. See “Rejecting Transactions” on

page 22.

– Accept: Submit the transaction for normal processing.

4. You can enter notes regarding the disposition of the transaction or the reasons for taking a particular action. Do not use the & < > or = characters.

5. Click Submit to save the notes, apply the action, and move to the next transaction.

NOTE: You can also view the Fraud Details page for transactions that were rejected or

accepted. While you cannot change the status of such transactions, the page provides insight into filter performance.

Rejecting Transactions

If you decide to reject a transaction, you should notify the customer that you could not fulfill the order. Do not be explicit in describing the difficulty with the transaction because this provides clues for performing successful fraudulent transactions in the future. Rejected transactions are never settled.

Fine-tuning Filter Settings—Using the Filter Scorecard

The Filter Scorecard displays the number of times that each filter was triggered and the percentage of all transactions that triggered each filter during a specified time period.

22 Payflow Link Fraud Protection Services User’s Guide

Assessing Transactions that Triggered Filters

Fine-tuning Filter Settings—Using the Filter Scorecard

This information is especially helpful in fine-tuning your risk assessment workflow. For example, if you find that you are reviewing too many transactions, then use the Filter Scorecard to determine which filters are most active. You can reduce your review burden by relaxing the settings on those filters (for example, by setting a higher amount for the Purchase Price Ceiling filter).

1. Click Reports > Filter Scorecard. The Filter Scorecard Report page appears.

FIGURE 4.2 Filter Scorecard Report page

2. Specify the date range of the transactions to review.

3. In the Transaction Mode field, specify transactions screened by the live or the test servers.

4. Click Run Report.

The Filter Scorecard Report page displays the number of times that each filter was triggered and the percentage of all transactions that triggered each filter during the time span that you specified.

Ensuring Meaningful Data on the Filter Scorecard

The Scorecard shows the total number of triggered transactions for the time period that you specify, so if you had changed a filter setting during that period, the Scorecard result for the filter might reflect transactions that triggered the filter at several different settings.

Say, for example, you changed the Total Purchase Price Ceiling on August 1 and again on August 7. You then run a Filter Scorecard for July 1 to August 31. Between July 1 to August

Payflow Link Fraud Protection Services User’s Guide 23

Assessing Transactions that Triggered Filters

Re-running Transactions That Were Not Screened

31, three different price ceiling settings caused the filter to trigger, yet the Scorecard would not indicate this fact.

To ensure meaningful results in the Filter Scorecard, specify a time period during which the filter settings did not change.

Re-running Transactions That Were Not Screened

Perform the following steps if you wish to re-run a transaction that was not screened by filters (transactions with Result Code 127):

1. Navigate to Reports > Fraud Protection > Fraud Transaction Report. The Fraud Transaction Report page appears.

2. Select the appropriate time period for the search, and select the “Not Screened by Filters” option for Transaction Type.

3. Click RunView Report. The Fraud Transaction Report Results page appears. It contains all the transactions that were not screened by filters.

4. Click on the Transaction ID of the transaction you would like to re-run. The Confirm Rerun page appears.

5. Click Ye s to re-run that transaction. The Success page appears if your transaction was successful.

NOTE: If multiple attempts at screening fail, then the transaction may have data formatting

problems. Validate the data, and contact Customer Service.

If you encounter 50 or more transactions with Result Code 127, then contact Customer Service, who can resubmit them as a group.

24 Payflow Link Fraud Protection Services User’s Guide

Activating and Configuring the

Buyer Authentication Service

This chapter describes how to enroll, configure, test, and activate the Buyer Authentication Service.

In This Chapter

z “Building Customer Confidence” on page 25

z “Enrolling for the Buyer Authentication Service” on page 25

z “Downloading the Payflow (Including APIs and API Documentation)” on page 25

z “Configuring Buyer Authentication” on page 26

z “Testing and Activating the Service” on page 28

Building Customer Confidence

Buyer Authentication reduces your risk and builds your customers' confidence. The card brands make marketing resources available to you to promote your Web site and logos you can build into your checkout process.

For more information, visit:

z http://usa.visa.com/business/accepting_visa/ops_risk_management/vbv_marketing_support.html

z http://www.securecodemerchant.com

Enrolling for the Buyer Authentication Service

To enroll for the Buyer Authentication Service, click the Buyer Authentication banner on the PayPal Manager main page. Follow the on-screen instructions to determine whether both your processor and your acquiring bank support the Buyer Authentication service. If they both support the service, then you can follow the on-screen instructions to enroll.

Downloading the Payflow (Including APIs and API

Documentation)

The Payflow software development kit (SDK) is available from the PayPal Manager Downloads page as a .NET or Java library, or you can build your own API by posting directly to the Payflow servers via HTTPS.

Fraud Protection Services User’s Guide 25

Activating and Configuring the Buyer Authentication Service

Configuring Buyer Authentication

IMPORTANT:Full API documentation is included with each SDK.

Configuring Buyer Authentication

To enable Buyer Authentication processing on your site, you will need to construct two transaction requests (messages) and construct a frameset. You can accomplish the tasks in a few hours.

In the standard Payflow Pro implementation, when the customer submits a purchase request, your website sends a single Sale transaction request with all purchase details (message with transaction type S) to the server. With Buyer Authentication, you must submit two additional transaction requests (types E— Verify Enrollment and Z—validate PARES response) before the Sale.

Follow these steps:

1. Log in to PayPal Manager at

2. Click Service Settings > Fraud Protection > Buyer Authentication. The Buyer

Authentication Setup page appears.

3. Enter Registration information (complete all fields for both MasterCard and Visa).

– Select your Acquirer (Acquirer Support) for MasterCard and Visa and click Activate to

activate the Acquirer you selected. – Enter your Business Name. – Enter the fully qualified URL (be sure to include http:// or https://) of your business. – Select your Country Code from the drop-down menu.

4. Click Submit. A gray notification box appears towards the top of the page confirming the changes. If there are any errors, a yellow box appears towards the top of the page stating the problem.

5. On the main PayPal Manager page click the Download link.

6. Read chapters 5 through 7 and Appendix D of this document

7. Download the Payflow SDK (Software Developer’s Kit) appropriate for your software

environment.

8. Download Payflow Pro Developer’s Guide (PDF format document). Read as much of Payflow Pro Developer’s Guide as you need.

https://paypal.manager.com.

9. Configure the Payflow SDK as described in the developer’s guide.

26 Fraud Protection Services User’s Guide

Activating and Configuring the Buyer Authentication Service

Generate Transaction Request Software

1. Submit a Verify Enrollment transaction request (type E) to determine whether the cardholder is enrolled in either the Verified by Visa or MasterCard SecureCode service. See the example on page 38.

2. The response is either Enrolled or Not Enrolled. See the example responses on page 38.

3. If the customer is enrolled, you populate the response data into a form page (hosted on your

server) and post it to the URL of the card issuing bank (ACS) indicated in the response. Make sure the TermUrl field is properly specified, as this is where the ACS will post the response. See “Example ACS Redirect Code” on page 35.

4. The ACS responds to the post by presenting an Authentication window to the customer.

By Visa/MasterCard requirements, the HTML page for displaying the ACS form must be presented in-line (within the same browser session as the e-commerce transaction), preferably as framed-inline.

The ACS form should be displayed in a frame set, as shown in the following example. The message across the top of the frame is required.

Configuring Buyer Authentication

NOTE: You should not employ pop-up windows. They will be blocked by pop-up blocking

software.

Fraud Protection Services User’s Guide 27

Activating and Configuring the Buyer Authentication Service

Testing and Activating the Service

5. When the customer enters their password and clicks Submit, the ACS verifies the password and posts a response to the TermURL (the page on your site that is configured to receive ACS responses).

6. Submit a Validate Authentication Response transaction request (type Z) to validate (ensure that the message has not been falsified or tampered with) and decompose the Authentication Response from the card-issuing bank (ACS). See “Example Validate

Authentication Response” on page 39.

7. The response contains the following data elements:

–XID – Authentication Status – ECI. E-commerce Indicator – Visa: CAVV. Cardholder Authentication Verification Value

— or —

MasterCard: AAV. Accountholder Authentication Value

Submit these values, along with the standard transaction data, in a standard Sale or Authorization transaction request, as described in “Call 4: Submit the intended transaction

request to the Payflow server” on page 36.

Testing and Activating the Service

1. Make these other required UI modifications:

Payment page pre-messaging. The example text shown below and in the red boxes in the

figure must appear on your payment page to advise the customer that authentication may take place.

Example text in “Learn More” box on the left:

z Why am I being asked for a password to use my credit card?

z Can I purchase a car rantal for someone else using my credit or debit card?

z Can I add drivers to my reservation?