Sections in this page:
The Risk Inquiry Service (RIS) joins device data provided from the data collector process with the customer order data sent from the merchant. Once the device data and the order data are combined, RIS evaluates and scores each transaction. After the evaluation, RIS returns a response string back to the merchant to be used by the merchant to approve, decline or hold the order for review. Each transaction will continue to be evaluated and dynamically scored for up to fourteen days. The following section describes how to implement the Risk Inquiry Service.
- 1. Customer initiates purchase
- 2. Merchant initiates RIS request to Kount via HTTPS URL encoded post
- 3. Kount evaluates transaction
- 4. Kount returns evaluation response to merchant
- 5. Notification is displayed to customer
Risk Inquiry Service Payment Types
Kount supports multiple payment types and depending upon the payment type chosen by the customer certain payment tokens are required. If the PayPal Payer ID or Google Checkout Account ID is not sent in the inquiry mode, then it must be sent in the update mode related to the transaction otherwise the order details will not be displayed in the Agent Web Console.
Kount can add arbitrary payment types rapidly to support an international market. To view the current list of supported payment types, use the API endpoint: (https://api.kount.net/rpc/support/payments.html)
RIS Encryption Types
When using the Kount SDK all credit card information, by default, uses the KHASH encryption method where the credit card information is irreversibly hashed prior to transmission from the merchant to Kount.
When using the JAVA or .Net SDKs (due to the compiled nature of the languages) KHASH is the only option for payment encryption. JAVA or .Net environments must use a direct post (outside of the SDK) method if MASK encryption is chosen.
If not using the SDK the following encryption options are available.
Kount proprietary hash used to hash the credit card number before passing it to Kount. The hashing algorithm source code can be found in each one of the SDKs or can be requested from Kount.
- PTYP=CARD PENC=KHASH
Output - BIN + 14 alpha-numeric characters. Example - 123456A12C34E56G7DFG
Ability to pass the first six and last four of a credit card filled in with XXXs. PENC=MASK is only valid with PTYP=CARD
- PTYP=CARD PENC=MASK
Output BIN + 10 capital “X” characters + Last 4 of credit card. Example - 123456XXXXXXXXXX7890
NOTE: The “X” characters must all be capital “X”.
IMPORTANT: The above example value is just for purposes of illustration. The PTOK should be the samelength as the original card number. You can use the card number with the first 6 and last 4 numerals present and the rest of the numbers in the card masked by “Xs” but the number of characters must be the same as those of the actual card number.
Risk Inquiry Service Requirements
RIS data posted to Kount must be URL encoded and submitted as key-value pairs. Much of the work can be simplified by utilizing a Kount provided SDK, including URL encoding. Kount provides a Software Development Kit (SDK) for Java, .NET, PHP, Perl, and Mobile environments.
Recommendations regarding each development environment and their supported versions, configuration, logging, and paths are found in the README file located in the “docs“ directory in each respective SDK, please read the documentation associated with each SDK.
- Port 443 must be available to post and receive data from Kount.
- API Keys are used to authenticate the RIS HTTPS submission to Kount, (similar to a password). A single API Key will be used for RIS submissions, the key is not subject to expiration date and does not require re-issuance. To generate an API Key, navigate to the ADMIN tab -> API Keys. See the RIS API Keys section of this document for more detailed instructions. Note: API Keys can only be used with Kount version 0630 and newer.
- SSL support is required for the RIS process. TLS version 1.2 is currently supported.
- The session identifier created during the data collector process must be passed as the session identifier for the RIS transaction. This identifier must be unique for at least 30 days. If a single session ID were to be used on multiple transactions, those transactions would link together and erroneously affect the persona information in the risk score.
- RIS posts are limited to a total of 40,960 characters or bytes.
- To utilize the various SDKs, several required static settings must be configured. Please refer to the README files included in each of the SDKs.
- PHP settings.ini
- .NET App.config
- Java All settings are included in inquiry
Required static settings found in the SDK
|Merchant_ID||6||Six-digit identifier issued by Kount.||999999|
|COMPANY_SERVER_URL||N/A||HTTPS URL path to the company’s servers provided in boarding documentation from Kount.||https://risk.test.kount.net|
|LOGGER||N/A||Specifies which logger to use: SIMPLE or NOP.||SIMPLE|
|SIMPLE_LOG_LEVEL||N/A||If SIMPLE logging is enabled, this lists logging levels in order of decreasing severity: FATAL, ERROR, WARN, INFO,DEBUG||WARN|
|SIMPLE_LOG_FILE||N/A||Name of the log file for SIMPLE logging||company-sdk-ris.log|
|SIMPLE_LOG_PATH||N/A||Path to where log file will be written. (Must be a valid path)||/some/path/to/log|
|APIKEY||Varies||API Key value copied from clipboard - originating from API Key page within Agent Web Console||Alpha/Numeric hashed value provided by Kount|
|Client Certificate (deprecated field for legacy certificates)||N/A||Depending on the SDK environment certain client certificate information will be required.||company-ris- certificate.p12|