Risk Inquiry Service (RIS)

Sections in this page:


The Risk Inquiry Service (RIS) joins device data provided from the data collector process with the customer order data sent from the merchant. Once the device data and the order data are combined, RIS evaluates and scores each transaction. After the evaluation, RIS returns a response string back to the merchant to be used by the merchant to approve, decline or hold the order for review. Each transaction will continue to be evaluated and dynamically scored for up to fourteen days. The following section describes how to implement the Risk Inquiry Service.

Alt for image
RIS Implementation

RIS process

  • 1. Customer initiates purchase
  • 2. Merchant initiates RIS request to Kount via HTTPS URL encoded post
  • 3. Kount evaluates transaction
  • 4. Kount returns evaluation response to merchant
  • 5. Notification is displayed to customer

Risk Inquiry Service Payment Types

Kount supports multiple payment types and depending upon the payment type chosen by the customer certain payment tokens are required. If the PayPal Payer ID or Google Checkout Account ID is not sent in the inquiry mode, then it must be sent in the update mode related to the transaction otherwise the order details will not be displayed in the Agent Web Console.

Kount can add arbitrary payment types rapidly to support an international market. To view the current list of supported payment types, use the API endpoint: (https://api.kount.net/rpc/support/payments.html)

RIS Encryption Types

When using the Kount SDK all credit card information, by default, uses the KHASH encryption method where the credit card information is irreversibly hashed prior to transmission from the merchant to Kount.

When using the JAVA or .Net SDKs (due to the compiled nature of the languages) KHASH is the only option for payment encryption. JAVA or .Net environments must use a direct post (outside of the SDK) method if MASK encryption is chosen.

If not using the SDK the following encryption options are available.


Kount proprietary hash used to hash the credit card number before passing it to Kount. The hashing algorithm source code can be found in each one of the SDKs or can be requested from Kount.


Output - BIN + 14 alpha-numeric characters. Example - 123456A12C34E56G7DFG


Ability to pass the first six and last four of a credit card filled in with XXXs. PENC=MASK is only valid with PTYP=CARD


Output BIN + 10 capital “X” characters + Last 4 of credit card. Example - 123456XXXXXXXXXX7890

NOTE: The “X” characters must all be capital “X”.

IMPORTANT: The above example value is just for purposes of illustration. The PTOK should be the samelength as the original card number. You can use the card number with the first 6 and last 4 numerals present and the rest of the numbers in the card masked by “Xs” but the number of characters must be the same as those of the actual card number.

Risk Inquiry Service Requirements

RIS data posted to Kount must be URL encoded and submitted as key-value pairs. Much of the work can be simplified by utilizing a Kount provided SDK, including URL encoding. Kount provides a Software Development Kit (SDK) for Java, .NET, PHP, Perl, and Mobile environments.

Recommendations regarding each development environment and their supported versions, configuration, logging, and paths are found in the README file located in the “docs“ directory in each respective SDK, please read the documentation associated with each SDK.

  1. Port 443 must be available to post and receive data from Kount.
  2. API Keys are used to authenticate the RIS HTTPS submission to Kount, (similar to a password). A single API Key will be used for RIS submissions, the key is not subject to expiration date and does not require re-issuance. To generate an API Key, navigate to the ADMIN tab -> API Keys. See the RIS API Keys section of this document for more detailed instructions. Note: API Keys can only be used with Kount version 0630 and newer.
  3. SSL support is required for the RIS process. TLS version 1.2 is currently supported.
  4. The session identifier created during the data collector process must be passed as the session identifier for the RIS transaction. This identifier must be unique for at least 30 days. If a single session ID were to be used on multiple transactions, those transactions would link together and erroneously affect the persona information in the risk score.
  5. RIS posts are limited to a total of 40,960 characters or bytes.
  6. To utilize the various SDKs, several required static settings must be configured. Please refer to the README files included in each of the SDKs.
    • PHP settings.ini
    • .NET App.config
    • Python
    • Java All settings are included in inquiry

Required static settings found in the SDK

Data Size Description Example
Merchant_ID 6 Six-digit identifier issued by Kount. 999999
COMPANY_SERVER_URL N/A HTTPS URL path to the company’s servers provided in boarding documentation from Kount. https://risk.test.kount.net
LOGGER N/A Specifies which logger to use: SIMPLE or NOP. SIMPLE
SIMPLE_LOG_LEVEL N/A If SIMPLE logging is enabled, this lists logging levels in order of decreasing severity: FATAL, ERROR, WARN, INFO,DEBUG WARN
SIMPLE_LOG_FILE N/A Name of the log file for SIMPLE logging company-sdk-ris.log
SIMPLE_LOG_PATH N/A Path to where log file will be written. (Must be a valid path) /some/path/to/log
APIKEY Varies API Key value copied from clipboard - originating from API Key page within Agent Web Console Alpha/Numeric hashed value provided by Kount
Client Certificate (deprecated field for legacy certificates) N/A Depending on the SDK environment certain client certificate information will be required. company-ris- certificate.p12

Native iOS and Android SDKs
Invoking the Risk Inquiry Service

Related Docs