Device fingerprint
A device fingerprint is a method of identifying device details to facilitate a digital transaction. It collects and analyzes the device's characteristics to determine its unique fingerprint, helping you to fully or partially identify devices and so prevent online identity theft and payment fraud.
Benefits
- Reduced fraud risks based on device trustworthiness
- Detection of spoofed data used to create a fake fingerprint
- Transparent and seamless user experience
- Detection of replay and bot attacks
- Ability to collect data even if a consumer has cookies/JavaScript disabled
We partnered with Visa to collect important device identification information. You can combine fingerprint capability with Cybersource Decision Manager to increase the accuracy of detecting suspicious transactions. The device fingerprint is used in the transaction risk assessment to track and link events for identifying fraud patterns within the fraud data network. Once you implement device fingerprinting as part of your fraud strategy, you're enabling Cybersource Decision Manager to collect required data:
- Device attributes such as installed plugins, processor class
- Operating system attributes, such as OS information
- Browser-related attributes, if applicable, such as browser language, font, etc.
- Network attributes, such as IP address, etc.
How does it work
Device fingerprinting is a multi-step process. In the first step, Visa collects the device information that gets linked to a transaction, providing you with additional fraud signals. The information is passed to Cybersource Decision Manager with the help of the JavaScript SDK. The device profiling produces the device fingerprint, which consists of a unique set of identifiers.
- Consumer selects a payment product and creates a transaction with you.
- You send a request to verify if the selected payment product is enabled for device fingerprinting. You'll receive a response from us and will need to check for the property deviceFingerprintEnabled=true.
- Once you have established that the payment product is enabled, you need to send us a request to generate the deviceFingerprintTransactionId and run the device fingerprint JavaScript on your checkout page. The JavaScript must be placed in the body of the payment page.
- The script will collect the device data from the consumer's browser and pass it together with deviceFingerprintTransactionId to Cybersource Decision Manager.
- You send us the transaction to process your payment, including the deviceFingerprintTransactionId.
- We'll send the transaction details and the deviceFingerprintTransactionId to Cybersource Decision Manager for risk assessment. Then we'll receive the fraud result along with device attributes from Cybersource Decision Manager.
- Based on the fraud result, the transaction will be passed to the acquiring bank for authorization, and the results will be returned to you. The response will include details about your risk assessment and the device details.
The collection and analysis of device fingerprints are integrated into MyCheckout hosted payment pages (picking this option spares you from making any changes yourself). The service is also available for integration on your own checkout pages through the Server API.
Our solution can still collect a device's fingerprint even if the consumer disabled cookies and/or JavaScript. However, it's your responsibility to inform the customer of the data you collect and how it's processed using third-party solutions.
The collection of device fingerprints from web clients (using browser software) relies on JavaScript or similar client-side scripting language to harvest a suitably large number of parameters.
The device feature allows for the placement and storage of a cookie on the consumer's device that captures the particular characteristics of the device used during a payment transaction. This cookie helps in reducing fraud. Additionally, our system can still gather a device's fingerprint even if the user has disabled cookies and/or JavaScript.
It is your responsibility to inform the consumer of the data you collect and how it's processed using third-party solutions. As a guideline, please ensure you:
- Provide clear and comprehensive information about the storage of cookies on their devices
- Obtain the consent before placement and storage of a cookie on the customer's device unless certain exceptions apply
Technical integration
Irrespective of the checkout page type you opted for (MyCheckout hosted payment pages or your own checkout page), the first integration step is ensuring that the device fingerprint service and Cybersource Decision Manager have been enabled for each payment product in your account. To get that information, please contact your account manager.
Using the MyCheckout hosted payment pages
The fingerprint service is seamlessly integrated into MyCheckout hosted payment pages. You don't need to deal manually with the service integration — just let us know if you'd like to enable it in your account. The service output is automatically included in the messaging towards Cybersource Decision Manager and can be used to create additional fraud rules.
Using your own checkout page
To use the device fingerprint, you'll need to add some code to your payment pages for collecting the required device information. The code is transaction-specific and can be retrieved dynamically using an API call that returns the following:
- html script to be added to the body of your checkout page (this is a crucial requirement)
- deviceFingerprintTransactionId to be included in your Create payment API request
The further processing can differ depending on the configured payment products. By calling the API for each transaction, you're sure to use the correct device fingerprint collection code, including the proper indicators to gather the device data and a unique deviceFingerprintTransactionId.
- Determine for which payment products device fingerprint is enabled
Make a GET https://{domainname}/v1/{merchantId}/products API call so the system informs you of the payment products enabled for the device fingerprint service. This API call is available both in the Server and the Client API.
- Check the GET Payment product API response
In the response, you need to look for the deviceFingerprintEnabled property. For each payment product, we can call the GET Payment product API, so its status is always "true" (in case the consumer is using this payment product in their current checkout). The example below shows a response in which the device fingerprint service has been enabled for Visa and Mastercard but not for iDEAL.
{
  "paymentProducts": [
    {
      "deviceFingerprintEnabled": true,
      "allowsInstallments": false,
      "allowsRecurring": true,
      "allowsTokenization": true,
      "authenticationIndicator": {
        "name": "AUTHENTICATIONINDICATOR",
        "value": "1"
      },
      "autoTokenized": false,
      "displayHints": {
        "displayOrder": 1,
        "label": "Visa",
        "logo": "templates/master/global/css/img/ppimages/pp_logo_1_v2.png"
      },
      "id": 1,
      "maxAmount": 999999999999,
      "minAmount": 0,
      "mobileIntegrationLevel": "OPTIMISED_SUPPORT",
      "paymentMethod": "card",
      "paymentProductGroup": "cards",
      "usesRedirectionTo3rdParty": false
    },
    {
      "deviceFingerprintEnabled": true,
      "allowsInstallments": false,
      "allowsRecurring": true,
      "allowsTokenization": true,
      "authenticationIndicator": {
        "name": "AUTHENTICATIONINDICATOR",
        "value": "0"
      },
      "autoTokenized": false,
      "displayHints": {
        "displayOrder": 4,
        "label": "MasterCard",
        "logo": "templates/master/global/css/img/ppimages/pp_logo_3_v3.png"
      },
      "id": 3,
      "maxAmount": 1000000,
      "minAmount": 0,
      "mobileIntegrationLevel": "OPTIMISED_SUPPORT",
      "paymentMethod": "card",
      "paymentProductGroup": "cards",
      "usesRedirectionTo3rdParty": false
    }
  ]
}
- Call the GET Device fingerprint API
Once you have established which payment product your consumer uses and that the device fingerprint is available for it, you can call the GET Device fingerprint API. It should be done on your checkout page before you submit the transaction: this call triggers the device fingerprint profiling service.
- Obtain details from the response
The response from the profiling service returns the information needed to collect the Fraud Protection device data. The two returned properties, html and deviceFingerprintTransactionId, each serve their own purpose. More detailed information on this API and SDK-specific code examples can be found in our API Reference on the Get Device Fingerprint response.
{
  "html": "",
  "deviceFingerprintTransactionId": "2f6a0ceb-4ab4-44e0-b76b-cf4b8f2afcdd"
}
- Add the device fingerprint script to your checkout page body
The script from the html property needs to be added to the body of your checkout page, where you have the final submit button.
When executed, this script will collect the required information and send it to Cybersource Decision Manager. The script will only be executed when it already contains all the correct settings, the deviceFingerprintTransactionId, and when the consumer clicks the submit button.
You should not include it in your other pages: every executed script counts, affecting your invoice.
- Call the Create payment API
When a user presses the button, you normally have all the payment information collected to perform the Create payment API call. To make sure this device fingerprint data will be taken into account, you'll need to include the deviceFingerprintTransactionId that was returned in the Get Device fingerprint API call. This will link the generated device fingerprint with the transaction being assessed within the Cybersource Decision Manager.
{
  "cardPaymentMethodSpecificInput": {
    "threeDSecure": {
      "challengeCanvasSize": "full-screen",
      "challengeIndicator": "challenge-requested",
      "redirectionData": {
        "returnUrl": "https://example.org/return"
      }
    },
    "paymentProductId": 1,
    "card": {
      "cardNumber": "4111111111111111",
      "expiryDate": "0630",
      "cardholderName": "John Doe",
      "cvv": "204"
    }
  },
  "order": {
    "amountOfMoney": {
      "amount": 100,
      "currencyCode": "EUR"
    },
    "customer": {
      "billingAddress": {
        "countryCode": "NL"
      },
      "device": {
        "deviceFingerprintTransactionId": "788646ba-2a5e-459d-a381-6f33f185a4bf"
      }
    }
  }
}

{
  "creationOutput": {
    "additionalReference": "00000145120000000193",
    "externalReference": "000001451200000001930000100001"
  },
  "payment": {
    "id": "000001451200000001930000100001",
    "paymentOutput": {
      "amountOfMoney": {
        "amount": 100,
        "currencyCode": "EUR"
      },
      "references": {
        "paymentReference": "0"
      },
      "paymentMethod": "card",
      "cardPaymentMethodSpecificOutput": {
        "paymentProductId": 1,
        "fraudResults": {
          "cybersourceDecisionManager": {
            "fraudScore": 53,
            "policyApplied": "E2E Merchant Testing",
            "reasonCodes": [
              "B - Card_BIN_Or_Authorization_Risk",
              "F - Negative_List_Or_Negative_History",
              "G - Geolocation_Inconsistencies"
            ]
          },
          "fraudServiceResult": "accepted",
          "avsResult": "0",
          "cvvResult": "0"
        },
        "card": {
          "cardNumber": "************1111",
          "cardholderName": "John Doe",
          "expiryDate": "0630"
        }
      }
    },
    "status": "PENDING_APPROVAL",
    "statusOutput": {
      "isCancellable": true,
      "isRetriable": false,
      "statusCategory": "PENDING_MERCHANT",
      "statusCode": 600,
      "statusCodeChangeDateTime": "20250613163251",
      "isAuthorized": true,
      "isRefundable": false
    }
  }
}
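The merchant-side checks from the steps above, as an added example that is not part of the original documentation or of any SDK: it reads the deviceFingerprintEnabled flag strictly, attaches the deviceFingerprintTransactionId to the Create payment request only when it is well formed, and extracts the risk fields from the response. The function names are hypothetical, and the UUID shape of the ID is an assumption based on the sample values on this page.

```javascript
// Added example: function names are hypothetical; object shapes follow the
// JSON samples on this page.

// Assumption: IDs are UUID-shaped, as in the page's sample values.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// "Check the GET Payment product API response": a product counts as enabled
// only when the flag is literally true; a missing product or flag means no.
function isFingerprintEnabled(productsResponse, productId) {
  const products = (productsResponse && productsResponse.paymentProducts) || [];
  const product = products.find((p) => p.id === productId);
  return Boolean(product) && product.deviceFingerprintEnabled === true;
}

// "Call the Create payment API": copy the ID from the Get Device fingerprint
// response into order.customer.device without mutating the caller's request.
function attachFingerprint(paymentRequest, fingerprintResponse) {
  const id = fingerprintResponse && fingerprintResponse.deviceFingerprintTransactionId;
  if (typeof id !== "string" || !UUID_RE.test(id)) {
    throw new Error("missing or malformed deviceFingerprintTransactionId");
  }
  const order = paymentRequest.order || {};
  const customer = order.customer || {};
  return {
    ...paymentRequest,
    order: {
      ...order,
      customer: {
        ...customer,
        device: { ...customer.device, deviceFingerprintTransactionId: id },
      },
    },
  };
}

// After Create payment: pull out the risk fields the response carries.
function summarizeFraudResult(createPaymentResponse) {
  const output = createPaymentResponse?.payment?.paymentOutput;
  const fraud = output?.cardPaymentMethodSpecificOutput?.fraudResults;
  if (!fraud) return null; // no risk assessment in this response
  const dm = fraud.cybersourceDecisionManager || {};
  return {
    result: fraud.fraudServiceResult,
    score: dm.fraudScore ?? null,
    // Reason codes look like "G - Geolocation_Inconsistencies"; keep the letter.
    reasonLetters: (dm.reasonCodes || []).map((c) => c.split(" - ")[0]),
    status: createPaymentResponse.payment.status,
  };
}
```

Keeping the ID in your server-side checkout session and attaching it there, rather than reading it back from a form field, means the value sent with the payment is the one the profiling call issued for that transaction.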