Release Notes

CA Identity Risk Insight Service is a hosted solution that enables an enterprise to provide continuous and contextual authentication to customers and employees. For an overview of CA Identity Risk Insight Service, see Overview.
This page describes the updates that have been implemented since release 19.2 (June 2019).
The following topics provide high-level information about CA Identity Risk Insight Service 19.2.1:
 
 
New Features
The following new features have been introduced in this release:
1. Support for the TRANSFER User Action
In the earlier release, CA Flow Manager supported the following actions and asset types:
  • LOGIN action
  • CHANGE action for the following asset types:
    • SECRET
    • EMAIL
    • ADDRESS
    • PHONE
  • ADD action for the AUTH_APP asset type
In the current release, CA Flow Manager also supports the Funds Transfer action. In the context of the CA solution, this is denoted as the TRANSFER action.
For more information, see:
 
Note: In the current release, the Risk Evaluation API can send only one advice for the TRANSFER action. By default, this is the INCREASEAUTH advice. It can be changed to ALLOW, ALERT, or DENY. Also, risk evaluation rules cannot be configured for the TRANSFER action. In an upcoming release, the Risk Evaluation API can send any of the four advices and risk evaluation rules can be configured for the TRANSFER action.
2. Integration of the Case Management Module of CA Risk Analytics with the DRM Administration Console
From this release, the Case Management module of CA Risk Analytics is integrated with DRM. The Cases tab has been added on the DRM Administration Console. A Customer Service Representative (CSR) can use the Cases tab to create and manage cases related to both 3-D Secure transactions and non-3-D Secure actions.
For more information, see Managing Cases.
3. Support for Auto Enrollment of Replacement Card Accounts
A replacement card is a card that is issued to replace an existing card. From this release, CA Strong Authentication supports auto enrollment of replacement card accounts.
On the user's mobile, the auto enrollment process takes place when the user uses the replacement card to perform a transaction. For more information, see the following topics:
The following SDK API updates have been made as part of this feature:
  • autoEnrollAccount API has been introduced
  • autoEnrollId variable has been introduced in the TransactionDetailsResponse class
  • AutoEnrollmentResponse class has been introduced
For information about these updates, see:
Enhancements
The following enhancements have been introduced in this release:
1. Enhancements for Tenants That Support Secondary Cardholders
A portfolio group can consist of both 3-D Secure tenants and non-3-D Secure tenants. A 3-D Secure tenant might support secondary cardholders for a card. For such a card, both card number and cardholder name are required to uniquely identify a user who performs a given 3-D Secure transaction.
While creating or updating a portfolio group, you can now specify one of the following account identification criteria for card accounts of a 3-D Secure tenant. The selected criterion is applied when processing API calls sent by the tenant.
Note: For non-3-D Secure tenants, the account number is the default criterion for identifying accounts.
  • Card Number Only: Only the card number is used to identify a user of this tenant who performs a 3-D Secure transaction.
  • Card Number and Cardholder Name: If a secondary cardholder is associated with a card, then both card number and cardholder name are used to identify a user of this tenant who performs a 3-D Secure transaction.
Important! A 3-D Secure tenant associated with a portfolio group for which this criterion has been specified can use the Add Link and Linked Accounts APIs. At the same time, a 3-D Secure tenant that is not associated with a portfolio group can still use the Linked Accounts.
This enhancement has an impact on the following APIs:
2. Native Rule Writing Support for the BANKING Channel
Some of the data elements used in rules are collected by the Risk Evaluation API call with the help of extensible data structures. In previous releases, administrators could only create custom elements using rule tags for the IRIS elements. From this release, Risk Analytics provides these rule elements on the Rule Builder for both browser and mobile devices. These rule elements have been introduced for the LOGIN and CHANGE actions.
For the description of the new rule elements and the corresponding operators, see "Transaction Elements" in Configuring Risk Analysis for the BANKING Channel.
3. Displaying User Account IDs and Card Numbers in Decrypted Format
When a CSR opens a user’s account details on the DRM Administration Console, the CSR can specify whether he wants to display account IDs and card numbers in decrypted format (that is, clear text). To do this, in the Search User dialog, the CSR selects the Decrypt Sensitive Information check box.
If the CSR does not select this check box, then account IDs and card numbers are displayed in masked format. If the CSR does not have the privilege required to display information in clear text, then the check box is not available and account IDs and card numbers are displayed in masked format.
This also applies to all reports (including downloaded reports) for this user.
For more information, see Viewing Information About Accounts.
 
Note: The check box is displayed to a CSR only if the CSR account has been assigned the RF.DECRYPTSENSITIVEINFO privilege. If the CSR account does not have this privilege, then the check box is not displayed and all account IDs and card numbers are displayed in masked format.
4. Enabling CSRs to Unenroll Authenticating Devices
The term authenticating device refers to the mobile device on which a user has enrolled her bank accounts and card accounts for CA Strong Authentication. The CSR can unenroll this device from the Administration Console.
For more information, see Unenrolling Authenticating Devices.
5. Enabling CSRs to Download the Transaction Report
While viewing a user's Transactions report, a CSR can now download the report in CSV format. The downloaded report can contain information about transactions that have taken place up to 180 days in the past.
For more information, see Viewing Information About Accounts.
6. Changes in the Risk Evaluation and Authentication APIs
The following updates have been made in the Risk Evaluation API:
  • The CA_atn_newAdressType parameter has been renamed to "CA_atn_newAddrType."
  • The CA_atn_oldAdressType parameter has been renamed to "CA_atn_oldAddrType."
  • The following parameters are now marked OPTIONAL:
    • AL_com_source
    • AL_com_destination
    • AL_com_messageType
    • AL_com_phase
    • CA_atn_oldRegion
    • CA_atn_oldAddrLine2
    • CA_atn_newRegion
    • CA_atn_newAddrLine2
The following updates have been made in the Post-Evaluation API:
  • The CA_com_isExemptionClaimed request parameter has been renamed to "CA_com_isExemptionOverride."
  • The CA_com_isFinalSCA request parameter has been changed from OPTIONAL to REQUIRED.
  • The following parameters are now marked OPTIONAL:
    • AL_com_source
    • AL_com_destination
    • AL_com_messageType
    • AL_com_phase
The following updates have been made in the Advice API:
  • The CA_atn_newAdressType parameter has been renamed to "CA_atn_newAddrType."
  • The CA_atn_oldAdressType parameter has been renamed to "CA_atn_oldAddrType."
  • The CA_com_isExemptionClaimed request parameter has been renamed to "CA_com_isExemptionOverride."
  • The CA_com_isFinalSCA request parameter has been changed from OPTIONAL to REQUIRED.
  • The following parameters are now marked OPTIONAL:
    • AL_com_source
    • AL_com_destination
    • AL_com_messageType
    • AL_com_phase
    • CA_atn_oldRegion
    • CA_atn_oldAddrLine2
    • CA_atn_newRegion
    • CA_atn_newAddrLine2
In addition, there are changes in the error codes. For information about these changes, see "Changes in the Error Codes" in Error Codes Returned by the Risk and Authentication APIs.
7. Changes in the Enrollment APIs
The following updates have been made in the Enrollment APIs:
8. Changes in the APIs for Managing Accounts and User Factors
The following updates have been made in the APIs for managing accounts and user factors:
  • There is a new portfolio-group-level property for specifying the Account Identification Criteria. The value of that property has a bearing on the following API parameters:
    • accounts.account_holder_name parameter in the Add Link API
    • accounts.account_holder_name parameter in the Delete Link API
    • account._name parameter in the Linked Accounts API
  • There are changes in the error codes returned by the APIs for managing accounts and user factors. For information about these changes, see Error Codes Returned by APIs for Managing Accounts and User Factors.
9. Support for New Parameters of the TRANSFER Action
The Risk Evaluation API and Advice API now support the following new (that is, additional) values:
API Parameter | New/Additional Value
CA_atn_fromAccountType | REVOLVING_CREDIT
CA_atn_fromInstitutionType | ISSUER
CA_atn_toAccountType | UNKNOWN
Fixed Defects
The following defects have been fixed in this release:
1. For the Authentication API, values of the CA_com_action, CA_com_serviceType, and CA_atn_assetType parameters were not validated.
This issue has been resolved. These parameters are now validated.
Tracking ID: -
2. The following issues were observed with the Enrollment API and Unenrollment API:
  • The x-ca-sessionid header is marked as REQUIRED in the Wiki. However, it was not mandated by the APIs.
  • The channel parameter is marked as REQUIRED in the Wiki. However, its value was not validated.
These issues have been resolved.
Tracking ID: DE419256
3. The following issue was observed with the Authentication Selection API for the PUSH scenario:
An error was encountered if the txnData parameter was left empty.
This error is not encountered anymore.
Tracking ID: DE419942
4. The following issue was observed with the CA Flow Manager APIs:
If the CA_com_action parameter was empty or invalid, then the system fell back to the enterprise-level Authentication profile. However, no error message was displayed for the empty or invalid value of the CA_com_action parameter.
In addition, in the OTP Generate API, the value of the CA_atn_assetType parameter was not validated against the value of the CA_com_action parameter.
These issues have been resolved.
Tracking ID: DE419244
5. For the Authentication Status API, if authType was PUSH and a flowstate generated for the OTP flow was provided, then the flowstate was not validated.
This issue has been resolved. The flowstate is now validated even if authType is PUSH and a flowstate generated for the OTP flow is provided.
Tracking ID: DE419247
6. If the same OTP was sent multiple times to the OTP Verify API for verification, then the error details returned in release 19.2 were not the same as the error details returned in release 19.1.1.
This issue has been resolved. The error details returned for this scenario are the same in releases 19.1.1 and 19.2.1.
Tracking ID: DE419946
7. The following issue was observed with the Authentication Selection API for the PUSH scenario:
An error was encountered if the txnData parameter was left empty.
This issue has been resolved.
Tracking ID: DE419942
8. The following defects of the CA Strong Authentication SDKs have been addressed:
  • In the earlier release, the setPIN API returned a NULL object. This issue has been resolved. The setPIN API now returns a SUCCESS or FAILURE response.
  • In the earlier release, TRANSACTION_AVAILABLE was one of the statuses returned by the getTransaction API. This issue has been resolved. The getTransaction API now returns only SUCCESS or FAILURE.
  • In the earlier release, the authenticateUsingUserPin iOS API did not return an error code if the user submitted an incorrect PIN.
    This issue has been resolved. If the user submits an incorrect PIN, then the API now returns the invalid_credentials error code.
Tracking ID: DE423848, DE423863, DE426369
9. In the earlier release, it was mandatory to specify a value for the AccountHolderName XML file element in the XML files for the following operations:
  • Uploading non-3-D-Secure records
  • Upserting factors for 3-D-Secure and non-3-D-Secure records
This issue has been resolved. Now, it is optional to specify a value for the AccountHolderName XML file element for these operations.
For more information, see:
10. In the earlier release, in the XML file for linking non-3-D secure and 3-D secure accounts, only NETBANKING was accepted as the value of the Channel element under the <PivotAccount> element.
From this release, the Channel element accepts either NETBANKING or BANKING as its value.
Tracking ID: -
11. In the earlier release, a case-sensitive check was conducted on the value of the AccountId XML file element in the XML files for the following operations:
  • Uploading non-3-D-Secure records
  • Upserting factors for 3-D-Secure and non-3-D-Secure records
This issue has been resolved. Now, the system is case-agnostic about the value of the AccountId XML file element.
For more information, see:
Tracking ID: DE411965
12. In the earlier release, in the XML file for adding non-3-D secure accounts, the system expected the Factors tags (<Factors></Factors>) even if no factors were sent.
This issue has been resolved. From this release, the system accepts the XML file for adding non-3-D secure accounts even if the Factors tag is empty or is not included at all.
Tracking ID: DE377054
13. In earlier releases, the CA_atn_oldEmail and CA_atn_oldPhone parameters were marked as CONDITIONAL parameters in the Risk Evaluation API and Advice API.
From this release, CA_atn_oldEmail and CA_atn_oldPhone are marked as OPTIONAL parameters.
Note: The API does not support an empty or NULL value for any parameter, regardless of whether the parameter is REQUIRED, CONDITIONAL, or OPTIONAL. Therefore, if you include the CA_atn_oldEmail parameter or CA_atn_oldPhone parameter in the API payload, then specify a value for the parameter.
Tracking ID: DE431564
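A pre-flight check for client integrations, covering the parameter renames and the newly REQUIRED CA_com_isFinalSCA parameter listed under "Changes in the Risk Evaluation and Authentication APIs" together with the empty/NULL rule in the note above. This is an added example, not CA code: it assumes the payload is available as a flat name-to-value mapping, and the API labels (risk-evaluation, post-evaluation, advice), the lint_payload function and the sample values are hypothetical.

```python
"""Pre-flight lint for request payloads against the 19.2.1 parameter changes."""

ADDR_RENAMES = {
    "CA_atn_newAdressType": "CA_atn_newAddrType",
    "CA_atn_oldAdressType": "CA_atn_oldAddrType",
}
EXEMPTION_RENAME = {"CA_com_isExemptionClaimed": "CA_com_isExemptionOverride"}

# Per-API rules taken from the release notes. The dictionary keys are
# hypothetical labels chosen for this example, not product identifiers.
API_RULES = {
    "risk-evaluation": {"renamed": ADDR_RENAMES, "required": set()},
    "post-evaluation": {"renamed": EXEMPTION_RENAME,
                        "required": {"CA_com_isFinalSCA"}},
    "advice": {"renamed": {**ADDR_RENAMES, **EXEMPTION_RENAME},
               "required": {"CA_com_isFinalSCA"}},
}


def is_empty(value):
    """The APIs reject empty or NULL values for every parameter."""
    return value is None or (isinstance(value, str) and not value.strip())


def lint_payload(api, payload):
    """Return (findings, migrated) for a flat name -> value payload.

    `migrated` uses the new parameter names and omits empty values;
    `findings` lists what a caller has to fix before sending.
    """
    rules = API_RULES[api]
    findings, migrated = [], {}
    for name, value in payload.items():
        new_name = rules["renamed"].get(name, name)
        if new_name != name:
            findings.append(f"renamed: {name} -> {new_name}")
            if new_name in payload:
                # Both spellings sent: keep the value under the new name.
                findings.append(f"conflict: {name} ignored")
                continue
        if is_empty(value):
            findings.append(f"empty: {new_name}")
            continue
        migrated[new_name] = value
    for name in sorted(rules["required"] - set(migrated)):
        findings.append(f"missing-required: {name}")
    return findings, migrated


# Constructed sample: an Advice API payload written against release 19.2.
# Parameter values are invented for illustration.
SAMPLE_ADVICE_PAYLOAD = {
    "CA_com_action": "CHANGE",
    "CA_atn_assetType": "ADDRESS",
    "CA_atn_newAdressType": "HOME",
    "CA_atn_oldAddrLine2": "",
    "CA_com_isExemptionClaimed": "false",
    "CA_atn_oldEmail": None,
}

if __name__ == "__main__":
    issues, fixed = lint_payload("advice", SAMPLE_ADVICE_PAYLOAD)
    for issue in issues:
        print(issue)
    print(fixed)
```

An OPTIONAL parameter reported as empty can simply be left out of the request; a REQUIRED one reported as empty also appears as missing-required and needs a real value.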
Documentation Updates
The following documentation-specific updates have been made in this release:
 
1. On the Sharing XML Files to Upload Non-3-D Secure Account Data page, for the Add operation, AccountHolderName is now marked as a mandatory XML file element.
2. On the Sharing XML Files to Upload Non-3-D Secure Account Data page, for the Upsert operation, the value of the Operation XML file element has been corrected to Upsert.
3. On the Post-Evaluation API page, TRANSFER has been added as a possible value of the CA_com_action parameter.
4. In the sample response given on the Get Factors API page, the home_phones parameter has been corrected to home_phone_numbers.
5. On the Error Codes Returned by APIs for Managing Accounts and User Factors page, the following error code has been added:
Error Code | Error Description
invalid_token | Invalid Authorization Token. Explanation: The JWT token sent as the value of the Authorization header is invalid.
6. On the Token API page, the Content-Type and CA_com_apiVersion headers are now marked OPTIONAL.
7. The following updates have been made in the API Reference for Android:
  • For the setPin API, activation_acknowledgment_failed has been added as an error code that can be returned by the API.
  • The updateAuthenticationTypes API has been removed.
  • For the updateAuthenticationType API, the return type has been corrected.
  • A section has been added for the UpdateAuthenticationResponse class.
The following updates have been made in the API Reference for iOS:
  • For the setPin API, activation_acknowledgment_failed has been added as an error code that can be returned by the API.
  • For the updateAuthenticationType API, the return type has been corrected.
8. On the Authentication Status API page, the description of the status response parameter has been corrected.
9. On the API Reference for Android page, the Interfaces section has been added.
10. On the OTP Generate API page, ADD and TRANSFER have been added as possible values of the action request parameter.
11. On the API Reference for iOS page, a section has been added for the authenticateUsingTouchID API.
12. On the Authentication API page, TRANSFER has been added as a possible value of the CA_com_action request parameter.
13. The following error code is applicable only to the Token API. The required correction has been made in Error Codes Returned by APIs for Managing Accounts and User Factors.
Error Code | Error Description
unauthorized_access | Invalid credentials. Explanation: The credentials of the administrator account sent in the Token API payload were incorrect.
14. The following corrections have been made in Error Codes Returned by the Risk and Authentication APIs:
Error Code | Correction
FM00000004 | Not applicable to the Authentication Status API. Also, the description has been updated.
FM000000040 | Not applicable to the Authentication Status API.
FM000000201 | Not applicable to the Authentication Status API.
FM000000500 | Not applicable to the Authentication Status API.
FM000000807 | Not applicable to the Authentication Selection API.
FM000000055 | Not applicable.
FM000000501 | Not applicable.
FM000000808 | Applicable to the Authentication Status API only in certain scenarios. For more information, see Error Codes Returned by the Risk and Authentication APIs.
FM000000809 | Applicable to the Authentication Status API only in certain scenarios. For more information, see Error Codes Returned by the Risk and Authentication APIs.
15. On the Risk Evaluation API - LOGIN Action page and Advice API - LOGIN Action page, "CA_atn_pwdHash" has been corrected to "CA_atn_secretHash."
16.
  • Error codes that do not apply to the Enrollment APIs have been removed.
  • For FM000000028, FM000000045, FM00000006, and FM00000007, the Action to Be Taken column has been updated.
17.
  • FM00000005 and FM000000010 have been removed.
  • For FM000000028, FM000000045, FM00000006, and FM00000007, the Action to Be Taken column has been updated.
18. x-ca-user has been removed from the list of headers of the Post-Evaluation API.
19. On the Risk Evaluation API page and Authentication API page, an Important note has been added about the validity period of the flowState parameter returned in the API response.
20. For the Enrollment API, the list of error codes for accounts that could not be enrolled has been added. To see this list, see the “Enrollment - Response Parameters” section on that page.
Similarly, for the Unenrollment API, the list of error codes for accounts that could not be unenrolled has been added. To see this list, see the “Unenrollment - Response Parameters” section on that page.
21. On the Error Codes Returned by the Risk and Authentication APIs page, the following error codes have been added:
  • FM000000615
  • FM000000616
  • FM000000617
22. On the Error Codes Returned by the Risk and Authentication APIs page, the following error codes also apply to the Authentication Selection API:
  • FM000000201
  • FM000000500
23. The CA_atn_isSilentEnroll parameter is not needed in the ADD action payload of the Risk Evaluation API and Advice API. This parameter is replaced by an enterprise-level property in the system.
24. For the Risk Evaluation API and Advice API, CA_atn_effectiveDT has been added as a CONDITIONAL parameter for the ADD action.
25. On the Error Codes Returned by the Risk and Authentication APIs page, the following error code has been removed:
  • FM000000614
2. In API Reference for iOS, a section has been added for the setPin (for multiple accounts) method.
Known Issues and Limitations
The following are known issues and limitations in the Risk, Authentication, and Enrollment APIs:
1. The following issue is observed with the Risk Evaluation API and Advice API:
An error is encountered if the value of the CA_com_deviceProxyId parameter is not valid.
Tracking ID: DE417474
2. Although CA_com_apiVersion is marked as REQUIRED in the Wiki, an API call is processed even when CA_com_apiVersion is not provided. The current version is used as the default value.
Tracking ID: DE419255
3. In the Post-Evaluation API, if the x-ca-flowstate is not passed, then the system does not validate the x-ca-user header.
Tracking ID: DE421483
4. The Enrollment API and Unenrollment API do not support enrollment or unenrollment of a card account with which secondary cardholders are associated.
Tracking ID: -
The following are known issues and limitations in the DRM Administration Console:
1. The following issue is observed in the downloaded Transactions report:
The Organization label and field show the organization to which the user account belongs. It should display the CSR’s username and organization.
Tracking ID: DE423598
2. On the Cases tab, long labels such as "Savings Account Number" and "Release case" are displayed on two lines.
Tracking ID: DE423873
3. When the Reports page is refreshed, the date range entered by a CSR is reset to the default date.
Tracking ID: DE423860
4. On the reports pages, when the CSR selects tenants using the Select Tenant widget, the filter labels show the correct number of tenants selected. However, when the Select Tenant widget is opened again, check marks are not displayed next to the selected tenants.
Tracking ID: DE423784
5. When a CSR logs in to the DRM Administration Console, the following Content Security Policy (CSP) error message may be recorded in the console logs of the browser. This error message can be safely ignored.
"The Content Security Policy 'worker-src 'self' blob:;' was delivered via a <meta> element outside the document's <head>, which is disallowed. The policy has been ignored."
Tracking ID: -
6. The DRM tab and Devices tab do not show any information for a secondary cardholder.
Tracking ID: DE424147
7. The following issue is observed with the Risk Evaluation API and Advice API:
The CA_atn_effectiveDT parameter is marked as a CONDITIONAL parameter, which must be sent if the value of CA_com_action is ADD, TRANSFER, or CHANGE. However, for backward-compatibility purposes, the code does not mandate the inclusion of the CA_atn_effectiveDT parameter in the payload.
Tracking ID: DE432980
Bill of Materials
This release includes the following SDK packages. Contact the CA Technologies Support team to start using these SDKs.
 
Item: CA Strong Authentication SDKs. For information about downloading this SDK package, see "Downloading the CA Strong Authentication SDK Package" in Integrating the CA Strong Authentication SDK.
File Name: StrongAuth_SDK_ClientPackages.zip
MD5 Hash: eda4ca2bca2c3195300f4255a6841b4d