Fraud Analysts Analyzing Transactions

Only GAs, OAs, and Fraud Analysts (FAs) can analyze the user transactions for the organizations that are in their scope. The MA, UAs, and CSRs cannot perform this task.
Analyzing transactions is a multi-step process that can involve:
While looking at all the transactions based on the criteria that you specified in the Transactions Summary page, if you locate one or more suspect transactions, then you can further look into the details of these transactions (Viewing Case Details). You can further locate a pattern by viewing similar transactions (Viewing Similar Transactions and Viewing Related Transactions). After you have analyzed the details and discovered patterns, you can mark suspect transactions for further investigation by the CSRs (Marking Transactions for Further Investigation).
How to View Transactions Summary
Transactions can be filtered based on two criteria:
What are the Fields in the Transaction Summary Page explains the fields that are displayed in a typical transaction summary.
How to Search for Transactions Based on Search Criteria
To search for transactions based on search criteria:
  1. Ensure that you are logged in with proper credentials (GA, OA, or Fraud Analyst).
  2. Activate the Case Management tab in the main menu.
  3. Under the Case Management section, click the Analyze Transactions link.
  4. From the Select Organization list, select the organization whose data you want to filter in the report.
    When the administrator has access to multiple perspectives in the system, the ALL ISSUERS and ALL ACQUIRERS options are available in the Select Organization drop-down list. Otherwise, you see the ALL organizations option.
    The Analyze Transactions page for criteria-based search appears.
  5. From the Select Channel drop-down list, select the channel for which you want to view the transactions. Possible values are:
    • All Channels
    • Default
    • 3D Secure
    • ATM
    • POS
    • ECOM
    • IMPS Beneficiary
    • IMPS Remitter
  6. Enter the user identification information. The field differs based on the channel configured for the organization, as follows:
    • Default, ATM, POS, ECOM: Enter User Name
    • 3D Secure: Enter Card Number
    • IMPS: Enter User Name
    • Acquirer Organization ATM and POS: Enter Terminal ID
      If you selected ALL ISSUERS, ALL ACQUIRERS, or ALL organizations in Step 4, this field is not enabled.
    If you do not specify any user details, then all the transactions for the specified Organization are displayed.
  7. To filter the transactions based on specific criteria, perform either of the following steps:
    1. Select the pre-defined date range based on which you want to filter the transaction data in the Transaction Date From and To fields.
    2. Select the Last Transactions option and then select the time interval (in minutes) for which you want to see the latest transactions that were performed.
  8. From the Risk Advice list, select the advices based on which you would like to filter the data.
  9. From the Secondary Authentication Status list, select the statuses based on which you would like to filter the data.
  10. From the Fraud Status list, select the statuses based on which you would like to filter the data.
  11. From the Rule list, select the rule based on which you would like to filter the transaction data.
    If you want to see the transactions for all rules that matched, then ensure that the default All Rules option is selected.
  12. (Only for 3D Secure) Enter the merchant name in the Merchant field, and select the criteria (Exact, Starts with, Ends with, Contains) based on which you want to filter the transaction data.
  13. Enter the Device ID of the device for which you would like to filter the transaction data.
    This field is displayed only if you selected an Issuer Organization.
  14. Select Decrypt Sensitive Information if you want to display the data in clear text.
  15. Click Submit to generate the Transactions Summary page.
    You can export the information directly to a CSV file by clicking the Export button.
    For a description of the fields on the Transactions Summary page, see What Are the Fields in the Transaction Summary Page.
How to Search for Transactions Based on Transaction ID
To search for transactions based on Transaction ID:
  1. Ensure that you are logged in with proper credentials (GA, OA, or Fraud Analyst).
  2. Activate the Case Management tab in the main menu.
  3. Under the Case Management section, click the Analyze Transactions link.
  4. From the Select Organization list, select the organization whose data you want to filter in the report.
    When the administrator has access to multiple perspectives in the system, the ALL ISSUER, ALL ACQUIRER and ALL BENEFICIARY options are available in the Select Organization drop-down list. Otherwise, you see the ALL organizations option.
  5. Click Switch to Transaction ID Based Search.
    The Analyze Transactions page for transaction ID based search appears.
  6. From the Select Channel drop-down list, select the channel for which you want to view the transactions.
  7. Enter the Transaction ID of the transaction that you want to analyze.
  8. Select Decrypt Sensitive Information if you want to display the data in clear text.
  9. Click Submit to generate the Transactions Summary page.
    You can export the information directly to a CSV file by clicking the Export button.
    You can view transactions specific to a channel by clicking the specific channel tabs.
For a description of the fields on the Transactions Summary page, see What Are the Fields in the Transaction Summary Page.
What Are the Fields in the Transaction Summary Page
The following table describes the fields listed in the Transactions Summary page for the Default channel.
Fields
Description
Details
Click the detail link to look into the details of the transaction.
User Name
The name of the user performing the transaction.
Fraud Status
The fraud status of the case. This field can have one of the following statuses:
  • Assumed Fraud
  • Assumed Genuine
  • Confirmed Fraud
  • Confirmed Genuine
  • Undetermined
Fraud Type
The type of fraud.
Country
Based on the IP Address, the country from which the transaction was performed.
IP Address
The IP address of the system or device used for the purchase transaction.
Matched Rule
The rule that matched and for which RA flagged the transaction as risky.
Transaction Date
The timestamp when the transaction was performed.
Risk Score
The overall risk score returned by RA for the corresponding transaction. This is a value between 0 and 100.
Risk Advice
The action suggested by RA after evaluating the Risk Score of the transaction. The possible actions are:
  • ALLOW
  • ALERT
  • DENY
  • INCREASE AUTHENTICATION
Device ID
The ID of the device used for the transaction.
Model Score
The risk score returned by the Model for the transaction. This is a value between 0 and 100.
Secondary Auth Status
If the Risk Advice is INCREASE AUTHENTICATION, then this column specifies the result of the additional authentication that your application returned as feedback to RA.
Account Type
The account type associated with the transaction.
This column is displayed only if you have configured account types for the organization.
Rule Results
The result of all the rules for the transaction. The result is Y or N.
Account ID
If there is an account ID associated with the user, then this column specifies the account ID that was used to perform the transaction.
Device Type
The type of device involved in the transaction.
Transaction ID
The unique ID generated for each user transaction.
OS
The operating system on the device that was used to perform the transaction.
Browser
The browser that was used to perform the transaction.
Device ID Status
The status of the Device ID:
  • READ: The Device ID was read from the device.
  • NEW: The Device ID was assigned to the device.
  • REVERSE LOOKUP: The Device ID was determined by matching the input device signature against the device signatures that were successfully associated with the user.
Action
The type of transaction performed by the user, which can be:
  • Login
  • Wire Transfer
  • Any other value that you specify through your application
AFPN Advice
Displays the AFPN advice if AFPN was invoked during the transaction or later.
Organization
The organization to which the user belongs.
Note: This field is displayed only if you selected ALL organizations in your search.
The following table describes the fields listed in the Transactions Summary page for the 3D Secure channel.
Fields
Description
Details
Click the detail link to look into the details of the transaction.
Card Number
The card number of the user performing the transaction.
Fraud Status
The fraud status of the case. This field can have one of the following statuses:
  • Assumed Fraud
  • Assumed Genuine
  • Confirmed Fraud
  • Confirmed Genuine
  • Undetermined
Fraud Type
The type of fraud.
Country
Based on the IP Address, the country from which the transaction was performed.
IP Address
The IP address of the system or device used for the purchase transaction.
Merchant
The merchant involved in the transaction.
Currency
The currency used in the transaction.
Amount
The total transaction amount.
Organization's Base Currency
The base currency defined for the organization.
Amount in Organization's Base Currency
The transaction amount converted to the organization base currency.
Matched Rule
The rule that matched and for which RA flagged the transaction as risky.
Transaction Date
The timestamp when the transaction was performed.
Risk Score
The overall risk score returned by RA for the corresponding transaction. This is a value between 0 and 100.
Risk Advice
The action suggested by RA after evaluating the Risk Score of the transaction. The possible actions are:
  • ALLOW
  • ALERT
  • DENY
  • INCREASE AUTHENTICATION
Device ID
The ID of the device used for the transaction.
Model Score
The risk score returned by the Model for the transaction. This is a value between 0 and 100.
Secondary Auth Status
If the Risk Advice is INCREASE AUTHENTICATION, then this column specifies the result of the additional authentication that your application returned as feedback to RA.
Transaction Status
The status of the transaction.
Rule Results
The result of all the rules for the transaction. The result is Y or N.
Device Type
The type of device involved in the transaction.
Transaction ID
The unique ID generated for each user transaction.
OS
The operating system on the device that was used to perform the transaction.
Browser
The browser that was used to perform the transaction.
Device ID Status
The status of the Device ID:
  • READ: The Device ID was read from the device.
  • NEW: The Device ID was assigned to the device.
  • REVERSE LOOKUP: The Device ID was determined by matching the input device signature against the device signatures that were successfully associated with the user.
Action
The type of transaction performed by the user, which can be:
  • Login
  • Wire Transfer
  • Any other value that you specify through your application
AFPN Advice
Displays the AFPN advice if AFPN was invoked during the transaction or later.
Organization
The organization to which the user belongs.
Note: This field is displayed only if you selected ALL organizations in your search.
The following table describes the fields listed in the Transactions Summary page for the ATM and POS channels.
Field
Description
Details
Click the detail link to look into the details of the transaction.
TXID
The unique ID generated for each transaction.
USERNAME/Terminal ID
The card number of the user performing the transaction (in the case of Issuer organizations) or the Terminal ID from where the transaction was performed (in the case of Acquirer organizations).
Fraud Status
The status of the fraud.
Fraud Type
The type of fraud.
Processing Code
A series of digits that describes the type of transaction and the accounts affected by the transaction.
PAN
Primary Account Number that indicates the valid cardholder account number.
Datetime Local Txn
The local time at the ATM from where the transaction originated.
Transaction Datetime
Time (Hours-Mins) extracted from the date/time when the ISO 8583 message was constructed, represented in GMT/UTC.
Transaction Amount
Amount involved in the transaction.
Reversal Amount
Amount reversed during the transaction.
Action
The type of transaction performed by the user, which can be:
ATM:
  • WITHDRAWAL
  • FINANCIALINQUIRY
  • PINCHANGE
POS:
  • PURCHASE
Transaction Status
The status of the transaction.
Reversal Status
The status of the reversal transaction.
Transaction Action Code
The code assigned to the transaction action.
MTI
Message Type Identifier. This is a 4-digit field that classifies the high-level function of the ISO 8583 message (consisting of Message Version, Message Class, Message Function, and Message Origin).
Matched Rule
The rule that matched and for which RA flagged the transaction as risky.
Score
The overall risk score returned by RA for the corresponding transaction. This is a value between 0 and 100.
Merchant Category
Category code of the merchant involved in the transaction.
POS Entry Mode
Indicates the method used to enter the account number.
Acceptor Address
Address of the card acceptor.
Acceptor City
City from which the transaction originated.
Acceptor State
State from which the transaction originated.
Card Accept Country
The code identifying the country of the acquiring institution.
Acquirer Country
Country where the acquiring institution for the POS is located.
Acceptor Terminal Id
Code that identifies a card acceptor terminal or a POS.
Acceptor Id
ID of the card acceptor (merchant) operating the POS.
ACQ Bin
Acquirer BIN of the merchant where the transaction was made.
POS Condition Code
(Only POS) Indicates the transaction conditions at the POS.
RRN
Retrieval Reference Number that helps identify and track all messages related to a given cardholder transaction.
Response Code
The response to a request for a transaction.
Advice
The action suggested by RA after evaluating the Risk Score of the transaction. The possible values are:
  • ALLOW
  • ALERT
  • INCREASEAUTH
  • DENY
AFPN Advice
Displays the AFPN advice if AFPN was invoked during the transaction or later.
Organization
The organization to which the user belongs.
Note: This field is displayed only if you selected ALL organizations in your search.
The following table describes the fields listed in the Transactions Summary page, specific to the IMPS Beneficiary and IMPS Remitter channels. All other fields are the same as those in ATM or POS channels.
Field
Description
Beneficiary Account Number
The bank account number of the Beneficiary. This field is applicable for transactions of type Person to Account (P2A). This value is a combination of IFSC-code and bank account number.
Beneficiary IMPSID
The user name used to identify the Beneficiary.
Beneficiary Mobile Number
The mobile number of the Beneficiary.
IMPS Mode
A 2-digit value that denotes the IMPS transaction type.
Remitter IMPSID
The user name used to identify the Remitter.
Remitter Mobile Number
The mobile number of the Remitter.
The following table describes the fields listed in the Transactions Summary page, specific to the ECOM channel.
All other fields are the same as those in ATM or POS channels.
Field
Description
ECI Indicator
A 2-digit value that denotes how the eCommerce transaction was authenticated.
Shopper country
The shopper's country.
How to View Case Details
The Transactions Summary page can also be used to view details of any specific transaction or case.
To view details of a specific case, in the Transactions Summary page, click the required detail link in the corresponding Details column. The transaction details are displayed on the resulting (Transaction Details) page. This page lists the details of the selected transaction, and also allows you to further filter transactions on the basis of available parameters.
The following table describes the fields listed in the Transaction Details page.
Fields
Description
Basic Transaction Details (Default and 3D Secure)
Transaction ID
The unique identifier of the transaction.
Transaction Date
The timestamp when the transaction was performed.
Action
The type of transaction performed by the user, which can be:
  • Login
  • Wire Transfer
  • Any other value that you specify through your application
User Name
(Only Default) The name of the user who performed the transaction.
Card Number
(Only 3D Secure) The card number of the user who performed the transaction.
Fraud Status
The current status of the fraud. Possible values are:
  • Undetermined
  • Assumed Fraud
  • Assumed Genuine
  • Confirmed Fraud
  • Confirmed Genuine
Device ID
The ID of the device used for the transaction.
Risk Advice
An action suggested by the Risk Assessment module after evaluating the risk score of the selected transaction. The possible actions are:
  • ALLOW
  • ALERT
  • DENY
  • INCREASEAUTH
Matched Rule
The rule that matched and for which RA flagged the transaction as risky.
Secondary Auth Status
If the Risk Advice is INCREASE AUTHENTICATION, then this column specifies the result of the additional authentication that your application returned as feedback to RA. The possible values are Success and Failure.
Transaction Status
(Only 3D Secure) The status of the transaction.
Model Score
The risk score returned by the Model for the transaction.
Risk Score
The overall risk score returned by RA for the corresponding transaction. This is a value from 0 through 100.
User State
The state assigned to the user by the Customer Support Representative (CSR). Possible values are:
  • UNDEFINED
  • Positive
  • Suspect
  • BlackListed
Basic Transaction Details (ATM and POS)
TXID
The unique ID generated for each transaction.
USERNAME/Terminal ID
The card number of the user performing the transaction (in the case of Issuer organizations) or the Terminal ID from where the transaction was performed (in the case of Acquirer organizations).
Fraud Status
The current status of the fraud. Possible values are:
  • Undetermined
  • Assumed Fraud
  • Assumed Genuine
  • Confirmed Fraud
  • Confirmed Genuine
Transaction Amount
Amount involved in the transaction.
Reversal Amount
The reversal amount involved in the transaction.
Action
The type of transaction performed by the user, which can be:
ATM:
  • WITHDRAWAL
  • FINANCIALINQUIRY
  • PINCHANGE
POS:
  • PURCHASE
Transaction Status
The status of the transaction.
Reversal Status
The status of the reversal transaction.
Matched Rule
The rule that matched and for which RA flagged the transaction as risky.
Score
The overall risk score returned by RA for the corresponding transaction.
This is a value between 0 and 100.
Merchant Category
(Only POS) Category code of the merchant involved in the transaction.
POS Entry Mode
(Only POS) Indicates the method used to enter the account number.
Acquirer Country
Country where the acquiring institution for the POS is located.
Acceptor Terminal ID
Code that identifies a card acceptor terminal or a POS.
Acceptor ID
ID of the card acceptor (merchant) operating the POS.
ACQ Bin
Acquirer BIN of the merchant where the transaction was made.
POS Condition Code
Indicates the transaction conditions at the POS.
Advice
The action suggested by RA after evaluating the Risk Score of the transaction.
User State
The state assigned to the user by the Customer Support Representative (CSR). Possible values are:
  • UNDEFINED
  • Positive
  • Suspect
  • BlackListed
Other Transaction Details (Only 3D Secure)
Merchant ID
Unique identifier of the merchant involved in the transaction.
Merchant
Name of the merchant involved in the transaction.
Merchant URL
URL of the merchant involved in the transaction.
Currency
The currency in which the transaction was performed.
Amount
The total transaction amount.
Organization's Base Currency
The base currency defined for the organization.
Amount in Organization's Base Currency
The transaction amount converted to the organization base currency.
Location Details (Only Default and 3D Secure)
IP Address
The IP address of the system or device used for the purchase transaction.
City
The city where the transaction was performed by the user.
State
The state to which the user belongs.
Country
The country to which the user belongs.
Connection Type
The connection type between the user’s device and their Internet Service Provider. The possible values are:
  • Satellite
  • OCX
  • Frame Relay
  • TX
  • Dialup
  • Cable
  • DSL
  • ISDN
  • Fixed Wireless
  • Mobile Wireless
Line Speed
The speed of the user’s internet connection. This is based on the Connection Type.
IP Routing Type
The IP routing method used for the connection. The possible values are:
  • Fixed: Cable, DSL, OCX
  • AOL: AOL users
  • POP: Dial up to regional ISP
  • Super POP: Dial up to multi-state ISP
  • Cache Proxy: Accelerator proxy, content distribution service
  • Regional Proxy: Proxy for multiple states in a country
  • Anonymizer: Anonymizing proxy
  • Satellite: Consumer satellite or backbone satellite ISP
  • International Proxy: Proxy funneling international traffic
  • Mobile Gateway: Mobile device gateway to Internet
  • Unknown: Cannot currently be determined
Anonymizer Type
The type of anonymizer, if any, used for the connection. The possible values are:
  • Private: Anonymous proxies that are not publicly accessible. These types of anonymizers typically belong to commercial ventures.
  • Active: Anonymous proxies that tested positive within the last six months.
  • Suspect: Anonymous proxies that tested positive within the last two years, but not the last six months.
  • Inactive: Anonymous proxies that did not test positive in the last two years.
  • Unknown: Anonymous proxies for which no positive test results are currently available.
Risk Assessment Details
MFP Match %
The match percentage of the incoming Machine FingerPrint (MFP) with the value stored in the RA database.
This is a numeric value.
User Known
Whether the User Known rule matched. The possible values are:
  • Yes:
    If the rule matched.
  • No:
    If the rule did not match.
  • N/A:
    If the information was not available during risk evaluation.
Exception User Check
Whether the Exception User Check rule matched. The possible values are:
  • Yes:
    If the rule matched.
  • No:
    If the rule did not match.
  • N/A:
    If the information was not available during risk evaluation.
Negative Country Check
Whether the Negative Country Check rule matched. The possible values are:
  • Yes:
    If the rule matched.
  • No:
    If the rule did not match.
  • N/A:
    If the information was not available during risk evaluation.
Device MFP Match
Whether the Device MFP Match rule matched. The possible values are:
  • Yes:
    If the rule matched.
  • No:
    If the rule did not match.
  • N/A:
    If the information was not available during risk evaluation.
Trusted IP/Aggregator Check
Whether the Trusted IP/Aggregator Check rule matched. The possible values are:
  • Yes:
    If the rule matched.
  • No:
    If the rule did not match.
  • N/A:
    If the information was not available during risk evaluation.
Untrusted IP Check
Whether the Untrusted IP Check rule matched. The possible values are:
  • Yes:
    If the rule matched.
  • No:
    If the rule did not match.
  • N/A:
    If the information was not available during risk evaluation.
User Velocity Check
Whether the User Velocity Check rule matched. The possible values are:
  • Yes:
    If the rule matched.
  • No:
    If the rule did not match.
  • N/A:
    If the information was not available during risk evaluation.
DeviceID Known
Whether the Device ID Known rule matched. The possible values are:
  • Yes:
    If the rule matched.
  • No:
    If the rule did not match.
  • N/A:
    If the information was not available during risk evaluation.
Device Velocity Check
Whether the Device Velocity Check rule matched. The possible values are:
  • Yes:
    If the rule matched.
  • No:
    If the rule did not match.
  • N/A:
    If the information was not available during risk evaluation.
Zone Hopping Check
Whether the Zone Hopping Check rule matched. The possible values are:
  • Yes:
    If the rule matched.
  • No:
    If the rule did not match.
  • N/A:
    If the information was not available during risk evaluation.
User Associated with DeviceID
Whether the User-Device Association was found in the RA database. The possible values are:
  • Yes:
    If the rule matched.
  • No:
    If the rule did not match.
  • N/A:
    If the information was not available during risk evaluation.
Device Details
Device Type
Type of device involved in the transaction.
OS
The operating system on the device that was used to perform the transaction.
Browser
The browser that was used to perform the transaction.
Device ID Status
The status of the Device ID:
  • READ: The Device ID was read from the device.
  • NEW: The Device ID was assigned to the device.
  • REVERSE LOOKUP: The Device ID was determined by matching the input device signature against the device signatures that were successfully associated with the user.
How to View Similar Transactions
The small table at the end of the transaction details enables you to specify filter criteria to extract fine-grained data for similar transactions from the RA database.
Transactions can be further filtered on the basis of the following parameters:
  • Same User Name: (Only Default) By selecting this option, you can extract all transactions that belong to the same user whose data you are currently viewing.
  • Same Device ID: (Default and 3D Secure) By selecting this option, you can extract all transactions done by using the same device that is used for the current transaction details that you are viewing.
  • Same IP Address: (Default and 3D Secure) By selecting this option, you can extract all transactions that have the same IP address as the current transaction details that you are viewing.
  • Same Card Number: (Only 3D Secure) By selecting this option, you can extract all transactions that have been made using the same card number as the current transaction details that you are viewing.
  • Same Merchant: (Only 3D Secure) By selecting this option, you can extract all transactions that have been made at the same merchant as the current transaction details that you are viewing.
  • Same PAN: (Only ATM and POS for Issuer organizations) By selecting this option, you can extract all transactions that belong to the same PAN as the current transaction details that you are viewing.
  • Same Terminal ID: (Only ATM and POS for Acquirer organizations) By selecting this option, you can extract all transactions that were performed from the same terminal as the current transaction details that you are viewing.
  • Transaction Date: By specifying a date range (using the From and To fields), you can further filter all transactions that were performed in the specified time period.
  • Last Transactions: By selecting the required time interval (in minutes), you can further filter all the latest transactions that were performed in the specified interval.
How to View Related Transactions
To view the related transactions:
  1. In the Transaction Details page, select from the following options depending on the channel:
    • Same User Name
    • Same Device ID
    • Same IP Address
    • Same Card Number
    • Same Terminal ID
    • Same Merchant
    • Same PAN
  2. Perform either of the following steps:
    • Enter a date range in the Transaction Date From and To fields.
    • Select the Last Transactions option and then select the latest time interval for which you want to see the related transactions.
  3. Click Show.
    The Transactions Summary page appears, displaying the records that matched the criteria.
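The Same Device ID and Same IP Address pivots described in the two sections above can also be run offline against a CSV file produced with the Export button, which helps when looking for a device or address shared by several users. The following is an added example, not part of the product or its documentation; the column names (assumed to match the Transactions Summary field names), the timestamp format, and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export (not real data). Column names are assumed to match
# the Transactions Summary field names; the timestamp format is assumed too.
SAMPLE_CSV = """Transaction ID,User Name,Device ID,IP Address,Transaction Date,Risk Score,Risk Advice,Fraud Status
1001,alice,DEV-A,198.51.100.7,2024-03-01 10:00:00,20,ALLOW,Undetermined
1002,bob,DEV-X,203.0.113.9,2024-03-01 10:02:00,85,DENY,Undetermined
1003,carol,DEV-X,203.0.113.9,2024-03-01 10:05:00,70,INCREASE AUTHENTICATION,Undetermined
1004,dave,DEV-X,203.0.113.44,2024-03-01 10:20:00,90,DENY,Undetermined
1005,alice,DEV-A,198.51.100.7,2024-03-01 11:30:00,15,ALLOW,Undetermined
1006,erin,DEV-E,203.0.113.9,2024-03-01 09:00:00,65,ALERT,Undetermined
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
# Both spellings of the step-up advice appear in the field tables.
RISKY_ADVICE = {"ALERT", "DENY", "INCREASE AUTHENTICATION", "INCREASEAUTH"}


def load_rows(csv_text):
    """Parse the export into dicts with typed date and score columns."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        row = {k.strip(): (v or "").strip() for k, v in rec.items()}
        row["Transaction Date"] = datetime.strptime(row["Transaction Date"], TS_FORMAT)
        row["Risk Score"] = int(row["Risk Score"])
        rows.append(row)
    return rows


def similar_transactions(rows, reference_id, key, date_from=None, date_to=None):
    """Rows sharing `key` (e.g. "Device ID") with the reference transaction,
    optionally limited to a Transaction Date From/To range, oldest first."""
    ref = next((r for r in rows if r["Transaction ID"] == reference_id), None)
    if ref is None:
        raise KeyError(f"transaction {reference_id} not in export")
    if not ref[key]:
        return []  # a blank pivot value would match every other blank row
    hits = [
        r for r in rows
        if r[key] == ref[key]
        and (date_from is None or r["Transaction Date"] >= date_from)
        and (date_to is None or r["Transaction Date"] <= date_to)
    ]
    return sorted(hits, key=lambda r: r["Transaction Date"])


def shared_pivots(rows, key, min_users=2):
    """Values of `key` used by at least `min_users` distinct users where RA
    returned a non-ALLOW advice: candidates for Mark for Investigation."""
    groups = defaultdict(list)
    for r in rows:
        if r[key]:
            groups[r[key]].append(r)
    findings = []
    for value, members in groups.items():
        users = sorted({m["User Name"] for m in members})
        review = sorted(m["Transaction ID"] for m in members
                        if m["Risk Advice"].upper() in RISKY_ADVICE)
        if len(users) >= min_users and review:
            findings.append({
                "key": key, "value": value, "users": users, "review": review,
                "max_score": max(m["Risk Score"] for m in members),
            })
    return sorted(findings, key=lambda f: (-f["max_score"], f["value"]))


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for key in ("Device ID", "IP Address"):
        for f in shared_pivots(rows, key):
            print(f"{key} {f['value']}: users={f['users']} "
                  f"max_score={f['max_score']} review={f['review']}")
```

The transaction IDs in each finding's review list are the ones to open through the detail link before deciding whether to select them for Mark for Investigation.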
How to Mark Transactions for Further Investigation
After you have analyzed the details of suspect transactions or discovered patterns, you can mark suspect transactions for further investigation by the CSRs. To do so:
  1. Ensure that you are logged in with the required privileges (GA, OA, or Fraud Analyst).
  2. Display the Transactions Summary page, as discussed in How to View Transactions Summary.
  3. Review the transactions that are displayed based on the criteria that you specified.
    See How to View Case Details.
  4. If you want to display similar patterns, follow the steps in How to View Similar Transactions.
  5. Scroll back to the Transactions Summary table.
  6. Select the transactions that you suspect by selecting the check boxes corresponding to the transaction in the table.
  7. Click the Mark for Investigation button to generate cases for the transactions you marked.
    These cases will now appear in the case lists for the CSRs to work on.