
Data collection to detect fraud

Learn more about the types of data you can collect using Web integrations, and how Protect uses that data to detect and mitigate fraud.

Learn how data collection works, what data is collected and how this data is used to help detect fraud. Find out what you need to consider depending on which type of Web integration you have built, and how to optionally add the data collection SDK to other pages in your website.

Requirements

Before you begin, take into account the following requirements and limitations.

Requirement | Description
Integration type | Make sure that you have built an online payments integration for Web.
Supported integrations where data is collected and sent automatically:
Supported integrations that require additional configuration:
  • Web API only
  • Any Web integration where you want to collect data from pages other than your checkout page.
Limitations | If you use an API-only integration for Web, and process raw card data, you must make sure that you have met the additional PCI compliance requirements.
Setup steps | Before you begin, make sure that you are familiar with the type of Web integration you are using, and that you have considered data privacy.

Data privacy

Because personal data is processed to detect fraudulent payment activity, you have to consider data privacy and adhere to privacy laws.

Before processing any shopper data, make sure that you:

  • Comply with obligations under the applicable privacy laws and regulations. Consult your legal department or an accredited third-party company to understand the data privacy regulations of the countries/regions that you operate in.
  • Understand the requirements. Different jurisdictions may require different actions. For example, under European regulations, you are required to ask for your customer’s consent to process their data, and you have to be transparent about the use of that data. You can clarify how data is processed in your privacy and cookie statement. For example, when a shopper lands on the checkout page, your company's privacy policy could pop up and show a consent checkbox or button. It is your responsibility to keep track of the shoppers who have given consent.

How it works

Adyen collects data about how shoppers interact with and use the payment form. Protect then uses this data to detect fraudulent payment activity, analyze usage patterns, and mitigate fraud.

When you use our Web Drop-in or Components or the Custom Card Component for Web to build your checkout experience, or when you are using Hosted Checkout, data is automatically collected from the checkout page and sent to Adyen.

When you have built an API-only integration for Web, and have created your own checkout page, you can add a script that calls our standalone data collection SDK to collect the same data, retrieve the data, and then send it to Adyen in the payment request. See Configure data collection for API only for more details.

For all Web integrations, you can optionally add the data collection script to pages other than your checkout page to collect more data.

How Protect uses the data

To detect fraud, and to mitigate the effects of potential fraudulent activity, our latest risk engine uses the data that is collected.

This includes the following data:

  • Device characteristics: for example the shopper's browser type, screen size, and device type.
  • Activity information: for example if credit card details were copied and pasted into the payment form, and the time between payment requests.

The anonymized data may be used across customers to determine if a transaction is legitimate. Adyen does not use this data for anything other than detecting and mitigating fraud, and does not share or use this information for marketing purposes. For more details, see Adyen's privacy statement.

This data is one of the sources to help detect and mitigate fraud. To use Protect, you have to set up risk, and configure at least one risk profile.

Data collected by the SDK

The following data is collected:

Data category | Example | Domain | Purpose | Lifetime
Cookie | _RP_UID | checkoutshopper-live.adyen.com | This cookie is used to track users, and helps identify suspicious browsing and/or purchasing activity. | 30 days in the browser
Device information | Attributes about the users' device. For example Browser Type, Device Model, IP Address, Operating System, User Agent and other information. | Checkout API | Collecting device information helps identify suspicious user behavior or transaction patterns. | Indefinite
Behavior information | How much time a shopper spent on the checkout page, if they copied and pasted payment details, and how long it took the shopper to complete certain actions like filling in a field. | Checkout API | Collecting behavior information lets Adyen analyze and identify suspicious user behavior and transaction patterns. | Indefinite

Configure data collection for Drop-in and Components

Risk data collection is included in the Adyen checkout configuration, and is turned on by default when you build your integration with Web Drop-in or Components, the Custom Card Component or Hosted Checkout. It is a separate setting that is independent of your Protect configuration.

It is possible to turn off risk data collection, but this increases the chance that you will be exposed to and experience fraud.

To configure risk data collection, include the following in the AdyenCheckout configuration:

Parameter | Description
risk.enabled | Indicates if you are collecting and sending risk data to Adyen. Default: true.

Configuration for risk data collection on Web

    const configuration = {
      environment: 'test',
      clientKey: 'test_...',
      risk: {
        enabled: true // Set to false to not send potential fraud detection data to Adyen.
      }
      // Other global configuration...
    };

Collect additional data outside of the checkout page

In addition to the data that you send when the shopper checks out, you can also optionally collect data to detect fraud outside of the checkout page. We recommend that you collect data about the shopper's activity on every page of your site.

To do this, add the following script to any of your web pages.

Data collection script

    <script src="https://checkoutshopper-live.adyen.com/checkoutshopper/assets/js/datacollection/datacollection.js"></script>

When the shopper checks out, Drop-in or the Component sends all of the data collected by the script to Adyen. This includes the data from the checkout page as well as any data collected from other web pages that contain the script.

Configure data collection for API only

When you have built an API-only integration for Web, and built your own checkout page, you can collect data by following these steps:

  1. Add the script that loads the data collection SDK to the checkout page on your website.
    When a shopper interacts with your checkout page, the SDK is loaded and collects data. The collected data is included in the client data when the shopper pays.
  2. Send the data in the payment request.

Add the script to your checkout page

To add the data collection SDK, add a reference to the following script in your checkout page:

Environment | Refer to
Test | https://checkoutshopper-test.adyen.com/checkoutshopper/assets/js/datacollection/datacollection.js
Live | https://checkoutshopper-live.adyen.com/checkoutshopper/assets/js/datacollection/datacollection.js

Add the reference in the iframe of the page where the shopper enters their payment details.

Example checkout page configuration

    <html>
      <head>
        <title>Your website</title>
      </head>
      <body>
        <p>Your checkout page.</p>
        <!-- Loads the data collection SDK (live environment). -->
        <script type="text/javascript" src="https://checkoutshopper-live.adyen.com/checkoutshopper/assets/js/datacollection/datacollection.js"></script>
        <!-- Submit payment fields over HTTPS only. -->
        <form action="https://www.yourdomain.com/checkout" method="POST">
          <!--
            Your other payment related fields
          -->
          <input type="submit" value="Submit" />
        </form>
      </body>
    </html>

The data is automatically collected and continuously updated. You can optionally add the same reference to the script to other pages in your website and collect data from multiple pages.

To send the data to Adyen, continue with the next step.

Send the data to Adyen

After the data is collected and submitted to your server, you have to include the data in the payment request.

  1. Call the adyenGetData() method to get the data. This method is included in the SDK.
  2. When you make the /payments request, include the data in riskData.clientData.

For example:

Example /payments request

    # CLIENT_DATA is a placeholder for the string that adyenGetData() returned in the
    # browser and that your checkout page submitted to your server.
    curl https://checkout-test.adyen.com/checkout/v71/payments \
      -H 'X-API-key: ADYEN_API_KEY' \
      -H 'content-type: application/json' \
      -d '{
        "amount": {
          "currency": "USD",
          "value": 1000
        },
        "reference": "YOUR_ORDER_NUMBER",
        "paymentMethod": {
          "type": "scheme",
          "encryptedCardNumber": "adyenjs_0_1_18$MT6ppy0FAMVMLH...",
          "encryptedExpiryMonth": "adyenjs_0_1_18$MT6ppy0FAMVMLH...",
          "encryptedExpiryYear": "adyenjs_0_1_18$MT6ppy0FAMVMLH...",
          "encryptedSecurityCode": "adyenjs_0_1_18$MT6ppy0FAMVMLH...",
          "holderName": "S. Hopper"
        },
        "riskData": {
          "clientData": "CLIENT_DATA"
        },
        "returnUrl": "https://your-company.com/...",
        "merchantAccount": "YOUR_MERCHANT_ACCOUNT"
      }'
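
The two API-only steps above, handled on both sides, as an added example that is not Adyen's code: the browser copies the adyenGetData() result into a hidden form field, and the server places it in riskData.clientData. The field name riskClientData, the shopperConsented flag, the length cap and both function names are assumptions made for this illustration.

```javascript
// Added example; riskClientData, shopperConsented, the length cap and both
// function names are assumptions, not part of Adyen's SDK or API.
const MAX_CLIENT_DATA_LENGTH = 16 * 1024; // assumed upper bound

// Browser side: call from the checkout form's submit handler. The form must
// contain <input type="hidden" name="riskClientData">.
function attachRiskData(form, getData = globalThis.adyenGetData) {
  const field = form.elements.riskClientData;
  field.value = '';
  try {
    // The SDK can be missing (script blocked or not loaded); checkout must
    // still submit, just without risk data.
    const value = typeof getData === 'function' ? getData() : '';
    if (typeof value === 'string') field.value = value;
  } catch (err) {
    field.value = '';
  }
  return field.value !== '';
}

// Server side: the posted value comes from the browser, so handle it as an
// untrusted opaque string: bound its size, do not parse or log it.
function buildPaymentsBody(order, posted, shopperConsented) {
  const body = {
    amount: order.amount,
    reference: order.reference,
    paymentMethod: order.paymentMethod,
    returnUrl: order.returnUrl,
    merchantAccount: order.merchantAccount,
  };
  const data = posted.riskClientData;
  const usable = typeof data === 'string' && data.length > 0 &&
    data.length <= MAX_CLIENT_DATA_LENGTH;
  // shopperConsented is the merchant's own consent record for this shopper.
  if (shopperConsented === true && usable) {
    body.riskData = { clientData: data };
  }
  return body;
}
```

When the field is empty, oversized or not a string, the request is still built, only without riskData, so a blocked script never stops a payment.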
