How does it work?

The process is divided into 2 steps:

  1. Getting custom DCB Protect kit
  2. Checking if a transaction is authentic

For each step, you need to sign your call with 2 parameters named ts and s.

As you can see, DCB Protect follows a KISS principle.

Getting custom DCB Protect kit

You can choose between two ways to get our DCB Protect Kit installed on the pages you want to protect.

1/ By generating the full script to insert it directly in the page’s source code.

Or

2/ By generating a token and loading the script as an external resource.

Solution 1 is advised to maximise security and to address all kinds of services, including those running through Android WebViews.

Moreover, with the first solution, you can add 3 custom parameters which can be found later on your dashboard.

Custom parameters are named:

  • arg1
  • arg2
  • arg3

If you want to use these parameters, you have to set them BEFORE including the DCB Protect Kit in your web page (as done in the example).

By generating the full script to insert it directly in the page’s source code

URL: https://api.dcbprotect.com/<your_username>/script
HTTPS is recommended for security reasons; if latency is a main concern, HTTP can be used.

Parameters:

  • ti (aka transaction id): A unique identifier of the transaction that allows you to identify it (128 characters maximum). This information has to be saved for the next steps.
  • ru (aka redirect url): The URL used to redirect when it’s ok
  • rfu (aka redirect fraud url): The URL used to redirect when it’s fraud
  • ts (aka timestamp): Current timestamp
  • s (aka signature): The signature following this process

In return, you’ll receive, in JSON format:

  • t (aka token): A unique identifier of the kit used related to your transaction identifier.
  • s (aka script): The JavaScript which has to be added in your web page between <script></script> tags

Example

:: call ::

http://api.dcbprotect.com/evina/script?ti=MyUniqueTransactionId&ts=484610400&ru=http%3A%2F%2Fgoogle.fr&rfu=http%3A%2F%2Flemonde.fr&s=c3ec302ed3d8334951fbbce0f55e0cd1c24c20b6

:: answer ::

{
"t": "39624416359cd4d722e4f8899243865",
"s": "......"
}

N.B.: Now, you can add your anti-fraud kit into your web page easily:
<script type="text/javascript">// -- SCRIPT HERE -- </script>

By generating a token and loading the script as an external resource

URL: https://api.dcbprotect.com/<your_username>/token
HTTPS is recommended for security reasons; if latency is a main concern, HTTP can be used.

Parameters:

  • ti (aka transaction id): A unique identifier of the transaction that allows you to identify it (128 characters maximum). This information has to be saved for the next step.
  • ru (aka redirection url): The URL used for redirection when it’s ok
  • rfu (aka redirection fraud url): The URL used for redirection when it’s fraud
  • ts (aka timestamp): Current timestamp
  • s (aka signature): The signature following this process

In return, you’ll receive, in JSON format:

  • t (aka token): A unique identifier of the kit used related to your transaction identifier.

Example

:: call ::

https://api.dcbprotect.com/evina/token?ti=MyUniqueTransactionId&ts=484610400&te=.secured-billing-button&s=c3ec302ed3d8334951fbbce0f55e0cd1c24c20b6

:: answer ::

{
"t": "39624416359cd4d722e4f8899243865"
}

N.B.: Now, you can add your anti-fraud kit into your web page easily:
<script src="http://script.dcbprotect.com/39624416359cd4d722e4f8899243865/kit.js"></script>

Checking if a transaction is authentic

URL: https://api.dcbprotect.com/<your_username>/check
HTTPS is recommended for security reasons; if latency is a main concern, HTTP can be used.

Parameters:

  • ti (aka transaction id): Same parameter sent to the token API
  • ts (aka timestamp): Current timestamp
  • s (aka signature): The signature following this process

In return, you’ll receive, in JSON format:

  • as (aka authenticity score): An authenticity detection score valued between 0 and 100 (0=not authentic, 100=fully authentic)
  • ft (aka fraud type): There are multiple forms of fraud detected by our kit. You can find fraud codes in the annex
  • oo (aka our opinion): Can be 0 (not authentic) or 1 (authentic)

Example

:: call ::

http://api.dcbprotect.com/evina/check?ti=MyUniqueTransactionId&ts=1436133600&s=4d0d7ec5df0c9b46e3671d3c97b67bc98628ca88

:: answer ::

{
"as": "10",
"ft": "2006",
"oo": "0"
}

Signature

Your API calls need to be signed.
The signature has to be set in lowercase in the parameter s.
Details on how the signature is created are provided during the integration phase.
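
An added example, not DCB Protect's own code: server-side handling of the check step that builds the signed call over HTTPS and treats any malformed or out-of-range answer as not authentic. The function names, the caller-supplied `sign` callable (the real signature scheme is not given on this page) and the `min_score` threshold are assumptions.

```python
import json
import time
from urllib.parse import urlencode, quote

API_BASE = "https://api.dcbprotect.com"  # HTTPS, as the page recommends
MAX_TI_LEN = 128                         # limit the page states for ti


def build_check_url(username, ti, sign, now=None):
    """Build a signed /check URL. `sign` is a hypothetical caller-supplied
    callable; the real scheme is provided during the integration phase."""
    if not ti or len(ti) > MAX_TI_LEN:
        raise ValueError("ti must be 1..128 characters")
    ts = str(int(time.time() if now is None else now))
    params = {"ti": ti, "ts": ts}
    params["s"] = sign(params).lower()   # s has to be sent in lowercase
    return f"{API_BASE}/{quote(username, safe='')}/check?{urlencode(params)}"


def parse_check_answer(body, min_score=50):
    """Return (authentic, detail). Anything unexpected fails closed.
    min_score is an assumed local policy threshold, not a vendor value."""
    try:
        data = json.loads(body)
        score = int(data["as"])          # values arrive as JSON strings
        opinion = str(data["oo"])
        fraud_type = str(data.get("ft", ""))
    except (ValueError, KeyError, TypeError):
        return False, {"error": "malformed answer"}
    if not 0 <= score <= 100 or opinion not in ("0", "1"):
        return False, {"error": "out-of-range answer"}
    authentic = opinion == "1" and score >= min_score
    return authentic, {"as": score, "ft": fraud_type, "oo": opinion}


if __name__ == "__main__":
    # Constructed sample answer in the shape of the page's /check example.
    print(parse_check_answer('{"as": "10", "ft": "2006", "oo": "0"}'))
```

Requiring both oo and the score threshold keeps a single unexpected field from approving a transaction on its own.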