Implementing ThreatMetrix for a Silent Post Order

ThreatMetrix is a service that anonymously profiles your website visitor’s computer in real time to determine its unique fingerprint – based on over 150 attributes including the TCP/IP packets, operating system, fonts, language, time zone, operating system and browser; it then matches the profile against a global collection of data from the transactions of previously profiled computers.

ThreatMetrix protects merchants by reducing:

  • Lost sales from false negatives
  • Fraud chargebacks and associated fees
  • The number of transactions sent for manual review and, hence, fraud management expense.

To implement ThreatMetrix for a Silent Post order:

  1. Set up an order and extract the session_id from the Paysafe response (see Order Response for the id).
  2. Insert the session_id, along with the org_id from Paysafe, into the profiling HTML.
  3. Insert the profiling HTML into one or more pages of your e-commerce site. For the HTML to be effective, you must insert it into a page that your customer will view for at least 5 seconds.
  4. Because some browsers try to block third-party domains, configure a web server URL redirect so that the objects in the profiling code on can be referenced in your local domain. This enables the maximum number of attributes to be collected. See Redirecting the profile server URL for details.
  5. When your customer visits the page containing the profiling HTML, the ThreatMetrix process is launched, and the resulting profile and score are integrated into the Paysafe risk assessment for that transaction.

Profiling HTML

You can insert the profiling HTML, below, into the pages of your e-commerce site. If you place it at the beginning of the page, profiling can begin sooner, but the page may take longer to render. If you place it at the end of the page, profiling may take slightly longer, but the time taken to render the page will be unaffected.

The profiling HTML contains the dynamic variables: org_id and session_id.

Variable Description
org_id Uniquely identity of the Paysafe account used by ThreatMetrix. Paysafe provides you with this parameter value.
session_id The id in the response to the initial order for which you want to implement ThreatMetrix profiling. See the Order Response for details. For how to use your own session_id value, see the threatMetrixSessionId key in the extendedOptions Object.

Below is an example of the HTML you could insert in your e-commerce site (after you have included actual values for the org_id and session_id).

ThreatMetrix Profiling Tags
Replace 'my_org_id' with your organization id and my_session_id' with a uniquely generated handle
'PAGEID' is only needed for TDCloud, replace 'PAGEID' with a unique ID for that page, if omitted, the default is 1
For production, replace '' with a local URL and configure your web server to redirect to ''
<img src=";session_id=my_session_id&amp;m=2" />
<script src=";session_id=my_session_id&amp;pageid=##PAGEID##">
<object type="application/x-shockwave-flash" data=";session_id=my_session_id" width="1" height="1">
<param name="movie" value=";session_id=my_session_id" />
<param name="wmode" value="transparent" />
<!-- End profiling tags -->

Redirecting the Profile Server URL

In the sample HTML above, all objects refer to the DNS name of the ThreatMetrix profiling server, As a visitor could disable profiling by configuring their web browser to block the domain, in your production environment you should use a local URL instead, and configure your web server to redirect to Many customers also prefer that all objects in their web pages refer only to their own domain.

Configuring redirection is web server–specific, but here are two ways of doing it using Apache (tested with Apache 2.2). Both methods cause the Apache Web server to send an HTTPS REDIRECT reply for any URL path beginning with /fp/ on the host name it is configured for. The calling page remains the same in the customer’s browser; only the URL appearing in the profiling HTML is changed. This reply tells the HTTP client to fetch the new URL instead of the one embedded in the HTML page. Users who view the source of the HTML page itself will not notice that the links are actually redirected to another server. However, tracing tools will still show that a call was being made to an external server.


Ensure that mod_alias is enabled in the Apache configuration. To do so, ensure that the following line is included in the main Apache configuration file (/etc/httpd/conf/httpd.conf on RHEL5):

LoadModule alias_module modules/

On most standard Apache configurations this is the default.

Add the following line to the relevant VirtualHost:

RedirectMatch ^/(fp/.*)$1

Rewrite Module

Ensure that mod_rewrite is enabled in the Apache configuration. To do so, make sure the following line is included in the main Apache configuration file (/etc/httpd/conf/httpd.conf on RHEL5):

LoadModule rewrite_module modules/

On most standard Apache configurations this is the default.

Add the following to the relevant VirtualHost:

RewriteEngine On RewriteRule ^/(fp/.*)$1 [L,R]

Did you find this page useful?