Body

What is Device Fingerprint? 
For over a decade, Cybersource has supported Device Fingerprint (DF) collection natively in Decision Manager. This technology provides dozens of data points that allow merchants to better detect device and network anomalies and improve overall fraud detection capabilities. This technology is easy to use, fast, and reliable; but there are certain changes that are necessary to carry the technology for another ten years. 


What are the benefits of the coming changes?
The upcoming changes to the Cybersource Device Fingerprinting technology will improve device collection accuracy, support more browsers/mobile devices, and ensure a solid technology foundation for the future. Since device collection is often based on a merchant’s customer’s web browser (there are dozens of browsers) or mobile operating system (there are several), external changes and shifts in the industry over the past few years have made device collection more challenging. For example, it’s now popular for browsers to block delivery of third-party cookies, or, has the Flash technology disabled/unsupported by default. These and other similar changes have affected the device collection space, and Cybersource and our partners have identified various changes that need to be updated to ensure future compatibility.

Overview of the changes 
Device Fingerprinting is integrated in different ways, across different platforms, and it’s important to understand if one, all, or some of these changes are needed for a merchant’s checkout experience(s): 

1. Browser-based collection (non-app, non-SDK) 
   • Overview 
     • Merchants will need the latest version of the collection tags.
     • While there are no recent changes to the Device Fingerprint profiling tags, we recommend that merchants review their implementation to ensure they are using the latest versions.
   • Do merchants have to implement the latest JavaScript collection tags?
     • No, but this is highly recommended to ensure best compatibility, troubleshooting, and to leverage future innovations in data collection.  The older, Flash-based tags will continue to function.
   • By when does this need to be done?
     • While there is no date by which this must be completed, it is strongly recommended.
   • What are the benefits?
     • The benefits for the single JavaScript include the reduced calls for specific collection attributes such as “Flash” and “Cookies”. The JavaScript tags do not reference any particular technology, which reduces interaction with the end user’s browser, or the end user’s browsers default security settings.
   • What will happen if merchants do nothing?
     • From a collection perspective in Cybersource’s products, there could be limited information gathered due to specific web technologies being blocked or limited by the end user’s browser. From an end user perspective, certain browsers may push a pop-up or a message to the end user during collection (typically in shopping cart).
   • How can merchants learn more? 
     • Please reference the Device Fingerprint Implementation Guide, which can be accessed through the Business Center and follow the integration steps.
2. SDK based collection (ie. iOS, Android) 
   • Overview
     • Merchants should upgrade to the latest SDK versions (6.0+) to ensure compatibility with certain device vendor mandates.
       • The pre-6.0 versions of the iOS SDK contain an API call (WebUIView) that will no longer be allowed in the Apple App Store.
       • New apps containing WebUIView were not allowed in the App Store after April 2020.
       • Updates to apps containing WebUIView will not be allowed in the App store after December 2020.
       • The announcement on apple.com: https://developer.apple.com/news/?id=12232019b 
     • Do merchants have to upgrade to the newer iOS and Android SDK versions?
       • No. The older versions will continue to function.  However, after December 2020, the AppStore will no longer allow upgrades to apps containing the WebUIView API call, which is present in pre 6.0 versions of the iOS SDK.
     • What are the benefits?
       • The new SDK is designed to be modular, which allows users to choose just the features and capabilities needed for their business.  The result of this design is a lighter-weight version, with a 50-70% size reduction. For example, new sizes would be approx 4MB for iOS SDK and approx 2.2MB for Android, and only a small portion of this needs to be installed on the customer devices.
       • Enhanced Device ID Technology (this is the new device profiling called Strong ID, which leverages cryptographic cookies). 
       • Added attributes surrounding device behavior, including copy/paste, auto-fill, auto-complete, and more.
       • IP6 Support (the new internet protocol developed to deal with the long-anticipated problem of IPv4 address exhaustion). https://en.wikipedia.org/wiki/IPv6
       • The new SDK will have the ability to collect new data such as app install and build Times, whether the app has been modified, and time zone names. 
     • What will happen if merchants do nothing?
       • The older versions will continue to function.  However, after December 2020, the AppStore will no longer allow upgrades to apps containing the WebUIView API call, which is present in pre 6.0 versions of the iOS SDK.
     • How can merchants learn more?
       • See the Device Fingerprint mobile SDK Andoid and iOS Guides, which can be accessed through the Business Center.
3. Enhanced Profiling (utilize SSL Certificates) 
   • Overview
     • With Enhanced Profiling (EP), all profiling requests from the visitor’s browser will be made to a domain that is secured by the merchant’s SSL digital certificates 
   • Do merchants have to implement the Enhanced Profiling?
     • For browser-based collection, it is optional but recommended.
     • For SDK-based collection, it is required.
   • By when does this need to be done?
     • For browser-based collection, there is no date by which this must be completed, although it is strongly recommended.
     • For SDK-based collection, EP is required.
   • What are the benefits?
     • Increases the accuracy of device profiling.
     • Reduces visitor’s potential concerns about third-party content on your website, or requests to a third-party domain.
     • Helps prevent fraudsters from blocking device profiling (fraudsters often write scripts to block 3rd party requests, which prevents profiling. This domain is now the merchant’s and does not appear to be a 3rd party which would trigger the fraudsters’ blocking tactics).
     • Allows merchants to take advantage of the new Strong ID profiling (which uses cryptographic cookies).
   • What will happen if merchants do nothing?
     • Browsers are starting to block device profiling requests which come from a 3rd party (I.e. coming from entities other than the merchant/owner of the site.) Mozilla/firefox has already begun blocking requests, but we are hearing Chrome and others will follow suit shortly.
     • Here is a link to an article about Firefox blocking 3rd party profiling requests: https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/ 
   • How can merchants learn more?
     • See the section on Enhanced Profiling in the DM or DME/ATP User Guides