Frequently Asked Questions

Definitions

• What is a device?
• What is device recognition?
• What is device reputation?
• What is device risk?
• What is the difference between fraud and abuse?
• What does real-time mean?

What is a device?

In the context of iovation’s device reputation service, a device is any Internet-enabled device that can be used to connect to the online business of one of our customers. Primarily this is a PC running Windows, Linux or MacOS, but it could also be one of a variety of mobile internet devices like a Blackberry, Android or iPhone.

What is device recognition?

Device recognition (commonly referred to as device identification or device fingerprinting) is the technology used to identify and then re-recognize an individual device. Our device print software results in a unique ID that allows our customers to build associations between devices and account information for the purpose of mitigating online fraud and abuse. iovation device print software does not collect PII (personally identifiable information) from the device.

What is device reputation?

Once a device has been uniquely identified, a device reputation can be established based on that device’s positive or negative online activity along with the activity of associated devices. Our device reputation service, iovation ReputationManager 360, combines customizable business rules, fraud and abuse events, risk profiles, device anomalies, and the shared experiences of more than 2,000 fraud analysts worldwide.

What is device risk?

Device risk is different than device reputation. Device reputation indicates a device’s actual history of fraud and abuse, while device risk assesses how likely it is that a device will commit fraud or abuse. In other words, device reputation is fact-based: the result of evidence being placed by a subscriber. Risk is inferential.

What is the difference between fraud and abuse?

Fraud is typically associated with a negative financial impact such as credit card fraud, chargebacks, ACH fraud, debit fraud, loan default and others, while abuse often refers to a negative social, interpersonal impact. Abuse covers cases such as site policy violations, spam, chat abuse, harassment or bullying, profile misrepresentation, scams and solicitions. In all cases abuse can negatively affect the reputation of the online business and iovation customers report these acts so that they can identify and keep repeat offenders off their site for good.

What does real-time mean?

Using iovation ReputationManager 360, real-time means that we provide our customers with the reputation of a device in milliseconds.

Our Solution

• What’s the difference between authentication and fraud management?
• How are you different from the IP Geolocation services that I presently have?
• Are you just a black list?
• Why do we need an additional tool?
• How does iovation help online businesses combat fraud?
• Will my prospects/customers know that I am using iovation?
• Is there any change to the user experience?
• What is the iovation policy on software changes?
• What is the iovation policy on data collection?
• How are the iovation services delivered?

What’s the difference between authentication and fraud management?

Authentication helps verify the identities of users accessing an online service. It is just one component of an effective Fraud Management approach that also includes device recognition, pattern matching, risk scoring, and reputation sharing. Together with Authentication, these capabilities are important parts of a defense-in-depth strategy for fraud and abuse mitigation.

How are you different from the IP Geolocation services that I presently have?

Standard IP Geolocation services report on the country of origin for a given IP address and can also provide risk scores for certain IPs, but they do not identify unique devices or their histories of fraud and abuse. IP Geolocation may be used as an element in device identification in some cases, and is used in an inferential manner to help identify device risk and suspicious activity. iovation's Real IP service, which is a standard component of ReputationManager 360, bypasses proxy IP addresses and goes directly to the source to learn the true IP and geolocation.

Are you just a black list?

No. We are a sophisticated device reputation service that tracks device histories of fraud and abuse as well as associations between devices, accounts and/or transactions. Customers can configure ReputationManager 360 based on fact-based evidence (fraud and abuse types and the subscriber who placed it), integration points (applying unique rule sets at specific website or application touch points such as login, account creation, deposit or withdrawal, checkout, account change, etc.). Our customers can also customize velocity, geography and evidence-based business rules to further help determine transaction risk.

Why do we need an additional tool?

Identity theft is increasingly more common, with a growing black market for stolen credit and identity information. This reduces the effectiveness of traditional fraud detection methods that rely mainly on credit and identity information. Knowing if a bad device is touching your website upfront can often reduce the need for time-consuming and costly additional checks. Device reputation provides an additional method of identifying fraud, using information independent of PII, and provides unique uplift to existing identity-based fraud management tools.

How does iovation help online businesses combat fraud?

With iovation ReputationManager 360, online businesses can:

Identify when a known bad device touches their site

Uncover related accounts and transactions

Evaluate risk based on transaction anomalies

Evaluate risk based on shared experience

Assess risk based on device characteristics and behavior

Customize business rules to deliver optimal results

Will my prospects/customers know that I am using iovation?

We do not change the customer’s experience in any meaningful or visible way.

Is there any change to the user experience?

No, the customer experience does not change.

What is the iovation policy on software changes?

iovation ReputationManager™ development procedures are compliant with the following PCI DSS change control requirements:

6.4.2 Management sign-off by appropriate parties

6.4.3 Testing of operational functionality

6.4.4 Back-out procedures

We do not formally adhere to PCI DSS section 6.4.1, “Documentation of impact”; however, customer impact is carefully considered in regression and functional testing, management sign-off, and implementation and testing of back-out procedures. Further, our Client Integration (CI) environment is always available for subscriber testing. Changes and enhancements to the ReputationManager 360 system are deployed to the CI environment before being deployed to our Production servers. iovation subscribers are notified in advance of upcoming changes so they have an opportunity to test changes in the CI environment.

What is the iovation policy on data collection?

iovation ReputationManager 360 client-side device recognition components, including our JavaScript and Flash elements, do not collect any end-user Personally Identifiable Information (PII) or Nonpublic Personal Information (NPI). Our client-side components do not gather data from existing web form fields or other page elements that might expose non-device transaction details. Only device properties useful for device recognition are collected and returned to iovation through our web service APIs.

How are the iovation Services delivered?

iovation ReputationManager 360 is available as Software as a Service.

Company

• How long have you been in business and what is your global reach?
• How is iovation funded?

How long have you been in business and what is your global reach?

iovation began in 2004 and was founded in the United States. We have over 300 major online brands using iovation ReputationManager 360 across a variety of online vertical markets. More than half of our customers are from financial services, online retail, massively multi-player online gaming (MMO), and online communities such as internet dating sites and social networks.

We have performed 5 billion reputation checks for devices in all countries, process more than 7 million reputation checks per day, and stop 150,000 fraudulent activities every single day.

How is iovation funded?

iovation is a privately-held company. We have received growth capital from Intel Capital, SAP Ventures, EPIC Ventures and European Founders.