Guides
Status Page
Start typing to search…

Antifraud Parameters

Learn how to implement antifraud parameters for card transactions in Uruguay. Includes Device Fingerprint setup for Totalnet and OCA, and CVV verification flow requirements.

Suggest Edit

Some Uruguayan acquirers require additional antifraud parameters during the payment process to validate card transactions. This section describes how to implement Device Fingerprint and CVV verification flows required by Totalnet and OCA.


Totalnet: Device Fingerprint

For merchants integrating with Totalnet, collecting the Device Fingerprint on the checkout page is mandatory. This fingerprint identifies the device and session used during the payment, helping Totalnet’s antifraud system validate transactions before authorization.


📘

The generated fingerprint must be sent in the field
AntifraudData.AntifraudFingerprintId of the Purchase request.


Environment and Org ID

Environmentorg_id
TEST1snn5n9w
PRODUCTIONk8vif92e

HTML implementation example

Insert the following code into the <head> section of your checkout page.
It creates a unique session_id that you must also include in the purchase request.

<head>
  <script
    type="text/javascript"
    src="https://h.online-metrix.net/fp/tags.js?org_id=1snn5n9w&session_id=merchantID123456789">
  </script>
</head>

<body>
  <noscript>
    <iframe
      style="width: 100px; height: 100px; border: 0; position:absolute; top:-5000px;"
      src="https://h.online-metrix.net/fp/tags?org_id=1snn5n9w&session_id=merchantID123456789">
    </iframe>
  </noscript>
</body>

Sending the session ID

Once the fingerprint is generated, send the same session_id value in your purchase request:

{
  "TrxToken": "OT__uy_AJrM-jq7nqEZUiuiTpUzImdM_6Cp7rxT4jiYpVJ8SzQ_",
  "Capture": true,
  "Order": "UY-TOTALNET-001",
  "Amount": 10000,
  "Currency": "USD",
  "TargetCountryISO": "UY",
  "AntifraudData": {
    "AntifraudFingerprintId": "merchantID123456789"
  }
}

Implementation notes

Replace merchantID123456789 with your Totalnet Merchant ID, formatted as visanetuy_pw_### followed by a unique identifier generated for each transaction.
Example: visanetuy_pw_200812311111111

The session_id must be unique for each purchase. Do not reuse it across multiple transactions.

Make sure to place the tags at the beginning of the <head> section of your checkout page.
If the script is loaded later in the HTML or after other scripts, device data collection may fail.



OCA: Device & CVV Flow

For merchants processing transactions through OCA, certain antifraud validations are required to confirm cardholder authenticity and device integrity. These validations can include Device Fingerprint collection and CVV verification, depending on the transaction type and card brand.

OCA’s antifraud system uses the fingerprint to associate the payment attempt with the customer’s device, while the CVV ensures card ownership validation during the first transaction.


Device Fingerprint (for Mastercard)

When processing Mastercard transactions through OCA, it is recommended to collect the Device Fingerprint during checkout. This fingerprint allows OCA’s antifraud system to identify the device used for the transaction and reduce fraud risk.

Include the following function in your checkout form to automatically generate the fingerprint value:

<script type="text/javascript">
  PWCheckout.SetDeviceFingerprint();
</script>

The function returns a fingerprint identifier that you must include in the purchase request. This value is used by OCA to correlate the device with the payment attempt.



Using the fingerprint with tokens

After the fingerprint is generated in your checkout, you must send that value in the purchase request so OCA can associate the device with the transaction. Whether it’s required or not depends on the type of token and payment flow you’re using.

The following table explains each case:

ScenarioToken TypeRequired?Description
One-time purchaseOneTimeToken✅ YesSend the Device Fingerprint value together with the OT token.
Recurring purchase (without CVV)CommerceToken✅ YesInclude both the Recurring token and the Device Fingerprint value.
Purchase with CVVCommerceToken❌ NoThe fingerprint is not required. It will be automatically captured when the customer enters the CVV on the OCA verification page.

💡

OCA automatically generates a fingerprint when the CVV entry form is displayed to the customer.
Merchants only need to send the fingerprint manually for non-CVV or recurring transactions.



CVV requirement

OCA requires CVV validation when a card is used for the first time, or when it is required by the acquirer configuration. After a successful CVV verification, the resulting CommerceToken can be used for subsequent payments without CVV, according to the acquirer’s setup.


CVV flow:

  1. The purchase is created (using TrxToken or CommerceToken).
  2. The API responds with Result = ACTION_REQUIRED and an Action.URL.
  3. The customer is redirected to Action.URL, hosted by OCA, where the CVV is entered.
  4. On that page, OCA automatically captures the device fingerprint; no manual action is required for this flow.
  5. Once the CVV is submitted, OCA validates the transaction and updates the status (APPROVED or REJECTED). Bamboo notifies the merchant through a webhook or via Get Purchase.

🔒

Security note: The CVV is collected only on OCA’s hosted page.
It must never be captured, stored, or transmitted by merchant systems.

Updated about 16 hours ago