LexisNexis Risk Solutions

ThreatMetrix

ThreatMetrix provides best-in-class fraud, identity and authentication services to help digital businesses better distinguish good customers from potential fraudsters in real time, without adding unnecessary friction. Leveraging global intelligence from the Digital Identity Network, ThreatMetrix enables businesses to make more informed fraud and risk decisions.

Features

  • Access crowdsourced, digital Identity intelligence to make better risk decisions
  • End-to-end decision analytics platform for integrated, holistic decisioning
  • Combining risk-based authentication with Strong Customer Authentication strategies
  • Operating on multiple touchpoints across the customer journey
  • Write simple and/or complex rules tailored to individual business needs
  • Advanced device identifiers: cookie-based and algorithmic-based approaches
  • Advanced behavioural analytics to identify behavioural anomalies per user
  • Clear-box approach to machine learning for richer context
  • Case Management tool to segment and prioritize workflow
  • Single portal covering forensics, investigations, rules/models, administration etc

Benefits

  • Recognize up to 95% of returning customers without unnecessary friction
  • Differentiate between trusted and high-risk behaviour in real time
  • Reduce false positives while detecting more fraud
  • Model good customer behaviour on a per user basis
  • Reduce manual review rates
  • Meet evolving regulatory requirements with minimal friction
  • Access integrated step-up authentication solutions for seamless decisioning
  • Harness global, contributory intelligence from multiple industries / geographies
  • Understand the context behind risk decisions
  • Manage complex case-loads with ease and efficiency

Pricing

£0.00 to £0.35 a transaction

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ukenquiry@lexisnexis.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

9 1 1 0 7 9 6 9 8 7 6 3 9 5 4

Contact

LexisNexis Risk Solutions UK Enquiries
Telephone: 02920678555
Email: ukenquiry@lexisnexis.com

Service scope

Software add-on or extension
No
Cloud deployment model
Private cloud
Service constraints
TMX communicates with its customers via RESTful APIs.

Customers are notified in advanced for all scheduled maintenance.
System requirements
TMX is a SaaS model customers require minimal hardware investment.

User support

Email or online ticketing support
Email or online ticketing
Support response times
SLA for support is part of T & C's
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
TMX provides a single support level available 24x7x365.

Support cost is part of T&Cs.

TMX provides both Cloud Support Engineer (included in Support cost) and Technical Account Manager (additional cost).
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Experienced technical consultants are key to assist in design and effective onboarding. Online documentation, Online training, Onsite training are available.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
With every TMX risk assessment, TMX provides an API response in a key-value pair or JSON format. Typically, customers store TMX responses locally as TMX has a data retention period of recent six months.

Upon contract expiry, customers are able to Export events from the TMX Dashboard up to recent six months.
End-of-contract process
To be discussed with the client

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Support is available for Android and iOS.

Both desktop and mobile channels operate silently with the exception that mobile users may be prompted for user permission to gather additional datapoints e.g. Location Services (optional). The end-user's view is the customer's environment and end-users have no access to TMX service.

TMX Javascript tags are deployed on the customer's webpages and TMX SDK libraries are uploaded into the customer's mobile app. Both implementations are required to make a backend API call to TMX for risk assessment. Customers have access to TMX service to influence the risk assessment of the end user's session.
Service interface
Yes
Description of service interface
TMX communicates with its customers via RESTful APIs. Available APIs include:
- Session Query API - used to trigger a risk assessment of a specific event performed by a user
- Attribute Query API - used to obtain information and perform a risk assessment for an entity
- Query API - enables customers to fetch information regarding an event or entity
- Update API - enables customers to provide feedback regarding an event or entity
- Consortium API - used to add, remove and check items to a shared list within a consortium that the customer belongs to
Accessibility standards
None or don’t know
Description of accessibility
N/A
Accessibility testing
N/A
API
Yes
What users can and can't do using the API
TMX communicates with its customers via RESTful APIs.

Customers are required to implement TMX Javascript tags on their webpage/upload TMX SDK libraries into their mobile app, and to make a backend API call to TMX. The customer has full control over which fields are sent via the backend API call to TMX which includes provisions for custom fields.

TMX will provide an API response back to the customer with a TMX risk score, recommended action and TMX reason codes in key-value pair or JSON format.

Once the event has completed, the customer makes a follow-up backend API call to TMX to provide an updated event outcome. TMX will automatically update its system to improve future risk assessments.
API documentation
Yes
API documentation formats
Other
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
TMX communicates with its customers via RESTful APIs.

Within the TMX API call, there are provisions of up to 600+ fields which includes custom fields.

With every engagement, TMX will enter a consulting period with the customer to understand the suitability of fields to be shared. The customer has full control over which fields are sent via the API call to TMX which includes provisions for custom fields.

Scaling

Independence of resources
The TMX architecture is horizontally scaleable and utilises big data components in a live-live configuration across data centres.

Today, the TMX network processes over 40b events annually. The TMX Operations team continuously monitor utilisation with provisions to accommodate peak periods. With every new customer on-boarding, TMX ensures there is adequate headroom for growth with the extension of additional hardware where required.

To date, TMX has achieved 99.9% uptime log over the past 5 years with failover mechanisms of N+2 level redundancy with physical environments, server infrastructure and network systems.

Analytics

Service usage metrics
Yes
Metrics types
Self Service reports are available for administrators
Reporting types
Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Ability to export to PDF and/or CSV file formats. There are provisions for SFTP downloads.
Data export formats
  • CSV
  • Other
Other data export formats
PDF
Data import formats
Other
Other data import formats
To be passed via API call

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Target Availability is 99.9%

SLA on availability and refunds are part of T & Cs.
Approach to resilience
Available on request.
Outage reporting
Email alerts.

Identity and authentication

User authentication needed
Yes
User authentication
Username or password
Access restrictions in management interfaces and support channels
Available on request
Access restriction testing frequency
At least once a year
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
SOC 2 Type 1

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
An information security management system/framework has been built based on the requirements of ISO27001/2, as well as aligning with general best industry practice. A full suite of information security policies, processes, and procedures are in place covering all applicable areas of physical and logical security and are regularly reviewed internally and externally.
Information security policies and processes
The Information Assurance Data Protection team (“IADP”) for RELX Group (parent company to LexisNexis Risk Solutions UK Ltd) has responsibility for setting enterprise-wide policies and procedures pertaining to privacy, compliance, customer credentialing and information security which includes the documentation of the roles and responsibilities of LexisNexis users.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Available on request.
Vulnerability management type
Undisclosed
Vulnerability management approach
Available on request.
Protective monitoring type
Undisclosed
Protective monitoring approach
Available on request.
Incident management type
Undisclosed
Incident management approach
Processes are in place. Available on request

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Pricing

Price
£0.00 to £0.35 a transaction
Discount for educational organisations
No
Free trial available
No

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ukenquiry@lexisnexis.com. Tell them what format you need. It will help if you say what assistive technology you use.