LEXISNEXIS RISK SOLUTIONS UK LIMITED

LexisNexis® ThreatMetrix

ThreatMetrix provides best-in-class fraud, identity and authentication services to help digital businesses better distinguish good customers from potential fraudsters in real time, without adding unnecessary friction. Leveraging global intelligence from the Digital Identity Network, ThreatMetrix enables businesses to make more informed fraud and risk decisions.

Features

• Access crowdsourced, digital Identity intelligence to make better risk decisions.
• End-to-end decision analytics platform for integrated, holistic decisioning.
• Combining risk-based authentication with Strong Customer Authentication strategies.
• Operating on multiple touchpoints across the customer journey.
• Write simple and/or complex rules tailored to individual business needs.
• Advanced device identifiers: cookie-based and algorithmic-based approaches.
• Advanced behavioural analytics to identify behavioural anomalies per user.
• Clear-box approach to machine learning for richer context.
• Case Management tool to segment and prioritise workflow.
• Single portal covering forensics, investigations, rules/models, administration etc.

Benefits

• Recognize up to 95% of returning customers without unnecessary friction.
• Differentiate between trusted and high-risk behaviour in real time.
• Reduce false positives while detecting more fraud.
• Model good customer behaviour on a per user basis.
• Reduce manual review rates.
• Meet evolving regulatory requirements with minimal friction.
• Access integrated step-up authentication solutions for seamless decisioning.
• Harness global, contributory intelligence from multiple industries / geographies.
• Understand the context behind risk decisions.
• Manage complex case-loads with ease and efficiency.

£0.01 a transaction

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at kirsten.tedder@lexisnexisrisk.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

345394560341576

Contact

UK Enquiries
02920678555
kirsten.tedder@lexisnexisrisk.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: ThreatMetrix communicates with its customers via RESTful APIs.; ; Customers are notified in advanced for all scheduled maintenance.
• System requirements: ThreatMetrix is a SaaS model customers require minimal hardware investment.

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: SLA for support is part of T & C's
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Support is available 24x7x365 and cost is included in the Ts & Cs.; We provide both Cloud Support Engineer (included in Support cost) and a Technical Account Manager (additional cost).
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Experienced technical consultants are key to assist in design and effective onboarding. Online documentation, Online training, Onsite training are available.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: With every ThreatMetrix risk assessment, ThreatMetrix provides an API response in a key-value pair or JSON format. Typically, customers store responses locally as ThreatMetrix has a data retention period of recent six months. ; ; Upon contract expiry, customers are able to Export events from the ThreatMetrix Dashboard up to recent six months.
• End-of-contract process: To be discussed with the client.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Support is available for Android and iOS. ; ; Both desktop and mobile channels operate silently with the exception that mobile users may be prompted for user permission to gather additional datapoints e.g. Location Services (optional). The end-user's view is the customer's environment and end-users have no access to the ThreatMetrix service.; ; ThreatMetrix Javascript tags are deployed on the customer's webpages and SDK libraries are uploaded into the customer's mobile app. Both implementations are required to make a backend API call to ThreatMetrix for risk assessment. Customers have access to ThreatMetrix service to influence the risk assessment of the end user's session.
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: ThreatMetrix communicates with its customers via RESTful APIs. Available APIs include:; - Session Query API - used to trigger a risk assessment of a specific event performed by a user; - Attribute Query API - used to obtain information and perform a risk assessment for an entity ; - Query API - enables customers to fetch information regarding an event or entity; - Update API - enables customers to provide feedback regarding an event or entity; - Consortium API - used to add, remove and check items to a shared list within a consortium that the customer belongs to
• Accessibility standards: None or don’t know
• Description of accessibility: N/A
• Accessibility testing: N/A
• API: Yes
• What users can and can't do using the API: ThreatMetrix communicates with its customers via RESTful APIs.; ; Customers are required to implement ThreatMetrix Javascript tags on their webpage/upload SDK libraries into their mobile app, and to make a backend API call to ThreatMetrix . The customer has full control over which fields are sent via the backend API call to ThreatMetrix which includes provisions for custom fields. ; ; ThreatMetrix will provide an API response back to the customer with a risk score, recommended action and reason codes in key-value pair or JSON format. ; ; Once the event has completed, the customer makes a follow-up backend API call to ThreatMetrix to provide an updated event outcome. ThreatMetrix will automatically update its system to improve future risk assessments.
• API documentation: Yes
• API documentation formats: Other
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: ThreatMetrix communicates with its customers via RESTful APIs. ; ; Within the API call, there are provisions of up to 600+ fields which includes custom fields. ; ; With every engagement, we will enter a consulting period with the customer to understand the suitability of fields to be shared. The customer has full control over which fields are sent via the API call to ThreatMetrix which includes provisions for custom fields.

Scaling

• Independence of resources: The ThreatMetrix architecture is horizontally scalable and utilises big data components in a live-live configuration across data centres. ; ; Today, the ThreatMetrix network processes over 96b events annually. The Operations team continuously monitor utilisation with provisions to accommodate peak periods. With every new customer on-boarding, we ensure there is adequate headroom for growth with the extension of additional hardware where required.; ; ThreatMetrix has failover mechanisms of N+2 level redundancy with physical environments, server infrastructure and network systems.

Analytics

• Service usage metrics: Yes
• Metrics types: Self Service reports are available for administrators
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • European Economic Area (EEA)
  • Other locations
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Physical access control, complying with SSAE-16 / ISAE 3402
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Ability to export to PDF and/or CSV file formats. There are provisions for SFTP downloads.
• Data export formats:
  • CSV
  • Other
• Other data export formats: PDF
• Data import formats: Other
• Other data import formats: To be passed via API call

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Target Availability is 99.9%
• Approach to resilience: Our data centres operate in a hot-active setup, providing failover capability for resilience and service continuity.
• Outage reporting: Email alerts.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: A Least Privilege principle is in place and governs how an individual should only be granted access to those objects, resources, and data that are necessary for the user to do their job.
• Access restriction testing frequency: At least once a year
• Management access authentication: Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Avertium, LLC
• PCI DSS accreditation date: 27/10/2023
• What the PCI DSS doesn’t cover: Threatmetrix is covered by PCI DSS certification.
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: SOC 2 Type 2

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: SOC 2 Type 2
• Information security policies and processes: An information security management system/framework has been built based on the requirements of ISO27001/2, as well as aligning with general best industry practice. A full suite of information security policies, processes, and procedures are in place covering all applicable areas of physical and logical security and are regularly reviewed internally and externally.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: LexisNexis maintains strict policies and procedures for change control and management of computer hardware and software. Prudent configuration management and change control processes must be followed for all software and systems development and maintenance activities performed on Company computer systems and networks. Proper configuration management and change control are essential to ensure that high levels of reliability, availability and serviceability are maintained within Company computer systems and networks and that security controls cannot be circumvented.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: To help mitigate the risk associated with vulnerabilities on external and internal computer systems, LexisNexis Information Security will perform a range of vulnerability assessment services. Vulnerability scans for networked systems occur frequently. Information Security will oversee the assessment and reporting process.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Security event log monitors alert our systems staff of suspicious events. Logs are directed to a Security information and Event manager (SIEM) and used for reporting, correlation, and analysis. Time is synchronized across computer and network systems so that events may be correlated. LexisNexis has a dedicated Security Operations Centre (SOC) who are available 24/7 to respond to real-time events and investigate or escalate as appropriate.
• Incident management type: Supplier-defined controls
• Incident management approach: There are documented corporate information security incident response procedures in place to guide response activities in the event of a security incident and breach response. Policies and procedures are in place to ensure timely and appropriate consumer and customer notifications.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  At LexisNexis Risk Solutions (LNRS), a wholly owned subsidiary of RELX Group plc, we're committed to reducing our environmental footprint and achieving carbon neutrality. RELX are a signatory to the Climate Pledge net zero commitment, rated as “A-“ in the CDP climate programme, named as a Climate Leader by the Financial Times, rated “AAA” in the MSCI ESG index and ranked first in our sector for ESG by Sustainalytics. LNRS is externally certified to the ISO14001 environmental management system standard. Additionally, RELX have set ambitious environmental goals, aiming to achieve 17 United Nations Sustainable Development Goals by 2030 and net zero emissions by 2040. ; In delivering our products and services, we recognise our environmental impact in areas such as carbon emissions, energy and water usage. To address these challenges, we’ve implemented strategies to consolidate our office spaces and promote sustainable travel. We've made significant strides in reducing emissions throughout our value chain which resulted in a 17% decrease in Scope 1 emissions in FY23. Within our organisation we are actively promoting educational initiatives around net zero carbon events and improve recycling of electronic goods. ; For more information, please see: ; https://www.relx.com/corporate-responsibility/being-a-responsible-business/environment; https://stories.relx.com/relx-environmental-challenge/index.html; https://www.relx.com/~/media/Files/R/RELX-Group/documents/reports/annual-reports/2023-ar-sections/relx-2023-corporate-responsibility.pdf

  Covid-19 recovery

  LexisNexis Risk Solutions (LNRS) business continuity programme includes plans to ensure readiness through disruptions including pandemics. During the Covid-19 pandemic 97% of LNRS staff worked remotely with no appreciable impact on the delivery of products and services. As a global organisation with different locations around the world, many of the employees in our workforce routinely work remotely either full-time or part-time. We ensure that our remote colleagues remain integrated and connected, avoiding silos in our communication and collaboration efforts.

  Tackling economic inequality

  At LexisNexis Risk Solutions, we recognise the importance of tackling economic inequality and our impact on the communities we serve. Our products and services align with SDG 16 (Peace, Justice and Strong Institutions) and SDG 10 (Reduced Inequalities), among others. Our solutions facilitate access to essential government benefits for citizens, combat fraud across various sectors and government levels, and aid law enforcement in ensuring community safety. ; ; We take pride in our people, and in cultivating an inclusive workplace with diversity that reflects our customers and communities. We are a UK living wage accredited employer, and we ensure all employees receive fair wages. We are committed to equal pay and have policies in place to pay employees fairly for the role they do, irrespective of their gender, race, or any other protected characteristic as governed by law. ; ; Our corporate social responsibility report highlights our commitment to implementing strategies and initiatives aimed at creating fair opportunities and promoting financial empowerment for all employees. We also recognise the importance of facilitating the growth of future talent and offer internships in partnership with Brunel University and a sales apprenticeship programme aimed at nurturing diverse talent from ethnically diverse and lower socioeconomic backgrounds. ; ; For more information, please see:; https://www.relx.com/~/media/Files/R/RELX-Group/documents/responsibility/additional-resources/2023/2022-23-B4SI-assurance-statement.pdf; ; https://www.relx.com/~/media/Files/R/RELX-Group/documents/responsibility/additional-resources/2023/2023-24-cr-objectives.pdf

  Equal opportunity

  At LexisNexis Risk Solutions (LNRS), we are passionate about making a positive impact on society and customers. We understand that people value a sense of real purpose at work: knowing that their actions are contributing toward something positive for themselves, their colleagues, their customers, the environment, and society. Our group strives to be a great place to work, where people feel valued and have equal access to opportunities and pay balance, regardless of gender or gender identity, national origin, race, ethnicity, religion, sexual orientation, age and/or disability status. We do not tolerate discrimination, prejudice or hate on any level, and consistently evaluate our processes and procedures to ensure that we perpetuate a mosaic culture. Inclusion and diversity are important to our future. We value diverse perspectives and recognise the importance of collaboration to achieve real innovation for our customers around the world, and to be more resilient, adaptable and successful. Inclusion and diversity are important to our future. As an equal opportunity employer, we are committed to freedom of association and treating all employees and applicants with respect and dignity.; Please see:; https://www.relx.com/corporate-responsibility/being-a-responsible-business/people; https://www.relx.com/~/media/Files/R/RELX-Group/documents/responsibility/policies/relx-inclusion-diversity-2022.pdf

  Wellbeing

  At LexisNexis Risk Solutions (LNRS), we prioritise wellbeing by taking a holistic approach to mental health and overall wellness. We provide various resources and tools to support our colleagues, including an employee assistance programme, mindfulness training and resources, and access to wellbeing toolkits and programmes. Our Thrive Wellbeing programme has been running since 2017 and supports employees in various aspects of their lives. Our programme encompasses topics associated with physical health, mental health, finances and community. We have expanded the scope of the programme and now address more sensitive subjects such as baby loss, suicide prevention, menopause awareness with the aim of reducing associated stigma.; Creating a culture that values mental health requires efforts at all levels of the organisation. We train our leaders to be aware of mental health issues so they can identify signs of poor mental health among their teams and have open conversations.; We believe that work-life balance is essential for overall wellbeing. Our goal is to create a meaningful workplace where individuals can pursue their career goals while maintaining harmony in their personal lives. Through purposeful conversations between leaders and employees about challenges both at work and in personal life (circumstances impacting work performance); we strive to strike this balance effectively. ; We have over 130 Employee Resource Groups (ERGs) which encourage colleagues to collaborate, advocate and engage communities, furthering wellbeing through building relationships and driving a sense of purpose. We also provide an opportunity for employees to take two days paid time-off per year for ERG-sponsored activities.

Pricing

• Price: £0.01 a transaction
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at kirsten.tedder@lexisnexisrisk.com. Tell them what format you need. It will help if you say what assistive technology you use.