BIN Length

Passing six-digit Bank Identification Numbers (BINs) can result in no match being generated when there are multiple possible matches. We recommend that you update your systems to pass eight-digit BINs as soon as possible.

REST and Simple Order API Security Updates

There are three security requirements that are mandated for completion beginning February 28th, 2024. To avoid service interruptions, ensure that your systems are up to date to comply with these requirements:
  • REST API Digest Parentheses Removal (REST HTTP Signature): Cybersource API calls using HTTP Signature authentication must adhere to industry standards and will no longer support the use of parentheses within the HTTP header. This requirement will be implemented in Production by March 22, 2024.
  • Default Password p12 Keys (Simple Order API, REST JWT, Batch Upload, Account Updater Batch Upload): All Cybersource-issued P12 keys created after the implementation date will be secured with a password set by the user during key generation within the Cybersource Business Center. This password will not be stored within Cybersource systems and must be securely stored by the user to open the key file or for use with your API implementation. This requirement will be implemented in Production on February 28, 2024.
  • SHA 256 Envelope p12 Keys (Simple Order API, REST JWT): P12 keys will be generated with an enhanced HmacPBESHA-256 algorithm. This may cause older SDKs or operating systems to be unable to access the key. This requirement will be implemented in Production on February 28, 2024.
For more information on these updates, read the Support Center article here.

Payer Authentication | New Visa Secure Mandate

Beginning February 12, 2024, an update to the Visa Secure program will affect users of the Payer Authentication REST and Simple Order APIs. The update is designed to enhance data quality monitoring and fraud dispute rights. There are no changes to API validation rules at this time. Failure to send these fields will not result in transaction failure; however, Visa Secure will consider them missing data.
Key Changes
  • The Visa Secure Program Guide, which supplements the core Visa rules, will require users of Payer Authentication to include additional data fields in the authentication request message, also known as the enrollment request. These fields, which are already supported and recommended, were previously labeled as "required conditional" and will now be mandatory.
  • The Visa Secure Program Guide will be amended to assess only authorization data to determine fraud dispute rights, effective April 15, 2024.

Required Browser Fields

These fields are required for browser-based transactions.
REST API
  • deviceInformation.httpBrowserScreenHeight
  • deviceInformation.httpBrowserScreenWidth
  • deviceInformation.ipAddress
Simple Order API
  • billTo_httpBrowserScreenHeight
  • billTo_httpBrowserScreenWidth
  • billTo_ipAddress
IP Address applies only to transactions that are sent using the Software Development Kit (SDK). When you send the device IP address using the SDK, Cardinal collects that information automatically.

Cardholder Fields

These fields are required, except in countries for which they do not exist.
REST API Fields
  • orderInformation.billTo.address1
  • orderInformation.billTo.administrativeArea
  • orderInformation.billTo.country
  • orderInformation.billTo.email
  • orderInformation.billTo.firstName
  • orderInformation.billTo.lastName
  • orderInformation.billTo.locality
  • orderInformation.billTo.postalCode
Simple Order API Fields
  • billTo_street1
  • billTo_state
  • billTo_country
  • billTo_email
  • billTo_firstName
  • billTo_lastName
  • billTo_city
  • billTo_postalCode

Phone Fields

These fields are required, when available, unless the market or regional mandate restricts sending this information.
REST API Fields
  • orderInformation.billTo.phoneNumber
  • buyerInformation.mobilePhone
  • buyerInformation.workPhone
Simple Order API Fields
  • billTo_phoneNumber
  • payerAuthEnrollService_mobilePhone
  • payerAuthEnrollService_workPhone

Merchant Data Quality Best Practices

The following practices are recommended for best results.
  • Ensure that the checkout page is designed to collect the required and priority EMV 3-D Secure data elements and to take required actions to populate any missing data fields.
  • Ensure that data sent through EMV 3-D Secure is authentic and accurate at the time of the transaction.
  • Ensure that the 3-D Secure method URL is invoked and completed before sending an authentication request.

Payer Authentication Data Collection Implications

The required browser fields are collected by Device Data Collection (DDC). Payer Authentication already requires the cardholder name, email address, and billing address. The common device identification parameters are handled by the Cardinal SDK.
Merchants must include the cardholder phone number in enrollment requests in order to satisfy the mandate. If the cardholder phone number is not included in a transaction, the transaction will not fail, but the Visa Secure Program will monitor it as having missing data.
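
Because missing fields do not fail the transaction, gaps are easy to miss until Visa Secure reports them. The following pre-flight check is an added example, not Cybersource code: it walks a REST enrollment request body and reports which of the fields listed above are absent or blank. The field paths come from this page; the function names, the not_applicable parameter and the sample body are assumptions made for illustration.

```python
# Field paths are the REST API names listed on this page; the helper names,
# the not_applicable parameter and the sample body are constructed.
MANDATED = {
    "browser": ["deviceInformation.httpBrowserScreenHeight",
                "deviceInformation.httpBrowserScreenWidth",
                "deviceInformation.ipAddress"],
    "cardholder": ["orderInformation.billTo." + f for f in (
        "address1", "administrativeArea", "country", "email",
        "firstName", "lastName", "locality", "postalCode")],
    "phone": ["orderInformation.billTo.phoneNumber",
              "buyerInformation.mobilePhone",
              "buyerInformation.workPhone"],
}

def get_path(body, dotted):
    """Walk a dotted path through nested dicts; None if any segment is absent."""
    node = body
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def missing_fields(body, browser_based=True, not_applicable=()):
    """Return {category: [paths]} for mandated fields that are absent or blank.

    not_applicable lists paths that do not exist for the cardholder's country
    or that a regional mandate restricts sending (the caller decides).
    """
    report = {}
    for category, paths in MANDATED.items():
        if category == "browser" and not browser_based:
            continue
        gaps = []
        for path in paths:
            value = get_path(body, path)
            blank = value is None or (isinstance(value, str) and not value.strip())
            if blank and path not in not_applicable:
                gaps.append(path)
        if gaps:
            report[category] = gaps
    return report

# Constructed sample enrollment body (not real cardholder data).
SAMPLE = {
    "deviceInformation": {"httpBrowserScreenHeight": "1080", "ipAddress": "203.0.113.7"},
    "orderInformation": {"billTo": {
        "address1": "1 Example St", "administrativeArea": "", "country": "SG",
        "email": "a@example.com", "firstName": "A", "lastName": "B",
        "locality": "Singapore", "postalCode": "018956",
        "phoneNumber": "6561234567"}},
}
```

Logging the report as a warning at checkout, rather than rejecting the request, matches the mandate's behaviour: the transaction proceeds, and the gap is visible to you before it shows up in Visa Secure's monitoring.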