Passing six-digit BINs can result in no match being generated when
there are multiple possible matches. We recommend that you update your systems to
pass eight-digit BINs as soon as possible.
Security Updates | REST and Simple Order API
Three security requirements are mandated for completion beginning February 28, 2024. To avoid
service interruptions, ensure that your systems are up to date to comply with these
requirements:
- REST API Digest Parentheses Removal (REST HTTP Signature): Cybersource API calls using HTTP Signature authentication must adhere to industry standards and will no longer support the use of parentheses within the HTTP header. This requirement will be implemented in Production by April 22, 2024.
- Default Password p12 Keys (Simple Order API, REST JWT, Batch Upload, Account Updater Batch Upload): All Cybersource-issued P12 keys created after the implementation date will be secured with a password set by the user during key generation within the Cybersource Business Center. This password will not be stored within Cybersource systems and must be securely stored by the user to open the key file or for use with your API implementation. This requirement will be implemented in Production on February 28, 2024.
- SHA 256 Envelope p12 Keys (Simple Order API, REST JWT): P12 keys will be generated with an enhanced HmacPBESHA-256 algorithm. This can cause older SDKs or operating systems to be unable to access the key. This requirement will be implemented in Production on February 28, 2024.
For more information on these updates, read the Support Center article here.
Payer Authentication | New Visa Secure Mandate
Beginning August 12, 2024, an update to the Visa Secure program requires additional data
fields and will affect users of the Payer Authentication REST and Simple Order APIs. The
update is designed to enhance data quality monitoring and fraud dispute rights. There are no
changes to API validation rules at this time. Failure to send these fields will not result
in transaction failure; however, Visa Secure will consider them missing data.
The newly required data fields only apply to standard Visa Secure EMV® 3-D Secure payment
transactions. Non-payment transactions and 3DS requestor-initiated transactions will not
require these additional data fields as part of the mandate. Note that while some of the
mandated Visa Secure data fields also apply to the Digital Authentication Framework (DAF),
the DAF data requirements are managed separately.
Key Changes:
- The Visa Secure Program Guide, which supplements the core Visa rules, will require users of Payer Authentication to include additional data fields in the authentication request message, also known as the enrollment request. These fields, which are already supported and recommended, were previously labeled as required conditional, and will now be mandatory.
- The Visa Secure Program Guide will be amended to assess only authorization data to determine fraud dispute rights, effective April 15, 2024.
Required Browser Fields
These fields are required for browser-based transactions.
REST API
- deviceInformation.httpBrowserScreenHeight
- deviceInformation.httpBrowserScreenWidth
Simple Order API
- billTo_httpBrowserScreenHeight
- billTo_httpBrowserScreenWidth
Required In-App Field
This field applies only to transactions that are sent using the Software Development Kit
(SDK). When you send this field using the SDK, Cardinal Commerce collects that information
automatically.
REST API
- deviceInformation.ipAddress
Simple Order API
- billTo_ipAddress
Required Cardholder Fields
These fields are required, except in countries for which they do not exist.
REST API Fields
- orderInformation.billTo.email
- orderInformation.billTo.firstName
- orderInformation.billTo.lastName
Simple Order API Fields
- billTo_email
- billTo_firstName
- billTo_lastName
Recommended Cardholder Fields
These fields are recommended, except in countries for which they do not exist.
REST API Fields
- orderInformation.billTo.address1
- orderInformation.billTo.administrativeArea
- orderInformation.billTo.country
- orderInformation.billTo.locality
- orderInformation.billTo.postalCode
Simple Order API Fields
- billTo_country
- billTo_city
- billTo_postalCode
- billTo_street1
- billTo_state
Required Phone Fields
At least one of the following fields is required.
REST API Fields
- orderInformation.billTo.phoneNumber
- buyerInformation.mobilePhone
- buyerInformation.workPhone
Simple Order API Fields
- billTo_phoneNumber
- payerAuthEnrollService_mobilePhone
- payerAuthEnrollService_workPhone
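As an added example (not Cybersource code), the following Python check walks a REST API enrollment request and reports which of the mandated fields listed above are absent, treating the three phone fields as an any-of group and the recommended address fields as warnings; the request dictionary is a constructed sample.

```python
# Added example, not Cybersource code: pre-flight check that a REST API payer
# authentication enrollment request carries the Visa Secure mandated fields, so
# gaps are caught before sending instead of being counted as missing data.
from typing import Any

REQUIRED_CARDHOLDER = (
    "orderInformation.billTo.email",
    "orderInformation.billTo.firstName",
    "orderInformation.billTo.lastName",
)
REQUIRED_BROWSER = (
    "deviceInformation.httpBrowserScreenHeight",
    "deviceInformation.httpBrowserScreenWidth",
)
REQUIRED_IN_APP = ("deviceInformation.ipAddress",)
PHONE_ANY_OF = (  # at least one of these must be present
    "orderInformation.billTo.phoneNumber",
    "buyerInformation.mobilePhone",
    "buyerInformation.workPhone",
)
RECOMMENDED = (
    "orderInformation.billTo.address1",
    "orderInformation.billTo.administrativeArea",
    "orderInformation.billTo.country",
    "orderInformation.billTo.locality",
    "orderInformation.billTo.postalCode",
)

def _present(request: dict, path: str) -> bool:
    """Walk a dotted field path; a missing key, None or "" counts as absent."""
    node: Any = request
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return node not in (None, "")

def check_visa_secure_fields(request: dict, channel: str = "browser"):
    """Return (missing_required, missing_recommended) for a 'browser' or 'sdk' request."""
    if channel not in ("browser", "sdk"):
        raise ValueError("channel must be 'browser' or 'sdk'")
    device = REQUIRED_BROWSER if channel == "browser" else REQUIRED_IN_APP
    required = [p for p in REQUIRED_CARDHOLDER + device if not _present(request, p)]
    if not any(_present(request, p) for p in PHONE_ANY_OF):
        required.append("one of: " + ", ".join(PHONE_ANY_OF))
    recommended = [p for p in RECOMMENDED if not _present(request, p)]
    return required, recommended

# Constructed sample: screen width and every phone field are omitted on purpose.
SAMPLE_REQUEST = {
    "deviceInformation": {"httpBrowserScreenHeight": "1080"},
    "orderInformation": {"billTo": {"email": "jane@example.com", "firstName": "Jane",
                                    "lastName": "Doe", "country": "US", "postalCode": "94105"}},
}
```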
Merchant Data Quality Best Practices
The following practices are recommended for best results.
- Ensure that the checkout page is designed to collect the required and priority EMV 3-D Secure data elements and to take required actions to populate any missing data fields.
- Ensure that data sent through EMV 3-D Secure is authentic and accurate at the time of the transaction.
- Ensure that the 3-D Secure method URL is invoked and completed before sending an authentication request.
Payer Authentication Data Collection Implications
The required browser fields are collected by Device Data Collection (DDC). Payer Authentication
already requires the cardholder name, email address, and billing address. The common
device identification parameters are handled by the Cardinal SDK.
Merchants must include the cardholder phone number in enrollment requests in order to
satisfy the mandate. If the cardholder phone number is not included in a transaction, the
transaction will not fail, but the Visa Secure Program will monitor it as having missing
data.