On This Page

Announcements

Passing six-digit BINs can result in no match being generated when there are multiple possible matches. We recommend that you update your systems to pass eight-digit BINs as soon as possible.

JSON Web Token 120-Second Mandate

Merchants who secure their REST API transactions with JSON Web Tokens have 120 seconds after the issued-at time (IAT) to submit the transaction. Transactions sent after 120 seconds will fail.

REST HTTP Signature Best Practices Mandate

Merchants who secure their REST API transactions with HTTP Signature must include all of the required elements. If the required elements are not present, the transactions will fail.

Payer Authentication
 | New Visa Secure Mandate

Beginning August 12, 2024, an update to the Visa Secure program requires additional data fields and will affect users of the Payer Authentication REST and Simple Order APIs. The update is designed to enhance data quality monitoring and fraud dispute rights. There are no changes to API validation rules at this time. Failure to send these fields will not result in transaction failure; however, Visa Secure will consider them missing data.
The newly required data fields apply only to standard Visa Secure EMV® 3-D Secure payment transactions. Non-payment transactions and 3-D Secure requestor-initiated transactions will not require these additional data fields as part of the mandate. Note that while some of the mandated Visa Secure data fields also apply to the Digital Authentication Framework (DAF), the DAF data requirements are managed separately.
Key Changes:
  • The
    Visa Secure Program Guide
    , which supplements the core Visa rules, will require users of Payer Authentication to include additional data fields in the authentication request message, also known as the enrollment request. These fields, which are already supported and recommended, were previously labeled as
    required conditional
     and will now be mandatory.
  • The
    Visa Secure Program Guide
     is amended to assess only authorization data to determine fraud dispute rights, effective April 15, 2024.

Required Browser Fields

These fields are required for browser-based transactions. If you use Secure Acceptance Hosted Checkout, you do not need to send the browser fields. Hosted Checkout collects them automatically.
REST API Fields
  • deviceInformation.httpBrowserScreenHeight
  • deviceInformation.httpBrowserScreenWidth
Simple Order API Fields
  • billTo_httpBrowserScreenHeight
  • billTo_httpBrowserScreenWidth

Required In-App Field

This field applies only to transactions that are sent using the Software Development Kit (SDK). When you send this field using the SDK, Cardinal Commerce collects that information automatically.
REST API Fields
  • deviceInformation.ipAddress
Simple Order API Fields
  • billTo_ipAddress

Required Cardholder Fields

These fields are required except in countries for which they do not exist. An email address is required only when a phone number is not provided.
REST API Fields
  • orderInformation.billTo.email
  • orderInformation.billTo.firstName
  • orderInformation.billTo.lastName
Simple Order API Fields
  • billTo_email
  • billTo_firstName
  • billTo_lastName

Recommended Cardholder Fields

These fields are recommended except in countries for which they do not exist.
REST API Fields
  • orderInformation.billTo.address1
  • orderInformation.billTo.administrativeArea
  • orderInformation.billTo.country
  • orderInformation.billTo.locality
  • orderInformation.billTo.postalCode
Simple Order API Fields
  • billTo_country
  • billTo_city
  • billTo_postalCode
  • billTo_street1
  • billTo_state

Required Phone Fields

At least one of the following fields is required. A phone number is required only when an email address is not provided.
REST API Fields
  • orderInformation.billTo.phoneNumber
  • buyerInformation.mobilePhone
  • buyerInformation.workPhone
Simple Order API Fields
  • billTo_phoneNumber
  • payerAuthEnrollService_mobilePhone
  • payerAuthEnrollService_workPhone

Merchant Data Quality Best Practices

The following practices are recommended for best results.
  • Ensure that the checkout page is designed to collect the required and priority EMV 3-D Secure data elements and to take required actions to populate any missing data fields.
  • Ensure that data that is sent through EMV 3-D Secure is authentic and accurate at the time of the transaction.
  • Ensure that the 3-D Secure method URL is invoked and completed before you send an authentication request.

Payer Authentication Data Collection Implications

The required browser fields are collected by device data collection. Payer Authentication already requires the cardholder name, email address, and billing address. The common device identification parameters are handled by the Cardinal SDK.