Visa Account Updater Merchant Enrollment API

Enables acquirers to automate the manual merchant enrollments and speed up the process.

Authentication Method for VAU Merchant Enrollment API

Security and Authentication Requirements

VAU Merchant Enrollment API uses Two-Way SSL (Mutual SSL) authentication and channel encryption, which requires you to provide a username and password and to install an X.509 security certificate issued by Visa. Test credentials can be obtained online in your Project Dashboard for sandbox testing. Production credentials will be supplied to you as part of production on-boarding. Contact [email protected] for more information or to begin the production on-boarding process.

VAU Merchant Enrollment API is Message Level Encryption (MLE) enabled on VDP. Because the API request and response bodies contain PAN information, the client must encrypt the API request body before calling the API, and must then decrypt the API response body to see the updated PAN information.

More detail and steps about MLE can be found at the VDP link: https://developer.visa.com/pages/encryption_guide

Two-Way SSL

As one of its security protocols, the Visa Developer sandbox secures its connections with clients by means of the Two-Way SSL (Mutual Authentication) method. Refer to the link below to quickly learn how to get credentials to start building with Two-Way SSL.

Visit the Two-way SSL Guide to learn more.

Data Encryption for VAU Merchant Enrollment API request/response

For clients using the VAU Merchant Enrollment API, it is important to understand that some of the sensitive information (e.g. PAN, consumer name) is encrypted by Visa in the outgoing message from Visa to the client. This encryption is done using a key ID and shared secret assigned to the client during onboarding. All the data elements in the payload that have the prefix "enc" are encrypted, e.g. 'encMerchantPan'.

Clients need to follow these steps in order to decrypt these fields:

  • Get a software library that supports AES GCM mode encryption in the client's preferred programming language (e.g. Java, PHP, C#) for software development. E.g. download and install the Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files.
  • When the request payload data from Visa is received,
    • Identify the data field that requires decryption, i.e. a field whose name starts with the prefix "enc"
    • Parse the encrypted value using the software library and extract “Key ID”
    • Use “Key ID” to fetch the corresponding shared secret required for decryption. Note: a client may have more than one “Key ID” and “shared secret” from Visa stored in its system due to key management
    • Decrypt the encrypted data field using the shared secret to get the field value.
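
The decryption steps above, sketched as an added Java example (not Visa's code and not part of the original page). The page does not specify how an "enc" value is encoded, so the token layout `keyId.base64url(iv).base64url(ciphertext+tag)`, the use of the shared secret directly as a 256-bit AES key, the field name `merchantName`, the key IDs and the sample data are all assumptions made for illustration. Requires Java 9 or later.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

public class EncFieldDecryptor {
    // Assumed token layout (not Visa's wire format): keyId.base64url(iv).base64url(ciphertext||tag)
    private final Map<String, byte[]> secretsByKeyId; // may hold several entries while keys rotate
    EncFieldDecryptor(Map<String, byte[]> secretsByKeyId) { this.secretsByKeyId = secretsByKeyId; }

    private static byte[] gcm(int mode, byte[] key, byte[] iv, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c.doFinal(in); // on decrypt, throws AEADBadTagException if tampered or wrong key
    }

    String decryptField(String token) throws Exception {
        String[] p = token.split("\\.");
        if (p.length != 3) throw new IllegalArgumentException("malformed encrypted value");
        byte[] key = secretsByKeyId.get(p[0]); // Key ID selects the shared secret
        if (key == null) throw new IllegalArgumentException("unknown Key ID: " + p[0]);
        Base64.Decoder d = Base64.getUrlDecoder();
        return new String(gcm(Cipher.DECRYPT_MODE, key, d.decode(p[1]), d.decode(p[2])), StandardCharsets.UTF_8);
    }

    // Decrypt every field whose name starts with "enc"; other fields pass through unchanged.
    Map<String, String> decryptPayload(Map<String, String> payload) throws Exception {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : payload.entrySet())
            out.put(e.getKey(), e.getKey().startsWith("enc") ? decryptField(e.getValue()) : e.getValue());
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: random keys and a test PAN stand in for what Visa would send.
        SecureRandom rnd = new SecureRandom();
        byte[] oldKey = new byte[32], newKey = new byte[32], iv = new byte[12];
        rnd.nextBytes(oldKey); rnd.nextBytes(newKey); rnd.nextBytes(iv);
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        byte[] ct = gcm(Cipher.ENCRYPT_MODE, newKey, iv, "4111111111111111".getBytes(StandardCharsets.UTF_8));
        String token = "key-2." + b64.encodeToString(iv) + "." + b64.encodeToString(ct);
        Map<String, String> payload = new LinkedHashMap<>();
        payload.put("merchantName", "Example Merchant"); // hypothetical clear-text field
        payload.put("encMerchantPan", token);
        EncFieldDecryptor dec = new EncFieldDecryptor(Map.of("key-1", oldKey, "key-2", newKey));
        System.out.println("PAN ending " + dec.decryptPayload(payload).get("encMerchantPan").substring(12));
    }
}
```

An unknown Key ID or a failed GCM tag check raises an exception rather than returning data, so a field that cannot be authenticated is never treated as a valid PAN.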

There is no need to perform encryption of the response payload data as there is no sensitive data field in the response payload.