The VisaNet Connect – Issuing APIs provide issuers with simplified RESTful APIs for payments processing.
Issuers participating in VisaNet Connect – Issuing APIs may subscribe to Visa’s Hardware Security Module-as-a-Service (HSMaaS). HSMaaS is a Visa value-added on-behalf-of service that provides cryptographic validations required in card payment processing on behalf of the issuer. Through this service, Visa will validate CVV, CVV2, iCVV, CAAV, and a variety of other cardholder security features. Visa will then include the results of the validations to the issuer in API request message. The issuer will use these results to determine whether to approve or decline the payment request message.
Issuers may also use a subscription to Visa's HSMaaS to peform various card management tasks, including but not limited to new card credential generation, card expiration date updates, and new PIN generation.
The following table lists the regional availability for VisaNet Connect - Issuing APIs. To view availability of all products, refer to the Availability Matrix.
North America | Asia-Pacific | Europe | CEMEA | LAC | Notes |
---|---|---|---|---|---|
All VisaNet Connect - Issuing implementations for clients that are non-members require a sponsorship by a licensed Visa member. The member is responsible for their sponsored endpoints’ access and use of the VisaNet Connect - Issuing APIs. Endpoints are responsible for maintaining ongoing compliance with the Payment Card Industry Data Security Standard (PCI DSS) and other security standards, as defined by the Visa Cardholder Information Security Program. Endpoints will be required to undergo a risk and business review satisfactory to Visa in its sole discretion.
Issuers can quickly integrate with VisaNet Connect – Issuing APIs and have access to the Visa Developer Sandbox environment to prove connectivity. Issuers that wish to promote an integration into production will need to work with their Visa representative to open an implementation project. Issuers are required to be PCI Level 1 compliant. For clients new to Visa, additional requirements may apply. Issuers that are not Visa members will require BIN sponsorship from a Visa licensed financial institution to use the VisaNet Connect – Issuing APIs. Additionally, issuers will need to pass a Global Endpoint Review process before proceeding with onboarding to the VisaNet Connect – Issuing APIs. Please contact [email protected] with any additional questions.
Issuers are encouraged to implement risk management best practices for payment transactions processed via the APIs, just as they would for any Visa payment transactions.
· Issuers are required to complete Know Your Customer on their cardholders. KYC must be performed in accordance with local laws and regulations.
· Set up and maintain a card issuing program that complies with all applicable regulatory requirements, including procedures for customer verification, recordkeeping, and retention requirements.
· Support procedures for determining whether the cardholder appears on any government sanctions lists before issuing cards, and periodically thereafter.
· Track continuously their key performance metrics as part of their fraud monitoring efforts.
· Track and review daily exception reports to detect cardholder activity that could expose the issuer to losses.
· Track and reconcile settlement reports on a daily basis.
· Issue cards in an inactive state and require that an activation process be initiated by the cardholder.
· Support a Multi-Factor Authentication method such as a One-Time Password (OTP) to positively identify cardholders requesting account changes, ordering a new card, activating a card, or changing a PIN.
· Evaluate request for any change of address that occurs within 30 days of account opening. · Establish enhanced controls over changes to account profiles initiated online or via customer service representatives.
Issuers have the responsibility to make approval decisions using appropriate risk management strategies. Payment requests may be declined for a variety of legitimate reasons. To ensure a positive cardholder experience, effective processing and to comply with Visa Rules, issuers should consider the following in their payment handling processes, among other things:
· Establish thresholds for new or dormant accounts to monitor for unusual payment patterns.
· Ensure that all lost/stolen accounts are listed with Visa Account Screen consistently and promptly.
· Detecting changes in account credentials followed by out of pattern payment activity.
· Monitor accounts that may have historical suspicious activity with enhanced due-diligence.