Visa Transaction Controls Documentation

Availability

Visa Transaction Controls is available globally.

What's New - Release Notes

April 2018

  1. Display Aggregate spend in VOL VTC Program Admin Tool: Allows issuer customer service representatives to view and manage a cardholder’s aggregate spend settings.  Cardholders can set daily, weekly, or monthly spend limits.
  2. Removed TCT_FUNDS_TRANSFER Control Type:  Integrated the FUNDS_TRANSFER card control functionality with the ATM_WITHDRAWAL control type.   The ATM_WITHDRAWAL card control is used to monitor and block all ATM activity (withdrawals, funds transfers and balance inquiries – deposits are not impacted). 
  3. Removed MCT_RECREATION Control Type: Reassociated the MCT_RECREATION merchant control categories with the MCT_SPORTS_AND_RECREATION control type.   
  4. Alert History: Allows issuers to retrieve an account’s alert history based on the documentId, decisionId or notificationId. 

Getting Started

Consumers want complete visibility and control to track their spending. Visa supports you in creating next gen banking experiences that put your cardholders at the center of your mobile app.

Key Features

  • Offer blocks and alerts for the following transaction types 
  • Available on mobile banking app or online website
  • Available for all cards regardless of brand or network routing
  • Visa's On Behalf Of (OBO) service reduces your work-effort and costs for all Visa processed transactions

How it Works

Customer Enrollment Flow

  1. The customer selects their card and configures the controls the issuer has made available.
  2. A secure communication channel is established between the issuer’s mobile gateway and the Customer Rules API on the Visa Developer Platform.  The PAN is encrypted in transmission.
  3. VTC verifies that the account number is within the issuer’s prescribed BIN range and that the application is authorized by the issuer. VTC then checks if a “document” already exists for this combination of account number and appID. If so, it returns the existing documentID; otherwise, VTC creates a new control document.

Visa On-Behalf-Of Service Flow 

  1. Merchant submits an authorization request (0100)
  2. Visa sees that the account participates in VTC (using a whitelist) and sends the authorization data to VTC for a decision. If the transaction violates a VTC setting, it is declined in STIP. NOTE: VTC rules are applied after all other Visa risk and processing rules are applied.
  3. Visa sends the decline response back to the merchant. Visa also notifies the issuer of the VTC STIP decline (see step 4).
  4. Visa sends an Advice message (120) to the issuer with a new STIP Reason Code “9037”, which means declined due to VTC settings. The issuer processor will have to update their authorization platform to accept this new value in an existing field.
  5. If the cardholder’s VTC setting indicates an alert should be triggered, VTC will send the notification information to the issuer’s Notification Service for final delivery to the cardholder.
  6. The Notification Service will use the VTC information to identify the cardholder and to send the cardholder notification based on the customer’s communication preferences (SMS, email or Push-Notification).

APIs Included

Customer Rules

The Customer Rules API is used to register, retrieve, modify and delete an account's card-control settings. 

Notification Callback

The Notification Callback API sends VTC alert information to the issuer's notification service provider, which creates the customer-facing message and delivers it via email, SMS or push notification.

Alert History and Customer Profiles 

The Alert History and Customer Profiles API is used to retrieve an account's VTC notification history. For issuers who participate in the VTC Alert Delivery service this API is also used to create and manage cardholder Customer Profiles.       

Authorization Decision

The Authorization Decision API is used to retrieve an account's VTC transaction history. It can also be used to submit non-Visa transactions to VTC for a decision recommendation; please ask your local Visa representative to learn more.

Enrollment Callback

The Enrollment Callback API is not applicable to most development programs.  It is used in conjunction with the Authorization API when solving for non-Visa transactions.  It notifies the issuer’s authorization platform(s) of active VTC accounts so it can begin sending transaction data to VTC for a decision recommendation.  

Program Administration

The Program Administration API enables issuers to hide any card controls they do not want made available in the Sandbox.
Note: Visa will configure the issuer’s selected card controls in the Certification and Production environments. 

Types of Controls

VTC offers issuers a variety of block and alert capabilities, the exact features and functionality of which they can then select, configure and present to their cardholders. VTC blocks and alerts are extremely flexible and designed to work together or be used independent of each other, as standalone features, with different thresholds triggering their use.

For example, an issuer may allow cardholders to block all internet transactions or only internet transactions over a certain purchase amount. An alert may accompany these transactions and be triggered at a lower dollar amount than is used for declines (e.g. trigger an alert for all internet purchases over $100 and decline all internet purchases over $1000). Similarly, an issuer seeking to avoid unintentional declines may choose not to offer transaction blocking and only allow use of VTC alerts.

Each VTC alert contains important transaction details, such as the amount, time, date, alert type and the type of purchase. Alerts allow cardholders to take immediate action at the first sign of potential fraud. Alerts are sent to the issuer’s existing alert platform to notify the customer.

| Type of Blocks and Alerts | Description |
| --- | --- |
| Global | Card-level rules, imposed on all transactions (e.g. Card On/Off). |
| Cross Border | Used when the merchant and issuer’s country code do not match for a card-present transaction. |
| E-Commerce | Used for card-not-present transactions performed at e-commerce and mail order/telephone order (MOTO) merchants. |
| ATM Withdrawal | Used for ATM cash withdrawals. |
| Brick and Mortar | Used for card present transactions. |
| Auto Pay | Used for recurring or installment payment transactions. |
| Contactless | Used for contactless purchases in a card present environment. |
| Merchant | VTC supports a number of merchant control categories (see Customer Rules API MerchantControls child attributes). Enabling a merchant card control will trigger a VTC response whenever a purchase is made at a merchant with a corresponding MCC. |
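
The following added example (not Visa's code, and not part of the original page) models how separate alert and decline thresholds interact for four of the control types above. The `Control` and `Txn` shapes, the field names and the "PASS" action label are assumptions made for illustration; only the control type names and the STIP reason code 9037 come from this page.

```python
from dataclasses import dataclass
from typing import Optional

STIP_REASON_VTC = "9037"  # STIP reason code this page gives for VTC declines

@dataclass
class Control:  # hypothetical shape, not the Customer Rules API schema
    alert_over: Optional[float] = None    # alert when amount exceeds this
    decline_over: Optional[float] = None  # block when amount exceeds this

@dataclass
class Txn:  # constructed authorization data
    amount: float
    card_present: bool
    merchant_country: str
    issuer_country: str

def applicable(txn):
    """Control types from the table above that cover this transaction."""
    types = ["Global"]
    if not txn.card_present:
        types.append("E-Commerce")
    else:
        types.append("Brick and Mortar")
        if txn.merchant_country != txn.issuer_country:
            types.append("Cross Border")
    return types

def decide(controls, txn):
    """Return (action, stip_reason, control types that raise an alert)."""
    declined, alerts = False, []
    for ctype in applicable(txn):
        control = controls.get(ctype)
        if control is None:
            continue
        if control.decline_over is not None and txn.amount > control.decline_over:
            declined = True
        if control.alert_over is not None and txn.amount > control.alert_over:
            alerts.append(ctype)
    return ("DECLINE", STIP_REASON_VTC, alerts) if declined else ("PASS", None, alerts)

# Constructed settings: the page's example thresholds for internet purchases.
SAMPLE = {"E-Commerce": Control(alert_over=100, decline_over=1000)}

if __name__ == "__main__":
    for amount in (50, 250, 1500):
        print(amount, decide(SAMPLE, Txn(amount, False, "US", "US")))
```

In this model a card-level block such as Card On/Off is a "Global" control with `decline_over=0`.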

Using the Customer Rules API

Use the Customer Rules API to register a consumer's account to the service and establish the payment rules and thresholds that will define the types of transactions that the consumer wants to block or for which they would like to be alerted.

The Customer Rules API supports the following functions:

  • Enrolling and un-enrolling a card in the service
  • Adding, updating, retrieving, and removing consumer transaction controls for a card
  • Retrieving the list of control types that are available for a specific card
  • Retrieving the list of transaction type controls that can be configured for a specific card
  • Retrieving the list of merchant type controls that can be configured for a specific card
  • Retrieving the project configuration data for callback notification settings

The technical details of each operation can be found on the Documentation tab.

Using the Notification Delivery Callback API

The Notification Delivery Callback API is used to send purchase notifications to the issuer, who will then create the cardholder-facing message and deliver it via email, SMS or push. The issuer is responsible for creating and delivering the notification based on the data provided. Note: future product enhancements can result in new data elements being available in the Notification Delivery Callback API payload. The client should be flexible enough to receive these new data elements without adversely impacting their existing notification process.
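
One way for an issuer's callback receiver to tolerate new data elements, shown as an added example that is not Visa's code or part of the original page: required fields are type-checked, unknown fields are reported but never cause a rejection, and the cardholder message is built only from the validated fields. All field names except `notificationId` are assumptions; the real payload schema is on the Documentation tab.

```python
import json

# Hypothetical required fields and types (only notificationId appears on this page).
REQUIRED = {
    "notificationId": str,
    "alertType": str,
    "amount": (int, float),
    "currency": str,
}

def parse_notification(raw):
    """Return (known_fields, unknown_keys); raise ValueError on a bad payload."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:  # covers JSON and UTF-8 decoding errors
        raise ValueError("payload is not valid JSON") from exc
    if not isinstance(doc, dict):
        raise ValueError("payload must be a JSON object")
    known = {}
    for name, expected in REQUIRED.items():
        value = doc.get(name)
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, expected):
            raise ValueError(f"missing or mistyped field: {name}")
        known[name] = value
    # New elements are tolerated: surfaced for logging, not used for rendering.
    unknown = sorted(set(doc) - set(REQUIRED))
    return known, unknown

def render_message(known):
    """Build the cardholder text from validated fields only."""
    return f"{known['alertType']}: {known['amount']:.2f} {known['currency']}"

# Constructed payload carrying one element this client has never seen.
SAMPLE_PAYLOAD = json.dumps({
    "notificationId": "n-0001",
    "alertType": "E-Commerce",
    "amount": 250,
    "currency": "USD",
    "newElement": {"addedIn": "a later release"},
}).encode()

if __name__ == "__main__":
    fields, extra = parse_notification(SAMPLE_PAYLOAD)
    print(render_message(fields), "| ignored:", extra)
```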

Using the Alert History and Customer Profiles API

The Alerts Preference Management API captures the cardholder's mobile number, email and/or device ID that Visa will use to send all Alert notifications.  Issuers must enroll in the VTC on-behalf-of Alert Delivery Service to use this API.

Using the Authorization Decision API

The Authorization Decision API is used to send transaction data for non-Visa processed transactions to VTC.  VTC will respond with a recommendation to "Decline" or "Decision Accordingly" based on the cardholder's VTC settings.  The issuer is responsible for making the authorization decision and then sending that back to VTC for use in alert messaging. 

The Transaction Controls Authorization Decision API supports the following functions:

  • Requests a decision on a pending transaction.
  • Updates the state of a decision based on the actual authorization decision made by the issuer.
  • Retrieves the details of a specific decision.
  • Retrieves a paginated list of previous decisions filtered by card.
  • Retrieves a paginated list of the most recent decisions.

The technical details of each operation can be found on the Documentation tab.

Using the Enrollment Callback API

The Enrollment Callback API notifies the client that a cardholder has activated or deactivated their rules settings.

  • Notifies when a customer enables the first control rule or first set of control rules on a registered card.
  • Notifies when a customer disables the last active control rule or the entire set of active control rules on a registered card.
  • Notifies when a customer re-enables the first active control rule or first set of active control rules on a registered card.
  • Notifies when a customer deletes the last remaining control rule or last set of active control rules on a registered card.

The Notification Delivery Callback API notifies the client that an alert message has been generated and should be delivered to the cardholder. The issuer host is responsible for communicating the alert to the customer using the issuer's or customer's choice of channel. Note: future product enhancements can result in new data elements being available in the Notification Delivery Callback API payload. The client should be flexible enough to receive these new data elements without adversely impacting their existing notification process.


Program Administration API

The Program Administration API allows issuers to limit the VTC card controls available for use in the Sandbox.  By default, all VTC card controls are exposed and available for use in the Sandbox. 

The Program Administration API supports the following functions:

  • Limit which VTC card controls are available for use in the sandbox. 
  • Expose any card controls that were previously hidden. 

The technical details of each operation can be found on the Documentation tab.