How to Use Visa B2B Payment Controls

There are different steps for inital usage and ongoing usage.

Onboarding Card Portfolio

This section lists the steps you must follow to begin using Visa B2B Payment Controls. 

  • Register your cards in Visa B2B Payment Controls. 
  • Set controls on your card account as per business use case. 
  • Set up notifications. Optionally, set up email or SMS contacts for each card to receive ongoing notifications related to payment control decisions.

Note:  Prior to using APIs, the Visa implementation manager will work with you to set up the issuer and preferred configuration selections in Visa systems.  

Ongoing Usage and Management

This section lists the activities you must perform to use and manage Visa B2B Payment Controls.

  • Manage card account information as needed for your companies.
  • Manage payment controls for cards based on the business need in near-real time. Rule selection includes Spending Rules for payment protection, Merchant Category Rules, Location, Channel, and Business Hours.
  • Leverage Get functionality to retrieve details about your company and card accounts:
    • Pull details on the card accounts.
    • Retrieve details on existing rules set on a card and see spend usage with Spend Velocity and Spend Policy Controls.
    • View all decline and authorization data including decline reason and merchant details.
    • View actual email and SMS decline notifications, rule, and merchant details.

Note:  API fields sent in the message requests are not case sensitive.  All required fields must be present, but the order of sending fields is flexible.

Account Management Service

Use the Account Management Service to create accounts within the ranges specified during the onboarding of an Issuer or a Commercial Client. This service also allows users to add payment controls, manage account contacts, update company information, delete accounts, and access account details from the system.

The following APIs will be available to the Client:

  • Create Account – Use this operation to register your existing cards with VPC, which is required before you can set any rules, other than the Block Rule (this will be available to add while creating the account). You can enroll both a physical or a Visa virtual card. While registering your card, you can specify phone numbers and email addresses to receive SMS and email notifications.
  • Get Account – Use this operation to retrieve a particular Account's details along with its current contact information. 
  • Update Account – Use this operation to update your existing cards registered with VPC. You can modify any of the details that were provided during the initial account setup.
  • Delete Account – Use this operation to remove account from VPC when it is no longer needed. Deleting an account will also remove all associated rules and notifications from VPC.

Rules Management Service

After you have registered your card to VPC, you are ready to begin setting rules on the said card. The Rules Management Service has five operations: set, delete, get, block, and disable/enable rules. These will let you set rules on your cards, delete rules you no longer need, get rules to see your existing rule configurations, block the account, and temporarily disable rules and enable rules at a later time.

The following APIs will be available to the Client:

  • Set Rules – Use this operation to set rules that you want to apply to an individual card.  This operation is also used as a full refresh (full replacement of existing rules), so you must send ALL the rules that you want applied to the card within the single request. These dynamic rules are applied in near real-time. 
    • The rule table in "Rules Code" section provides the full list of available payment control rules and the specific parameters applicable for each rule. Some of the rules require you to send a single value and others have multiple parameters which require additional values. 
    • For example, some merchant rules only require that you send an alphabetic value, “HOT” where other spending rules, like Exact Match Rule “VPAS”, require that you send amount and currency parameters as well.
    • Rule Notes:
      • Multiple rules can be applied to a card account as long as they do not contradict each other.
      • Each account can have a certain number of rules as long as the bandwidth of the payload doesnt go beyond a certain limit.  
      • Rules are applied immediately unless the rules are set for a future start date.
      • By default, the system uses GMT time zone while setting the rules. You can set the rules in different time zones by providing the time zone in set rules request.
      • When setting a spending rule, currency code should be specified in the request. 
  • Delete Rules – Use this operation to remove all current and/or future rules from a card. You can clear all rules at once, or use the set rules operation to replace existing rules with new ones. Please note that individual rules cannot be deleted separately.
    Note: If all rules are removed, you can use Block Account API at the account level to block card usage. 
  • Get Rules – Use this operation to fetch all the controls set on an account. This API also provides the consumed spending amount and authorization count for the Spend Velocity (SPV) and Spend Policy (SPP) rules. 
  • Block Account – Use this operation to block an existing account from processing any transactions and to remove all rules currently applied to that account.
  • Disable Enable Rules – Use this operation to temporarily disable all rules on an account. You can also use the same endpoint to re-enable previously disabled rules when needed. Additionally, the disable rule feature allows you to block the account if required.

Reporting Management Service

The Reporting Management Service allows users to retrieve both transaction and notification details for a card.  

The following APIs will be available to the Client:

  • Get Notification History – Use this operation when you have configured notifications for cards and want to see the message level details.  You can view the exact message shared with the configured contact via email and or SMS.  For example, see message detail: “card xxxx was declined at merchant ABC for a purchase of $x.xx due to VPC rule abc.”
  • Get Transaction History – Use this operation to see the transaction decline details for the respective card account. There is no notification setup required to use this operation. It will provide the status of the transaction, merchant details, and the VPC reason the transaction was declined. 

Notification Service

The Notification Service lets issuers, fintechs, or users choose how they receive optional alerts—by email or SMS—when VPC blocks or approves a transaction authorization request. These notifications are delivered to the contacts specified when the card account is created through Account Management Service. 

This service needs to be enabled as part of Issuer and Fintech onboarding to Visa B2B Payment Controls (VPC).

Intelligent Payment Controls (Gen-AI) Service

The Intelligent Payment Controls System evaluates user prompts to recommend suitable controls for payment Transactions. This AI-powered system provides recommendations and establishes appropriate controls based on the business use case specified by the user. Users have the option to review, adjust, and confirm these suggested controls to implement them. It offers a collection of APIs for submitting prompts, receiving recommendations, and implementing the suggested controls.

The following APIs will be available to the Client:

  • Get Suggested Rules API - This API accepts a prompt outlining the client’s use case and responds with a list of recommended controls.
  • Set Suggested Rules API - This API allows users to establish rules by providing a ‘Rule Set Id’ from the ‘Get Rules Suggestion’ API response. Users can apply the suggested controls directly to an account or customize the controls as needed before applying them.

Note: Before using this APIs, card account should be added. You can use Account Management APIs to add the account and Rule Managements APIs to view the rules. 

Supplier Validation

The Trusted Supplier Validation solution allows clients to efficiently identify and trust suppliers. Clients may search for and retrieve trusted supplier information, including Acquirer ID and CAID, which can then be used to establish or update payment controls through existing B2B Payment Controls APIs or B2B Payables APIs. This solution supports fraud mitigation in virtual commercial transactions by ensuring that payments are authorized exclusively for verified, trusted suppliers.

The following APIs will be available to the Client:

  • Register Trusted Supplier API – This API enables clients to request Visa to create a new Trusted Supplier. Visa will create the supplier and provide all pertinent Acquirer BIN/CAID trust information in the response.
  • Update Trusted Supplier API – This API permits clients to make changes to the attributes of an already existing Trusted Supplier. Moreover, it includes an option for clients to remove the trust at the Supplier or at the Acquirer BIN/CAID level.
  • Retrieve Trusted Supplier API – This API allows clients to retrieve information regarding Trusted Suppliers.

Note: Trusted Suppliers Acquirer BIN and CAID values can be used to set VPC CAID control through Account and Rules Management Services.

Related Payment Needs

The Visa B2B Payment Controls API provides rule-setting capabilities to protect commercial payments and supports small business use cases that need payment controls to limit spending.  It is targeted for those clients with existing card accounts to set dynamic rules at the card level.

If you have more robust payment needs, such as requesting a virtual account for on demand purchasing, or more comprehensive payment and reconciliation options, please consider using the B2B Virtual Account Payment Method API.  This Visa Commercial Solutions API solution provides payment and on-demand virtual account solutions, and also includes VPC protection.  

Codes and Supplemental Information

There are several code pages provided for your reference. These codes can be populated as needed based on the specific API and are explained in the field level specification. 

  • Error Codes – This page  displays all common and service-specific error codes that Visa B2B Payment Controls may provide in the response. This page also includes all the response codes you can receive from Visa B2B Payment Controls when making a request.  Use this information to correct the request and resend for processing.
  • Rule Codes – This page contains the rule code details and parameters that can be populated in the Set Controls request.  It includes sample formatting and field parameters for all payment controls.
  • Master Codes – This page includes several other useful code tables for best practices.
    • Supported Languages – These codes are used in the Contact Management Service to define end-user language preferences for messages.
    • Supported Time Zones – These codes are used to define the time zone for international use.
    • Supported Currency Codes – This is a list of supported currencies with ISO codes that are used in spending rule requests.
      Note:  For a given account, all spending rules must be sent with the same currency while in use.
    • Supported Country Codes
    • Supported State Codes