| 3D Secure - An authentication protocol that provides an additional layer of security for online credit and debit card transactions. In Visa Click to Pay, 3DS authentication uses EMV 3DS 2.x standards and may involve OTP, biometric, or issuer challenges. | |
| Advanced Encryption Standard 256-bit Galois/Counter Mode - A symmetric encryption algorithm used in JWE encryption for securing sensitive data in Click to Pay API communications. | |
| Application Programming Interface - A set of protocols and tools for building software applications. The Click to Pay API provides endpoints for secure remote commerce transactions. | |
| Authentication method using unique biological characteristics such as fingerprints, facial recognition, or voice patterns. Used in Visa Payment Passkey authentication and some 3DS challenges. | |
| Visa payment card or credential. | |
| A service that allows merchants to store payment credentials for future transactions with consumer consent. | |
| The process of linking related data or events across multiple API calls. In SRC, correlation IDs (srcCorrelationId) maintain session continuity throughout transaction flows. | |
| A unique value generated for each transaction that provides cryptographic proof of transaction authenticity. Used in payment processing to verify transaction integrity. The Visa Click to Pay API includes the following EMVCo cryptogram types: | |
| Card Verification Value - A security feature on payment cards used to verify that the person making the transaction has physical possession of the card. CVV2 challenges may be used as step-up authentication in SRC. | |
| The process of converting encrypted data back to its original form using cryptographic keys. SRCis must decrypt JWE payloads to access payment credentials and consumer data. | |
| Any payment-enabled application that facilitates a payment between the acceptance environment and a consumer using a payment card within an SRC ecosystem. | |
| Data Security Standard - Refers to PCI DSS (Payment Card Industry Data Security Standard), a set of security standards designed to ensure that companies that accept, process, store, or transmit credit card information maintain a secure environment. | |
| Electronic Commerce Indicator - A value that indicates the security level of a transaction. Common values include 05 (authenticated via 3DS) and 07 (CVV2 verified). | |
| Europay, Mastercard, and Visa - A global standard for payment cards equipped with computer chips and the technology used to authenticate chip-card transactions. EMV 3DS 2.x is used for 3D Secure authentication in SRC. | |
| A global technical body that facilitates worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV Specifications and related testing processes. | |
| Data that has been converted into a coded format to prevent unauthorized access. In Visa Click to Pay, sensitive consumer and card data is transmitted as JWE-encrypted payloads for security. | |
| The process of registering Visa payment cards into the SRC system. Enrollment can include identity verification, consent capture, and card validation. | |
| A Federated ID Token (idToken) represents digitally signed attestation that a consumer has been identified by an SRC system. The token contains an identity claim which allows other SRC systems to identify the corresponding Visa Click to Pay profile. As JWT tokens, they have an expiration period of 8 minutes and may be used across multiple API calls within a session. | |
| Fast Identity Online - An open standard for passwordless authentication. FIDO2/WebAuthn is used in Visa Payment Passkey authentication, enabling biometric authentication using fingerprints, Face ID, or device PINs. | |
| Hypertext Transfer Protocol Secure - A secure version of HTTP that uses TLS/SSL encryption. All Click to Pay API communications must use HTTPS with TLS 1.2 or higher for data transmission security. | |
| JSON Web Encryption - A standard for encrypting JSON data. Used in Visa Click to Pay to encrypt sensitive consumer and card data using the RSA-OAEP algorithm with A256GCM encryption according to RFC 7516. | |
| JSON Web Signature - A standard for digitally signing JSON data. Used in SRC for encryptedSignedPayload where data is first signed (JWS) then encrypted (JWE) to ensure both integrity and confidentiality. | |
| JSON Web Token - A compact, URL-safe means of representing claims between two parties. JWT tokens expire after 8 minutes for security. | |
| Data that has been partially hidden or obscured for security purposes. In Visa Click to Pay, consumer and card data is returned in masked format (e.g., showing only the last four digits of a card number) to protect sensitive information. | |
| One-Time Passcode - A password that is valid for only one login session or transaction. In Visa Click to Pay, OTP is used for identity validation, delivered via email or SMS to the consumer during the identity validation process. | |
| Primary Account Number - The unique identifier for a payment card, typically 13-19 digits long. In SRC, PAN data is encrypted and handled according to PCI DSS requirements. | |
| The data content of an API request or response. In Visa Click to Pay, payloads contain payment credentials, consumer information, and transaction data, often delivered as encrypted JWE payloads for security. | |
| Payment Card Industry - Refers to the payment card industry and its security standards. PCI DSS (Data Security Standard) compliance is required for all Visa Click to Pay implementations that handle card data. | |
| Request for Comments - A publication series that describes Internet standards and protocols. RFC 7516 defines the JWE encryption standard used in Visa Click to Pay for securing sensitive data. | |
| Rivest-Shamir-Adleman - A public-key cryptographic algorithm. RSA-OAEP is used in SRC for JWE encryption and decryption of sensitive consumer and payment data. | |
| The SRC Standards means the EMV Secure Remote Commerce Technical Framework, version 1.0, and the EMV Secure Remote Commerce Specification, version 1.0, and all new versions and updates thereto. | |
| A role that initiates SRC transactions, typically merchants or payment facilitators. An SRCi is the participant in the Secure Remote Commerce (SRC) ecosystem responsible for initiating SRC transactions and interacting directly or indirectly with the Visa Click to Pay System on behalf of its participating Digital Payment Applications (DPAs). | |
| A temporary interaction between a user and a system. In Visa Click to Pay, sessions are identified by correlation IDs and session IDs that maintain continuity across multiple API calls within a transaction flow. | |
| A technical platform defined within the EMV Secure Remote Commerce Technical Framework and Specifications that securely facilitates remote card payments between consumers, digital payment applications, and SRCis on behalf of one or more SRC programs. | |
| Complete Visa Click to Pay checkout journey, from recognizing the consumer and selecting cards to authenticating and producing the final payment payload. | |
| Transport Layer Security - A cryptographic protocol that provides secure communication over a network. SRC requires TLS 1.2 or higher for all HTTPS communications to ensure data transmission security. | |
| An implementation of EMV Tokenization Specifications; a secure representation of a PAN. | |
| An entity that may request network payment tokens from Visa. In Visa Click to Pay, Payment SRCis as Token Requestors may request DPA-specific CoF tokens and partner-specific eCom tokens for payment processing. | |
| Universally Unique Identifier - A 128-bit identifier used to uniquely identify information. In SRC, UUIDs are used for session IDs, correlation IDs, and other unique identifiers throughout the API. | |
| Visa's 3DS offering. | |
| Visa's implementation of Secure Remote Commerce that enables one-click checkout experiences. SRC System that is compliant with the Standards for SRC Systems for Click to Pay or Visa's implementation of the Standards for Click to Pay. | |
| In Visa Click to Pay, a consumer's set of enrolled cards and their associated identities used for SRC transactions. | |
| A FIDO-based authentication method that uses biometric verification (fingerprint, Face ID) or device PINs. | |
| Web Authentication - A web standard for passwordless authentication that is part of the FIDO2 specification. Used in Visa Payment Passkey authentication to enable biometric and device-based authentication in web browsers. |