This section covers how to use the Visa Click to Pay API endpoints.
In the Use Cases section, we’ll show you what you can do with them.
The Card Enrollment capability allows an SRC Initiator (SRCi) to submit a consumer payment credential to Visa Click to Pay for enrollment. Using POST /cards, the SRCi provides the required consumer and card data, and Visa Click to Pay determines whether a consumer profile already exists. Visa Click to Pay then creates or updates the consumer profile, associates the payment credential, and returns the enrollment result.
Both Payment SRCis and Non‑Payment SRCis may invoke the Card Enrollment capability. The SRCi is responsible for collecting consumer information, validating the consumer identity, and presenting the Visa Terms of Service and Privacy Notice prior to initiating enrollment. The SRCi must obtain the consumer’s explicit consent to the Visa Terms of Service and Privacy Notice before sending any enrollment data to Visa Click to Pay.
Consumer identity for card enrollment consists of a consumer email address and a mobile phone number. The SRCi must validate the consumer’s identity using these identifiers prior to calling the Card Enrollment endpoint. Visa Click to Pay does not perform consumer identity validation as part of card enrollment.
Once identity validation and consent collection are complete, the SRCi submits the enrollment request to Visa Click to Pay. Visa Click to Pay determines whether a consumer profile already exists and handles profile creation, card association, and card verification status.
Card verification status established during enrollment directly impacts the consumer’s first checkout experience. Providing CVV2 at enrollment may enable frictionless checkout on first use, while omitting CVV2 may require step‑up authentication during the initial transaction.
Key Requirements:
Workflow:
1. Cardholder provides consumer and card data
The Cardholder provides consumer information and card details to the SRC Initiator (SRCi).
2. SRCi presents Visa Terms of Service and Privacy Notice
The SRCi presents the Visa Terms of Service and Privacy Notice to the Cardholder.
3. Cardholder provides consent
The Cardholder reviews and accepts the Visa Terms of Service and Privacy Notice.
4. SRCi enrolls the card
The SRCi calls the Card Enrollment endpoint (POST /cards) with consumer data, card data, and captured consent.
5. Visa Click to Pay checks whether a consumer profile exists
Visa Click to Pay determines whether a Visa Click to Pay profile already exists for the consumer.
6. Card is added to an existing profile
If a Visa Click to Pay profile exists, the card is added to the existing profile.
7. Consumer profile is created
If a Visa Click to Pay profile does not exist, Visa Click to Pay creates a new consumer profile.
8. Card is added to the new profile
The card is added to the newly created consumer profile.
9. Card verification status is set to VERIFIED
If CVV2 is provided, Visa Click to Pay sets the card verification status to VERIFIED, enabling frictionless checkout on first use.
10. Card verification status is set to UNVERIFIED
If CVV2 is not provided, Visa Click to Pay sets the card verification status to UNVERIFIED, requiring step‑up authentication at first use.
11. Enrollment response is returned
12. SRCi displays the enrollment result
The SRCi displays the enrollment result (success or failure) to the cardholder.
Endpoint Name: Enroll Card
Method: POST
Endpoint: /cards
Refer to the API specifications for the complete request and response and any additional details.
// Unencrypted consumer data object
{
"firstName": "<first name>",
"lastName": "<last name>",
"fullName": "<full name>",
"consumerIdentity": { // Required
"identityType": "EMAIL_ADDRESS", // Required
"identityValue": "<[email protected]>", // Required
"identityProvider": "SRC"
},
"emailAddress": "<[email protected]>",
"mobileNumber": {
"countryCode": "1",
"phoneNumber": "50012345678"
},
"nationalIdentifier": "<national identifier>",
"countryCode": "US", // Required
"languageCode": "EN" // Required
}
{
"srcClientId": "<Partner SRC Client ID>",
"encryptedConsumer": "<JWE consumer data>",
"encryptedCard": "<JWE card data with CVV2>",
"complianceSettings": {
"complianceResources": [
{
"complianceType": "TERMSANDCONDITIONS",
"uri": "<Visa T&C URI>"
},
{
"complianceType": "PRIVACY\_POLICY",
"uri": "<Visa Privacy URI>"
}
]
}
}
{
"srcCorrelationId": "<ID>",
"maskedCard": {
"panBin": "409758",
"panLastFour": "4340"
},
"recognitionToken": "<JWT token>"
}
Identity Lookup enables SRCis to determine whether the provided consumer identity (email address or mobile phone number) exists within Visa Click to Pay. SRCis (Non-Payment SRCi or Payment SRCi) or an SRCi Enabler may use Identity Lookup.
Workflow:
1. Consumer enters identity
The consumer enters an identity (email address or mobile phone number) and provides it to the SRC Initiator (SRCi).
2. SRCi sends Identity Lookup request
The SRCi calls the Identity Lookup endpoint (POST /identities/lookup) using the provided consumerIdentity and srcClientId.
3. Visa Click to Pay searches for the identity
Visa Click to Pay searches for the provided consumerIdentity in the Visa Click to Pay system.
4. Visa Click to Pay returns lookup result
5. SRCi processes the response
The SRCi uses the lookup result to determine next steps, such as whether to proceed with enrollment or continue with another Visa Click to Pay flow.
6. SRCi displays the result to the consumer
The SRCi displays the lookup outcome to the consumer (recognized or not recognized, and any applicable status).
This information enables SRCis to determine next steps, such as whether to proceed with enrollment, retrieve cards associated with the identity, or initiate any other Visa Click to Pay flows.
Endpoint Name: Identity Lookup
Method: POST
Endpoint: /identities/lookup
Refer to the API specifications for the complete request and response and any additional details.
{
"srcClientId": "partner-client-id",
"consumerIdentity": {
"identityType": "EMAILADDRESS", // or "MOBILEPHONE_NUMBER"
"identityValue": "[email protected]"
}
}
{
"consumerPresent1": true,
"consumerStatus": "ACTIVE",
"lastUsedCardTimestamp": "2025-11-19T21:02:10Z",
"idLookupSessionId": "b1234567-89ab-cdef-0123-456789abcdef",
"supportedValidationChannels": [
{
"validationChannelId": "email",
"identityType": "EMAIL_ADDRESS",
"maskedValidationChannel": "us***@example.com"
}
]
}
With the Identity Validation endpoints, you can initiate validation of a claimed consumer identity (email address or mobile phone number) to determine whether that consumer has access to the identity claimed. An SRCi (Payment SRCi or Non-Payment SRCi) or an SRCi Enabler may perform Identity Validation. Identity Validation must be completed before an SRCi or SRCi Enabler may call the Profile Retrieval endpoints.
With express written approval from Visa, an SRCi or SRCi Enabler may use its own identity validation solution to complete consumer identity validation. In this event, the steps below are not applicable.
Identity validation is a two-step process through which Visa Click to Pay confirms that the consumer has access to the identity they have provided. After successful validation, Visa Click to Pay issues a Federated ID Token (idToken), a digitally-signed JWT that attests that a consumer has been successfully verified by an SRC system. The Federated ID Token contains consumer identities that allow other SRC systems to identity the corresponding SRC profile, has an expiration period of 8 minutes, and may be used across multiple API calls within a session.
There are several ways to obtain a Federated ID Token:
If an SRCi is integrated with multiple SRC systems, the SRCi must initiate the identity validation operation with the SRC system that has:
If no SRC system responds with lastUsedCardTimestamp, the SRCi must choose the SRC system that responded first.
SRCis initiate identity validation by requesting Visa Click to Pay to send a One-Time Passcode (OTP) to the consumer. The Visa SRC system generates an OTP and delivers it via email and/or SMS.
Prerequisites:
Workflow:
Verify OTP and Obtain Federated ID Token (idToken).
Prerequisites:
Workflow:
Endpoint Name: Initiate Identity Validation
Method: POST
Endpoint: /identities/validation/initiate
Refer to the API specifications for the complete request and response and any additional details.
{
"srcClientId": "partner-client-id",
"consumerIdentity": {
"identityType": "EMAIL_ADDRESS",
"identityValue": "[email protected]"
}
}
{
"idValidationSessionId": "c2345678-90ab-cdef-1234-567890abcdef",
"maskedValidationChannel": {
"validationChannelId": "email",
"identityType": "EMAIL_ADDRESS",
"maskedValidationChannel": "us***@example.com"
}
}
Endpoint Name: Complete Identity Validation
Method: POST
Endpoint: /identities/validation/complete
Refer to the API specifications for the complete request and response and any additional details.
{
"srcClientId": "partner-client-id",
"idValidationSessionId": "c2345678-90ab-cdef-1234-567890abcdef",
"validationData": "123456"
}
{
"idToken": "<JWTIDTOKEN>",
"maskedCard": {
"srcDigitalCardId": "d48ac10b-58cc-4372-a567-0e02b2c3d489",
"panBin": "409758",
"panLastFour": "4340"
}
}
Profile Retrieval enables retrieval of a consumer's Visa Click to Pay profile using the provided consumer identities (email address or mobile phone number) or Federated ID Token(s). The profile contains a list of masked cards and credentials associated with that identity.
Payment SRCis or Non-Payment SRCis may perform Profile Retrieval after the identity is recognized and (where required) validated so a compliant card list can be presented for card selection and proceed to checkout.
Visa supports two forms of identity evidence for Profile Retrieval:
SRCi‑Validated Identity
The SRC Initiator (SRCi) has performed consumer identity verification using its own Visa‑approved methods. In this model, the SRCi may supply consumerIdentities without a Federated ID token and Visa will return profiles accordingly. SRCis must be authorized by Visa to perform identity verification themselves.
Visa‑Validated Identity
Visa performs the consumer identity validation (e.g., OTP) and issues a Federated ID Token. In this model, the SRCi must provide the Visa‑generated ID token in the request. Consumer identity‑only retrieval is not permitted.
If both idTokens[] and consumerIdentities[] are present, the ID token takes precedence.
Workflow:
A srcCorrelationId may be included to continue an existing session; otherwise, a new one is created.
Only cards for which the consumer has accepted the Visa Terms of Service and Privacy Notice are eligible to be displayed. Cards pending acceptance will not be returned until the cosnumer completes the required acceptance flow.
If no cards meet the eligibility criteria (for example, all cards are pending terms acceptance), the reponse contains an empty card list.
Endpoint Name: Prepare SRC Profile
Method: POST
Endpoint: /profiles/prepare
Refer to the API specifications for the complete request and response and any additional details.
{
"srcClientId": "partner-client-id",
"idTokens": [
"<JWTIDTOKEN>"
],
"consumerIdentities": [
{
"identityProvider": "SRC",
"identityType": "EMAIL_ADDRESS",
"identityValue": "[email protected]"
}
],
"srcCorrelationId": "12345678-1234-1234-1234-123456789012",
"srcDpaId": "DPAID",
"dpaTransactionOptions": {
"transactionAmount": {
"transactionAmount": 99.99,
"transactionCurrencyCode": "USD"
},
"authenticationPreferences": {
"payloadRequested": "AUTHENTICATED"
}
}
}
{
"srcCorrelationId": "12345678-1234-1234-1234-123456789012",
"profiles": [
{
"maskedCards": [
{
"srcDigitalCardId": "card-12345678-abcd-efgh-ijkl-123456789012",
"cofEligible": true,
"panBin": "411111",
"panLastFour": "1111",
"tokenBinRange": "444433",
"tokenLastFour": "3333",
"digitalCardData": {
"status": "ACTIVE",
"presentationName": "My Visa Card",
"authenticationMethods": [
{
"authenticationMethodType": "CSCVALIDATION",
"authenticationSubject": "CARD"
},
{
"authenticationMethodType": "SMSOTP",
"authenticationSubject": "CONSUMER",
"authenticationCredentialReference": "--1234"
}
]
}
}
],
"maskedConsumer": {
"srcConsumerId": "consumer-98765432-fedc-ba98-7654-321098765432",
"maskedConsumerIdentity": {
"identityProvider": "SRC",
"identityType": "EMAILADDRESS",
"maskedIdentityValue": "[email protected]"
},
"maskedEmailAddress": "[email protected]",
"maskedMobileNumber": {
"countryCode": "1",
"phoneNumber": "--1234"
},
"countryCode": "US",
"languageCode": "en",
"status": "ACTIVE"
},
"authorization": "<JWTAUTHORIZATION_TOKEN>",
"srcDpaId": "dpa-11111111-2222-3333-4444-555555555555"
}
]
}
Use the POST /transaction/credentials endpoint to initiate and complete a checkout transaction using a consumer‑selected card. Visa Click to Pay performs a transaction risk evaluation and may require additional cardholder authentication before checkout can be finalized.
Both Payment SRCis and Non‑Payment SRCis can invoke the Checkout API. Supported payload types depend on the SRCi classification.
Payload type support
The payloadTypeIndicatorCheckout value determines the type of payload returned in the Checkout API response.
Payment SRCi supported values: FULL, PAYMENT, NON_PAYMENT, SUMMARY
Non-Payment SRCi supported values: NON_PAYMENT, SUMMARY
A Non‑Payment SRCi must not request FULL or PAYMENT payloads.
Visa Click to Pay supports two checkout transaction types. The transaction type is determined by whether the merchant requests an authenticated payload and by the outcome of CTP's risk evaluation.
1. Standard Frictionless Checkout
If the merchant does not request an authenticated payload (i.e. they choose a simpler integration without seeking liability shift) and Visa Click to Pay's risk engine does not flag the transaction as suspicious, Visa Click to Pay aims for a frictionless experience. The transaction typically does not invoke an issuer challenge by default. The card token and cryptogram are returned to the merchant for authorization (with ECI 07, no liability shift) without additional consumer steps.
2. Authenticated Checkout
If the merchant requests an authenticated checkout (signaling they want fraud liability protection on this sale) or risk evaluation determines the transaction as risky, Visa Click to Pay will attempt strong customer authentication inline during checkout. The merchant's integration passes additional data (final transaction amount, merchant ID/name, acquirer BIN, etc.) and sets payloadRequested = "AUTHENTICATED" in the Checkout API call.
Given this indication, Visa Click to Pay engages one of the issuer authentication methods before providing the payment payload:
Visa Click to Pay first checks its authentication rules:
If yes, Visa Click to Pay triggers that method (e.g. a 3DS challenge or a passkey prompt) within a lightbox/webview so the cardholder can verify themselves. If authentication is successful, Visa Click to Pay returns an ECI 05 (fully authenticated) token payload with cryptographic proof (e.g. a CAVV/TAVV) to the merchant. This gives the merchant fraud liability shift — any fraud chargeback would be borne by the issuer, just as with 3-D Secure.
Authentication may also be triggered explicitly by a merchant request. When initiating checkout, the SRCi sends a Checkout request that includes authentication-related data via the AuthenticationPreferences object. To request an authenticated payload, set AuthenticationPreferences.payloadRequested to AUTHENTICATED.
The AuthenticationPreferences object may also carry additional merchant- or SRCi-specific attributes that Visa can use when initiating authentication. Supported merchant and transaction details include:
Risk Evaluation
Visa Click to Pay's risk engine evaluates the transaction to determine whether step-up authentication is required. The decision is based on factors such as the card, device, velocity, and region settings.
Visa Click to Pay may require one of the following authentication methods. The method is selected by Click to Pay and returned as SRCS-Hosted-authentication in the Checkout API response — the SRCi must not assume or preselect a specific method.
Click to Pay applies the following preference order when selecting an authentication method (subject to issuer support, device eligibility, and risk evaluation):
What it is: A Visa Payment Passkey (VPP) is a FIDO2-compliant passkey (platform authenticator) that binds a cryptographic key pair to the user's device and card credentials. It allows the cardholder to authenticate by simply using a biometric (fingerprint, face recognition) or device PIN, without needing a separate code or password.
How it works: If a cardholder has registered a passkey for their card (typically offered during a prior Click to Pay checkout after completing an issuer-managed authentication), Click to Pay will preferentially prompt them to confirm their identity via biometric or device unlock. The passkey (backed by Visa's FIDO authentication service) locally verifies the user and generates a cryptographic signature (e.g. a TAVV — token authentication cryptogram). Click to Pay then returns an authenticated payload to the merchant indicating successful passkey-based authentication. Visa Payment Passkey will only be supported in Checkout API if SRCI supports pre-init.
If authentication is required, Visa Click to Pay returns the authentication method as SRCS_HOSTED_AUTHENTICATION and uriData. The SRCi launches the URL in a pop-up; Visa Click to Pay will administer passkey authentication. Once the authentication is completed by the cardholder, a postMessage is delivered.
After a successful passkey authentication, Visa Click to Pay returns the authentication result to the SRCi via postMessage. The assuranceData payload identifies passkey-based verification through verificationMethod: "05":
{
"assuranceData": {
"verificationData": [
{
"verificationType": "CARDHOLDER",
"verificationEntity": "02",
"verificationEvents": [
"01"
],
"verificationMethod": "05",
"verificationResults": "01",
"verificationTimestamp": "1754500546"
}
],
"eci": "07"
}
}
Security & friction: Passkeys provide high security (phishing-resistant, requiring possession of the user's device plus a biometric or PIN) with very low friction. The user experience is seamless — a quick face or fingerprint scan (or phone unlock) confirms the payment, avoiding the need to re-enter codes or passwords. Passkeys offer security comparable to or better than 3DS, while being faster and more user-friendly.
What it is: 3DS ("Three-Domain Secure," branded as Visa Secure for Visa) is a classic industry-standard protocol that enables issuers to authenticate cardholders during online transactions via an additional verification step. In Visa Click to Pay, 3DS is built into the platform — if required, Click to Pay can initiate a 3DS challenge behind the scenes on the merchant's behalf, without the merchant needing a separate 3DS integration.
How it works: If triggered (e.g. by merchant request or risk rules requiring a fully authenticated transaction), Click to Pay launches a 3DS challenge — usually by redirecting the shopper to their issuer's secure page or app (an Access Control Server, ACS) within a popup (iframes are not supported). The shopper may be asked to provide a password, one-time code, or use a biometric login to verify their identity to the issuer. After successful verification, the issuer's ACS returns a cryptographic CAVV/Authentication Value confirming strong authentication, and Click to Pay returns an authenticated payment payload (with appropriate ECI flag and cryptogram) to the merchant.
After a successful 3DS challenge, Visa Click to Pay returns the authentication result to the SRCi via postMessage. The assuranceData payload includes the 3DS-specific result fields (transStatus, dsTransId, acsTransId) inside methodResults.threeDsData:
{
"assuranceData": {
"verificationData": [
{
"verificationType": "CARDHOLDER",
"verificationEntity": "03",
"verificationEvents": [
"01"
],
"verificationMethod": "01",
"verificationResults": "01",
"verificationTimestamp": "1754500546",
"methodResults": {
"threeDsData": {
"transStatus": "Y",
"dsTransId": "123e4567-e89b-12d3-a456-426614174000",
"acsTransId": "987e6543-e21b-12d3-a456-426614174999"
}
}
}
],
"eci": "05"
}
}
Security & friction: 3DS authentication is very secure — a multi-factor check under direct issuer control, providing fraud liability shift to the issuer — but can introduce friction if a challenge is needed. In some cases, the issuer's risk engine may allow a frictionless 3DS flow (no user action required), but if a challenge is deemed necessary (e.g. for high-value payments or regulatory SCA requirements in regions like the EU), the customer must complete the extra step (entering an OTP, password, etc.).
What it is: Issuer Online Banking Authentication (also known as issuer "app" authentication) is an issuer-driven method facilitated by the Cloud Token Framework. The issuer uses its own banking app or web portal to authenticate the cardholder (often via a push notification or in-app approval) and signals the result back to Click to Pay via VTS. This leverages token-to-device binding data to securely link the device and card, ensuring the challenge is delivered to the correct cardholder's app. This also leverages cardholder verification for certain scenarios when authentication is required and token-to-device binding already exists for the card and device combination.
How it works: If transaction risk checks or preferences call for it — and the issuer supports CTF app-based authentication — Click to Pay redirects the user to a secure URL provided by the issuer (or opens an embedded frame). Depending on the user's device and issuer capability, the issuer may launch its mobile banking app (if installed) or prompt the user with a push notification. The user approves the pending transaction (often via biometric login or confirming within the app). The issuer then confirms the authentication to Click to Pay through the CTF back-end, and the shopper is seamlessly returned to the Click to Pay checkout screen to finalize the purchase.
After a successful issuer online banking authentication, Visa Click to Pay returns the authentication result to the SRCi via postMessage. The assuranceData payload identifies issuer online banking verification through verificationType: "CARDHOLDER" and verificationMethod: "02":
{
"assuranceData": {
"verificationData": [
{
"verificationType": "CARDHOLDER",
"verificationEntity": "03",
"verificationEvents": [
"01"
],
"verificationMethod": "02",
"verificationResults": "01",
"verificationTimestamp": "1754500546"
}
],
"eci": "05"
}
}
Security & friction: Issuer Online Banking authentication is very secure, since it happens in the issuer's controlled environment (typically requiring the user's banking login or biometric) — effectively a "bank-grade" multi-factor verification. User experience is convenient when the user has the banking app on the same device (a tap-to-approve), but adds friction if they need to switch apps or devices. It's often considered a more secure alternative to SMS OTP in markets where bank apps are common, and provides SCA compliance in regions like Europe.
What it is: Issuer OTP authentication is a method where the card's issuer verifies the shopper by sending a one-time password (often a 6-digit code) to the cardholder's email or mobile phone on record. In Click to Pay, this is implemented through Visa's Cloud Token Framework (CTF), which leverages token-to-device binding data to coordinate OTP delivery and verification between Visa and the issuer. This also leverages cardholder verification for certain scenarios when authentication is required and token-to-device binding already exists for the card and device combination.
How it works: If Click to Pay's risk engine or the merchant's preferences indicate that step-up verification is needed — and the card's issuer supports CTF OTP — Click to Pay initiates an OTP challenge. The Checkout API response provides the URL. The user is prompted to enter the code sent by their bank via SMS or email. The code is delivered out-of-band through the issuer's systems (or via Visa on the issuer's behalf), ensuring that only the legitimate cardholder with access to the registered phone/email can complete the purchase. The user enters the OTP into the Click to Pay interface, which verifies it with the issuer via the cloud service. Upon successful entry, the cardholder's identity is confirmed and the checkout proceeds with an authenticated status.
After a successful OTP challenge, Visa Click to Pay returns the authentication result to the SRCi via postMessage. The assuranceData payload identifies issuer OTP verification through verificationMethod: "04":
{
"assuranceData": {
"verificationData": [
{
"verificationType": "CARDHOLDER",
"verificationEntity": "03",
"verificationEvents": [
"01"
],
"verificationMethod": "04",
"verificationResults": "01",
"verificationTimestamp": "1754500546"
}
],
"eci": "05"
}
}
Security & friction: Issuer OTP offers strong two-factor security — requiring something the user has (their phone/email) and something they know (the code). It introduces moderate friction since the customer must retrieve a code from a separate channel and type it in. Overall, OTP provides a good balance between security and usability when passkeys or 3DS challenges aren't available or necessary.
What it is: CVV2-based authentication verifies the 3-digit Card Verification Value (CVV2) printed on the card. It's essentially a "something you have" check — confirming the shopper possesses the physical card by asking for the code.
How it works: During a Click to Pay checkout, a CVV2 prompt may appear, asking the cardholder to enter their card's security code (the familiar e-commerce CVV/CVC field). The code is validated either through Visa's network (if the issuer has shared CVV validation keys with Visa for on-behalf verification) or directly by the issuer in the authorization message. A correct CVV2 entry is taken as evidence that the user has the physical card (or its details) and is likely the legitimate cardholder.
After a successful CVV2 challenge, Visa Click to Pay returns the authentication result to the SRCi via postMessage. The assuranceData payload identifies CVV2-based verification through verificationType: "CARD" and verificationMethod: "02":
{
"assuranceData": {
"verificationData": [
{
"verificationType": "CARD",
"verificationEntity": "02",
"verificationEvents": [
"01"
],
"verificationMethod": "02",
"verificationResults": "01",
"verificationTimestamp": "1754500546"
}
],
"eci": "07"
}
}
Security & friction: CVV2 verification is a basic security step — less robust than the other methods (CVV2 is a static code that can be compromised along with the card number), but it does provide some assurance of card possession. Friction is low (a quick code entry). Unlike 3DS or passkeys, CVV2 is not considered fully strong authentication — it doesn't generate an authentication cryptogram or fulfill two-factor requirements — so it's typically treated as a fallback method in Click to Pay.
The DPA URL is required for hosting the authentication and providing the post message afte completion of authentication. When Visa Click to Pay requires step-up authentication, the SRCi launches the Visa-hosted B2B UX in a popup or iframe (the uriData URL returned in the Checkout response). On completion, the Visa page is on a *.visa.com origin while the merchant page is on merchant.com. Because these are different origins, the result cannot be passed by direct JavaScript access; it is returned via the window.postMessage API.
For postMessage to deliver the result securely and only to the merchant, Visa needs to know the merchant's exact origin. The merchant supplies this through dpaData.dpaUri in the /transaction/credentials Checkout request. Visa uses that value as the targetOrigin when posting the result back.
Key rule: Pass window.location.origin (scheme + host + port) as dpaData.dpaUri — never window.location.href, and never a wildcard (*).
Setting dpa.Data.dpa.Uri
const dpaData = {
dpaUri: window.location.origin
};
// If the merchant checkout page is:
// https://merchant.com/checkout/payment?sessionId=abc123
window.location.origin // → "https://merchant.com"
// Pass to Visa in the /transaction/credentials request:
{ "dpaUri": "https://merchant.com" }
Origin vs. Full URL vs. Wildcard
| Value | Example | Use? | Reason |
|---|---|---|---|
| window.location.origin | https://merchant.com | Yes | Matches the postMessage targetOrigin; the exact value Visa needs |
| window.location.href | https://merchant.com/checkout?sessionId=abc123 | No | Includes path/query/fragment that aren't needed and can leak data |
| * (wildcard) | * | No | Delivers the result to any origin — a malicious origin could receive it |
How Visa Returns the Result
// Popup flow
window.opener.postMessage(assuranceData, dpaData.dpaUri);
// Iframe flow
window.parent.postMessage(assuranceData, dpaData.dpaUri);
The browser delivers the message only if the receiving window's origin exactly matches dpaData.dpaUri.
Merchant Integration Steps
| Step | Action | Required | Notes |
|---|---|---|---|
| 1 | Set dpaData.dpaUri = window.location.origin in the /transaction/credentials request | Yes | Provides the exact merchant origin for secure delivery |
| 2 | Use origin only (https://merchant.com), not the full URL | Yes | Origin is the value Visa needs as targetOrigin |
| 3 | Register a message listener before launching the B2B UX | Yes | window.addEventListener("message", handleVisaMessage) |
| 4 | Launch the B2B UX (uriData) as popup or iframe | Yes | Visa uses dpaData.dpaUri when posting the result back |
| 5 | Validate the sender origin (event.origin) | Yes | Accept only trusted *.visa.com origins |
| 6 | Validate the message shape before processing | Yes | Handle event.data.error and event.data.assuranceData |
| 7 | Handle result statuses (success / cancel / error) | Yes | Implement business logic per outcome |
Merchant Copy/Paste Example
// 1. Build DPA data
const dpaData = { dpaUri: window.location.origin };
// 2. Validate that a message came from a trusted Visa origin.
// Maintain a wildcard pattern (*.visa.com) in configuration and
// validate concrete origins at runtime, e.g.:
// https://sandbox.clicktopay.auth.visa.com
// https://clicktopay.auth.visa.com
// https://src.visa.com
function isAllowedVisaOrigin(origin) {
try {
const url = new URL(origin);
return url.protocol === "https:" &&
(url.hostname === "visa.com" || url.hostname.endsWith(".visa.com"));
} catch {
return false;
}
}
// 3. Register the listener BEFORE launching the B2B UX
window.addEventListener("message", function (event) {
// Always validate the sender origin first
if (!isAllowedVisaOrigin(event.origin)) return;
if (!event.data) return;
// Error response
if (event.data.error) {
const error = event.data.error;
console.error(`Visa Error ${error.status}: ${error.reason} - ${error.message}`);
// e.g. { status: "403", reason: "SESSION_TIMEOUT", message: "Session has expired..." }
return;
}
// Success response with assuranceData
if (event.data.assuranceData) {
const { assuranceData } = event.data;
if (assuranceData.verificationData) { /* verificationType, verificationMethod, eci, ... */ }
if (assuranceData.eci) { /* ECI 05/07 */ }
// Re-initiate Checkout with assuranceData (see End-to-End Checkout Workflow, step 8)
}
});
// 4. Launch the Visa B2B UX (uriData from the Checkout response)
const popup = window.open(uriData, "visa-b2b-ux-popup", "width=600,height=700");
// Iframe alternative: <iframe src="<uriData>"></iframe>
Security Benefits
Merchant Checklist
Before invoking the Checkout API, the following conditions must be met:
Workflow:
The following workflow describes the complete checkout sequence, from card selection through payment authorization and consumer outcome. Steps marked (conditional) apply only when step-up authentication is required.
Select card for checkout
The cardholder selects a card for checkout in the SRCi checkout experience.
Initiate Checkout
The SRCi calls the Checkout endpoint, including the selected digital card and the desired payloadTypeIndicatorCheckout value. SRCi requesting authentication includes AuthenticationPreferences.payloadRequested = AUTHENTICATED and supported merchant and transaction details include:
Authentication evaluation
Visa Click to Pay evaluates the transaction for the need for authentication based on risk rules or request from SRCi. Visa Click to Pay determines whether cardholder authentication is required.
Authentication decision
Launch authentication (conditional)
The SRCi launches the uriData URL in a popup window to initiate the step-up authentication experience.
Consumer authentication (conditional)
The consumer completes the authentication challenge in the Visa-hosted user experience using one of the following methods:
Visa Payment Passkeys
Authentication result (conditional)
Visa Click to Pay returns the authentication result via postMessage, including:
The assurance data provides the details of the authentication method completed.
Complete Checkout
The SRCi resumes checkout by calling the Checkout endpoint again, including the received assuranceData.
Final checkout response
Visa Click to Pay returns the final checkout response.
Payload decision
Payload retrieval (conditional)
If a FULL payload is required, the SRCi calls the Checkout endpoint with the transaction identifier to retrieve a FULL payload.
Payment authorization
The SRCi submits the payment authorization request to the payment processor (gateway/acquirer) using the available FULL payload. The payment processor returns an authorization result.
Consumer outcome
Endpoint Name: Checkout Operation
Method: POST
Endpoint: /transaction/credentials
Refer to the API specifications for the complete request and response and any additional details.
Sample Request
{
"srcClientId": "{{srcClientId}}",
"srcDpaId": "{{srcDpaId}}",
"srcCorrelationId": "{{srcCorrelationId}}",
"srciTransactionId": "{{srciTransactionId}}",
"srcDigitalCardId": "{{srcDigitalCardId}}",
"dpaData": {
"dpaUri": “{
{dpaUri
}
}”
},
"dpaTransactionOptions": {
"transactionAmount": {
"transactionAmount": "{{transactionAmount}}",
"transactionCurrencyCode": "{{currencyCode}}"
},
"authenticationPreferences": {
"payloadRequested": "AUTHENTICATED"
},
"acquirerMerchantId": “{
{acquirerMerchantId
}
}","acquirerBin": “{
{acquirerBin
}
}”,
"merchantName": “{
{merchantName
}
}”,
"consumerNationalIdentifierRequested": true,
"dpaLocale": "en_US"
},
"payloadTypeIndicatorCheckout": "FULL"
}
Sample Response - Pending Authentication
{
"srcCorrelationId": "5C8E8754E800R2b3c3ed4-97f1-753d-54a2-1a08d44ad401",
"srciTransactionId": "14744809-1b67-45dd-9bfb-12910f5f2ad9",
"maskedConsumer": {
"srcConsumerId": "1febd823-6392-fa8a-dc45-11a262cc4a01",
"maskedConsumerIdentity": {
"identityType": "EMAIL_ADDRESS",
"maskedIdentityValue": "tes**@yopmail.com"
},
"maskedEmailAddress": "tes**@yopmail.com",
"maskedMobileNumber": {
"countryCode": "1",
"phoneNumber": "5652"
},
"countryCode": "US",
"languageCode": "en-US",
"status": "ACTIVE",
"maskedFirstName": "P",
"maskedLastName": "T**",
"maskedFullName": "P*****"
},
"maskedCard": {
"srcDigitalCardId": "fa88832cda834e36e45c1e844fae7c01",
"panBin": "414778",
"panLastFour": "0745",
"tokenBinRange": "464050733",
"tokenLastFour": "0069",
"tokenId": "ea01b1b60a317be587c418a7969d9301",
"digitalCardData": {
"status": "PENDING",
"descriptorName": "longDescription",
"artUri": "https://qa.assets.vims.visa.com/vims/cardart/0962c
844f27e4a83b912ad5545518d9d.png",
"artHeight": 968,
"artWidth": 1536,
"pendingEvents": [
"PENDING_CARDHOLDER_AUTHENTICATION"
],
"authenticationMethods": [
{
"authenticationMethodType": "SRCS_HOSTED_AUTHENTICATION",
"authenticationSubject": "CARDHOLDER",
"uriData": {
"uri": "https://b2cp-vco-dev2b-2.oce-np-sm-ddp-p-
en.trusted.visa.com/
checkout-widget/stepup/b2b-integration",
"uriType": "WEB_URI"
}
}
]
},
"panExpirationMonth": "10",
"panExpirationYear": "2029",
"paymentCardDescriptor": "longDescription",
"paymentCardType": "Credit Card",
"countryCode": "US",
"maskedBillingAddress": {
"addressId": "cc912b29-8b5a-36ef-3698-1f1cb5145a01",
"line1": "801*****",
"city": "Fos*****",
"state": "CA",
"countryCode": "US",
"zip": "944*****"
},
"paymentAccountReference": "V0010013825314391699431661850",
"dateOfCardCreated": 1767742548509
}
}
{
"srcDigitalCardId": "{{srcDigitalCardId}}",
"srcDpaId": "{{srcDpaId}}",
"srcCorrelationId": "{{srcCorrelationId}}",
"srciTransactionId": "{{srciTransactionId}}",
"payloadTypeIndicatorCheckout": "FULL",
"assuranceData": {
"verificationData": [
"{{verificationData}}"
]
},
"dpaTransactionOptions": {
"transactionAmount": {
"transactionAmount": "{{transactionAmount}}",
"transactionCurrencyCode": "{{currencyCode}}"
},
"authenticationPreferences": {
"payloadRequested": "AUTHENTICATED"
}
}
}
{
"checkoutResponse": {
"srcCorrelationId": "{{srcCorrelationId}}",
"maskedCard": {
"srcDigitalCardId": "{{srcDigitalCardId}}",
"panLastFour": "{{panLastFour}}",
"digitalCardData": {
"status": "ACTIVE"
}
},
"assuranceData": {
"eci": "{{eci}}"
},
"encryptedPayload": "{{encryptedPayload}}",
"enrollmentReferenceData": "{{enrollmentReferenceData}}"
}
}
The Payload Retrieval capability allows retrieval of payment data and payment‑related information required for payment authorization using the GET /transactions/credentials endpoint. Payload retrieval is typically performed after checkout when the checkout response does not include a FULL payload suitable for authorization, such as when a SUMMARY or NON_PAYMENT payload type is used.
Payload retrieval using GET /transactions/credentials may only be performed by a Payment SRCi. Retrieving a FULL or PAYMENT payload using this endpoint must only be done by Payment SRCis. If the SRCi is operating in a Non‑Payment SRCi role, payload retrieval must be performed by the SRCi’s payment facilitator, payment processor, or gateway (the entity responsible for transaction processing).
This capability is commonly used to obtain payment credentials required to complete authorization, including scenarios where payment data is pre‑stored or where downstream payment systems require an encrypted payload.
Use Cases:
Payload retrieval supports the following use cases:
Payload Types:
Using GET /transactions/credentials, the following payload types may be retrieved:
Retrieval of FULL or PAYMENT payloads using this endpoint is restricted to Payment SRCis.
Cryptogram Details:
Payloads returned from GET /transactions/credentials may include the following EMVCo cryptogram types:
An encryptedSignedPayload contains either:
In addition, the payload may also include a CARDHOLDER_AUTHENTICATION_CRYPTOGRAM alongside the LONG or SHORT FORM cryptogram.
The payload retrieved using GET /transactions/credentials is used by the Payment SRCi (or its delegated payment processor) to submit a payment authorization request and complete transaction processing. Payload retrieval itself does not authorize a transaction; it provides the encrypted data required to do so.
Either of the following approaches will work. They differ only in how the cryptogram is delivered to the SRCI/Merchant; via a separate Get Payload API call, or inline in the Checkout API response.
Option 1: Checkout API returns a summary; cryptogram retrieved via Get Payload API
The Checkout API does not return a payload containing the cryptogram. Instead, the merchant application retrieves the cryptogram separately using the Get Payload API.
1. Merchant application calls the Checkout API (Post/src/v1/transaction/credentials) with SUMMARY indicators:
checkout.DpaTransactionOptions.payloadTypeIndicatorCheckout = "SUMMARY"
2. Merchant application calls the Get Payload API (Get/src/v1/transaction/credentials), passing:
The Get Payload API response includes the cryptogram (see Cryptogram Response by Authentication Method below).
Any subsequent get Payload API calls for the same transaction will provide a TAVV with no liability shift.
Option 2: Checkout API returns the cryptogram inline
The Checkout API itself returns the payload containing the cryptogram. No separate Get Payload API call is required.
1. Merchant application calls the Checkout API with FULL indicators: checkout.DpaTransactionOptions.payloadTypeIndicatorCheckout = " "FULL"
2. The Checkout API response includes the cryptogram (see Cryptogram Response by Authentication Method below).
Calling Get Payload API a Second Time for the Same Transaction
If the Get Payload API is called again for the same transaction — using the same srcCorrelationId and srcClientId as the Checkout API and payloadTypeIndicator = "FULL" — then regardless of which authentication method was completed earlier, Visa returns only a TAVV (Card Application Cryptogram Long Form) with ECI 07.
Cryptogram Response by Authentication Method:
The cryptogram(s) returned depend on the authentication method completed. This is identical for both options above.
· 3DS authentication completed
Both a CAVV (ECI 05) and a TAVV are returned:
"dynamicData": [
{
"dynamicDataValue": "AgA...A=",
"dynamicDataType": "CARD_APPLICATION_CRYPTOGRAM_LONG_FORM",
"dynamicDataExpiration": "Thu Jun 17 03:23:13 GMT 2026"
},
{
"dynamicDataValue": "Y2F...g=",
"dynamicDataType": "CARDHOLDER_AUTHENTICATION_CRYPTOGRAM"
}
]
· Other authentication methods (Passkeys, Issuer OTP, Issuer Online Banking)
Only a TAVV is returned, with a liability shift:
"dynamicData": [
{
"dynamicDataValue": "AgA...A=",
"dynamicDataType": "CARD_APPLICATION_CRYPTOGRAM_LONG_FORM",
"dynamicDataExpiration": "Thu Jun 17 03:23:13 GMT 2026"
}
]
Workflow:
Initiate payload retrieval
A Payment SRCi initiates payload retrieval by calling Payload Retrieval (GET /transactions/credentials), providing:
• srcCorrelationId or srcDigitalCardId
• payloadTypeIndicator=FULL (or PAYMENT, if applicable)
Validate SRCi role
Visa Click to Pay validates that the caller is acting in the Payment SRCi role and is authorized to retrieve FULL or PAYMENT payloads.
Validate request parameters
Visa Click to Pay validates the request parameters, including the transaction identifier and requested payload type.
Retrieve payment credentials
Visa Click to Pay retrieves the required payment data, including the token and applicable cryptogram(s), for the identified transaction.
Visa Click to Pay assembles the encrypted payload (encryptedPayload) containing the payment credentials and associated transaction data.
Return payload response
Visa Click to Pay returns a successful response to the Payment SRCi, including:
• encryptedPayload
• The applicable Electronic Commerce Indicator (ECI)
Submit payment authorization
The Payment SRCi submits the authorization request to the payment processor (gateway or acquirer) using the retrieved payload.
Receive authorization result
The payment processor returns the authorization result (approved or declined) to the Payment SRCi.
Endpoint Name: GetPayload
Method: GET
Endpoint: /transaction/credentials
Refer to the API specifications for the complete request and response and any additional details.
{
"srcClientId": "3EY722QTUPZCY5X5A3IY21OLy4te0ZTO9KB3PJMW9ugdQ3ZAQ",
"srcCorrelationId": "5C8E8754E800R2b3c3ed4-97f1-753d-54a2-1a08d44ad401",
"payloadTypeIndicator": "FULL"
}
{
"payloadResponse": {
"srcCorrelationId": "5C8E8754E800R2b3c3ed4-97f1-753d-54a2-1a08d44ad401",
"srciTransactionId": "14744809-1b67-45dd-9bfb-12910f5f2ad9",
"maskedConsumer": {
"srcConsumerId": "1febd823-6392-fa8a-dc45-11a262cc4a01",
"maskedConsumerIdentity": {
"identityType": "EMAIL_ADDRESS",
}
},
"maskedCard": {
"srcDigitalCardId": "fa88832cda834e36e45c1e844fae7c01",
"panBin": "414778",
"panLastFour": "0745",
"digitalCardData": {
"status": "ACTIVE"
}
},
"assuranceData": {
"eci": "05",
"verificationData": [
{
"verificationType": "CARDHOLDER",
"verificationEntity": "03",
"verificationEvents": [
"01"
],
"verificationMethod": "01",
"verificationResults": "01",
"verificationTimestamp": "1770189908889"
}
]
}
},
"encryptedPayload": "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.payloadJWE.signature"
}
The Transaction Confirmation capability is used to notify Visa Click to Pay of the final outcome of a checkout or payment authorization. Transaction Confirmation ensures that Visa Click to Pay is informed of whether a transaction was successfully authorized or declined.
Both Payment SRCis and Non‑Payment SRCis may perform Transaction Confirmation using the POST /confirmations endpoint.
Prerequisites:
Workflow:
Submit authorization request
The SRCi submits a payment authorization request to the payment processor or acquirer using the retrieved payment credentials.
Authorization processing
The payment processor processes the authorization request and returns one of the following outcomes:
• Approved – Transaction authorized
• Declined – Transaction declined by issuer
Handle authorization outcome
On approval:
On decline:
Notify Visa Click to Pay
The SRCi notifies Visa Click to Pay of the checkout or payment authorization result by calling the Transaction Confirmation endpoint (POST /confirmations), including the event type and authorization outcome.
Confirmation response
Visa Click to Pay records the transaction confirmation and returns a response to the SRCi.
Consumer notification
The SRCi displays the final success or failure status to the consumer.
Transaction Confirmation ensures Visa Click to Pay has an accurate record of the transaction outcome. This step does not authorize a transaction; it records the result of authorization processing performed by the payment processor.
Endpoint Name: Create Confirmation
Method: POST
Endpoint: /confirmations
Refer to the API specifications for the complete request and response and any additional details.
{
"srcClientId": "3EY722QTUPZCY5X5A3IY21OLy4te0ZTO9KB3PJMW9ugdQ3ZAQ",
"srcCorrelationId": "5C8E8754E800R2b3c3ed4-97f1-753d-54a2-1a08d44ad401",
"confirmationData": {
"checkoutEventType": "01",
"confirmationStatus": "01",
"confirmationTimestamp": "1770191200123",
"networkAuthorizationCode": "A12345",
"networkTransactionIdentifier": "9876543210"
}
}
{
"srcCorrelationId": "5C8E8754E800R2b3c3ed4-97f1-753d-54a2-1a08d44ad401"
}