Unified Click to Pay

Merchants and Payment Service Providers

How to Integrate Unified Click to Pay

Introduction

While e-commerce has become one of the fastest-growing environments for payments, online transactions are associated with a unique set of challenges. Merchant checkout conversion remains low in e-commerce, with high cart abandonment rates, partly caused by friction from manual entry of multiple form fields at checkout. In cases where conversions succeed, payment approval rates for e-commerce may be lower than for in-store card present transactions. In addition, e-commerce fraud rates are rising compared to fraud in the card present environment.

EMVCo has created a set of industry-wide standards for e-commerce transactions. The EMV Secure Remote Commerce (SRC) standards aim to address these concerns for remote commerce, including e-commerce and mobile commerce, and will serve as a framework for solutions that can help make online buying easy and smart.

Visa is applying these standards through a suite of solutions, including Unified Click to Pay, which incorporates our proprietary technologies for tokenization of primary account numbers, fraud prevention, and real-time transaction risk analysis.

Unified Click to Pay provides merchants and payment service providers (PSP) with a frictionless, network-agnostic online checkout experience through a single point of integration.

Unified Click to Pay is an important part of the Visa Digital Commerce Program, which aims to address industry concerns surrounding digital payments, including improving cardholder/merchant trust and checkout conversion. Unified Click to Pay supports and builds upon the security provided by Visa Token Service.

Similar to the brick-and-mortar environment in which a POS terminal provides merchants with card acceptance capability, Unified Click to Pay provides e-commerce merchants with a secure method to initialize the Click to Pay checkout experience and accept card payments. Unified Click to Pay is designed to:

  • Reduce the need to enter account numbers and passwords during checkout flows.
  • Provide a simple and consistent digital checkout experience.
  • Help make payment credentials less vulnerable to fraud.
  • Enable multiple payment networks that support the Click to Pay checkout experience.

Audience and Scope

This document defines implementation requirements for solution providers participating in the Visa Digital Commerce Program (VDCP) and utilizing Unified Click to Pay.

This document focuses on the Merchant Orchestrated Checkout experience, in which the end-to-end user experience is rendered by a merchant or its payment service providers. The non-Visa schemes accessible through Unified Click to Pay may also provide separate UX guidance for completion of checkout (e.g., with respect to authentication UX).

Key Terms

Please view the Glossary here.

Related Publications

The table below includes related documents that should be read for complete understanding of technical and user experience requirements. These documents are available from your Visa representative.

| Title | Description |
| --- | --- |
| EMV® Payment Tokenisation Specification Technical Framework | Describes the payment token system landscape, the types of entities that provide key support for the use of payment tokens, the details to implement multiple use cases, and the benefits of adopting a unified approach. Available from www.emvco.com. |
| Unified Click to Pay JavaScript Reference | Provides API specifications for DPA to integrate with Unified Click to Pay. |
| Visa Token Service e-Commerce/Card-on-File Implementation Guide for Token Requestors | Provides information about implementing Visa Token Service e-commerce token use cases. |

Roles and Responsibilities

The table below details the roles and responsibilities of Unified Click to Pay participants.

| | Digital Payment Application (Payment Service Provider) | Digital Payment Application (Merchant) | Non-Payment SRCi (Unified Click to Pay) | Digital Card Facilitator | Click to Pay SRC System (participating payment networks) | Issuer |
| --- | --- | --- | --- | --- | --- | --- |
| Merchant Registration | Onboard merchant and perform KYC. Validate incoming merchant application end points. Register merchant with Unified Click to Pay. | Onboard to Unified Click to Pay by working with Payment Service Provider or working with Visa. | N/A | N/A | Register merchant’s applications and processing identifiers. Generate and provide “Token User” identifier. | N/A |
| Guest Checkout - Repeat Purchase Flow | Trigger Click to Pay checkout from Merchant Guest Checkout flow. Provide card list from all supported Click to Pay Systems and card selection UX. Receive authenticated Click to Pay payload for payment processing. | Trigger Click to Pay checkout from Merchant Guest Checkout flow. Provide card list from all supported Click to Pay Systems and card selection UX. Receive authenticated Click to Pay payload for payment processing. | Fetch list of cards from all supported Click to Pay Systems for recognized and unrecognized users. | Initiate CVM. Retrieve checkout response from Click to Pay System. | Send Click to Pay payload based on transaction parameters. | Provide issuer card art and Cardholder Verification (CVM) services. |
| Guest Checkout – Payment Flow | Present Review and Confirm and Order Confirmation page. | Present Review and Confirm and Order Confirmation page. | Receive Visa Click to Pay Payload from DPA. | Retrieve payment credentials from encrypted Payload or from Visa Click to Pay System using Click to Pay Transaction ID. | Return Click to Pay Summary Payload to Digital Terminal. | |

DPA Onboarding to Unified Click to Pay

A DPA manages and provides checkout integration to its clients. The following business entities may participate under VDCP:

  • Merchants
  • Acquirers/Gateways
  • Platform providers
  • Other third-party service providers

DPA must enroll and adhere to Visa Digital Commerce Program requirements. Visa will work with qualified DPA to certify their solution for VDCP participation. Please contact your Visa representative for more information.

Architecture and User Experience

High Level Architecture

  1. DPA (Merchant or Payment Service Provider) integrates Unified Click to Pay for the checkout flow.
  2. Upon initialization, DPA performs card entry/selection step based on user recognition performed by Unified Click to Pay.
  3. DPA sends the order, consumer selection, and additional data captured to Unified Click to Pay.
  4. Unified Click to Pay responds with a checkout payload to DPA.
  5. DPA calls Unified Click to Pay (if needed) to receive the full payment payload and completes transaction processing.

High Level User Flow

Use Cases

This section will cover high level use cases, related user journeys, and requirements to enable the Unified Click to Pay Merchant Orchestrated Checkout experience on a payment application.

Click to Pay Merchant Orchestrated Checkout

Merchant Orchestrated Checkout is a type of Click to Pay implementation in which a DPA enables an end-to-end checkout experience for the consumer. It eliminates key entry of card and personal information for a recognized user, reduces the number of steps involved in checkout completion, and avoids errors, leading to a better checkout conversion.

For a recognized consumer on a device, DPA will display the list of Click to Pay enabled cards on the checkout page. Once the consumer selects a card, the DPA will orchestrate functions to collect additional information, perform cardholder verification, and show the order confirmation page.

Note: A recognized experience can be enabled for a new consumer if the consumer has used Click to Pay previously on the same device (with a different merchant) and has opted into “Remember Me”. 

User Journeys

A DPA can create multiple checkout initialization experiences for their consumers. Sample user journeys are discussed in this section and the Click to Pay UX Guidelines, available from your Visa representative.

Note: These user journeys are provided for illustrative purposes only. DPA should independently evaluate all content and recommendations considering their specific business needs, operations, and policies, as well as any applicable laws and regulations.

Returning recognized user

Assumptions:

  • DPA is onboarded for integrating with Unified Click to Pay.
  • Consumer has used the device to perform a prior checkout.
  • Consumer has previously enrolled in Click to Pay and chosen to be remembered during prior checkout on the same device.
  • Consumer has one or more cards enrolled in Click to Pay.

Journey:

  1. Consumer navigates to the merchant’s checkout page.
    1. DPA calls initialize() method (if not already done before).
  2. DPA calls Unified Click to Pay to obtain the card list. Since the user had previously selected the option to be remembered on this device, an aggregated ordered card list will be returned. (For more information, see Section, DPA Click to Pay Card List for Presentment.)
    1. DPA calls getCards() method with the consumer email value in the consumerIdentity request field. Since the consumer is recognized, the response actionCode is set to SUCCESS and the response returns the card list for all participating SRC networks.
  3. DPA displays card selection from the card list obtained from Unified Click to Pay.
  4. Consumer selects a card from the card list and continues to perform the checkout. Note: If only one card is available, this step may be skipped.
    1. DPA calls checkout() method to receive the full checkout payload if payloadTypeIndicatorCheckout is set to FULL.
    2. DPA calls checkout() method to receive the summary checkout payload if payloadTypeIndicatorCheckout is set to SUMMARY. In this case, DPA needs to call the Get Payload API to receive the full checkout payload.
  5. DPA receives card details. If a step-up indicator is returned, only partial information will be available for display for security and privacy reasons.
  6. Unified Click to Pay orchestrates the Cardholder Verification Method (CVM) for the selected card (when applicable).
  7. Once the consumer confirms the order, DPA submits the order.

Returning unrecognized user

Assumptions:

  • DPA is onboarded for integrating with Unified Click to Pay.
  • Consumer has previously enrolled in Click to Pay and chosen not to be remembered on device.
  • Consumer is not recognized on the device by Unified Click to Pay.
  • DPA provides an option to perform Email Lookup for consumer.

Journey:

  1. Consumer navigates to the merchant’s checkout page.
    1. DPA calls initialize() method (if not already done before).
  2. DPA calls Unified Click to Pay to obtain the card list. Since the user had chosen not to be remembered on this device, Unified Click to Pay initiates consumer profile lookup from all Click to Pay supported schemes with the consumer email address. Based on the responses from the Click to Pay schemes, a one-time code flow is initiated to validate the consumer’s identity.
    1. DPA calls getCards() method with the consumer email value in the consumerIdentity request field. Since the consumer is unrecognized, the response actionCode field is set to PENDING_CONSUMER_IDV.
  3. Consumer receives a one-time code via email or text (SMS).
  4. DPA presents a screen to capture the one-time code. The one-time code entered is sent to Unified Click to Pay for verification. Note: At this step, merchant may also present “Skip Verification” or “Remember Me” options to make future purchases faster using Click to Pay on the same device or browser. If the user chooses this option, the merchant also passes this consent to Unified Click to Pay.
    1. DPA calls getCards() method again with the consumer-entered one-time code value in the validationData request field. The response actionCode is set to SUCCESS and the response returns the card list for all participating SRC networks.
  5. Unified Click to Pay uses the verified identity to return an aggregated ordered card list obtained from all Click to Pay schemes.
  6. DPA displays card selection from the card list obtained from Unified Click to Pay.
  7. Consumer selects a card from the card list and continues to perform the checkout. Note: If only one card is available, this step may be skipped.
    1. DPA calls checkout() method to receive the full checkout payload if payloadTypeIndicatorCheckout is set to FULL.
    2. DPA calls checkout() method to receive the summary checkout payload if payloadTypeIndicatorCheckout is set to SUMMARY. In this case, DPA needs to call the Get Payload API to receive the full checkout payload.
  8. DPA receives card details. If a step-up indicator is returned, only partial information will be available for display for security and privacy reasons.
  9. Unified Click to Pay orchestrates any Cardholder Verification Method (CVM) for the selected card (when applicable).
  10. Once the consumer confirms the order, DPA submits the order.

First Time User

Assumptions:

  • Consumer does not have a Click to Pay profile.

Journey:

  1. Consumer navigates to the merchant's checkout page.
  2. The merchant captures all necessary data, including card details, name, billing address, email address, and phone number.
  3. The merchant displays Click to Pay awareness content, terms, privacy notice, profile information, and an opt-out option to consumer.
  4. After the consumer confirms the order, the payment transaction is processed outside Click to Pay and the consumer's card is enrolled in Click to Pay.
  5. The merchant submits the order and other selections to the Click to Pay system to receive the checkout response.
  6. The Click to Pay system creates a new profile for consumer and adds the card under the profile for future use.
  7. An email is sent to consumer with the result of the enrollment request.

Cardholder Authentication Methods

Visa Secure with EMV 3-D Secure is embedded within Click to Pay so that a DPA can obtain an authenticated payload for Unified Click to Pay transactions without having to integrate with an external 3DS provider. This may not be available depending on regulatory requirements for certain countries or regions (e.g., Strong Customer Authentication in Europe). DPA can provide a specific authentication preference during the transaction for Click to Pay to facilitate 3DS authentication.

In the checkout request, the merchant can pass an authentication preference specifying 3DS as a method and pass respective configuration settings, including challenge indicator, to request 3DS authentication to be performed by Unified Click to Pay on behalf of its DPA. Unified Click to Pay will perform 3DS and return payment credentials in the checkout response, including ECI value and dynamic data.

Note: The merchant must be configured for 3DS authentication with Visa to take advantage of 3DS within Click to Pay.

3DS Authentication

Assumptions:

  • The merchant may or may not provide an authentication preference for the transaction.
  • The merchant may be in a region that only supports 3DS.
  • Unified Click to Pay may decide to perform step-up authentication based on risk assessment.

Journey:

  1. The merchant receives masked card details from Unified Click to Pay.
  2. Consumer selects a card from the card list and continues to perform the checkout.
  3. Once consumer confirms the order, the merchant indicates the preference for authentication and submits the information and other selections to Unified Click to Pay to receive the checkout payload.
  4. Based on its risk assessment and/or the merchant’s request for authentication, Unified Click to Pay may decide that cardholder verification is required. Unified Click to Pay determines the authentication method based on the preferred method of the issuer or of the country or region (e.g., 3DS, Passkeys, Issuer Online Banking, Issuer SMS/Email OTP, and CVV2). In this use case, Unified Click to Pay decides to perform 3DS authentication.
  5. Upon successful 3DS authentication, Unified Click to Pay returns payment credentials in the checkout response, including ECI value and dynamic data.
  6. If authentication is unsuccessful or declined, consumer will not be able to proceed with the transaction using the selected card. The transaction must be reinitiated, and consumer may select another card for the transaction.

FIDO (Fast Identity Online) is a set of standards-based authentication protocols designed to enable biometric authentication online. To ensure cardholders get an improved and more seamless e-Commerce checkout experience, Visa is introducing Click to Pay with authentication through passkeys built on FIDO alliance standards. 

Enrollment

FIDO Enrollment

Assumptions:

  • Issuer supports 3DS authentication.

Journey:

  1. The merchant receives masked card details from Unified Click to Pay.
  2. Consumer selects a card from the card list and continues to perform the checkout.
  3. Once consumer confirms the order, the merchant indicates the preference for authentication and submits the information and other selections to Unified Click to Pay to receive the checkout payload.
  4. Based on its risk assessment and/or the merchant’s request for authentication, Unified Click to Pay may decide that cardholder verification is required. Unified Click to Pay determines the authentication method based on the preferred method of the issuer or of the country or region (3DS, Passkeys, Issuer Online Banking, Issuer SMS/Email OTP, and CVV2). In this use case, Unified Click to Pay decides to perform 3DS validation.
  5. Upon successful 3DS validation, Unified Click to Pay will also determine whether the consumer is eligible for Passkey registration based on the device and other parameters. If the consumer is eligible, Unified Click to Pay will initiate Passkey enrollment.
  6. Upon successful Passkey enrollment, Unified Click to Pay returns payment credentials in the checkout response, including ECI value and dynamic data.
  7. If authentication is unsuccessful or declined, consumer will not be able to proceed with the transaction using the selected card. The transaction must be reinitiated, and consumer may select another card for the transaction.
  8. Consumer receives a confirmation email stating they have successfully created a Passkey associated with the selected card for future use.

Authentication

FIDO Authentication

Assumptions:

  • Consumer has previously set up a Passkey for the card selected on the same device during checkout.

Journey:

  1. The merchant receives masked card details from Unified Click to Pay.
  2. Consumer selects a card from the card list and continues to perform the checkout.
  3. Once consumer confirms the order, the merchant indicates the preference for authentication and submits the information and other selections to Unified Click to Pay to receive the checkout payload.
  4. Based on its risk assessment and/or the merchant’s request for authentication, Unified Click to Pay may decide that cardholder verification is required. Unified Click to Pay determines the authentication method based on the preferred method of the issuer or of the country or region (3DS, Passkeys, Issuer Online Banking, Issuer SMS/Email OTP, and CVV2). In this use case, Unified Click to Pay recognizes a Passkey in association with the device and card selected and prompts the consumer to complete Passkey authentication.
  5. Upon successful Passkey validation, Unified Click to Pay returns payment credentials in the checkout response, including ECI value and dynamic data.
  6. If authentication is unsuccessful or declined, consumer will not be able to proceed with the transaction using the selected card. The transaction must be reinitiated, and consumer may select another card for the transaction.

Assumptions:

  • The merchant may or may not provide an authentication preference for the transaction.
  • Unified Click to Pay may decide to perform step-up authentication based on risk assessment.

Journey:

  1. The merchant receives masked card details from Unified Click to Pay.
  2. Consumer selects a card from the card list and continues to perform the checkout.
  3. Once consumer confirms the order, the merchant indicates the preference for authentication and submits the information and other selections to Unified Click to Pay to receive the checkout payload.
  4. Based on its risk assessment and/or the merchant’s request for authentication, Unified Click to Pay may decide that cardholder verification is required. Unified Click to Pay determines the authentication method based on the preferred method of the issuer or of the country or region (3DS, Passkeys, Issuer Online Banking, Issuer SMS/Email OTP, and CVV2). In this use case, Unified Click to Pay decides to perform CVV2 validation.
  5. Upon successful CVV2 authentication, Unified Click to Pay returns payment credentials in the checkout response, including ECI value and dynamic data.
  6. If authentication is unsuccessful or declined, consumer will not be able to proceed with the transaction using the selected card. The transaction must be reinitiated, and consumer may select another card for the transaction.

Unified Click to Pay Functional Requirements

DPA Integration

DPA can use the URLs in the table below for their integration with Unified Click to Pay:

| Environment | JavaScript SDK Endpoint |
| --- | --- |
| Sandbox | https://sandbox.secure.checkout.visa.com/checkout-widget/resources/js/integration/v2/sdk.js?dpaId={dpaId}&cardBrands={cardBrands}&dpaClientId={dpaClientId} |
| Production | https://secure.checkout.visa.com/checkout-widget/resources/js/integration/v2/sdk.js?dpaId={dpaId}&cardBrands={cardBrands}&dpaClientId={dpaClientId} |

The following are the parameters that are passed while invoking the SDK as URL parameters.

| Query Parameters | R/C/O | Description |
| --- | --- | --- |
| dpaId (Type: String, Max Length = 255) | R | Reference identifier of the DPA. Based on the previously generated identifier during the DPA registration process. DPA can either be a merchant or partner. |
| cardBrands (Type: String) | R | List of card schemes the merchant accepts. It is a comma-separated string with the following supported values: visa, mastercard, amex, discover. Example: “visa, mastercard, amex, discover”. |
| dpaClientId (Type: String) | C | Reference identifier of the merchant. Based on the previously generated identifier during the DPA registration process. This DPA will always be a merchant and not a partner. Conditionality: Required when the dpaId is representing a partner and has multiple merchants onboarded via the partner. This reference identifier will represent the merchant onboarded via the partner. |
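The parameter rules above can be enforced before the script tag is written. The following is an added example, not code from Visa or from the SDK; the function names and the dpaIsPartner option are hypothetical, while the base URLs, the 255-character limit and the supported brand values are the ones listed in the tables.

```javascript
// Added example, not Visa's code. Base URLs and parameter rules are those in
// the tables above; function and option names are hypothetical.
const SDK_BASE = Object.freeze({
  sandbox:
    "https://sandbox.secure.checkout.visa.com/checkout-widget/resources/js/integration/v2/sdk.js",
  production:
    "https://secure.checkout.visa.com/checkout-widget/resources/js/integration/v2/sdk.js",
});
const SUPPORTED_BRANDS = Object.freeze(["visa", "mastercard", "amex", "discover"]);

function buildSdkUrl({ environment, dpaId, cardBrands, dpaClientId, dpaIsPartner = false }) {
  if (!Object.prototype.hasOwnProperty.call(SDK_BASE, environment)) {
    throw new Error("environment must be 'sandbox' or 'production'");
  }
  // dpaId: required string, max length 255.
  if (typeof dpaId !== "string" || dpaId.length === 0 || dpaId.length > 255) {
    throw new Error("dpaId is required and limited to 255 characters");
  }
  // cardBrands: required; every entry must be one of the supported schemes.
  if (!Array.isArray(cardBrands) || cardBrands.length === 0) {
    throw new Error("cardBrands is required");
  }
  const brands = [...new Set(cardBrands.map((b) => String(b).trim().toLowerCase()))];
  const unknown = brands.filter((b) => !SUPPORTED_BRANDS.includes(b));
  if (unknown.length > 0) {
    throw new Error("unsupported card brand: " + unknown.join(", "));
  }
  // dpaClientId: conditional, required when dpaId represents a partner.
  const hasClientId = typeof dpaClientId === "string" && dpaClientId.length > 0;
  if (dpaClientId !== undefined && !hasClientId) {
    throw new Error("dpaClientId must be a non-empty string when supplied");
  }
  if (dpaIsPartner && !hasClientId) {
    throw new Error("dpaClientId is required when dpaId represents a partner");
  }
  // Identifiers are percent-encoded so they cannot add or override parameters;
  // brands come from the allowlist and are joined as a comma-separated string.
  let query = "dpaId=" + encodeURIComponent(dpaId) + "&cardBrands=" + brands.join(",");
  if (hasClientId) query += "&dpaClientId=" + encodeURIComponent(dpaClientId);
  return SDK_BASE[environment] + "?" + query;
}

// Check a URL taken from configuration before it is used as a <script> src:
// scheme, host and path must match one of the two documented endpoints.
function isDocumentedSdkUrl(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch (e) {
    return false;
  }
  return Object.values(SDK_BASE).some((base) => {
    const known = new URL(base);
    return url.origin === known.origin && url.pathname === known.pathname;
  });
}
```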

DPA Functional Requirements

Unified Click to Pay requirements for DPA are elaborated in this section.

The DPA initializes the Unified Click to Pay checkout flow by calling initialize() SDK API and passing all DPA specific preferences, such as Transaction ID (generated by the DPA for each unique transaction), DPA ID and DPA Transaction Options.

| # | Requirements | Flows impacted | Priority |
| --- | --- | --- | --- |
| 1 | Must be onboarded to Unified Click to Pay. | Onboarding | Required |
| 2 | Must support initiation of Click to Pay checkout by selecting an existing merchant Guest Checkout. | All flows | Required |
| 3 | May load the SDK and trigger its initialization during page load before the consumer navigates to card payment section to optimize the user experience. | All flows | Recommended |
| 4 | Based on fraud decisioning, Unified Click to Pay may indicate the need for cardholder verification/step-up after a card selection for checkout. | All flows | Required |
| 5 | Can present the Review and Confirm page with the following details: card info, first/last name of the cardholder, phone number, email address, and billing/shipping address. Note: Only masked information may be presented before cardholder verification. Full info can be presented after verification. Note: In Brazil, DPA must also collect CPF (national identifier) and CEP (Postal Code). | All flows | Recommended |
| 6 | Must be compliant with local regulations. All flows must be tested and certified in the context of local regulatory requirements. For example, to satisfy PSD2 regulations in EU, a DPA must implement and perform Strong Customer Authentication (SCA) during checkout flow. | All flows | Required |
| 7 | Must enable consumer consent (with default checked, like "Remember Me") where applicable during the flows based on local regulations. | All flows | Required |
| 8 | Must upgrade to the latest Unified Click to Pay SDK (JS or backend APIs) provided by Visa to enable the integration within 6 months of SDK release. Must support any mandatory changes as per guidance published in the Unified Click to Pay release notes. | All flows | Required |
| 9 | Must support presenting Click to Pay enabled card list within the merchant Guest Checkout experience, along with other payment methods accepted by the merchant. | Recognized/Unrecognized User flows | Required |
| 10 | Click to Pay card list must be ordered according to requirements (See Section 3.2.2, DPA Click to Pay Card List for Presentment.) | Recognized/Unrecognized User flows | Required |
| 11 | May present an Add Card option along with Click to Pay card list presented within the merchant checkout flow. | Recognized/Unrecognized User flows | Recommended |
| 12 | To support collection of billing address. Note: In Brazil, DPA must support the Postal Code (CEP) for the address format in Brazil. | Recognized/Unrecognized User flows | Recommended |
| 13 | Must support an email entry option for an unrecognized user to initiate lookup. Can use an existing email address field to satisfy this requirement. | Unrecognized User flow | Required |
| 14 | Must support functionality to validate user identity by entering a one-time code. Depending on merchant, this can be an inline option or a modal or a separate page, all hosted by the DPA. | Unrecognized User flow | Required |
| 15 | Must present references to Click to Pay Terms and Privacy Notice, taking into account consumer’s country and language preference. | Add Card flow for New and Returning User | Required |
| 16 | Must collect additional data during checkout including first/last name, email, and phone number and present a review screen based on guidelines provided by Unified Click to Pay. Note: In Brazil, DPA can capture CPF number (national identifier). | New User flow | Required |
| 17 | Must support collection of token-based checkout payload and pass to their respective processor for further processing. | Checkout Flow | Required |

DPA Integrates Click to Pay on Online Checkout Flows

The DPA integrates Click to Pay checkout experience. DPA must ensure eligibility and acceptance-related settings before initiating Click to Pay checkout flow.

DPA Click to Pay Card List for Presentment

DPA presents Click to Pay card list and applies acceptance settings to determine which cards are made available during checkout.

  1. Unified Click to Pay returns the customer profiles with a list of cards linked to its user and a unique transaction identifier.
  2. DPA presents all the obtained Click to Pay cards to the consumer for card selection.
  3. The card list presentation is based on the following logic:
    1. Divide the list of cards into usable and unusable sets (based on flags set for each card).
    2. Order each set by the date of last use for a Click to Pay payment (if never used for payment, by the date of enrollment in the Click to Pay system).

DPA Facilitates Card Selection

  1. A consumer selects a card from the card list provided by the DPA.
  2. At this point, DPA invokes Unified Click to Pay to complete the checkout journey.
  3. DPA can use the checkout reference identifier from payload to obtain a full payment payload from Click to Pay system after the consumer submits the order.

DPA Facilitates Add Card

DPA may present Add Card flow when Click to Pay system fails to recognize the user on a device or when an existing user chooses to add a new card to Click to Pay.

DPA Facilitates Email Lookup

The consumer performs an email lookup facilitated by the DPA.

  1. Consumer enters an email identity and DPA requests Unified Click to Pay to verify it using getCards() API call.
  2. Based on the responses, an initiate identity validation flow may be invoked.
  3. If identity validation is required, then the consumer receives a one-time code via email or text (SMS).
  4. DPA presents a screen to enter the one-time code, embedded within the checkout flow. The one-time code entered is sent to Unified Click to Pay for verification using the same getCards() API with the one-time code in the request.
  5. Once the consumer identity is verified, Unified Click to Pay responds with the card list obtained from all Click to Pay schemes.
  6. DPA displays the card list to consumer for selection.
  7. On card selection by the consumer, DPA calls checkout() API with card ID, transaction data, and other data parameters.
  8. Unified Click to Pay passes payload back to DPA. DPA (or its processor) may also use the checkout reference identifier to obtain a full payment payload for transaction processing.
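The email lookup above, and the returning unrecognized user journey earlier on this page, can be handled on the DPA side as a small state machine that shows cards only after a SUCCESS response. This is an added example, not Visa's SDK code: the actionCode values and the consumerIdentity and validationData field names come from this page, while the phase names, the `cards` response property and the retry limit are assumptions.

```javascript
// Added example, not Visa's SDK code. From the page: the actionCode values
// SUCCESS and PENDING_CONSUMER_IDV and the request fields consumerIdentity and
// validationData. Hypothetical: phase names, the `cards` response property,
// and MAX_OTP_ATTEMPTS (the page sets no retry limit).
const MAX_OTP_ATTEMPTS = 3;

function startLookup() {
  return { phase: "LOOKUP", otpAttempts: 0, cards: [] };
}

function manualEntry() {
  // Fall back to the merchant's ordinary guest checkout card entry.
  return { phase: "MANUAL_ENTRY", otpAttempts: 0, cards: [] };
}

// Which getCards() request field the DPA fills in for the current phase.
function requestFieldFor(state) {
  if (state.phase === "LOOKUP") return "consumerIdentity"; // consumer email
  if (state.phase === "AWAIT_OTP") return "validationData"; // one-time code
  return null; // no further getCards() call in SHOW_CARDS / MANUAL_ENTRY
}

// Pure transition: current state + getCards() response -> next state.
function onGetCardsResponse(state, response) {
  const actionCode = response && response.actionCode;
  const cards = response && Array.isArray(response.cards) ? response.cards : [];

  if (state.phase === "LOOKUP") {
    if (actionCode === "SUCCESS") return { phase: "SHOW_CARDS", otpAttempts: 0, cards };
    if (actionCode === "PENDING_CONSUMER_IDV") {
      // Identity not yet validated: keep no card data, whatever the response holds.
      return { phase: "AWAIT_OTP", otpAttempts: 0, cards: [] };
    }
    return manualEntry(); // unknown or missing actionCode: fail closed
  }

  if (state.phase === "AWAIT_OTP") {
    if (actionCode === "SUCCESS") return { phase: "SHOW_CARDS", otpAttempts: 0, cards };
    // Assumption: any other outcome counts as one failed one-time code attempt.
    const otpAttempts = state.otpAttempts + 1;
    if (otpAttempts >= MAX_OTP_ATTEMPTS) return manualEntry();
    return { phase: "AWAIT_OTP", otpAttempts, cards: [] };
  }

  // SHOW_CARDS and MANUAL_ENTRY are terminal; a late response changes nothing.
  return state;
}
```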

DPA Passes Accepted Billing Countries for Card List Presentment

DPA has the option to supply a list of accepted billing countries during each checkout transaction, within the DpaTransactionOptions.dpaAcceptedBillingCountries object. Unified Click to Pay response will flag ineligible cards if the billing address country of the card is not part of accepted billing country list. DPA must make ineligible cards unusable for selection using visual cues.

Note: Visa recommends displaying all cards returned in the Click to Pay card list to ensure consistency across multiple merchants on the same device.
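The ordering logic from DPA Click to Pay Card List for Presentment and the unusable-card rule above can be combined in one presentment helper. This is an added example, not Visa's code: the card shape (id, usable, lastUsedAt, enrolledAt) is hypothetical, the sample cards are constructed, and most-recent-first ordering is an assumption because the page does not state the direction.

```javascript
// Added example, not Visa's code. Hypothetical card shape:
//   { id, usable, lastUsedAt, enrolledAt }  (dates as ISO 8601 strings)
// The real flag and date field names are defined in the JavaScript Reference.

// Date used for ordering: last Click to Pay payment, else enrollment date.
function orderingTime(card) {
  const t = Date.parse(card.lastUsedAt != null ? card.lastUsedAt : card.enrolledAt);
  return Number.isNaN(t) ? -Infinity : t; // unparseable dates sort last
}

// Split into usable and unusable sets, then order each set by date.
function orderCardsForPresentment(cards) {
  // Assumption: most recent first (the page does not state the direction).
  const byRecency = (a, b) => {
    const ta = orderingTime(a);
    const tb = orderingTime(b);
    return ta === tb ? 0 : tb > ta ? 1 : -1;
  };
  // Anything not explicitly flagged usable is treated as unusable.
  const usable = cards.filter((c) => c.usable === true).sort(byRecency);
  const unusable = cards.filter((c) => c.usable !== true).sort(byRecency);
  return { usable, unusable };
}

// Visual cues are not enforcement: re-check the selection in the handler
// that runs before checkout() is called.
function resolveSelection(presentment, cardId) {
  const card = presentment.usable.find((c) => c.id === cardId);
  if (!card) throw new Error("selected card is not in the usable set");
  return card;
}

// Constructed sample data, not real card records.
const SAMPLE_CARDS = [
  { id: "c1", usable: true, lastUsedAt: "2024-03-01T00:00:00Z", enrolledAt: "2023-01-01T00:00:00Z" },
  { id: "c2", usable: true, lastUsedAt: null, enrolledAt: "2024-05-10T00:00:00Z" },
  { id: "c3", usable: false, lastUsedAt: "2024-06-01T00:00:00Z", enrolledAt: "2022-02-02T00:00:00Z" },
  { id: "c4", usable: true, lastUsedAt: "2024-04-15T00:00:00Z", enrolledAt: "2021-07-07T00:00:00Z" },
  { id: "c5", usable: false, lastUsedAt: null, enrolledAt: "n/a" },
];
```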

DPA Passes Display and Processing Preferences for Payment Credentials

After a successful Click to Pay checkout flow, a checkout payload is passed back for transaction processing. DPA (or its respective processor) may also use the checkout reference identifier to obtain a full payment payload for transaction processing.

  • Display Only Payment Data: Based on its preference, a DPA could display Order Confirmation page using the attributes from the Unified Click to Pay summary payload response. The following attributes may be used: Transaction Reference ID, Masked Card, and Masked Address information.
  • Full Payment Payload: DPA or a third party acting on its behalf can request a full payment payload for processing the transaction authorization. Token payload will include a dynamic cryptogram.

For Visa supported cryptogram options, please refer to How to Integrate Visa Click to Pay, section “DPA Passes Display and Processing Preferences for Payment Credentials”.

For Mastercard supported cryptogram options, please refer to the Mastercard Developer Portal.