While e-commerce has become one of the fastest-growing environments for payments, online transactions are associated with a unique set of challenges. Merchant checkout conversion remains low in e-commerce, with high cart abandonment rates, partly caused by friction from manual entry of multiple form fields at checkout. In cases where conversions succeed, payment approval rates for e-commerce may be lower than for in-store card present transactions. In addition, e-commerce fraud rates are rising compared to fraud in the card present environment.
EMVCo has created a set of industry-wide standards for e-commerce transactions. The EMV Secure Remote Commerce (SRC) standards aim to address these concerns for remote commerce, including e-commerce and mobile commerce, and will serve as a framework for solutions that can help make online buying easy and smart.
Visa is applying these standards through a suite of solutions, including Unified Click to Pay, which incorporates our proprietary technologies for tokenization of primary account numbers, fraud prevention, and real-time transaction risk analysis.
Unified Click to Pay provides merchants and payment service providers (PSP) with a frictionless, network agnostic online checkout experience through a single point of integration.
Unified Click to Pay is an important part of the Visa Digital Commerce Program, which aims to address industry concerns surrounding digital payments, including improving cardholder/merchant trust and checkout conversion. Unified Click to Pay supports and builds upon the security provided by Visa Token Service.
Similar to the brick-and-mortar environment in which a POS terminal provides merchants with card acceptance capability, the Unified Click to Pay provides e-commerce merchants with a secure method to initialize the Click to Pay checkout experience and accept card payments. Unified Click to Pay is designed to:
This document defines implementation requirements for solution providers participating in the Visa Digital Commerce Program (VDCP) and utilizing Unified Click to Pay.
This document focuses on the Merchant Orchestrated Checkout experience, in which the end-to-end user experience is rendered by a merchant or its payment service providers. The non-Visa schemes accessible through Unified Click to Pay may also provide separate, UX guidance for completion of checkout (e.g., with respect to authentication UX).
Please view the Glossary here.
The table below includes related documents that should be read for complete understanding of technical and user experience requirements. These documents are available from your Visa representative.
Title |
Description |
---|---|
EMV® Payment Tokenisation Specification Technical Framework |
Describes the payment token system landscape, the types of entities that provide key support for the use of payment tokens, the details to implement multiple use cases, and the benefits of adopting a unified approach. Available from www.emvco.com. |
Provides API specifications for DPA to integrate with Unified Click to Pay. |
The table below details the roles and responsibilities of Unified Click to Pay participants.
|
Digital Payment Application (Payment Service Provider) |
Digital Payment Application (Merchant) |
Non-Payment SRCi (Unified Click to Pay) |
Digital Card Facilitator |
Click to Pay SRC System (participating payment networks) |
Issuer |
---|---|---|---|---|---|---|
Merchant Registration |
Onboard merchant and perform KYC.
Validate incoming merchant application end points.
Register merchant with Unified Click to Pay. |
Onboard to Unified Click to Pay by working with Payment Service Provider or working with Visa. |
N/A |
N/A |
Register merchant’s applications and processing identifiers.
Generate and provide “Token User” identifier |
N/A |
Guest Checkout - Repeat Purchase Flow |
Trigger Click to Pay checkout from Merchant Guest Checkout flow.
Provide card list from all supported Click to Pay Systems and card selection UX.
Receive authenticated Click to Pay payload for payment processing. |
Trigger Click to Pay checkout from Merchant Guest Checkout flow.
Provide card list from all supported Click to Pay Systems and card selection UX.
Receive authenticated Click to Pay payload for payment processing. |
Fetch list of cards from all supported Click to Pay Systems for recognized and unrecognized users. |
Initiate CVM.
Retrieve checkout response from Click to Pay System. |
Send Click to Pay payload based on transaction parameters. |
Provide issuer card art and Cardholder Verification (CVM) services. |
Guest Checkout – Payment Flow |
Present Review and Confirm and Order Confirmation page. |
Present Review and Confirm and Order Confirmation page. |
Receive Visa Click to Pay Payload from DPA Retrieve payment credentials from encrypted Payload or from Visa Click to Pay System using Click to Pay Transaction ID. |
Return Click to Pay Summary Payload to Digital Terminal |
|
|
A DPA manages and provides checkout integration to its clients. The following business entities may participate under VDCP:
DPA must enroll and adhere to Visa Digital Commerce Program requirements. Visa will work with qualified DPA to certify their solution for VDCP participation. Please contact your Visa representative for more information.
This section will cover high level use cases, related user journeys, and requirements to enable the Unified Click to Pay Merchant Orchestrated Checkout experience on a payment application.
Merchant Orchestrated Checkout is a type of Click to Pay implementation in which a DPA enables an end-to-end checkout experience for the consumer. It eliminates key entry of card and personal information for a recognized user, reduces the number of steps involved in checkout completion, and avoids errors, leading to a better checkout conversion.
For a recognized consumer on a device, DPA will display the list of Click to Pay enabled cards on the checkout page. Once the consumer selects a card, the DPA will orchestrate functions to collect additional information, perform cardholder verification, and show the order confirmation page.
Note: A recognized experience can be enabled for a new consumer if the consumer has used Click to Pay previously on the same device (with a different merchant) and has opted into “Remember Me”.
A DPA can create multiple checkout initialization experiences for their consumers. Sample user journeys are discussed in this section and the Click to Pay UX Guidelines, available from your Visa representative.
Note: These user journeys are provided for illustrative purposes only. DPA should independently evaluate all content and recommendations considering their specific business needs, operations, and policies, as well as any applicable laws and regulations.
Assumptions:
Journey:
Assumptions:
Journey:
Assumptions:
Journey:
Visa Secure with EMV 3-D Secure is embedded within Click to Pay to get authenticated payload without having to integrate with an external 3DS provider for Unified Click to Pay transactions. This may not be available depending on regulatory requirements for certain countries or regions (e.g., Strong Consumer Authentication in Europe). DPA can provide a specific authentication preference during the transaction for Click to Pay to facilitate 3DS authentication.
In the checkout request, the merchant can pass an authentication preference specifying 3DS as a method and pass respective configuration settings, including challenge indicator, to request 3DS authentication to be performed by Unified Click to Pay on behalf of its DPA. Unified Click to Pay will perform 3DS and return payment credentials in the checkout response, including ECI value and dynamic data.
Note: The merchant must be configured for 3DS authentication with Visa to take advantage of 3DS within Click to Pay.
Assumptions:
Journey:
FIDO (Fast Identity Online) is a set of standards-based authentication protocols designed to enable biometric authentication online. To ensure cardholders get an improved and more seamless e-Commerce checkout experience, Visa is introducing Click to Pay with authentication through passkeys built on FIDO alliance standards.
Assumptions:
Journey:
Assumptions:
Journey:
Assumptions:
Journey:
DPA can use the URLs in table below for their integration with Unified Click to Pay:
Environment |
JavaScript SDK Endpoint |
---|---|
Sandbox |
https://sandbox.secure.checkout.visa.com/checkout-widget/resources/js/integration/v2/sdk.js? dpaId={dpaId}&cardBrands={cardBrands}&dpaClientId={dpaClientId} |
Production |
https://secure.checkout.visa.com/checkout-widget/resources/js/integration/v2/sdk.js? dpaId={dpaId}}&cardBrands={cardBrands}&dpaClientId={dpaClientId} |
The following are the parameters that are passed while invoking the SDK as URL parameters.
Query Parameters |
R/C/O |
Description |
---|---|---|
dpaId Type: String Max Length = 255 |
R |
Reference identifier of the DPA. Based on the previously generated identifier during the DPA registration process. DPA can either be a merchant or partner. |
cardBrands Type: String |
R |
List of card schemes the merchant accepts. It is a comma separated string with the following supported values.
Example, “visa, mastercard”. |
dpaClientId Type: String |
C |
Reference identifier of the merchant. Based on the previously generated identifier during the DPA registration process. This DPA will always be a merchant and not a partner. Conditionality: Required when the dpaId is representing a partner and has multiple merchants on boarded via the partner. This reference identifier will represent the merchant on boarded via the partner. |
Unified Click to Pay requirements for DPA are elaborated in this section.
The DPA initializes the Unified Click to Pay checkout flow by calling initialize() SDK API and passing all DPA specific preferences, such as Transaction ID (generated by the DPA for each unique transaction), DPA ID and DPA Transaction Options.
# |
Requirements |
Flows impacted |
Priority |
---|---|---|---|
1 |
Must be onboarded to Unified Click to Pay. |
Onboarding |
Required |
2 |
Must support initiation of Click to Pay checkout by selecting an existing merchant Guest Checkout. |
All flows |
Required |
3 |
May load the SDK and trigger its initialization during page load before the consumer navigates to card payment section to optimize the user experience. |
All flows |
Recommended |
4 |
Based on fraud decisioning, Unified Click to Pay may indicate the need for cardholder verification/step-up after a card selection for checkout. |
All flows |
Required |
5 |
Can present the Review and Confirm page with the following details: card info, first/last name of the cardholder, phone number, email address, and billing/shipping address. Note: Only masked information may be presented before cardholder verification. Full info can be presented after verification. Note: In Brazil, DPA must also collect CPF (national identifier) and CEP (Postal Code). |
All flows |
Recommended |
6 |
Must be compliant with local regulations. All flows must be tested and certified in the context of local regulatory requirements. For example, to satisfy PSD2 regulations in EU, a DPA must implement and perform Strong Customer Authentication (SCA) during checkout flow. |
All flows |
Required |
7 |
Must enable consumer consent (with default checked, like "Remember Me") where applicable during the flows based on local regulations. |
All flows |
Required |
8 |
Must upgrade to the latest Unified Click to Pay SDK (JS or backend APIs) provided by Visa to enable the integration within 6 months of SDK release. Must support any mandatory changes as per guidance published in the Unified Click to Pay release notes. |
All Flows |
Required |
9 |
Must support presenting Click to Pay enabled card list within the merchant Guest Checkout experience, along with other payment methods accepted by the merchant. |
Recognized/ Unrecognized User flows |
Required |
10 |
Click to Pay card list must be ordered according to requirements (See Section 3.2.2, DPA Click to Pay Card List for Presentment.) |
Recognized/ Unrecognized User flows |
Required |
11 |
May present an Add Card option along with Click to Pay card list presented within the merchant checkout flow. |
Recognized/ Unrecognized User flows |
Recommended |
12 |
To support collection of billing address. Note: In Brazil, DPA must support the Postal Code (CEP) for the address format in Brazil. |
Recognized/ Unrecognized User flows |
Recommended |
13 |
Must support an email entry option for an unrecognized user to initiate lookup. Can use an existing email address field to satisfy this requirement. |
Unrecognized User flow |
Required |
14 |
Must support functionality to validate user identity by entering a one-time code. Depending on merchant, this can be an inline option or a modal or a separate page, all hosted by the DPA. |
Unrecognized User flow |
Required |
15 |
Must present references to Click to Pay Terms and Privacy Notice, taking into account consumer’s country and language preference. |
Add Card flow for New and Returning User |
Required |
16 |
Must collect additional data during checkout including first/last name, email, and phone number and present a review screen based on guidelines provided by Unified Click to Pay. Note: In Brazil, DPA can capture CPF number (national identifier). |
New User flow |
Required |
17 |
Must support collection of token-based checkout payload and pass to their respective processor for further processing. |
Checkout Flow |
Required |
The DPA integrates Click to Pay checkout experience. DPA must ensure eligibility and acceptance-related settings before initiating Click to Pay checkout flow.
DPA presents Click to Pay card list and applies acceptance settings to determine which cards are made available during checkout.
DPA may present Add Card flow when Click to Pay system fails to recognize the user on a device or when an existing user chooses to add a new card to Click to Pay.
The consumer performs an email lookup facilitated by the DPA.
DPA has the option to supply a list of accepted billing countries during each checkout transaction, within the DpaTransactionOptions.dpaAcceptedBillingCountries object. Unified Click to Pay response will flag ineligible cards if the billing address country of the card is not part of accepted billing country list. DPA must make ineligible cards unusable for selection using visual cues.
Note: Visa recommends displaying all cards returned in the Click to Pay card list to ensure consistency across multiple merchant’s on the same device.
After a successful Click to Pay checkout flow, a checkout payload is passed back for transaction processing. DPA (or it’s respective processor) may also use the checkout reference identifier to obtain a full payment payload for transaction processing.
For Visa supported cryptogram options, please refer to How to Integrate Visa Click to Pay, section “DPA Passes Display and Processing Preferences for Payment Credentials”.
For Mastercard supported cryptogram options, please refer to MasterCard Developer Portal