Visa Click to Pay

This section describes how Visa Click to Pay API endpoints can be used to support different consumer checkout scenarios.

1. Identity Lookup

   Determine whether the provided email address or mobile phone number is associated with an existing Visa Click to Pay profile.

2. Identity Validation

   Verify the consumer’s identity, performed either by the SRCi or by Visa Click to Pay, depending on the scenario.

3. Profile and Card Retrieval

   Retrieve the consumer’s enrolled Visa Click to Pay cards for display.

4. Card Selection

   The consumer selects a preferred payment card.

5. Authentication and Payload Retrieval (if required)

   Additional authentication may be triggered based on transaction risk or card status (for example, 3DS or passkey), followed by retrieval of the appropriate payload for payment processing.

6. Checkout and Transaction Confirmation

   Complete the payment using the selected card and notify Visa Click to Pay of the transaction outcome.

Depending on the consumer and their prior interactions with Visa Click to Pay, consumers can be categorized into one of the following profiles.

The following are use cases that can be performed using the Visa Click to Pay API in addition to the consumer checkout flows.

As the SRCi, you can authenticate your consumer using your own identity verification mechanism and retrieve your consumer’s Visa Click to Pay card list for secure payment method presentation and transaction processing.

• Consumer has an existing account with the SRCi
• Consumer is already verified by the SRCi
• Consumer has enrolled cards in Visa Click to Pay
• SRCi performs all identity verification independently

Flow: SRCi verifies the consumer's identity using their own mechanism, then calls Visa Click to Pay to retrieve the consumer's card list for checkout.

Note: An SRCi or SRC Enabler can only perform this flow with their own identity validation solution upon express written approval from Visa.

Determine whether the provided consumer identity (email addressor mobile phone number) exists within Visa Click to Pay using the Identity Lookup endpoint.

Expected returned result:

Retrieve the consumer’s profile using the Profile Retrieval endpoint. Results in a card list with the srcDigitalCardIds.

Present the card list to the consumer, resulting in a selected card.

Call the Checkout endpoint with optional additional authentication. This step includes two POST calls to the checkout endpoint.

If the payloadTypeIndicator from the previous step is NON_PAYMENT or SUMMARY, call the Payload Retrieval endpoint to retrieve the payment payload.

Once the transaction has been processed, notify Visa Click to Pay of the checkout or payment authorization results with the Transaction Confirmation endpoint.

See SRCi-Scoped eCommerce (eCom) Token using Visa Click to Pay.

As an SRCi, you want Visa Click to Pay to perform consumer identity validation so that you can retrieve the Visa Click to Pay card list for consumers who have a Visa Click to Pay profile but do not have an existing account with you. This enables guest checkout without requiring SRCi account creation, while still allowing you to optionally present an account creation flow.

Context:

• Consumer does NOT have an existing account with the SRCi
• Consumer has enrolled cards in Visa Click to Pay
• SRCi wants Visa to perform identity verification
• SRCi wants to enable checkout for new consumers

Flow: SRCi checks if the consumer exists in Visa Click to Pay, then delegates identity verification to Visa using OTP validation. After successful verification, Visa returns the consumer's card lists for checkout.

Determine whether the provided consumer identity (email addressor mobile phone number) exists within Visa Click to Pay using the Identity Lookup endpoint.

Expected returned result:

See for more details.

On confirmation that a Visa Click to Pay profile exists, call the Initiate Identity Validation endpoint Initiate Identity Validation endpoint to receive an idValidationSessionId, corresponding to the OTP that is sent in parallel.

Capture the OTP from the consumer and send it to the Complete Identity Validation to receive an idToken on a successful response.

Retrieve the consumer’s profile using the Profile Retrieval endpoint. Results in a card list with the srcDigitalCardIds.

Call the Checkout endpoint with optional additional authentication. This step includes two POST calls to the checkout endpoint.

If the payloadTypeIndicator from the previous step is NON_PAYMENT or SUMMARY, call the Payload Retrieval endpoint to retrieve the payment payload.

Once the transaction has been processed, notify Visa Click to Pay of the checkout or payment authorization results with the Transaction Confirmation endpoint.

SRCi may present consumers with an option to create an account with them for future non-Visa Click to Pay checkout convenience after successful transaction completion.

Future Checkout Flow:

With SRCi Account Created:

• Future Flow: Existing SRCi Consumer
• Verification: SRCi performs verification
• Speed: Faster - no OTP required
• Experience: Streamlined checkout

Without SRCi Account (Guest Continues):

• Future Flow: This flow
• Verificiation: Visa performs verification (OTP)
• Speed: Requires OTP validation each time
• Experience: Guest checkout maintained

Refer to DPA-Scoped Card-on-File (CoF) Token using Visa Click to Pay.

As an SRCi, you want to support checkout for consumers whose cards are not yet enrolled in Visa Click to Pay by enabling in‑checkout card enrollment, allowing consumers to seamlessly enroll their card and continue directly to payment.

Context:

• Consumer does not have an existing account with the SRCi
• Consumer's card is NOT enrolled in Visa Click to Pay
• Card enrollment occurs during checkout (just-in-time)
• SRCi collects required enrollment data and consumer consent (refer to )
• Enrollment creates the necessary credentials for checkout

Flow: SRCi attempts to find the consumer's cards in Visa Click to Pay, discovers none are enrolled, then collects card details and consumer information to enroll the card just-in-time before proceeding with checkout.

Determine whether the provided consumer identity (email addressor mobile phone number) exists within Visa Click to Pay using the Identity Lookup endpoint.

Expected returned result:

Collect all required information before enrollment may proceed. This includes:

• Card details: number, expiry, name on card
• Consumer data requirements:
  • First and Last Name - Required if Full Name not provided
  • consumerIdentity - Required
    • Email - If consumerIdentity is mobile phone number, email address is required
    • Mobile - If consumerIdentity is email address, mobile phone number is required
  • Country - Required
  • Language - Required
• Consent to Visa Terms of Service and Privacy Notice
• (Optional) Card Security Code (CVV2) - improves verification status
  • If provided, card is verified; if not provided, card is unverified

Enroll the card to Visa Click to Pay using the Card Enrollment endpoint, resulting in getting a srcDigitalCardId returned in the enrollment confirmation.

Call the Checkout endpoint with optional additional authentication. This step includes two POST calls to the checkout endpoint.

If the payloadTypeIndicator from the previous step is NON_PAYMENT or SUMMARY, call the Payload Retrieval endpoint to retrieve the payment payload.

Once the transaction has been processed, notify Visa Click to Pay of the checkout or payment authorization results with the Transaction Confirmation endpoint.

Merchant Digital Card‑On‑File (COF) via Visa Click to Pay enables a merchant to support saved‑card use cases—such as subscriptions, recurring payments, and repeat checkout—without storing card data.

The Consumer completes a purchase using Visa Click to Pay. After a successful transaction, the Consumer may elect to designate the card used as the merchant Digital Card‑On‑File for that merchant. Visa Click to Pay securely stores the card, while the merchant retains a reference identifier (srcDigitalCardId) that can be used to retrieve encrypted payment payloads on demand for future transactions.

Any consent to store credentials for merchant Digital Card‑On‑File is collected and managed by the merchant prior to enrolling the card for COF.

• The DPA is responsible for consumer consent and Card‑On‑File token scope (TRID).
• The SRCi is responsible for invoking Visa Click to Pay APIs, including Checkout, Card Enrollment, and Payload Retrieval.

Unless explicitly stated otherwise, references to Merchant encompass both roles.

• Cards are stored by Visa Click to Pay; the merchant does not store PANs or sensitive card data.
• The Consumer explicitly designates a card as a merchant Digital Card‑On‑File for a specific merchant.
• COF enrollment returns a merchant‑scoped srcDigitalCardId, which serves as the reference for future payments.
• Consumer consent to store and use the card for COF is required and controlled by the merchant.
• Payment credentials (cryptograms and EMV payloads) are retrieved on demand using GetPayload.
• A merchant Digital Card‑On‑File may be used for:
  • repeat consumer‑initiated transactions, and
  • merchant‑initiated transactions (for example, subscriptions or recurring payments), subject to applicable merchant terms and consumer authorization.

In this diagram, Merchant denotes the merchant entity operating the Digital Payment Application (DPA) and/or the Payment SRC Initiator (SRCi). The DPA is responsible for consumer consent and Card‑On‑File token scope (TRID), and the SRCi is responsible for invoking Visa Click to Pay APIs.

The Consumer completes a purchase at the merchant using Visa Click to Pay.

• srcDigitalCardId
• srcCorrelationId
• srciTransactionId

The merchant uses the returned payment payload to complete authorization and stores the returned identifiers for potential COF enrollment.

After the purchase is completed, the Consumer chooses to designate the card used in the transaction as the merchant Digital Card‑On‑File.

The merchant presents applicable terms and conditions and collects explicit consumer consent to store and use the card for future payments.

If consent is not provided, the card is not enrolled for COF.

Once consent has been obtained, the merchant enrolls the card for COF using the previously returned srcDigitalCardId.

Visa Click to Pay provisions a merchant‑specific Card‑On‑File token and returns a merchant‑scoped srcDigitalCardId representing the merchant Digital Card‑On‑File.

The merchant stores this reference for future use.

• The merchant uses the stored srcDigitalCardId to request a payment payload from Visa Click to Pay.
• No SRC checkout or Consumer interaction is required.

This use case enables a Payment SRCi to obtain and use an SRCi‑specific eCommerce (eCom) token for transactions processed through Visa Click to Pay.

During the initial transaction, payment processing is performed using a token bound to the Visa Click to Pay Token Requestor ID (TRID). After checkout, the Payment SRCi may elect to request an SRCi‑specific eCom token—a Visa network token bound to the SRCi's TRID—for use in subsequent transactions.

The SRCi‑specific eCom token enables streamlined repeat checkout and follow‑on transactions without repeating the full Visa Click to Pay lookup flow.

Only Payment SRCis are eligible to request SRCi‑specific tokens.

• An SRCi‑specific eCom token is a Visa network token bound to the Payment SRCi's TRID
• Only Payment SRCis may request SRCi‑specific tokens
• First transaction: processed using a token bound to the Visa Click to Pay TRID
• Subsequent transactions: may use the SRCi‑specific eCom token once provisioned
• Enrollment occurs post‑ Visa CTP checkout by invoking the Card Enrollment endpoint with the srcDigitalCardId returned from checkout

Scenario A - SRCi-Specific Token Exists:

• Checkout returns an SRCi specific payload
• The Payment SRCi uses the SRCi specific token for transaction confirmation and processing

Scenario B — SRCi‑Specific Token Does Not Exist:

• Option A (Default): The Payment SRCi uses the Visa Click to Pay eCom payload bound to the Visa Click to Pay TRID
• Option B: The Payment SRCi requests an SRCi‑specific eCom token via post‑checkout enrollment

High-Level Flow

• The Payment SRCi invokes Checkout (POST /transactions/credentials)
• The response includes identifiers such as srcDigitalCardId and srcCorrelationId
• The payload is bound to the Visa Click to Pay TRID
• Authorization and approval/decline are completed using the checkout payload or a subsequent payload retrieval

After checkout, the Payment SRCi determines whether an SRCi‑specific eCom token is required for subsequent transactions.

• If the payload is bound to the SRCi’s TRID, an SRCi‑specific eCom token already exists
• If the payload is bound to the Visa Click to Pay TRID, no SRCi‑specific token exists

No additional API call is required solely to determine token existence.

• The Payment SRCi invokes Card Enrollment:
  • Endpoint: POST /cards
  • Inputs: srcDigitalCardId (from Checkout), srcClientId

• Token reference
• Token metadata
• Token expiration details

The Payment SRCi stores the token reference for future use.

• The Payment SRCi retrieves payment credentials using Payload Retrieval (GET /transactions/credentials), providing the SRCi‑specific token reference
• Visa Click to Pay returns an encrypted payment payload bound to the SRCi’s TRID
• The Payment SRCi submits the payload for authorization via its acquirer or PSP
• Approval or decline is processed as a standard eCommerce authorization

• Complete the initial checkout using Visa Click to Pay with minimal friction
• Optionally provision an SRCi‑scoped token after checkout
• Use Payload Retrieval (GET /transactions/credentials) to retrieve encrypted payment payloads where required
• Enable repeat and follow‑on transactions without repeating the full Visa Click to Pay flow
• Maintain a clear distinction between Visa Click to Pay‑scoped and SRCi‑scoped tokens