All of the Visa Direct APIs use Two-Way SSL (Mutual SSL) authentication and channel encryption, which requires you to provide a user name and password and to install an X.509 security certificate issued by Visa. Test credentials can be obtained online in your Project Dashboard for sandbox testing. Production credentials will be supplied to you as part of production on-boarding. Contact [email protected] for more information or to begin the production on-boarding process.
As one of its security protocols, the Visa Developer sandbox secures its connections with clients using the Two-Way SSL (Mutual Authentication) method. Refer to the link below to learn how to get credentials and start building with Two-Way SSL.
Visit the Two-way SSL Guide to learn more.
For clients using the Mobile Push Payment Receive Side APIs, it is important to understand that some sensitive information (e.g. PAN, consumer name) is encrypted by Visa in the outgoing message from Visa to the client. This encryption is done using a key ID and shared secret assigned to the client during onboarding. All data elements in the payload that have the prefix "enc" are encrypted, e.g. 'encMerchantPan'.
Clients need to follow these steps in order to decrypt these fields:
There is no need to perform encryption of the response payload data as there is no sensitive data field in the response payload.
As part of continuing security improvements, Visa enabled Message Level Encryption (MLE) for Visa Direct APIs. Clients using Visa Direct APIs are required to support MLE in both certification and production environments.
For existing clients already using Visa Direct APIs, refer to “New Encryption Requirements for Visa Direct APIs” in the Visa Business News, dated 17 October 2019, for adoption timelines.
Refer to the Message Level Encryption guide for more details.