Introduction

Secure Acceptance requires each merchant to use a unique security key—consisting of an access key and a secret key—to authenticate and sign transactions. Keys must be generated separately for each environment (Test and Production) and for each Secure Acceptance profile. This article outlines the requirements, key‑creation workflow, expiration behavior, and best practices for securely managing and rotating keys in alignment with Visa security standards.

Requirements

• A unique security key must be generated for each environment (Test and Production), and for each Secure Acceptance profile.
• The user must have the Secure Acceptance Settings permission assigned.

Security Key Expiration

Secure Acceptance keys expire every two years. Merchants receive email notifications prior to expiration. When a key expires or is nearing expiration, a new key must be created to continue processing transactions.

Procedure – Create a Secure Acceptance Security Key

Access the Secure Acceptance Profile

1. Sign in to the correct Business Center environment:
   Test or Production.
2. Select Payment Configuration → Secure Acceptance Settings.
3. From Active Profiles, select the three-dot menu next to the profile.
4. Select View Profile.
   Use Edit Profile only when modifying other profile settings. View Profile is sufficient for key creation.

Generate a New Key

5. Select the SECURITY tab.
6. Select Create Key.
7. On the Key Creation screen:
   • Enter a descriptive Key Name (max 40 alphanumeric characters).
   • No spaces or special characters allowed.
   • Leave defaults unchanged:
     • Signature Version: 1
     • Signature Method: HMAC‑SHA256
8. Select Create and then Confirm.
   If the window closes, select View Key to reopen.
9. Within 120 seconds, copy the access key and secret key or download them using the file button.
10. Once the new key appears under Active Keys, no further action is required.
    Re‑promoting the profile is not needed when keys are created using View Profile.

Use Your Security Key

Each security key includes two linked components:

Key Type	Description
Access Key	Used for SSL authentication. Must be included as a name/value pair in every Secure Acceptance POST/transaction. Multiple access keys may exist per profile.
Secret Key	Used to sign transaction payloads. Must be securely stored and referenced by the merchant’s signing script.

Because these values are linked, update both the access key and secret key in your system at the same time to avoid mismatches.

Security Best Practices

To avoid unnecessary expiration notifications, Deactivate any keys that are no longer used after updating your system. Delete copied keys from clipboard or temporary storage after use. Newly generated keys appear as Active by default.

Button	Action
Deactivate	Moves an active key to inactive status, preventing use in transaction processing.
Activate	Re‑activates an inactive key for use in transaction processing.