Payer Authentication Data Fields in Relation to Visa Secure Program Guide Updates - August 2024
KA-04583
646
09/17/2024 08:56 AM
2.2
The Visa Secure Program Guide, which supplements the Visa Rules, reference 12 additional data fields in the authentication request message due to become mandatory in February 2024, with a revised mandatory date of 12 August 2024. Visa revised the mandatory date to provide the ecosystem with more time to prepare for the new requirements. Based on ecosystem feedback and further analysis, Visa has further reduced the required data fields to three (3) required data fields for browser transactions, or three (3) required data fields for in-app transactions.
The following additional data fields are to be provided in Payer Authentication Enrollment Requests:
|
Priority Data Fields |
Requirement Status |
|---|---|
|
Browser IP Address |
Mandatory (Browser) |
|
Cardholder Name |
Mandatory (Browser / In-App) |
|
Cardholder Email Address1 |
Mandatory (Browser / In-App) |
|
Cardholder Phone Number (Work / Home / Mobile)1 |
Mandatory (Browser / In-App) |
|
Common Device Identification Parameters (Device IP Address) |
Mandatory (In-App) |
1 The Cardholder Email Address OR the Cardholder Phone Number must be present in Payer Authentication Enrollment Requests.
Note: Despite the minimum requirements outlined, it is recommended that merchants provide as many true cardholder data fields as possible and avoid sending dummy values in Payer Authentication Enrollment calls as more data supports issuers’ authentication decision-making. For further information on the other required fields in Payer Authentication requests, please refer to the Cybersource Payer Authentication guides.
|
Rest API Field |
Simple Order/SOAP Field |
SCMP Field |
Secure Acceptance |
Note |
|---|---|---|---|---|
|
deviceInformation.ipAddress |
billTo_ipAddress |
customer_ipaddress |
customer_ip_address |
It is mandatory for browser-based transactions only, and this is collected during the Device Data Collection (DDC) process. As a best practice, we recommend collecting the browser fields that are listed in the Data Device Collection page as well as a backup to DDC to ensure the authentication qualifies as an EMV 3DS transaction. |
|
orderInformation.billTo.email |
billTo_email |
customer_email |
bill_to_email |
These are existing mandatory fields in Payer Authentication services, please continue to send them in Payer Authentication Enrollment requests. |
|
orderInformation.billTo.firstName |
billTo_firstName |
customer_firstname |
bill_to_forename |
|
|
orderInformation.billTo.lastName |
billTo_lastName |
customer_lastname |
bill_to_surname |
|
|
buyerInformation.workPhone |
payerAuthEnrollService_workPhone |
pa_work_phone |
NIL |
At least one of these fields must be present unless market or regional mandate restricts sending Cardholder Phone Number. |
|
orderInformation.billTo.phoneNumber |
billTo_phoneNumber |
customer_phone |
bill_to_phone |
|
|
buyerInformation.mobilePhone |
payerAuthEnrollService_mobilePhone |
pa_mobile_phone |
payer_authentication_mobile_phone |
|
|
Common Device Identification Parameters (Device IP Address) are applicable only to Software Development Kit (SDK) transactions, which are handled by the Cardinal SDK. |
||||
Additional Information
EMV 3DS - Device Data Collection and Method URL Best Practices (requires sign-in)
Was this article helpful?