Visa Consumer Authentication Service (VCAS)

Visa Consumer Authentication Service (VCAS) is a service that verifies cardholder identity during online transactions—especially important for card-not-present purchases like those made on e-commerce websites.

VCAS is Visa’s EMV® 3-D Secure protocol (also known as 3DS 2.x) implementation.

Its primary goals are to:

  • Reduce fraud
  • Ensure regulatory compliance (such as PSD2 in Europe)
  • Improve the user's authentication experience

Pismo supports Real Time Data Exchange (RDX) APIs to integrate with VCAS and provides a 3DS authentication service to clients based on a referral model. This solution initially covers EMV 3DS and Visa network transactions, with plans to add other networks in the near future.

Frictionless transactions require no user verification, while friction transactions do. In this solution, Pismo provides three working flows in VCAS for friction transactions, covering StepUp OTP and out-of-band (OOB) authentication. The VCAS configuration supports two use cases for the OTP challenge flow (e-mail and SMS) and, additionally, an in-app authentication (OOB) flow for Pismo’s customer banks.

Issuer webhooks

You, as the issuer, need to code 3 webhooks to implement Pismo's VCAS solution. These webhooks are detailed in Pismo's Client webhooks guide:

  • StepUp—Get authentication method/delivery channel and display text. For more information, refer to Stepup call in the Getting Started with RDX guide.
  • Initiate Action—Request One-Time Passcode (OTP) action. For more information, refer to Initiate Action call in the Getting Started with RDX guide.
  • Validate—Validate entered OTP verification code. For more information, refer to Validate call in the Getting Started with RDX guide.

Notes:

  • Pismo will use RDX integration to communicate the StepUp method.
  • Pismo does not share PCI-DSS (Payment Card Industry Data Security Standard) data.
  • Pismo provides the encrypt/decrypt keys for the hashed PAN.

VCAS use cases


Use case #1

  1. Ecommerce site calls VCAS with OTP request
  2. VCAS calls Pismo with OTP request and PAN
  3. Pismo calls issuer's StepUp webhook
  4. Issuer responds with OTP delivery channel (SMS or email) and informational texts
  5. Pismo sends issuer's response to VCAS
  6. VCAS generates OTP verification code
  7. VCAS notifies ecommerce site of delivery channel
  8. Ecommerce site prompts cardholder for OTP verification code
  9. VCAS sends verification code to cardholder via delivery channel
  10. Cardholder enters OTP verification code at ecommerce site
  11. Ecommerce site sends entered OTP verification code to VCAS for validation
  12. VCAS validates OTP verification code and sends result to ecommerce site

Use case #2

  1. Ecommerce site calls VCAS with OTP request
  2. VCAS calls Pismo with OTP request
  3. Pismo calls issuer's StepUp webhook
  4. Issuer responds with delivery channel (SMS or email) and informational texts
  5. Pismo sends issuer's response to VCAS
  6. VCAS notifies ecommerce site of delivery channel
  7. Ecommerce site prompts cardholder for verification code
  8. VCAS calls Pismo to initiate action
  9. Pismo calls issuer's Initiate Action webhook
  10. Issuer generates verification code
  11. Issuer sends verification code to cardholder via delivery channel
  12. Cardholder inputs verification code at ecommerce site
  13. Ecommerce site calls VCAS to validate entered verification code
  14. VCAS calls Pismo to validate entered verification code
  15. Pismo calls issuer's Validate webhook
  16. Issuer responds with validation result
  17. Pismo sends validation result to VCAS
  18. VCAS sends validation result to ecommerce site
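In use case #2 the issuer generates the verification code (step 10) and later returns the validation result (step 16), so the code's lifetime, retry limit and single-use behaviour are the issuer's responsibility. The following is an added example, not Pismo's or Visa's code: the class, method names, result strings and limits are hypothetical and do not represent the RDX webhook payloads.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6          # assumed code length
OTP_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 3        # assumed retry limit


class IssuerOtpStore:
    """Hypothetical in-memory OTP state on the issuer side, keyed by transaction id."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)   # HMAC key, so plaintext codes are never stored
        self._pending = {}                    # txn_id -> [digest, expires_at, attempts_left]

    def _digest(self, txn_id, code):
        # Bind the code to its transaction so it is useless for any other one.
        return hmac.new(self._key, f"{txn_id}:{code}".encode(), hashlib.sha256).digest()

    def initiate_action(self, txn_id):
        """Step 10: generate the code; the caller delivers it by SMS or email (step 11)."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"  # CSPRNG, zero-padded
        self._pending[txn_id] = [self._digest(txn_id, code),
                                 self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def validate(self, txn_id, entered):
        """Step 16: return the validation result (hypothetical strings) for the entered code."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return "unknown"
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[txn_id]
            return "expired"
        if hmac.compare_digest(digest, self._digest(txn_id, entered)):  # constant-time compare
            del self._pending[txn_id]         # single use: a second submission fails
            return "valid"
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[txn_id]         # lock out after too many wrong guesses
            return "locked"
        return "invalid"
```

A production issuer would keep this state in a shared store with atomic updates rather than a process-local dictionary.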

Use case #3

In this use case, Pismo receives the request from VCAS and engages with the issuer to initiate the OOB process. This use case requires integration between Pismo and the issuer bank, outside the scope of the VCAS solution.

  1. Ecommerce site calls VCAS with OTP request
  2. VCAS calls Pismo with OTP request
  3. Pismo calls issuer's StepUp webhook
  4. Issuer responds with delivery channel (SMS or email) and informational texts
  5. Pismo sends issuer's response to VCAS
  6. VCAS generates OTP verification code
  7. VCAS calls ecommerce site to notify user of delivery channel
  8. Ecommerce site prompts user for verification code
  9. VCAS calls Pismo to initiate action
  10. Pismo calls Issuer's Initiate Action webhook
  11. Issuer sends verification code to cardholder via delivery channel
  12. Cardholder enters verification code
  13. Ecommerce site sends entered verification code to VCAS for validation
  14. VCAS validates entered verification code and sends result to ecommerce site