Student
Professional
- Messages
- 1,874
- Reaction score
- 1,780
- Points
- 113
Visa’s dCVV2 Generate and Authenticate APIs empower issuers (and approved third parties) to implement dynamic Card Verification Value 2 (dCVV2) for enhanced security in card-not-present (CNP) transactions. These APIs enable on-demand generation of time-limited security codes and managed validation, reducing fraud from static CVV2 compromise without requiring physical e-ink cards for all use cases.
Core Benefits:
Regional Availability: Global, with full support across major regions (North America, Asia-Pacific, Europe, etc.), though issuers must register specific BINs/account ranges.
Things to Know:
Example Request:
Overview and Key Capabilities
- dCVV2 Generate API: Requests 1–24 dynamic codes per call for a specific PAN. Codes are time-based (validity windows configurable from 1–18 hours) and delivered to cardholders via mobile apps, SMS, or other channels.
- dCVV2 Authenticate APIs: Handle enrollment (enroll/unenroll/enquire) for individual accounts. Support issuer-hosted or Visa-hosted (On Behalf Of – OBO) validation during authorization.
Core Benefits:
- Dramatically reduces CNP fraud by time-bounding codes.
- Cost-effective alternative to physical dynamic cards.
- Minimal backend changes when using Visa OBO services.
- Supports virtual cards, pre-plastic issuance, breach response (no full reissue needed), and app-based delivery.
- Seamless for cardholders: Enter the current dCVV2 exactly like a static CVV2.
Regional Availability: Global, with full support across major regions (North America, Asia-Pacific, Europe, etc.), though issuers must register specific BINs/account ranges.
Prerequisites and Onboarding
- Client Information Questionnaire (CIQ): Submit to Visa representative to register entire BIN(s) or account ranges. Individual accounts can then be selectively enabled.
- Visa Developer Program Registration: Access sandbox and production via developer.visa.com.
- Authentication: Two-Way SSL (Mutual TLS) + x-pay-token (API Key + Shared Secret) for certain calls.
- PCI DSS Compliance: Treat dCVV2 like static CVV2 — no merchant storage post-authorization.
Things to Know:
- Not used for card-on-file/recurring transactions.
- All Visa acquirers support CVV2 processing; dCVV2 flows through existing authorization paths.
Technical API Specifications
1. dCVV2 Generate API (v1)
- Endpoint: POST /dCVV2/v1/PanDB/dCVV2GenerationRequest
- Request Body(application/json):
- acctInfo (required object):
- primryAcctNum (required):
- pan (required, integer): Primary Account Number.
- panExpDt (required, string, e.g., "2019-11" or MMYY format).
- primryAcctNum (required):
- cardAcceptr (required object):
- clientId (required, string, 1–64 chars): Client identifier.
- itemCount (integer, 1–24): Number of codes to generate.
- acctInfo (required object):
Example Request:
JSON:
{
"acctInfo": {
"primryAcctNum": {
"panExpDt": "2019-11",
"pan": "4046760000000008"
}
},
"cardAcceptr": {
"clientId": "A98YG89AG89"
},
"itemCount": 2
}
```<ai-card data-id="65f29b" data-type="citation_card" data-plain-type="render_inline_citation" ></ai-card>
- **Response** (201 Created):
- `dCVV2ItemList`: Array of objects with `dCVV2Value` (3-digit code) and `dCVV2Expiry` (timestamp).
- `transctnReslts`: Includes `actionCd` (e.g., "00" for success).
- PAN and other details echoed back.<ai-card data-id="fdefe5" data-type="citation_card" data-plain-type="render_inline_citation" ></ai-card>
**Example Response Snippet**:
```json
{
"acctInfo": { ... },
"dCVV2ItemList": [
{ "dCVV2Expiry": "2802200000", "dCVV2Value": "123" },
{ "dCVV2Expiry": "2802200000", "dCVV2Value": "456" }
],
"transctnReslts": { "actionCd": "00" }
}
```<ai-card data-id="808060" data-type="citation_card" data-plain-type="render_inline_citation" ></ai-card>
#### 2. dCVV2 Authenticate APIs
- **Enroll**: Registers a PAN for validation service.
- **Unenroll**: Removes a PAN.
- **Enquire**: Checks enrollment status (Yes/No).
- Responses confirm actions or provide status. Validation during auth uses existing CVV2 fields and returns standard match/no-match codes.<ai-card data-id="96d7e7" data-type="citation_card" data-plain-type="render_inline_citation" ></ai-card>
**Error Handling**: Standard Visa error codes (e.g., 402 Application Error, 403 Forbidden for invalid clientId, 503). Detailed in Visa Developer error documentation.<ai-card data-id="ff541c" data-type="citation_card" data-plain-type="render_inline_citation" ></ai-card>
### Implementation and Integration Flow
**Typical Issuer Workflow (Generate + App Delivery)**:
1. Cardholder requests code via issuer mobile app.
2. Issuer calls dCVV2 Generate (batch 1–24 codes for efficiency).
3. Store codes securely short-term with expiry times.
4. Deliver current valid code to user (app notification, in-app display).
5. User enters code at merchant checkout.
6. Transaction routes through VisaNet; issuer or Visa OBO validates against expected dCVV2 for the time window.
7. Authorization response includes CVV result (M = match, N = no match, etc.).<ai-card data-id="99535c" data-type="citation_card" data-plain-type="render_inline_citation" ></ai-card>
**Usage Scenario Example** (from Visa):
- User sees offer in app → Requests dCVV2 → Issuer generates batch → User uses current code for multiple transactions over hours/days.<ai-card data-id="8a3bf7" data-type="citation_card" data-plain-type="render_inline_citation" ></ai-card>
**Sandbox Testing**:
- Available in Visa Developer Portal.
- Use test PANs and credentials.
- Supports full end-to-end simulation.<ai-card data-id="bcde9a" data-type="citation_card" data-plain-type="render_inline_citation" ></ai-card>
**Production Considerations**:
- Batch generation minimizes API calls and latency.
- Configure validity windows via CIQ (balance security vs. UX).
- Integrate with existing host authorization systems or use Visa OBO for lighter lift.
### Security, Compliance, and Best Practices
- **Cryptography**: Time-based with issuer/Visa synchronized secrets; codes tied to PAN and timestamps.
- **PCI DSS**: dCVV2 treated as Sensitive Authentication Data — delete after use.
- **Fraud Mitigation**: Combines with 3DS, tokenization, AVS, and ML scoring. Real-world results (e.g., Fidelity Bank) show major CNP fraud reductions.ai-card data-id="da5e03" data-type="citation_card" data-plain-type="render_inline_citation" ></ai-card>
- **Issuer Best Practices**:
- Offer app + SMS fallback.
- Monitor usage and sync issues.
- Test edge cases (expiry, multiple codes).
- Provide clear UX for code requests.
- **Merchant Side**: No changes needed — request CVV2 as usual and set decline rules for mismatches.
- **Consumer Tips**: Use official issuer channels; codes auto-expire.
### Real-World Adoption and Case Studies
- **Fidelity Bank (Bahamas)**: Significant reduction in CNP fraud via dCVV2.<ai-card data-id="51190d" data-type="citation_card" data-plain-type="render_inline_citation" ></ai-card>
- **Third-Party Solutions**: Providers like Keyno (CVVkey) offer turnkey SDKs/white-label apps integrated with these APIs.<ai-card data-id="20b0ec" data-type="citation_card" data-plain-type="render_inline_citation" ></ai-card>
- Growing use for virtual cards and breach remediation.
### Limitations and Future Outlook
- Requires BIN registration and issuer effort for delivery/UI.
- User friction if codes change frequently (mitigated by batching).
- Not universal for all transaction types.
- Visa continues enhancing integration with digital wallets, biometrics, and EMV 3DS.
For the absolute latest schemas, full OpenAPI specs, sample code (multiple languages), and certification, register at the **Visa Developer Center** (developer.visa.com) and explore the dCVV2 Generate and Authenticate capability. Contact your Visa representative for CIQ, regional details, and production support.<ai-card data-id="a39238" data-type="citation_card" data-plain-type="render_inline_citation" ></ai-card>
This API suite is a powerful, practical tool for issuers to modernize CNP security with minimal disruption, delivering measurable fraud reduction and improved customer trust in the evolving payments landscape.
