Visa used the Visa Information Delivery External Certificate Authority (CA), also known as VICA3, to sign client API credentials for Two-Way Secure Socket Layer (SSL) or mutual Transport Layer Security (mTLS) authentication. Visa is launching enhancements to its certificate authentication framework that are designed to help strengthen the security of all digital payment experiences. Effective 28 June 2025, the existing VICA3 root and intermediate certificates used for authenticating API calls to Visa will expire. Clients that utilize these certificates for their API calls to Visa will need to update their full certificate chain and their API integrations before the certificates expire.
About Two-Way SSL (aka Mutual Authentication or mTLS)
- Two-Way SSL, also known as mutual SSL (mTLS), is a security protocol that ensures both parties in a communication channel can authenticate each other. In Two-Way SSL authentication, the client and server need to authenticate and validate each other’s online identities.
- As one of the security protocols, Visa Developer secures its connections with clients by means of Two-Way SSL (Mutual Authentication or mTLS) method, which is one of the two authentication methods with X-Pay Token (aka API Key-Shared Secret Authentication) offered by Visa for connectivity.
- Two-Way SSL: Requires both the client and the server to present and verify each other's digital certificates for mutual authentication.
Client Impacts and Required Actions
Impacted clients have a Visa Developer project that has a two-way Secure Socket Layer(SSL) (mutual authentication) certificate (inbound or outbound) that expires in June 2025. Clients should confirm their certificate expiration date by navigating to the “Credentials” screen within their Visa Developer project. Those with certificates expiring in June 2025 should request new certificates as soon as possible, but no later than 1 June 2025. Clients with Visa Developer projects in the Certification or Production environments will need to submit their certificate configuration request to Visa no later than 1 June 2025 to trigger new certificate provisioning and allow adequate time to update their application servers. Clients with Visa Developer projects in the Sandbox environment can complete this change on a self-serve basis by requesting a new auto-generated certificate from their dashboard.
Note: In October 2024, Visa started issuing certificates using Visa Services Issuing CA, the new CA; clients with Visa certificates issued using the latest CA are not impacted by this change, and no action is required of them.
FAQs for Impacted Clients
What happens if I do not act?
If you do not update your certificates and update your API integration by the 28 June 2025expiration date, any API calls that use two-way SSL (mutual authentication) certificates to authenticate will fail and your service will be interrupted.
How do I create the new certificates?
Anyone with access to their Visa Developer project and the API credentials can request a new set of credentials. For clients with projects in Certification and Production, submit your certificate request to Visa through your Visa Developer dashboard. This will trigger provisioning of your client certificate. Once the certificate is provisioned, download the intermediate and root certificates under the “Credentials” screen in your project dashboard.
