
VISA Api: The Power of Visa Network Delivered as an API - adamliesko
https://developer.visa.com/
======
bri3d
It doesn't seem like any of these products actually process payments, or is
there something I'm missing?

Checkout:

> "Depending on your configuration, you will process the actual payment
> through your own system, a payment processor, or an e-commerce partner as
> you normally do."

(
[https://developer.visa.com/products/visa_checkout/guides](https://developer.visa.com/products/visa_checkout/guides)
)

CyberSource:

> Before moving to production and running real transactions, you must have a
> merchant account from an acquiring (merchant) bank that can process the
> credit card payments.

(
[https://developer.visa.com/products/cybersource/thingstoknow](https://developer.visa.com/products/cybersource/thingstoknow)
)

Visa Direct APIs:

> However, in order to use the Visa Direct APIs in production, the Originator
> must either be a Visa client financial institution (issuer or acquirer), a
> third-party Originator that has been granted a Visa acquirer POS license
> (geographical restrictions apply), or a third-party Originator that has
> established an acquiring relationship for that purpose with a Visa client
> financial institution.

(
[https://developer.visa.com/products/visa_direct/thingstoknow](https://developer.visa.com/products/visa_direct/thingstoknow)
)

The token and transaction services are very interesting and it's cool to see
Visa jumping into decent modern payment UX, but I don't think they're gunning
for Stripe just yet...

~~~
jesseangell
This product is essentially a gateway. The same that Stripe or Braintree are
gateways. They just do a much better job of abstracting the confusion that is
payments.

You will still need a merchant account and a processor. A processor is the
party that actually handles authorization/settlements between the issuing bank
and acquiring banks.

~~~
bri3d
Right - but Square/Stripe/Braintree supply the merchant account and the
processor for me, so I can sign up, pay a transparent/upfront fee schedule,
and get payments delivered to my (standard checking) account.

~~~
jesseangell
Correct. They're definitely not targeting people that are just beginning to
process payments.

Their intention is to likely attract really large merchants/platforms, one way
or another.

~~~
f3llowtraveler
VISA is still living in the 20th century.

------
mark242
[https://developer.visa.com/images/cybersource.png](https://developer.visa.com/images/cybersource.png)

[https://developer.visa.com/products/cybersource/reference#cy...](https://developer.visa.com/products/cybersource/reference#cybersource__cybs__v1__authorize)

Ugh. Using this means that your application is in scope for PCI controls,
since card data will be transmitted across your network into your application.

One of the reasons that Braintree and Stripe, for example, are so popular is
because of the tokenization that they do prior to sending the card data to
your systems, thereby putting your application out of scope for PCI.

If Visa added that _one_ detail, this would be a fantastic solution.

~~~
ryanlol
Stripe bypassing PCI is still really questionable, if someone hacks you stripe
isn't gonna stop them from stealing your customers credit cards.

~~~
eibrahim
Stripe does not bypass PCI. Stripe does not transmit any credit card
information to your servers and if there are no CC info on your server then
you don't have to deal with PCI compliance.

If your server gets hacked you don't have any customer info stored on it. All
you have is a stripe token.

~~~
ryanlol
But generally the credit card data is in fact transmitted via your website to
stripe.

While not over the network, the user enters his credit card into the form ON
YOUR WEBSITE that POSTs it on to stripe. This means your site has full access
to the credit card info, choosing whether or not to store is up to you (or in
case you get hacked, up to the hacker).

~~~
derefr
No. You embed Stripe's iframe, which posts to Stripe. The iframe has a
separate _origin_ from your own website, which creates a mutual isolation
boundary between your site and that iframe: neither can read or modify the
contents of the other. It's just as secure as e.g. Paypal's workflow of
redirecting to the Paypal website and back.

~~~
ryanlol
I'm aware, but I was talking more in the practical sense.

The attacker can replace the iframe with his own and proxy it, or perhaps
simply display an error and ask the user to re-insert his payment info into
the actual stripe form.

~~~
derefr
The attacker can replace the server's response with his own form that pretends
to be Stripe's, too. In the end, there's no real defense against phishing.

~~~
Lazare
That's not strictly true.

Flow 1: User visits shop.com, selects some items, hits checkout, enters his
credit card details into a form on shop.com, hits submit, gets emailed a
receipt.

Flow 2: User visits shop.com, selects some items, hits checkout, is redirected
to a form on processor.com, enters his card details, hits submit, gets email a
receipt.

Now flow 1 and flow 2 _could_ be the same internally if the form in flow 1 was
actually from processor.com, just embedded into an iframe displayed on
shop.com. But the key is that _the user has no idea if it is or not_.

The form in frame 1 could be in an iframe from anywhere, or it might actually
be embedded directly into the page and posting, again, to anywhere. You just
have to take it on faith that shop.com hasn't been compromised, and isn't now
sending your details to malware.com.

In flow 2, you only enter your details into a form on processor.com; you no
longer need to worry if shop.com has been compromised, you just need to verify
that you're actually at processor.com, and not proccesor.com or whatever.

------
kumarski
This is awesome.

Wonder if VISAs exposes the BIN #.

BrainTree exposes the BIN number. Built this at a hackathon last year.

[http://www.reversecreditscore.com](http://www.reversecreditscore.com).

You can reverse engineer the BIN Number offered by BrainTree's API to
calculate the species of a credit card, thus the minimum credit score.

I have a payments entrepreneur group on facebook. It has about 50 folks in it.
if you want in and have built payments stuff message me.

~~~
chatmasta
That seems like a pretty fickle data source to build a product around.

I have multiple credit cards. I only use one of them for online purchases. It
happens to be my oldest card, the one I got when I was 18 years old. Therefore
it qualifies as an "introductory" card available with little/no credit
history. Would you assume anyone paying with their oldest card has a low
credit score?

There are so many factors that go into a credit score that it seems asinine to
base an estimate of it on the specific card used for a particular purchase.

Sure you can get the "tier" of a card and know that the issuer only grants
that card to someone meeting a minimum credit score. But you know nothing
else. Some people have a 750 credit score but have never applied for a second
card. You don't know how the age of the credit line, its utilization, its
size, its payment history...

This "reverse credit score" estimate seems like complete snake oil. If credit
checks are actually an important part of your business, factor them into your
costs and just pay the $50.

~~~
dclowd9901
You might find this unfair, but if you're using an introductory card for your
normal purchases, you're being financially stupid.

Myriad higher tier cards offer many rewards that you're actually paying for
anyway on marked up costs of items merchants have to charge to pay card
processing fees. So I would say, yes, you deserve a low credit rating.

~~~
barrkel
Somebody who is actively seeking to get every nickel and dime they can from
credit card purchases seems more like a marginal customer to me - warranting a
lower score rather than higher.

------
unwind
Weird caps in the title, "Visa API" would better match how these two words are
usually written, in my opinion.

"Visa" is a name, so it should have title caps (I know their branding calls
for "VISA" but such is often ignored in non-corporate reporting), and "API" is
an abbreviation so it should be all-caps.

I know, I should go back to work.

~~~
derefr
I think they try to use "VISA" to distinguish it from a
[https://en.wikipedia.org/wiki/Visa_(document)](https://en.wikipedia.org/wiki/Visa_\(document\)).
I would expect a "Visa API" to have something to do with immigration.

~~~
oxguy3
yeah that's fair, but then they wrote "Api", and now I'm convinced they're
deliberately trying to piss off pedants like myself

------
bryanthompson
This thing is a total disaster.

Some of their example code:
[https://github.com/VisaDeveloperProgram/SampleCode/blob/mast...](https://github.com/VisaDeveloperProgram/SampleCode/blob/master/SampleCode/VisaAPICalls/Ruby/CybersourceSample.rb)

Docs are incoherent in just so many ways - and their quick start drops you
right into like a 9 page guide for generating two-way ssl docs. Not exactly a
quick dev onboarding path.

Request docs list attributes as required that aren't in their examples or
runnable sidebar thing (the only cool part). Returns an error body with no
error messages, codes, or info. You use some "correlation-id" (called
"correlationId" in other places) to apparently get your error messages for a
failed request.

Final rating: 1/7, would not play with again.

~~~
techman9
I worked at Visa. You don't know the half of it...

------
notliketherest
Banks are still the gatekeepers of this network. Unless you've negotiated
deals with VISA partner banks, these APIs are pretty much useless. Companies
like Marqueta on the issuer side and Stripe on the acquirer side have
relationships with banks that let them move money from your VISA cards. (And
even in ACH land, which is lightyears behind the card companies, SynapsePay
for example has a bank partner who provides a license for their charter).

Don't think you're gonna be able to write a script to move money from your
credit card to your friend. This is still a tightly controlled network of
banks. If you're looking to innovate in the payments space, take a look at
Bitcoin and other digital currencies.

~~~
SwellJoe
I don't think I understand. Why would they go to the trouble to launch this
API, make claims of being able to process payments, etc. if it is "useless"?

~~~
spydum
You have no idea of the plethora of CIO/CTO digital transformation initiatives
being kicked off at fortune 100s.. Everybody needs an API, even if they serve
no purpose. Oh yes, and agile too.

------
nodesocket
Nothing here that would encourage me to switch from Stripe or Braintree. Both
those companies handle all the insane edge cases, recurring payments, and
refunds.

~~~
TheLogothete
Well, it's not meant to. Unless you want to process the credit cards yourself.
You are comparing chalk and cheese.

------
tyingq
I see a lot of comparisons to Stripe. While I'm sure this API has it's warts,
the reasons for it to exist center around cost and control. At a certain
scale, companies want the lower cost and higher control associated with having
their own merchant account.

Cost: Stripe's 2.9% + 30 cents per transaction, if you do enough transactions
per month, is very high. How much better you can do depends on some variables
like average transaction size, debit/credit mix, etc. You can easily shave it
down to around 1.9% in most cases, or better. Again, at a certain scale,
giving up 1% or more of your incoming revenue just isn't smart.

Control: Lots of areas here. Removing "STRIPE" from the charge listing on the
customer's credit card statement. Direct control of chargebacks. Routing to
different payment gateways based on card type. Better integration of card-
present and online transactions.

You do, of course, lose the advantages that Stripe provides, so your scale
would have to be such that replicating that functionality is justified. There
are solutions in the middle. Authorize.net, for example, will let you use your
own merchant account and pay just for the gateway services. They provide some
of benefits/features that you would lose doing it from scratch.

~~~
stanley
The thing is, there doesn't seem to be a clear benefit to this over say,
Authorize.net.

~~~
tyingq
I agree, but that doesn't seem to be the discussion here :)

------
davidkellis
But what does it cost?

~~~
TranquilMarmot
This is the real question- I can't find anything on their page saying how much
it costs to use their API. No such thing as a free lunch...

------
edko
Maybe I understood it wrong ... but you don't know how much it will cost to
use their API before you submit your application to them?

Why would anyone invest any nontrivial amount of resources on developing
something for which they don't know what the cost of running it is going to
be?

What is lacking is a clear business overview of what their product is, its
costs and benefits.

~~~
bryanthompson
Once your application is completely functional, you email them (lol) and then
they go through contract negotiation and application/security/etc. review
where you get your terms.

~~~
rokhayakebe
Isn't this just a way to filter out the type of clients they don't want. If
you do not have the time or resource to go through these bureaucratic
scenarios, then you aren't a good fit.

~~~
bryanthompson
Sure, but they're not going to even tell you if you're a good fit until you go
through the entire expense of building for their gateway. I'd think one would
spend that effort integrating with any number of other gateways that have some
clear requirements. There's just no clear advantage here that I can see.

------
Patrick_Devine
I think it's cool that VISA is trying to innovate in the space, but I'm not
sure of the target audience for these APIs. For most businesses, you're
probably better off integrating to Stripe and not having to deal with Gateways
or Merchant Accounts.

Speaking of which, VISA should just buy Stripe.

~~~
foota
Maybe high volume processors looking for reduced fees?

~~~
Patrick_Devine
Right. That was my thought, but that's going to be a diminishingly small set
of customers. Why go through the hassle of opening it up to everyone? I
suppose it's "hip" to have a cool bootstrappy website and an API that anyone
can use, but it's just not super useful for most businesses.

~~~
foota
Granted it may be a diminishing set, but regardless of the size of the set it
seems they would be a large portion of the business? Some sort of 90 10 rule.

------
robbiet480
Blog post announcing new developer initiative
[https://community.developer.visa.com/t5/Blogs/Hello-
World/ba...](https://community.developer.visa.com/t5/Blogs/Hello-
World/ba-p/5402)

------
etix
Their ATM locator API doesn't really work in France, I just tried for the
Paris suburb and the nearest ATM found was miles away. There are dozens of
them between the test location and the closest one returned.

------
tomelders
Why bother putting so much time and effort to release something this bad?

Because the executive committee has no understanding of why they need a "good"
API, and no appetite for the difficult journey they need to embark on to
create one, but they just have to do "something", and they're happy with
"anything". That's my bet.

The largest player in the market just entered the API arms race, years late
and with pockets deeper than any of their rivals. Yet two brothers from
Ireland are still the best game in town.

------
VonGuard
Master Card has been doing this for a while, and I think they do it better:
[https://developer.mastercard.com/portal/dashboard.action](https://developer.mastercard.com/portal/dashboard.action)

They've had hackathons, and they have a few sample ideas. My favorite is
checking local restaurants and the zip codes of users. This gives you a
listing of places that are popular with locals.

------
sagivo
does anyone know what's the pricing for this service?

~~~
livingparadox
You have to submit your app for approval to get pricing.

"Once you’re ready to move forward and submit your app for approval, contact
developer@visa.com and work with our team to complete risk reviews, contracts,
system configurations, pricing, and billing arrangements."

[https://developer.visa.com/vdpguide#get-started-
overview](https://developer.visa.com/vdpguide#get-started-overview)

~~~
Laaw
I dunno if this is kosher, but if someone who qualifies wants to go through
the process of applying and posting the rates, there would be a wealth of
gratitude in it for you.

~~~
notatoad
It sounds like the rates they offer one business will not necessarily be the
same as the rates they offer another business.

This is kind of Visa's whole business model - assessing and pricing credit
risk. There isn't too much point in learning the rates they offer somebody
else.

------
nambante
I'm building a gem for it
[https://github.com/GildedHonour/frank_visa](https://github.com/GildedHonour/frank_visa)

An beta version should be ready pretty soon.

------
ksred
MasterCard also has an API:
[https://developer.mastercard.com/](https://developer.mastercard.com/)

Just as the VISA API, this requires you to be a "verified partner" or be
sponsored when going to production.

------
ryandetzel
While this is great (although very late) it's biggest issue is that I have to
implement this and another service if I care about the other credit card
companies. Merchants would be fools to just accept Visa.

~~~
Kinnard
That's why Bitcoin's great! It's an electronic payment system, and the
underlying currency.

~~~
chc
I don't see how it's different at all in this respect. If you want to support
other payment systems or currencies, you need to implement Bitcoin and another
service. Just like the GP was saying about Visa.

------
slantaclaus
Reahhh but there's no ruby gem how am I supposed to use it??

------
desireco42
Took you long enough.

------
Cieplak
I wonder if their funds transfer service will support payroll or rent
payments, and if so, what fees are negotiable based on volume.

------
oxguy3
> VISA Api

why would you ever capitalize those words that way goddammit there's no way
this wasn't deliberate

------
pfarnsworth
At one of my previous companies, once we reached significant volume,
Cybersource asked us for a material percentage of our transaction volume as a
reserve, otherwise they would shut us down. I would never use them again as a
processor.

~~~
song
I've used them for a customer processing more than 20 million dollars/year and
we didn't have that. The merchant account does take a small percentage as a
rolling reserve though (3% if I remember correctly).

In term of programing, I much prefer dealing with Braintree but Cybersource is
not too bad (not the worse gateway I've dealt with, less issues tha
Authorize.net)

------
rmac
this is great!

sadly all the cool fraud api stuff can only be used by issuers (e.g., banks)
in production :(

------
pcora
Your move, MasterCard. :)

~~~
nbohra
[https://developer.mastercard.com/](https://developer.mastercard.com/)

------
gansai
who is providing api management solution for VISA?

------
Kinnard
I wonder how much of a role Bitcoin played as an impetus for finally coming
out with this. Sure, it should have been done way before Bitcoin, but I bet
that gave them a reason to put the peddle to the metal.

~~~
geofft
Visa's product is almost entirely orthogonal to Bitcoin. It has a fairly high
service fee, which provides a (worthwhile) service of insuring both the
customer and the merchant against misdoings by the other, that is, offering
payments that can be reversed in the far future. It's centralized, and humans
can reverse payments. It discriminates strongly on what fields they're willing
to serve payments for. It requires not only identities but background checks
of both customers and merchants, and can permanently shut down a customer or
merchant they don't want to serve any more. It provides credit.

If they really felt threatened by Bitcoin, they would have changed any one of
those things. Bitcoin doesn't even have an HTTP API, so adding one doesn't
help you compete.

~~~
techman9
Visa does not provide credit. The banks with which they contract do.

~~~
Kinnard
I think he's referring to a different kind of 'credit'.

