In progress - Scheduled maintenance is currently in progress. We will provide updates as necessary.
Apr 18, 2025 - 12:00 EDT
Scheduled - Starting on May 16, 2025, the VCAS Portal will transition its sign-in process to Visa Access (formerly Visa Online) for all external users, completing by May 19, 2025. Post-migration, all VCAS users will access VCAS through the Visa Access URL: https://www.visaonline.com/login. This change is driven by our commitment to maintaining the highest standards of security and compliance. With the new PCI 4.0 requirements going into effect in 2025, we are required to implement multifactor authentication (MFA) to remain PCI compliant and retain our PCI certification. By transitioning to Visa Access, we are not only meeting these compliance requirements but also enhancing your login experience with improved security and convenience.
We are dedicated to ensuring a smooth transition with minimal disruption to your operations. Find below the key steps you need to take to prepare for the migration and resources available to help you navigate this change seamlessly.
Key Things to Know:
Update VCAS User Credentials: Users must ensure that their usernames and corporate email addresses are updated by their Admin in the VCAS Portal by the following deadlines:
NEW DATE: Staging environment: April 18, 2025 by no later than 20:00 UTC NEW DATE: Production environment: May 2, 2025 by no later than 20:00 UTC
User Creation Freeze Periods: During the migration period, no new users can be edited or created. Freeze dates as follows:
NEW DATES: Staging environment: Starting on 20:00 UTC April 18, 2025 - May 2, 2025 NEW DATES: Production environment: Starting on 20:00 UTC May 2, 2025 - May 18, 2025
Usernames meet the minimum length requirement of 10 characters.
A valid corporate email is loaded for each user being migrated (personal email addresses like @gmail.com are not acceptable).
Impact to SFTP Reports: For customers receiving our VCAS SFTP reports today, please note the below reports will be impacted due to this migration:
User Access Report (UAR): The classifications related to a user's account status will be changed. The following new statuses will be reflected in the UAR: Pending, Active, Disabled, and Delete_Pending Violation Report: This report will be unavailable for a period of time due to a limitation in the data that is currently sent in that report. We are working with the Visa Access team to evaluate when this report can be supported in the future. The current timeline is FY26.
First Time Login to VCAS Post-Migration:
The first-time login experience will depend on how your user account was migrated. If you already had an active Visa Access account at the time of migration, you would log in at https://www.visaonline.com/login using your existing Visa Access account information. If not already set up, you will be prompted to set up your multi-factor authentication (MFA) preferences and security questions, and all users will be prompted to change their password. Once login is complete, VCAS portal will be accessible in the My Services dashboard. Please see document VCAS Portal User Login Flows on Visa Access for more details on first time login.
If you did not have a Visa Access account at the time of migration, you will log in at https://www.visaonline.com/login using your current VCAS portal username and password. The VCAS username will become your Visa Access username. After entering your credentials, you will be prompted to complete the setup your MFA preferences, security questions, and change your password. Once login is complete, VCAS portal will be accessible in the My Services dashboard. Please see document VCAS Portal User Login Flows on Visa Access for more details on first time login.
Note: Current Federated SSO VCAS issuers will maintain their current login process with Visa Access. For more details on the migration, please refer to the FAQs page (https://visa.highspot.com/items/67d897cc62dd4456eb238110) or do not hesitate to contact your Local VISA support if you have any questions or concerns.
In progress - Scheduled maintenance is currently in progress. We will provide updates as necessary.
Apr 09, 2025 - 18:00 EDT
Scheduled - Target Audience - Only applicable to clients processing UPI transactions on VCAS.
We're excited to let you know that VCAS will soon support Union Pay International’s EMV 3DS v2.2.0 before it phases out. This transition aims to enhance your experience and ensure seamless transactions. UnionPay 3-D Secure Program (UP3DS) is a secure e-commerce payment solution designed for Issuers and Merchants who want to reduce the risk of fraudulent transactions. UP3DS divides the online payment process into separate authentication and authorization flows.
Union Pay International released a product bulletin on November 30, 2023, with the following requirements: 1. All new components used in UPI 3DS products must be certified under the EMV Co. v2.2.0 standards starting January 1, 2024. 2. Issuers and acquirers must support EMV 3DS v2.2.0 by October 31, 2024. UPI will soon release its sunset plan for UP3DS v2.1.
Key Date: • May 14, 2025: VCAS will collaborate with UPI to update Issuer BIN ranges to support v2.2.
These requirements apply to participants in all regions globally, including EU, AP, LAC, NA, and CEMEA. VCAS is fully certified for UPI v2.2.0 and ready to support issuers. Outside of issuers in the EEA supporting PSD2, customers do not need any configurations in VCAS to support it. To support UPI 2.2, all BIN ranges on the UPI Directory Server need to be loaded with a "Protocol" of 2.2.0.
To eliminate the large manual effort for both VCAS issuer services teams and VCAS issuers, VCAS teams have coordinated with UPI to programmatically update all VCAS registered BIN ranges at the DS to End Protocol 2.2.0 on a coordinated date. The UPI team will enable ranges and set “ACS Protocol Version” and “ACS URLs” to VCAS to “2.2.0”.
The target implementation date for this migration is May 14, 2025, however, notifications will be sent out to issuers prior if this date changes.
If you prefer to opt out of this mass update, please work with your Visa Account Manager (or Support Center) to open a project by April 23, 2025. Your assigned VCAS Implementation Manager will work with you and the UPI team to enable your ranges in the UPI Directory server.
Additional Support and Recommendations:
Message Version Field (RDX): For issuers integrated to the VCAS RDX API, we recommend confirming that you do not have any validation logic on the Message Version field as this could cause issues when the new 2.2.0 value passes through in RDX. - Ensure any hard-coding logic in place for the ‘messageversion’ field is removed, if present. For instance, if a 2.2.0 message is sent and the messageversion field populates 2.1.0 as a hard-coded field by the issuer, the system will throw an error and result in authentication failure. - In principle, avoid hard-coding values in the ‘messageversion’ field.
VCAS recommends all issuers monitor their VCAS authentication traffic and authorization traffic to ensure there are no unexpected errors or issues after the update to 2.2. Internal support teams have been made aware of the upcoming UPI 2.2 boarding activities by issuers and will be vigilant during this time to any issues related to UPI 2.2.
Please do not hesitate to contact your Local VISA support if you have any questions or concerns.
In progress - Scheduled maintenance is currently in progress. We will provide updates as necessary.
Mar 07, 2025 - 16:11 EST
Scheduled - Visa will be updating a set of staging and production leaf certificates that are set to expire on May 02, 2025. To prevent disruption to services, we ask that you review your configuration immediately.
The Leaf certificates that are expiring may be in use by VCAS to your endpoint as part of the mutual TLS (MTLS) handshake for RDX, ADX, or Oauth connections.
Please review the certs below to see if they are in use with your VCAS connection.
The expiring STAGING leaf certificate details:
Common Name (CN): rdxstag.cardinalcommerce.com Serial Number: 0a86c117a3fef467682b740deef86f1c Date of Replacement: March 18, 2025 10:00 EDT Date of Expiry: May 02, 2025 18:59:59 EDT
The new STAGING leaf certificate details:
Common Name (CN): rdxstag.cardinalcommerce.com Serial Number: 0dd1c3f351d61449b0702f5ec0d14a47 Date of Replacement: March 18, 2025 10:00 EDT Date of Expiry: March 28, 2026 18:59:50 EDT
The expiring PRODUCTION leaf certificate details:
Common Name (CN): rdx.cardinalcommerce.com Serial Number: 07ec4a5fc0d1c1049a1590b7d4788719 Date of Replacement: April 22, 2025 10:00 EDT Date of Expiry: May 02, 2025 18:59:59 EDT
The new PRODUCTION leaf certificate details:
Common Name (CN): rdx.cardinalcommerce.com Serial Number: 0ead8d09102f51d80fb614eec175f0a1 Date of Replacement: April 22, 2025 10:00 EDT Date of Expiry: April 3, 2026 18:59:59 EDT
The Intermediate CA and Root CA will remain the same:
Intermediate Certificate Details: Common Name (CN): DigiCert Global G2 TLS RSA SHA256 2020 CA1 Serial Number: 0cf5bd062b5602f47ab8502c23ccf066
Root Certificate Details: Common Name (CN): DigiCert Global Root G2 Serial Number: 033af1e6a711a9a0bb2864b11d09fae5
Customer Responsibilities:
-If you trust on the leaf certificate, we will have to coordinate the switchover with your connection. Please contact your local VCAS support and/or account manager to coordinate this change.
-If you require coordination, we will schedule a time to switch over the leaf certificate. It is imperative that the migration occur before certificate expiration, otherwise RDX services will be impacted.
Testing – How can I test these changes?
Customers are encouraged to work with their network teams to ensure they can support the updated certificates.
No new parameters or fields are required for these changes. If you do not trust the new certificate, you will be unable to connect to Cardinal endpoints receiving a connection timeout or certificate error response.
Please do not hesitate to contact your Local VISA support if you have any questions or concerns. Please refer to the knowledge article titled "DigiCert MTLS RDX Certificate Update" for the full cert chain. You may also contact support or your account manager if you require the full Cert Chain.
In progress - Scheduled maintenance is currently in progress. We will provide updates as necessary.
Feb 06, 2025 - 11:30 EST
Scheduled - The Visa Consumer Authentication Service (VCAS) will be migrated to Visa data centers in a phased approach beginning 1 July 2025 and ending 31 March 2026. VCAS users will need to take specific actions to complete the migration depending on the VCAS features and functionality they use today.
Visa will begin a phased migration of VCAS to Visa data centers beginning 1 July 2025 and ending 31 March 2026 to improve security, performance and resiliency by maximizing Visa's global scale and infrastructure. The specific actions needed to complete the migration will depend on which VCAS features and functionality are being used today. See the Client Impact and Required Actions section below for a summary of the current actions required based on the VCAS solution being used.
Key Dates • 1 July 2025: Start of phased VCAS customer migration • 31 March 2026: End of phased VCAS customer migration
VCAS Background
Visa acquired CardinalCommerce in 2017, and since then has built VCAS into a robust, state-of-the-art authentication solution.
The VCAS team is committed to handling the majority of the requirements in order to reduce the effort and resources needed for VCAS users to complete the migration. Visa will provide additional details in future communications on the migration plan and how VCAS users will be migrated in the most efficient and effective way possible.
Client Impact and Required Actions:
Trust new IP Ranges Continue to trust current IP addresses until the migration is complete
VCAS users that have integrated Real-time Data Exchange (RDX) or Authentication Data Exchange (ADX) APIs will need to trust new IP ranges. Please visit the Visa Support Hub (https://visasupporthub.visaonline.com/) and reference the Knowledge Article titled "VCAS Customer Data Center Migration" for the IP's and additional information.
Request a Project
VCAS users that utilize file transfer services (Secure File Transfer Protocol [SFTP] Reporting, File Processor or Bulk Confirmed Marking) will need to open a case using the Visa Support Hub under VCAS (https://visasupporthub.visaonline.com) via Visa Access (formerly Visa Online) or engage their Customer Success Manager (CSM) by 1 July 2025.
The objective of this project is to establish connectivity between the user’s system and the Visa File Exchange Service (VFES). A secondary project will be needed to complete the actual data center migration; this secondary project will include testing the files before sending traffic to the Visa data center. Prior to requesting a project, users should have the information listed below, as it is required to create a new Visa Access ID for VFES.
Account Owner (the person responsible for file transfer services in the user’s organization) and Manager (backup contact):
o Organization Name o Visa Business Identification (BID) number o Full Name (file delivery contact) o Job Title o Email Address o Business Address o Phone Number
Secure Shell (SSH) Keys:
o VFES requires SSH keys for authentication and securing communication. o If VCAS currently hosts the SFTP folders, users will need to create a public and private key pair per environment (Staging and Production). o If you currently host the SFTP folders, Visa will provide the SSH public key during your project.
Sign Up for Future Data Center Migration Updates Visa will use the following channels to communicate data center migration updates, and strongly recommends VCAS users subscribe to ensure receipt of migration-related communications and notifications.
VCAS Status Page / CardinalCommerce Status (https://cardinalcommercecorporation.statuspage.io): This status page is primarily used to communicate planned and unplanned events that may impact operational status.
Subscribe for updates to one or more of the following based on your VCAS solution: -VCAS Issuer Services -The Real-time Data Exchange (RDX) -File Processor -Authentication Data Exchange (ADX) -Reporting Extract -VCAS Portal
The visa.com Opt-in to VCAS updates today page (https://globalclient.visa.com/Opt-inToVCASUpdatesToday). This is primarily for new VCAS product information, updates and educational opportunities. Visa will also use this channel to communicate data center migration updates via email.
Please do not hesitate to contact your Local VISA support if you have any questions or concerns.
We are excited to announce the launch of a newly redesigned website for Cardinal Consumer Authentication (CCA) Implementation guides! This update brings a more streamlined, user-friendly experience, offering a central hub for all our CCA product offerings & specifications. You can expect a more intuitive navigation, better filtering for CMPI messages, and easy access to critical resources like technical specifications and integration guides.
As part of this update, we’ve combined all of our CCA product offerings into one consolidated website, making it easier than ever to access the latest information about our products and services.
With the link above, expect to see a new Cardinal Consumer Authentication Integration guide, better filtering for our CMPI messages, and a new look and feel across the site.
This new site will be replacing our old site completely as of January 17, 2025. Cardinal recommends bookmarking the new URLs in the table below to get the most up to date information about our products and services.
Visa monitoring has identified an issue with VCAS Reporting on challenge transactions that experience timeouts (indicated by ChallengeCancel 04 or ChallengeCancel 05). This does not impact VCAS transaction processing or the merchant business decision on Auth Status results since the API response remains unchanged. These abandoned challenge transactions were previously marked with an authentication status of "MC" (Merchant Cancelled). However, they are now being reported as authentication status "N" (Not Authenticated).
A fix is scheduled to be implemented in staging on Monday, 28 April 2025 and production on Wednesday 30 April 2025. The fix will revert Challenge transactions that time out (challengeCancel 04 or challengeCancel 05) resulting in an Auth Status N (Not Authenticated) back to MC (Merchant Cancelled) in reporting going forward.
Reported Start Time: 18:00 UTC 21 April 2025
Impact: This affects reporting in VCAS Portal, and ReportingExtract TDR Auth Status results. This does not impact any transaction processing or merchant business decision on Auth Status results since API remains unchanged.
Next Update: We will provide an update once the permanent fix to reporting is applied Wednesday 30 April 2025
Please do not hesitate to contact your local Visa support team if you have any questions or concerns.
Completed -
The scheduled maintenance has been completed.
Apr 25, 20:00 EDT
In progress -
Scheduled maintenance is currently in progress. We will provide updates as necessary.
Apr 8, 12:00 EDT
Scheduled -
You’re invited to attend our informational customer webinar on the VCAS Data Center (DC) Migration, hosted by our VCAS Solutions Management Director, Austin Poole. This session will aim to help you understand the "what" and "why" of the DC migration.
Receive key information about the VCAS DC Migration, including:
- Required actions to prepare for the migration
- The timeline of the migration and steps taken by our team
- Introduction to the upcoming Directory Server (DS) cutover milestone
Following the presentation, there will be a Q&A session to address additional questions you may have.
We encourage your participation to ensure you are prepared for this transition. Your involvement is crucial for a successful migration.
Please register for the webinar based on your region:
Resolved -
Connectivity issues with our Customer Support Site (https://support.cardinalcommerce.com) are resolved, and the site is now available.
Reported Start Time: 23-April-2025 14:20 UTC Reported End Time: 23-April-2025 15:52 UTC
Impact: During this time customers may have experienced inability to access or use certain functionality within the legacy support site. While this site was impacted the new support site through the Cardinal Support Hub at https://centinel.visaonline.com/login/ was available. Consumer authentication processing was not impacted by this event.
Note: Customers may need to clear their browser cache in order to access the full site. Please be sure to bookmark the new Cardinal Support Site URL: https://centinel.visaonline.com/login/
Impact: During this time customers may experience inability to access or use certain functionality within the support site. Consumer authentication processing is not impacted by this event.
VISA engineers are currently engaged in resolving this issue. The next update will be within 1 hour or as the current status changes.
Completed -
The scheduled maintenance has been completed.
Apr 19, 08:30 EDT
In progress -
Scheduled maintenance is currently in progress. We will provide updates as necessary.
Mar 10, 15:30 EDT
Scheduled -
Visa will be updating a set of VCAS staging and production root, intermediate and leaf certificates that are set to expire on April 20, 2025. To prevent disruption to services, we ask that you review your configuration immediately if you are using one of the certificates below associated with RDX, ADX, or Oauth connections.
The expiring STAGING leaf certificate details:
Common Name (CN): rdxstag.cardinalcommerce.com Serial Number: 09:c4:9d:f4:ea:3e:1b:1e:88:70:ad:bc:3b:a7:38:da Date of Replacement: March 11, 2025 10:00 EDT Date of Expiry: April 20, 2025 18:59:59 EDT
The new STAGING leaf Visa Signed certificate details:
Common Name (CN): rdxstag.cardinalcommerce.com Serial Number: 74:c5:06:03:3b:77:36:d5:36:fe:c7:30:d8:24:86:74 Date of Replacement: March 11, 2025 10:00 EDT Date of Expiry: April 28, 2027 09:26:51 EDT
The expiring PRODUCTION leaf certificate details:
Common Name (CN): rdx.cardinalcommerce.com Serial Number: 7a:52:88:3a:65:bf:81:a6:e6:89:98:a8:bd:a5:d1:b9 Date of Replacement: April 10, 2025 10:00 EDT Date of Expiry: April 20, 2025 18:59:59 EDT
The new PRODUCTION Visa-signed certificate details:
Common Name (CN): rdx.cardinalcommerce.com Serial Number: 39:4a:7d:cd:05:9f:4b:bf:07:cb:a1:37:36:92:d6:b6 Date of Replacement: April 10, 2025 10:00 EDT Date of Expiry: May 5, 2027 09:33:30 EDT
The old CardinalCommerce Intermediate Certificate Details: Common Name (CN): CardinalCommerce Issuing CA Serial Number: 76:3a:5e:30:d2:05:6f:dc:8d:d4:65:7c:4c:83:99:f1
The old CardinalCommerce Root Certificate Details: Common Name (CN): CardinalCommerce Root CA Serial Number: 2d:a0:e3:db:0e:56:dc:79:e0:70:53:62:6a:7d:ca:8b
The new Visa Intermediate Certificate Details Common Name (CN): Visa Information Delivery Internal Issuing CA G2 Serial Number: 51:3e:96:00:00:00:8e:65:54:4b:3e:b1:2d:cd:1a
The new Visa Root Certificate Details: Common Name (CN): Visa Corporate Root CA - G2 Serial Number: 51:3e:96:00:00:00:6b:4e:81:30:23:be:66:05:f6
Customer Responsibilities:
The new certificate is issued by a different certificate authority. To ensure proper connection, you will need to install the new intermediate and root certificates. The CardinalCommerce client certificate authority, used in MTLS connections will no longer be supported. Please contact your local VCAS support and/or account manager to coordinate this change.
If you require coordination, please contact your local VCAS support and/or account manager, we will schedule a time to switch over the leaf certificate. It is imperative that the migration occur before certificate expiration, otherwise RDX services will be impacted.
Testing – How can I test these changes?
Customers are encouraged to work with their network teams to ensure they can support these updated certificates.
No new parameters or fields are required for these changes. If you do not trust the new certificate, you will be unable to connect to Cardinal endpoints receiving a connection timeout or certificate error response.
Please do not hesitate to contact your Local VISA support if you have any questions or concerns. Please refer to the knowledge article titled "Certificate Expiry Cardinal RDX CC Update 2025" on the Visa Support Hub for the full cert chain. You may also contact support or your account manager if you require the full Cert Chain.
Completed -
The scheduled maintenance has been completed.
Apr 15, 11:00 EDT
In progress -
Scheduled maintenance is currently in progress. We will provide updates as necessary.
Apr 15, 10:00 EDT
Scheduled -
We wanted to inform you about unscheduled network maintenance activity on our portal.cardinalcommerce.com endpoint to enhance security and performance.
This maintenance will take place on April 15, 2025, between 14:00-15:00 UTC. During this transition, you may experience some latency while accessing the site. Additionally, you will notice that the endpoint will resolve to a different IP address associated with Cloudflare.
We appreciate your patience and understanding as we work to improve our services. If you have any questions or encounter any issues, please do not hesitate to reach out to our support team.
Completed -
The scheduled maintenance has been completed.
Apr 14, 08:00 EDT
In progress -
Scheduled maintenance is currently in progress. We will provide updates as necessary.
Apr 10, 08:00 EDT
Scheduled -
CardinalCommerce will be performing network and database system maintenance starting at 12:00 UTC on April 10, 2025, through 12:00 UTC on April 14, 2025.
During this window we will apply the most recent network and database updates for optimal performance and to prevent new exploits from being used against our VCAS systems.
This is being performed in high availability mode and should have no impact to transaction processing. While no transaction impact is anticipated during this maintenance you may experience a few periods of network latency. During this time, we will be fully staffed from a support and network operations standpoint to perform monitoring and testing.
Please do not hesitate to contact your Local VISA support if you have any questions or concerns.