At Visa Commercial Pay, we continuously strive to uphold the highest standards of security and compliance. In line with this commitment to security, we are opting all customers in to Multi Factor Authentication (MFA) for Visa Commercial Pay products.
With MFA enabled, users will be required to provide additional identity verification in the form of a time-based one-time passcode at every login on all Visa Commercial Pay portals.
End users will be prompted to set up MFA when they sign in to any of the Visa Commercial Pay portals from the week commencing 12th February 2024. They will be able to skip the prompt and continue to log in using memorable word until 1st April 2024. From 1st April 2024, MFA cannot be skipped and must be set up in order to log in to any of the portals.
The set up process is listed below:
-
The end user will be presented with the option to download the Visa Commercial Pay App. They can also click to use their own authenticator app.
Caution
Only the Visa Commercial Pay App or a supported third-party authenticator can be used to create a One Time Passcode (OTP). There is no option to receive the OTP via SMS or email.
-
If they click to use their own authenticator, they will be presented with a QR code to scan.
-
Clicking View supported apps will display a list of apps that are compatible. Currently, these are:
Google Authenticator
Microsoft Authenticator
Authy
Duo Mobile
Lastpass Authenticator
-
If the user is unable to scan the QR Code, they can click the Unable to scan the QR code? link, which will present them with a manual key to enter. When this has been entered into the authenticator app, they can click Continue.
-
They will be asked to enter the code from their authenticator app and click Verify.
-
A confirmation message will be displayed and the user can click Continue to complete their login.
Note
For the first login after completing MFA, the user will still be asked for their memorable word. For all subsequent logins, they will only be asked to provide the code from their chosen authenticator.
Once enabled, the Forgotten Password process also uses a time-based one-time passcode in place of the security question and answer and your memorable word.
When a Visa Commercial Pay App user has set up MFA, the app will automatically include a new ‘Authenticator’ menu option when the user is logged in to the app with the same username and password they use to log in to the Visa Commercial Pay web portals. This Authenticator option is not visible to any app users who have not started the MFA set-up process.
The passcode will refresh every 30 seconds, and a countdown timer is displayed to indicate how long is left before the code will refresh.
You can also use a 3rd-party authenticator. Clicking View supported apps at MFA set up displays a list of supported 3rd-party authenticators, which are currently:
Google Authenticator
Microsoft Authenticator
Authy
Duo Mobile
Lastpass Authenticator
SMS and email are not currently supported methods of receiving an OTP.
Visa Commercial Pay is unable to provide support relating to 3rd-party authentication apps. If you need assistance with setting up or using any 3rd-party authenticator, please refer to the provider's support documentation. For example, if you are using Google Authenticator, please refer to Google's support documentation for any assistance.
Note
The exact amount of time that an authentication code remains valid is controlled by the third party authenticator. Although all passcodes are only valid for a short window of time, depending on the authenticator you choose, the passcode may remain valid for longer than 30 seconds. The exact expiry time is controlled by the third party authenticator.
Yes, once you have set up MFA you will need to enter the one-time passcode every time you log in to Visa Commercial Pay products.
The only exception is the Visa Commercial Pay App, because the app already meets all PCI 4.0 requirements for user authentication via the biometrics and your device's authentication and security features.
No, you will need to use the Visa Commercial Pay App or a supported third-party authenticator app.
If you cannot access your device to complete MFA at login, you will need to have your account reset by one of the following:
Visa Commercial Pay Support.
Super Administrator.
Issuer Administrator.
You will not be able to log in until your account has been reset.
Some of the authenticators that we support may allow for TOTP browser or desktop authentication. Customers with Single Sign On (SSO) enabled will bypass MFA altogether.
Yes, MFA will be required when logging in to all Visa Commercial Pay web portals. It is not required for the mobile app.
Users can skip the MFA prompt until 1st April 2024. From this date, it will be mandatory, and users will not be able to skip.
Users with multiple accounts will need to set up MFA for each account. We are investigating the possibility of potential future development to allow multiple accounts under one username.