developer.visa.com
URL:
https://developer.visa.com/pages/security-terms
Submission: On October 20 via api from IN — Scanned from DE
VISA DEVELOPER CENTER SECURITY TERMS

Visa Developer Center Security and Penetration Testing Terms, Version: April 19, 2018

Security. Based on Company’s use of and access to VDP, Company agrees to the following security tests, that Visa may request from time to time:

1. Penetration Testing. Company shall cooperate with Visa to conduct penetration test(s) (“PenTest”) as described in this Section 1.

1.1. Scope of PenTest. The scope of the PenTest must encompass applications and infrastructure that are accessing, using, benefitting from or otherwise storing information, credentials or data resulting from accessing or using the Visa Developer Platform (“In-Scope Aspects”) and be jointly defined and approved by Visa’s PenTest team and Company’s subject matter experts. All application PenTests must be performed in a pre-production environment that mimics production and all infrastructure PenTested must be performed in production environment encompassing the production infrastructure following an industry standard methodology. Visa will require application PenTesting on an annual basis.

1.2. PenTest Provider.

1.2.1. For applications owned by or developed exclusively for Visa, Visa or an industry standard PenTest provider (“PenTest Provider”) of Visa’s choice will perform all PenTests;

1.2.2. If a PenTest Provider conducts the PenTest, Company shall provide Visa with an unaltered copy of the attestation report for Visa’s review. Such PenTest report or attestation will highlight the scope, methodology, results, finding summary, status of the findings and an outline of Company’s remediation timeline and policies within 14 days of the PenTest’s conclusion;

1.2.3. If Visa will perform the PenTest, Company hereby authorizes Visa to perform the PenTest on the In-Scope Aspects including the systems and services that Company owns, manages or accesses (collectively the “Tested Systems”). Company certifies that it owns or has the exclusive right to and use of the Tested Systems and that Company has notified appropriate Personnel within its organization and any third parties including without limitation any host master, systems administrator, technical manager, and security manager prior to commencement of the PenTest. Company acknowledges that a PenTest, including testing, assessing, scanning, or monitoring the Tested Systems, including implementation and deployment, may disclose or create problems in the operation of such Tested Systems. Company acknowledges and accepts the risks involved with the Tested Systems, which may include without limitation, down time, loss of connectivity or data, system crashes or performance degradation (collectively “Claims”). Visa shall not be liable for any such Claims. During the duration of the PenTest, Visa will not perform intentional denial of service (DoS) or social engineering testing.

1.3. Findings. Any findings identified as a part of the Pen Test will be addressed in a timely fashion prioritized by severity in accordance with industry best practices, such that any matters categorized as high priority will be resolved prior to matters categorized as lower priority.

2. Security Testing

2.1. All In-Scope Aspects as defined in Section 1.1 must be subject to a security review. At Company’s discretion, such applications can be optionally enrolled in Visa’s Vendor Application Security Testing (VAST) program to meet this security review requirement. Company can meet Visa’s VAST requirements by complying with one of the following options in 2.2.1 or 2.1.2:

2.1.1. Company may use their own internal source code scanning tools to perform static and dynamic code scanning and submit results via an alternate attestation document provided by the Visa VAST program. Company agrees to work with Visa to remediate findings according to industry guidelines based on severity of findings; or

2.1.2. Company may choose to enroll in the Visa third party VAST program. As part of the VAST Review, Visa utilizes a third party vendor (“Scanning Vendor”) to conduct the secure coding activities (“Code Scans”). Visa will, at its cost, provide Company with static code scanning licenses so that the Scanning Vendor may perform Code Scans during the development lifecycle. In addition, the Scanning Vendor will act as an intermediary between the Company and Visa SSDLC team to ensure clear communication of Code Scan results to Visa. Company agrees to work with Visa to remediate findings according to industry guidelines based on severity of findings.

2.2. The following are the requirements that Company, when applicable, will need to meet as part of the Visa Secure Code Program:

2.2.1. Company will perform a static application security test scan, and all findings of such scan will be remediated according to criticality; and

2.2.2. Company will perform dynamic security testing for applications with API interfaces and/or web services (“DAST Scan”). Company will remediate all findings from the DAST Scan according to criticality.

2.2.3. Upon request by Visa, Company will perform an audit, at Company’s expense, of all software, Applications and any content created by or on behalf of Company in connection with the VDP API Agreement to identify any free and open source software code that may be present in such materials. Company will provide Visa with results of such audit within 14 days of Company completing the audit;

2.2.4. Upon request by Visa, Company will provide Visa with written documentation detailing the applications development, patch management and update processes. The written documentation will clearly identify the measures that will be taken by Company to securely develop, maintain and manage the application;

2.2.5. Upon request by Visa, Company will provide Visa with written secure configuration guidelines describing all relevant security configurations and the implications of such configurations on the overall security of the application (“Security Guidelines”). The Security Guidelines will include a full description of dependencies on the supporting platform, including web service, and application server, and how they should be configured for security. Company shall ensure that the application’s default configuration will be secure;

2.2.6. Upon request, Company will disclose to Visa what tools are used in the applications development environment to encourage secure coding;

2.2.7. Upon request, Company will provide and follow a security test plan that (a) defines an approach to testing or establish that Company has met each of the security requirements identified in test plan and (b) set forth the level of rigor of the testing process. Company will implement the test plan set forth in this Section 2.2.7 and provide Visa a written report of the results within 14 days of Company completing such test plan.

Copyright 2015–2023 Visa. All rights reserved.