Which Is Best: Merchant-Level or ISV-Level Token-Based Authentication?
Merchants and ISVs want to grow and be more profitable, but they face some serious challenges.
When not trying to keep up with all the changes in payments technology or dealing with delayed migrations or integrations, they’re battling fraudsters and data thieves: We live in a world in which criminals take advantage of any weak spot in the payment process, and online fraud has cost U.S. consumers over $9 billion since 2020.
How a merchant and their location’s payment transactions are authenticated plays a role in mitigating all these challenges.
Individual transactions are secured with technologies such as E2EE (end-to-end encryption), tokenization and DUKPT (Derived Unique Key Per Transaction). At the merchant level, APIs authenticate merchants’ devices to payment gateways and processors.
Until recently, API authentication was limited to the merchant level. Now, new technology provides another option: ISV-level authentication.
What Is ISV-Level Payment Authentication?
Quick review: ISVs design payment solutions with merchant APIs that use a combination of long-lived tokens (API keys) and short-lived tokens (JSON Web Tokens, or JWTs). The API key is repeatedly exchanged for a JWT to access the payment gateway, and the JWT lifecycle determines the reauthentication interval.
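The key-for-JWT exchange described above, as an added sketch that is not Worldnet Payments code or any gateway's real API. The gateway functions, the demo key, the HS256 signing and the 300-second lifetime are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Constructed values for the demo; a real gateway defines its own keys and lifetimes.
GATEWAY_SECRET = b"demo-signing-secret"
VALID_API_KEYS = {"demo-api-key-001"}
JWT_LIFETIME = 300  # seconds; this sets the reauthentication interval

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def gateway_exchange(api_key: str, now: int) -> str:
    """Hypothetical gateway endpoint: swap a valid API key for a signed JWT."""
    if api_key not in VALID_API_KEYS:
        raise PermissionError("unknown API key")
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64e(json.dumps({"iat": now, "exp": now + JWT_LIFETIME}).encode())
    sig = hmac.new(GATEWAY_SECRET, f"{header}.{claims}".encode(), hashlib.sha256)
    return f"{header}.{claims}.{b64e(sig.digest())}"

def gateway_accepts(token: str, now: int) -> bool:
    """Gateway side: check the signature first, then the expiry claim."""
    try:
        header, claims, sig = token.split(".")
        expected = hmac.new(GATEWAY_SECRET, f"{header}.{claims}".encode(),
                            hashlib.sha256).digest()
        return (hmac.compare_digest(expected, b64d(sig))
                and now < json.loads(b64d(claims))["exp"])
    except (ValueError, KeyError, TypeError):
        return False

class TokenClient:
    """Device side: hold the long-lived key, refresh the JWT shortly before expiry."""
    def __init__(self, api_key: str, skew: int = 30):
        self.api_key, self.skew = api_key, skew
        self.token, self.exp, self.exchanges = None, 0, 0
    def token_for(self, now: int) -> str:
        if self.token is None or now >= self.exp - self.skew:
            self.token = gateway_exchange(self.api_key, now)
            self.exp = json.loads(b64d(self.token.split(".")[1]))["exp"]
            self.exchanges += 1
        return self.token

def simulate(duration: int, step: int) -> int:
    """Send one request every `step` seconds; return how many key exchanges occurred."""
    client = TokenClient("demo-api-key-001")
    for now in range(0, duration, step):
        assert gateway_accepts(client.token_for(now), now)
    return client.exchanges
```

Shortening `JWT_LIFETIME` narrows the window in which a captured JWT is usable, at the cost of more exchanges that present the long-lived key.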
Those API keys have always been at the merchant level. That means one or more API keys had to be created for each merchant that uses an ISV payment solution. And when you have an ISV partner integrating hundreds of merchants, creating an API key for each merchant is time- and resource-intensive.
But what if an ISV could use a single API key for many merchants?
Enter ISV-level authentication, which lets ISVs use one API key for an entire integration. Not only does it save integration time, but ISV-level authentication also provides more options for each integration.
In addition to the time savings, there are other reasons why ISV-level authentication is an excellent option.
Why Authenticate Your Payments Integration at the ISV Level?
Instead of creating one key per merchant, ISV-level authentication lets ISVs use a single API key for all merchants. During an integration, this can save considerable time and resources. Payment devices can be injected with one key — manually or at a remote key injection site, which speeds up the process of configuring devices for deployment.
Just because ISVs can create one API key for all merchants, however, doesn’t mean they have to. An ISV can strategically use multiple ISV-level keys in anticipation of future migrations, long-term growth and even accommodating country-specific security requirements.
What does that look like?
Streamlined Device Migration
Let’s say an ISV knows the payment devices in their Midwest merchant locations must be replaced within the next two years. Using merchant-level authentication, each new device would have to be injected with a merchant-specific API key. In a geographic region that large, the number of merchants could be in the hundreds.
That’s time-consuming enough, but consider this: Anytime many devices are deployed, there will undoubtedly be at least a few that are sent to the wrong locations. OK, so that’s a bit inconvenient, but they can just use what they received, right? We’re afraid not. Those devices are set up with merchant-specific API keys and aren’t interchangeable. Instead, those devices must be returned and redeployed.
Meanwhile, migration is on hold at the impacted locations.
Even worse, if the device swap was critical to maintaining operations, those locations won’t process transactions until the correct devices are received.
With ISV-level authentication, an API key can be created for all the devices in the ISV’s Midwest merchant locations. Now the migration process is simple and efficient: New devices are injected with the Midwest-specific ISV-level key and deployed to the Midwest merchant locations. And if any get swapped in the mail, it makes no difference.
Regional and Global Flexibility
Payment security requirements are not the same from country to country. In fact, some countries have extremely strict rules pertaining to customer transactions, fraud prevention and data security.
To navigate this complex landscape, an ISV with international merchants might consider ISV-level API keys specific to individual countries or continents across integrations.
Why? Just like in the device migration example, it can simplify and streamline the process. If the country requires proof of process and procedures, an ISV may not have a choice other than designating a unique API key for that country’s merchants.
Another benefit of ISV-level authentication, especially when multiple ISV-level API keys are created? ISVs can segment and report on specific integrations, countries, regions, states and more.
This easy-to-curate data lets ISVs see relevant segmented trends related to transaction type, sales volume, chargebacks and even fraud. The result? They can make better strategic decisions — faster and more confidently. (FYI: Worldnet Payments has a grouping called “Merchant Portfolios” for admin users to plan configurations and migrations.)
Ultimately, ISV-level authentication makes it easier to strategically manage, monitor and migrate merchants and devices. At Worldnet Payments, we help ISVs evaluate whether merchant-level or ISV-level authentication is best for their implementations. Our experts ask the right questions to determine which approach will set ISVs and their merchants up for optimal growth and seamless scalability.
We want to help get your business ready for the future of payments.