by bryanthompson 3782 days ago
This thing is a total disaster.

Some of their example code: https://github.com/VisaDeveloperProgram/SampleCode/blob/mast...

Docs are incoherent in just so many ways - and their quick start drops you right into like a 9 page guide for generating two-way ssl docs. Not exactly a quick dev onboarding path.

Request docs list attributes as required that aren't in their examples or runnable sidebar thing (the only cool part). Returns an error body with no error messages, codes, or info. You use some "correlation-id" (called "correlationId" in other places) to apparently get your error messages for a failed request.

Final rating: 1/7, would not play with again.

2 comments

I worked at Visa. You don't know the half of it...

I could be missing something, but the code at that link looks seriously insecure. Using sha(secret + parameters) as a MAC is the classic pattern vulnerable to length extension attacks; the self-delimiting nature of JSON might save you, except various parameters are concatenated together with no delimiter, so you might be able to move data from one to another and make it work anyway. In practice this is unlikely to be exploitable as the whole thing is over SSL, but in any case, using an HMAC to avoid length extension is basic security engineering stuff.
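
An added example, not part of the thread or of the linked sample code: it puts the sha(secret + parameters) pattern from the comment above next to an HMAC over length-prefixed fields and checks whether moving bytes between adjacent fields changes the token. The function names, the field values, the secret and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample secret, not taken from the linked repository.
SECRET = b"constructed-shared-secret"


def weak_token(secret: bytes, *fields: str) -> str:
    """Pattern from the comment: hash(secret + fields), fields joined with no delimiter."""
    return hashlib.sha256(secret + "".join(fields).encode()).hexdigest()


def encode_fields(*fields: str) -> bytes:
    """Length-prefix every field so the field boundaries are part of the MAC input."""
    out = struct.pack(">I", len(fields))
    for field in fields:
        raw = field.encode()
        out += struct.pack(">I", len(raw)) + raw
    return out


def hmac_token(secret: bytes, *fields: str) -> str:
    """HMAC-SHA256 over the unambiguous encoding; HMAC does not allow length extension."""
    return hmac.new(secret, encode_fields(*fields), hashlib.sha256).hexdigest()


def verify(secret: bytes, token: str, *fields: str) -> bool:
    """Compare in constant time so the check does not leak how much of the token matched."""
    return hmac.compare_digest(hmac_token(secret, *fields), token)


def boundary_collision(make_token) -> bool:
    """True if two different field splits of the same byte string get the same token."""
    # Constructed request fields: the same bytes, split at different places.
    a = make_token(SECRET, "/payments/v1", "amount=10", "0&to=alice")
    b = make_token(SECRET, "/payments/v1", "amount=100", "&to=alice")
    return a == b


if __name__ == "__main__":
    print("undelimited hash collides:", boundary_collision(weak_token))
    print("HMAC + length prefixes collides:", boundary_collision(hmac_token))
```
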