# Support source: https://developer.mastercard.com/business-payment-controls/documentation/support/index.md ## Frequently asked questions {#frequently-asked-questions} ### About Business Payment Controls {#about-business-payment-controls} There are no additional fees for Business Payment Controls. As an existing In Control participant, you will be charged for implementation as with your current contract, but there are no additional recurring fees. Mastercard limits the rate at which users can access the service to protect the services offered by API providers. The Business Payment Controls rate limit is 600 requests per second (RPS). In certain circumstances, more restrictive rate limits may be applied. Consult with your technical account manager to confirm whether the restrictive rate-limiting policy applies to your API integration. The average response time for a Business Payment Controls API request is less than three seconds. You can refer to the [API Status](https://developer.mastercard.com/api-status?environment=production&service=Business%20Payment%20Controls) that works as a single point of access for monitoring the health of APIs hosted on the platform. ### Setting up {#setting-up} The registration service allows Business Payment Controls API users to integrate with Mastercard's Commercial Products platform by connecting with Mastercard Commercial Products' identity service. This allows API users to use any existing entitlements and structures from Mastercard Commercial Products. This also allows for consistent identity management across Mastercard Commercial Products. We provide a tutorial on creating and configuring a Sandbox project [here](https://developer.mastercard.com/business-payment-controls/documentation/tutorial/tutorial-1/index.md). Details on accessing a production environment are [here](https://developer.mastercard.com/business-payment-controls/documentation/tutorial/tutorial-3/index.md). A Sandbox key is intended just for testing purposes. In the Sandbox environment, you can make any changes you want. A production key gives you access to the live production environment. Any changes you make in the production environment will affect customers and needs to be carefully considered. See [Getting Started](https://developer.mastercard.com/business-payment-controls/documentation/api-basics/index.md). Mastercard provides a [Reference Application](https://developer.mastercard.com/business-payment-controls/documentation/reference-app/index.md), which contains sample codes. You can use those sample codes as a base to develop your integration. An ownerGUID, also known as an entityGUID, is a globally unique identifier for the entity that the real card is registered with. It is either an Issuer GUID or a Corp GUID. If you are already an In Control for Commercial Payments (ICCP) or In Control API customer, you can obtain your ownerGUID/entityGUID using the [Entity API](https://link.to.entity-api.use-case/when-available). If you are a new customer, contact [support](https://developer.mastercard.com/business-payment-controls/documentation/support/#get-help-1) to get started. ### Real Cards {#real-cards} Mastercard has standardized requirements for real card number (RCN) maintenance for commercial ranges that are used by all current and future Mastercard® In Control® products. All Issuers that use In Control, now or in the future, must use either Mastercard's Automatic Billing Updater (ABU) or perform RCN maintenance directly within In Control. For more details, see *AN 8635 Announcing Standardized Requirements for RCN Maintenance* in [**Mastercard Connect™ \> Technical Resource Center**](https://trc-techresource.mastercard.com/home). The recommended automated approach for Issuers is to ensure that all ranges are enrolled in ABU. Customers can use ABU to keep the Real Card expiration dates, card status (in other words blocked / unblocked), and card number (PAN) synchronized, giving a smoother customer experience. No additional action is required. Real card updates done using Mastercard's Automatic Billing Updater (ABU) are automatically updated in Business Payment Controls. This is applicable to expiration date, real card status and real card number (PAN). Yes, that is possible. No, a real card can be linked to one active funding source. Yes, a real card to funding source mapping can be changed. Refer to [Replace a Real Card](https://developer.mastercard.com/business-payment-controls/documentation/use-cases/01-real-cards/#replace-a-real-card). No, the same real card (RCN) cannot be registered more than once. ### Virtual cards {#virtual-cards} A Virtual Card Number (VCN) is a credit card number, which is generated dynamically for a particular payment purpose. It is created with a limited validity period and controls on how it should be spent. Corporate buyers can create virtual cards to pay supplier invoices and cover business expenses. You must subscribe to [Commercial Event Notifications](https://developer.mastercard.com/commercial-event-notifications/documentation/#how-it-works) to receive payment notifications using virtual card accounts (VCNs). By subscribing to notifications, payment details are available as soon as the transaction takes place, allowing you to take rapid follow-on action in accordance with the business processes. No, a VCN can only be linked to a single funding source. No, the parent-child relationship between a funding source and VCN cannot be altered. However, you can update the funding source to a Real Card (RCN) relationship, but note this will impact all the VCNs associated with that funding source. Card Expiry is the period for which the VCN is valid (minimum one month, maximum 24 months). Validity is a control that defines the period for which specific controls are applicable for. The validity period is used to prevent misuse of cards, beyond the period for which it is intended to be used. All transactions on a VCN beyond the validity period will be declined. For a VCN transaction Mastercard validates the controls on the virtual card first. If the transaction breaches the controls set, the transaction is rejected. If the VCN controls are satisfied, Mastercard will check if there are any controls on the underlying RCN. If the RCN controls are breached, Mastercard will respond to the issuer with an advice to decline the RCN transaction message to the issuer. No, one of either simple controls or complex controls should be used. ### Payload Encryption {#payload-encryption} No, you can choose whether or not to use encryption with Business Payment Controls. Information about how payload encryption will work is available [here](https://developer.mastercard.com/platform/documentation/authentication/securing-sensitive-data-using-payload-encryption/). Details of how to set-up the encryption keys are available [here](https://developer.mastercard.com/platform/documentation/authentication/securing-sensitive-data-using-payload-encryption/#getting-keys-for-your-application). Payload encryption is supported in all environments. Create a new project in Mastercard Developers, and set-up the encryption keys as described [here](https://developer.mastercard.com/platform/documentation/authentication/securing-sensitive-data-using-payload-encryption/#getting-keys-for-your-application). If an endpoint is not listed below, it does not transmit PCI data and therefore is not in-scope for encryption. **Real card API** | **Endpoint** | **BPC Client** | **Mastercard** | |--------------------------------------------------------------------|------------------------------------|------------------------------------| | `POST real-card-accounts` | Encrypts Request Decrypts Response | Decrypts Request Encrypts Response | | `POST real-card-accounts/searches` | Encrypts Request Decrypts Response | Decrypts Request Encrypts Response | | `GET real-card-accounts/{account_guid}` | n/a | Encrypts Response | | `PUT real-card-accounts/{account_guid}` | Encrypts Request Decrypts Response | Decrypts Request Encrypts Response | | `DELETE real-card-accounts/{account_guid}` | n/a | n/a | | `POST real-card-accounts/{account_guid}/contacts` | Encrypts Request Decrypts Response | Decrypts Request Encrypts Response | | `PUT real-card-accounts/{account_guid}/contacts/{contact_guid}` | Encrypts Request Decrypts Response | Decrypts Request Encrypts Response | | `GET real-card-accounts/{account_guid}/contacts` | n/a | Encrypts Response | | `GET real-card-accounts/{account_guid}/contacts/{contact_guid}` | n/a | Encrypts Response | | `DELETE real-card-accounts/{account_guid}/contacts/{contact_guid}` | n/a | n/a | **Custom Data Fields API** | **Endpoint** | **BPC Client** | **Mastercard** | |-----------------------------------------|------------------------------------|------------------------------------| | `POST custom-data` | Encrypts Request Decrypts Response | Decrypts Request Encrypts Response | | `POST custom-data/searches` | Encrypts Request Decrypts Response | Decrypts Request Encrypts Response | | `PUT custom-data/{custom_data_guid}` | Encrypts Request Decrypts Response | Decrypts Request Encrypts Response | | `GET custom-data/{custom_data_guid}` | n/a | Encrypts Response | | `DELETE custom-data/{custom_data_guid}` | n/a | n/a | **Authorization Reports API** | **Endpoint** | **BPC Client** | **Mastercard** | |-----------------------------------------|------------------------------------|------------------------------------| | `POST authorization-reports` | Encrypts Request Decrypts Response | Decrypts Request Encrypts Response | | `GET authorization-reports` | n/a | Encrypts Response | | `GET authorization-reports/{guid}` | n/a | Encrypts Response | | `GET authorization-reports/{guid}/data` | n/a | Encrypts Response | **Clearing Reports API** | **Endpoint** | **BPC Client** | **Mastercard** | |------------------------------------|------------------------------------|------------------------------------| | `POST clearing-reports` | Encrypts Request Decrypts Response | Decrypts Request Encrypts Response | | `GET clearing-reports` | n/a | Encrypts Response | | `GET clearing-reports/{guid}` | n/a | Encrypts Response | | `GET clearing-reports/{guid}/data` | n/a | Encrypts Response | **Clearing Summary Reports API** | **Endpoint** | **BPC Client** | **Mastercard** | |--------------------------------------------|------------------------------------|------------------------------------| | `POST clearing-summary-reports` | Encrypts Request Decrypts Response | Decrypts Request Encrypts Response | | `GET clearing-summary-reports` | n/a | Encrypts Response | | `GET clearing-summary-reports/{guid}` | n/a | Encrypts Response | | `GET clearing-summary-reports/{guid}/data` | n/a | Encrypts Response | **Virtual card API** | **Endpoint** | **BPC Client** | **Mastercard** | |---------------------------------------------------|------------------------------------|------------------------------------| | `POST virtual-card-accounts` | n/a | Encrypts Response | | `POST virtual-card-accounts/searches` | Encrypts Request Decrypts Response | Decrypts Request Encrypts Response | | `DELETE virtual-card-accounts/{account_guid}` | n/a | n/a | | `GET virtual-card-accounts/{account_guid}` | n/a | Encrypts Response | | `PUT virtual-card-accounts/{account_guid}` | n/a | Encrypts Response | | `PUT virtual-card-accounts/{account_guid}/status` | n/a | Encrypts Response | **End-User API** | **Endpoint** | **BPC Client** | **Mastercard** | |------------------------------------------------------|------------------------------------|------------------------------------| | `POST virtual-card-accounts/{account_guid}/end-user` | Encrypts Request Decrypts Response | Decrypts Request Encrypts Response | | `GET virtual-card-accounts/{account_guid}/end-user` | n/a | Decrypts Request Encrypts Response | | `PUT virtual-card-accounts/{account_guid}/end-user` | Encrypts Request Decrypts Response | Decrypts Request Encrypts Response | No, only full payload encryption is available. Yes. Please revoke both the Mastercard and Client encryption keys in your BPC project by navigating to the Credentials section, clicking the three vertical dots beside each key listed, and choosing Revoke key. Once complete, after a period of 5 minutes, Business Payment Controls will now accept your unencrypted traffic. ### Idempotency {#idempotency} Idempotency is available for all endpoints. When making an idempotent API call, include a valid v4 UUID for the `Idempotency-Key` with a unique value. This key ensures that the action you are taking (such as creating a VCN) is unique. If this key is not provided, it means that idempotency will not be applied to the request. For example, if two VCNs are being requested, you can use the idempotency functionality to make sure no extra VCNs are created, even if there are network issues. First, make a POST call with an `Idempotency-Key` set to ``. If a network issue occurs, retry the same call with the same `` value. When you get an **HTTP 201** response, only one VCN has been created. Then, make a second POST call with an `Idempotency-Key` set to `` to create the second VCN. This will be considered as the same request, and will be treated as idempotent. This scenario should be avoided when availing of idempotency. 30 seconds ### Custom Data Fields and GDR {#custom-data-fields-and-gdr} For details on how to associate CDFs with a BPC card, see [Set up Custom Data Fields](https://developer.mastercard.com/business-payment-controls/documentation/use-cases/04-custom-data-fields/index.md). Yes, a Custom Data collection can be associated with multiple BPC cards. No, only one Custom Data collection can be associated with a single BPC card. However a Custom Data collection can contain up to 99 customizable key value pairs. Once a Custom Data collection has been associated with a BPC card, when a clearing event occurs, the transaction data and associated Custom Data Fields will be sent to the GDR. For details on how to integrate with GDR, see [Common Data Format (CDF) Implementation](https://trc-techresource.mastercard.com/r/bundle/m_cdf_implement_en-us/page/d/en-US/tgn1745421404196.html) on Mastercard's [Technical Resource Center](https://trc-techresource.mastercard.com/). Please see [Common Data Format (CDF) Information](https://trc-techresource.mastercard.com/r/bundle/m_cdf_rq_en-us/page/d/en-US/wdd1743174220658.html) on Mastercard's [Technical Resource Center](https://trc-techresource.mastercard.com/). ### Migrating from Retail API to Business Payment Controls {#migrating-from-retail-api-to-business-payment-controls} No. Once a card has been migrated, use Business Payment Controls to modify that card. Cards that have not yet been migrated can be used in the Retail API. CPN ID is a proxy card identifier. It is an internal unique ID that is assigned to each card. A globally unique identifier (GUID) is a unique reference number in a 128-bit text string format that represents an identification (ID). Every real card, virtual card, and funding source have a GUID. No. All active cards that are migrated are already registered in Business Payment Controls and a funding source is created. No. Delete is a terminal status for a VCN, so a deleted VCN cannot be migrated. No. Migrate one card at a time. Start with the RCN and migrate the VCNs associated with the RCN. ### Get help {#get-help} #### Phone {#phone} * In the U.S. region, 1-800-288-3381, Option 4 * Outside the U.S. region, 1-636-722-6636, Option 4 #### Email {#email} [commercial.support@mastercard.com](mailto:commercial.support@mastercard.com) ## Get help {#get-help-1} ##### Contact us for technical support {#contact-us-for-technical-support}