VISA payments needed JavaScript enabled for https://secure5.arcot.com/
Posted by jpluimers on 2025/07/04
While paying with a VISA card for some services, I had to explicitly enable JavaScript for the https://secure5.arcot.com/ domain, which looks suspicious and is titled [Wayback/Archive] location.hostname
Before I enabled JavaScript for it, I did some querying around, as at first it looked like a man-in-the-middle attack. I wasn’t the only one, as this has been going on since 2013 (but I didn’t notice it earlier as I only disabled JavaScript for most sites in 2022): [Wayback/Archive] Verified by Visa and arcot.com function like a man-in-the middle attack – Jason Pearce (found via [Wayback/Archive] arcot obo – Google Search)
JavaScript there is needed so the VISA card can use Arcot as the intermediary between VISA and the web-site:
- [Wayback/Archive] arcot site:visa.com – Google Search
- [Wayback/Archive] obo site:visa.com – Google Search
- [Wayback/Archive] Getting Started with Visa Transaction Controls
Visa’s On Behalf Of (OBO) service reduces your work-effort and costs
- [Wayback/Archive] Getting Started with Visa Transaction Controls
The links on the VISA site are not really encouraging: Arcot expired, OBO not in the same document as Arcot, etc.
So despite [Wayback/Archive] What is arcot.com: T-Time With Tillison – Tillison Consulting (found via [Wayback/Archive] “secure5.arcot.com” – Google Search) being positive about Arcot, I am not.
–jeroen
PS: My Twitter thread on it, which went unanswered by VISA, is at [Wayback/Archive] Thread by @jpluimers on Thread Reader App and started with this message:
[Wayback/Archive] Jeroen Wiert Pluimers @wiert@mastodon.social on Twitter: “Wow, this looked like man-in-the-middle to me at first:
secure5.arcot.com
There is only very thin information on the VISA card site on Arcot. Since I run with JavaScript turned off by default I found out it is used in order to pay at a web-site with VISA.”





