Page 39 - GS180102
P. 39

Education





        Most risk officers are well aware of   I suspect this subset of merchants will be required to acknowledge some ad-
        these tactics and effectively thwart   ditional liabilities in order to have this capability turned on. And all of us will
        them. Unfortunately, as basic and old   have to again reprogram or update our base of merchants. I encourage you to
        school as these methods seem, they   review Visa's "Acquirer Requirements to Control the Use of Force-Post Trans-
        still work. Remember, for a fraud    actions" directly. If you do not have the document, which was not distributed
        scheme to be effective, it just has to   publicly, ask your acquirer for a copy.
        work  once.  Additionally,  regardless
        of whether the funds are held back   Ken Musante is President of Eureka Payments LLC. Contact him by phone at 707-476-0573 or by
        from the merchant, they still pass   email at kenm@eurekapayments.com. For more information, visit www.eurekapayments.com.
        through interchange.
        Visa moves to limit vulnerability
        Consequently, Visa decided to en-
        force  a rule change to further limit
        the exploitation of this vulnerability.
        Effective Jan. 26, 2019, acquirers must
        grant force-post functionality as an
        exception and only if warranted by
        a given merchant's practices. All ex-
        isting merchants not specifically ap-
        proved to process force-post transac-
        tions must be systematically restrict-
        ed from doing so. While the details
        have not yet been worked through, I
        suspect this will necessitate a full or
        partial reprogramming of terminals
        and an update from POS providers
        and gateways.

        I do not foresee processors updating
        their systems, because some mer-
        chants will still require this service,
        so it cannot be systematically turned
        down at the processor. Some mer-
        chants legitimately need to obtain an
        authorization prior to the sale so that
        they can later pair or "force" the au-
        thorization and sale.

        Think about a mail order merchant
        who is obtaining a custom part on
        behalf of a cardholder. Before the
        merchant hunts down and buys the
        custom part, he or she wants to en-
        sure  the  cardholder  has  the  funds
        available to buy. In that instance, the
        merchant would be wise to authorize
        the transaction and, upon shipping
        the part, pair the authorization and
        sale.
        Going forward, acquirers will need
        to specifically review and approve
        merchants  to  have  force-post  ca-
        pabilities. Additionally, they must
        document the merchant's need and
        monitor force-post activity to ensure
        it is not being abused.


                                                                                                                39
   34   35   36   37   38   39   40   41   42   43   44