Bankcard buzz: Card Associations, Congress take action on several fronts By David H. Press, Integrity Bankcard Consultants Inc.
otable among recent industry developments are MasterCard Worldwide's SecureCode provisions for international e-commerce transactions, Visa U.S.A.'s new Account Data Compromise Recovery (ADCR) process and Visa's decision to join MasterCard in posting interchange fees online.
Congress got in the act, too. It recently passed legislation that could be problematic for ISOs and merchant level salespeople (MLSs) still processing for online gambling sites. Like gun control and immigration legislation, actual enforcement may never come. But you don't want to be, in effect, the guarantor for a test-case gambling merchant.
Cross-cultural risk reduction
MasterCard announced a new standard for SecureCode, which is designed to protect from fraud liability e-commerce merchants doing interregional transactions. The new rules are expected to reduce fraud and chargeback risks for merchants engaged in cross-border transactions.
As of Nov. 1, 2006, SecureCode is implementing an interregional liability shift, MasterCard stated. This means when a U.S. e-commerce merchant accepts a foreign transaction, the liability for a fraudulent chargeback is shifted to the card issuer, regardless of the cardholder's SecureCode status. E-commerce merchants can now be protected from the liability of foreign, fraudulent chargebacks just by implementing MasterCard SecureCode on their U.S. e-commerce Web sites.
This change may allow online merchants who are declining foreign transactions to begin accepting them, provided they properly implement programs to take advantage of SecureCode and Verified by Visa.
The MasterCard reason codes protected under the SecureCode liability shift are 4837, no cardholder authorization, and 4863, cardholder does not recognize the transaction. These reason codes represent the majority of all e-commerce merchants' chargebacks not related to merchant failure to properly provide refunds to customers.
Unfortunately, transactions between U.S. merchants and U.S. cardholders are not included in this rule change. For domestic transactions, the liability shift continues to apply only to fully authenticated SecureCode transactions.
De-compromising data
Visa's operating regulations state:
"A merchant or its agent must not retain or store the full contents of the magnetic stripe subsequent to an authorization of a transaction, and Visa has developed a new compliance process to resolve disputes related to account compromises for magnetic stripe-read counterfeit fraud.
"Visa has replaced the current compliance process with one that limits exposure and is supposed to be cost-effective, efficient, and equitable for all parties involved. It is called the Account Data Compromise Recovery (ADCR) process."
ADCR became effective Oct. 1, 2006, and is used exclusively for compromised magnetic-stripe data. ADCR limits counterfeit fraud liability for acquirers to a timeframe capped at 13 months. It allows for the partial recovery of some operating expenses for issuers.
Once a merchant notifies his acquirer of an account compromise, the acquirer sends the stolen account numbers to Visa through Compromised Account Management System, a secure system that allows acquirers, merchants and law enforcement officers to upload compromised and stolen or recovered account numbers directly to Visa.
It is up to Visa to determine if the validated account compromise meets ADCR criteria. If it does, Visa calculates and advises the acquirer of its potential ADCR financial liability, which includes a percentage of magnetic stripe-read counterfeit fraud and partial operating expense liability amounts.
The magnetic stripe-read counterfeit fraud estimate is based on the magnetic stripe-read counterfeit fraud reported at the time of the notice. It includes an estimation of fraud that is projected to occur before the end of the event window (which can be up to 13 months) but is not yet reported.
Acquirers can pass the ADCR liability amounts to merchants, but like chargebacks and fines, the funds might not be collectible. ISOs and MLSs may be the ones who pay in the end.
Visa's public Web site contains a four-page document, "What every merchant should know about the new account data compromise recovery process," explaining the new process. You and your merchants can download it at http://usa.visa.com/business/accepting_visa/ops_risk_management/adcr.htm
Interchange illumination
Visa joined MasterCard in posting its U.S. interchange fee schedule on the Web at http://usa.visa.com/business/accepting_visa/ops_risk_management/regulations.html MasterCard previously announced it would post its interchange rates on its merchant services Web site beginning Nov. 1, 2006. They are now available at www.mastercardmerchant.com
I hope this will someday eliminate the question I am so tired of hearing: I am supposedly getting interchange pass-through, how can I find out the card Associations' true interchange rates?
David H. Press is Principal and President of Integrity Bankcard Consultants Inc. Call him at 630-637-4010, send him an e-mail at dhpress@ibc411.com
or visit www.ibc411.com
|