The New Account Data Compromise Recovery Process
Since 2004, Visa and its members have struggled to resolve disputes related to account compromises that have been linked to subsequent magnetic stripe-read counterfeit fraud. The existing process, according to members, has been too cumbersome and costly, particularly when there were thousands of affected accounts and fraudulent transactions. In response, Visa has replaced the current compliance process with one that limits exposure and is cost-effective, efficient, and equitable for all parties involved. It is called the Account Data Compromise Recovery (ADCR) process.
ADCR, which becomes effective October 1st, 2006, is used exclusively for magnetic-stripe data determined as compromised, limits counterfeit fraud liability for acquirers to a timeframe that is capped at 13 months, and allows for the partial recovery of some operating expenses for issuers.
ADCR process in brief
Compromised Account Management System (CAMS) Alert
Once a merchant notifies their acquirer of an account compromise, the acquirer sends the stolen account numbers directly to CAMS, a secure system that allows acquirers, merchants, and law enforcement officers to upload compromised and stolen or recovered account numbers directly to Visa. Visa then validates that an account compromise has occurred. Via CAMS, e-mail alerts are sent to affected issuers to notify them of the compromised accounts. Affected issuers monitor, close, or block the compromised accounts.
It is up to Visa to determine whether the validated account compromise meets ADCR criteria. If it does, Visa calculates and advises the acquirer of its potential ADCR financial liability, which includes a percentage of magnetic stripe-read counterfeit fraud and partial operating expense liability amounts. The magnetic stripe-read counterfeit fraud estimate is based on the magnetic stripe-read counterfeit fraud that has been reported at the time of the notice, plus an estimate of fraud that is projected to occur before the end of the event window but has not yet been reported as fraud. An event window is a 13-month time period that can be up to 12 months prior to and one month past the CAMS event date.
An acquirer has 30 days to appeal the preliminary decision and provide documents to Visa for consideration. If Visa confirms the event still meets ADCR criteria at the end of the issuer fraud-reporting window, which ends 90 days after the end of the 13th month, Visa calculates the actual acquirer magnetic stripe-read counterfeit fraud and operating expense liability amounts due each participating issuer impacted by the compromise.
Acquirers, at their discretion, determine when and how to notify a merchant about estimated and final liability amounts.
Reduce your risk exposure and liability
Avoid magnetic-stripe data storage violations by following these key rules:
- Be CISP-compliant. Visa merchants and service providers who store, process, or transmit cardholder data must comply with Visa's Cardholder Information Security Program (CISP) requirements. For details, review the information about CISP.
- Do not store magnetic-stripe data after transaction authorization.
- Do a thorough review of all payment applications to ensure non-storage of magnetic-stripe data. Confirm the security of your payment applications using Payment Application Best Practices (PABP), which can be downloaded from the CISP web site. This site also lists all software vendors whose payment applications have been Visa-approved.
- If you suspect an account compromise, alert all necessary parties of a suspected or confirmed security breach immediately. Provide all compromised Visa account numbers to your acquirer bank within 24 hours.
- Know your liability for data security problems.
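As a starting point for the storage review described in the rules above, the following added example (not Visa's or any PABP tooling) scans files such as application logs for retained Track 1 and Track 2 data and reports masked account numbers only. It assumes the standard ISO/IEC 7813 track layouts; the function names, the sample log lines, and the test account number are constructed for illustration.

```python
import re
from pathlib import Path

# Track 1 (format B): %B<PAN>^<name>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(\d{12,19})\^[^^\r\n]{2,26}\^\d{4}\d{3}[^?\r\n]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(rb";(\d{12,19})=\d{4}\d{3}\d*\?")

def luhn_ok(pan: bytes) -> bool:
    """Luhn check, used to discard digit runs that cannot be account numbers."""
    digits = [c - 48 for c in pan][::-1]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

def mask(pan: bytes) -> str:
    """Keep first six and last four digits so the report stores no full PAN."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]

def scan_bytes(data: bytes):
    """Return (track type, byte offset, masked PAN) for each stored track found."""
    findings = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(data):
            if luhn_ok(m.group(1)):
                findings.append((kind, m.start(), mask(m.group(1))))
    return sorted(findings, key=lambda f: f[1])

def scan_tree(root):
    """Walk a directory (e.g. a payment application's log folder)."""
    for path in Path(root).rglob("*"):
        try:
            data = path.read_bytes() if path.is_file() else b""
        except OSError:
            continue  # unreadable file: skip rather than abort the review
        for kind, offset, pan in scan_bytes(data):
            yield str(path), kind, offset, pan

# Constructed sample log using the well-known test number 4111111111111111.
SAMPLE = (
    b"12:00:01 AUTH OK amt=12.50 ref=000123\n"
    b"12:00:01 DEBUG swipe=%B4111111111111111^DOE/JOHN^09121010000000000000?\n"
    b"12:00:02 DEBUG t2=;4111111111111111=09121010000000000?\n"
    b"12:00:03 DEBUG t2=;4111111111111112=09121010000000000?\n"  # fails Luhn
)

if __name__ == "__main__":
    for finding in scan_bytes(SAMPLE):
        print(finding)
```

A clean result only covers plaintext track data in the files scanned; databases, memory dumps, and encoded or compressed files need their own review.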