Navigation Indication

  • Visa Merchant Business
    News Digest

    February 2019

Visa Merchant Business News Digest

The Visa Merchant Business News Digest is an online publication, providing a summary of recent Visa Business News articles. We know how important it is for you to have the pertinent information quickly and clearly, and our mission is to make that as simple as possible. The digest provides highlights of key merchant-related publications, but is not intended to be a complete list. As always, please work with your acquirer for further information on released publications and applicable announcements.

PCI SSC Publishes New Software Security Framework

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

17 JAN 2019

To facilitate secure, reliable and accurate payments, the systems and software used as part of the transaction flow must be designed, developed and maintained in a manner that protects the integrity of payment transactions and the confidentiality of all sensitive data that they store, process or transmit. 

The Payment Card Industry Security Standards Council (PCI SSC) has published the new Software Security Framework in order to provide software vendors with updated security requirements and assessment procedures for payment software. 

In this initial publication, the Software Security Framework includes two standards:

  • The Secure Software Standard, intended for software vendors that develop payment software that is sold, distributed or licensed to third parties, outlines security requirements and assessment procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data. 
  • The Secure Software Lifecycle (Secure SLC) Standard outlines security requirements and assessment procedures for software vendors to validate how they properly manage the security of payment software throughout the software lifecycle. 

Both standards are designed for use as part of the PCI Software Security Framework and are intended for software vendors that develop software for the payments industry. Software vendors wishing to validate payment software under the PCI Software Security Framework should use the PCI Secure Software Standard. In addition, software vendors may opt to validate their Secure SLC practices for that payment software using the PCI Secure SLC Standard. 

Transition from the Payment Application Data Security Standard  

While the PCI Software Security Standards include elements of the Payment Application Data Security Standard (PA-DSS), the standards represent a new approach for securely designing and developing both existing and future payment applications. The overarching PCI Software Security Framework is designed to support a broader array of payment software types, technologies and development methodologies currently in use and also to support future technologies and use cases.  

Visa clients, as well as their agents and merchants, must use only secure, validated payment applications that do not retain prohibited data elements. While the PA-DSS and Software Security Framework is intended for payment software that is sold, distributed or licensed to third parties, payment software that is developed in-house or customized for a single customer can also benefit when the requirements are applied as a best practice.

Upcoming EMV Contactless Acceptance Requirements

REGIONS: U.S.
20 DEC 2018

Effective 13 April 2019, all terminals accepting contactless payments in the U.S. must actively support EMV contactless functionality, and the legacy magnetic stripe data contactless technology should be upgraded.

New U.S. Debit Test Card Versions Must Be Used for U.S. ADVT and CDET Testing

REGIONS: U.S.
18 DEC 2018

Effective 14 December 2018, U.S. Debit Test Card #1 (version 2.0), #2 (version 2.0) and #3 (version 3.0) must be used for U.S. Acquirer Device Validation Toolkit (ADVT) and U.S. Contactless Device Evaluation Toolkit (CDET) testing.

Merchant Security Reporting for Acquirers Due 31 January 2019

REGIONS: US, Canada
6 DEC 2018

Acquirers must submit merchant validation reports to Visa by 31 January 2019. Information on acquirers' compliance status and data security efforts enables Visa to understand how security measures are being adopted across the industry. As a reminder, acquirers must submit their Acquirer Merchant Reporting Template by 31 January 2019.

Visa 3DS 2.0 Performance Program Rules

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
25 OCT 2018

Visa is updating its 3-D Secure (3DS) program to support the updated EMV 3-D Secure specification, also referred to by the industry as 3DS 2.0. As part of the program update, issuer and merchant performance requirements are being established to ensure the Visa 3DS 2.0 program is deployed in a manner that will help to reduce fraud, enable effective authentication decision-making, and allow for a seamless user experience.

Cash Discounting and Discount Offers Explained

REGIONS: US
18 OCT 2018

Because cash discount or discount offer programs have become increasingly popular at merchants, Visa is reminding U.S. acquirers, merchants, processors and agents that discount offer programs should be evaluated to ensure compliance with the Visa Rules.

Reminder and Clarification on New Merchant Category Code for Marketplaces

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
11 OCT 2018

Acquirers and issuers are reminded that Visa is introducing a new merchant category code (MCC) for marketplaces. Visa is also clarifying applicable usage of the new MCC to sell goods / services within a single line of business.

Visa Rules Will Be Updated to Streamline Cardholder and Merchant Interaction at the Point of Sale

REGIONS: US
27 SEP 2018

Recently announced acceptance policy changes, evolving and innovative new products, and changing risk parameters have created an opportunity to streamline Visa's requirements for merchants to identify and verify cardholders at the point of interaction in face-to-face environments. These updates will remove outdated requirements and practices, reduce friction and clarify a merchant's responsibility for verifying cardholders at the point of interaction.

Original Credit Transaction Terminology in Visa Direct Rules Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
20 SEP 2018

Visa Direct-related rules and terminology have been updated to bring consistency and alignment with the nomenclature changes introduced in December 2017 in the Visa Direct Original Credit Transaction Global Implementation Guide.

Increase in Payment Facilitator Annual Transaction Volume Limit for India

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
20 SEP 2018

The maximum annual transaction volume limit for payment facilitator / acquirer direct merchant agreement will be increased from USD 100,000 to USD 1 million in India.

Visa Threat Intelligence Historical Library Available Through December 2018 at No Charge

REGIONS: US
13 SEP 2018

To help protect payment data from cyberattacks, Visa Threat Intelligence historical library will be available to qualified clients through the end of 2018.

Verified by Visa Endpoints Must Support Failover Processing

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
6 SEP 2018

Visa will be updating all Verified by Visa server environments to better support redundancy.

PCI PIN Security Requirements Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
6 SEP 2018

The Payment Card Industry Security Standards Council (PCI SSC) has published version 3.0 of the PCI PIN security requirements.

PCI SSC Publishes New Guidance for Small Merchants

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
6 SEP 2018

Visa encourages clients and small merchants to review the simplified guidance documents on protecting payment card data published by the Payment Card Industry Security Standards Council (PCI SSC).

3DS 2.0 Service for Processing Secure E-commerce Transactions Available and Updated Activation Dates

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
30 AUG 2018

Visa 3-D Secure (3DS) 2.0 service is now available for clients and merchants to enhance the security of e-commerce transactions. In addition, updated regional activation dates that define when fraud liability extends to issuers that do not participate in 3DS 2.0 are now available.

U.S. EMV Acceptance: Streamlined Contactless Level 3 Chip Certifications

REGIONS: US
30 AUG 2018

Visa has streamlined contactless Level 3 chip certifications. Once a terminal device is set up to process online quick Visa Smart Debit / Credit (qVSDC) contactless transactions and has been certified for contact chip, then only limited streamlined testing will be required for qVSDC contactless.

Visa Token Service Will Expand for Adyen

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
16 AUG 2018

Visa will introduce a new credential-on-file use case with Adyen to accelerate the deployment of Visa tokens to e-commerce merchants.

Visa Account Funding Transaction Processing Guide Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
9 AUG 2018

Visa has updated the Visa Account Funding Transaction (AFT) Processing Guide. Clients and their partners that originate or receive AFTs should review the updated guide for information on how to best support these transactions.

Visa Token Service Will Expand for Use Case with Cherri Tech, Inc.

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
9 AUG 2018

Visa will introduce a new merchant credential-on-file use case with payment service provider Cherri Tech, Inc. to accelerate the deployment of Visa tokens to e-commerce merchants.

Test Encryption Keys in VCMS Must Be Provided by Visa

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
9 AUG 2018

Effective April 2019, clients and processors must use Visa-provided test encryption keys for testing in the VisaNet Certification Management Service (VCMS). Clients and processors must upgrade their VisaNet Test System-VisaNet Integrated Payment, host security modules and test host systems to support the Visa-provided test encryption keys.

Visa Direct OCT Global Implementation Guide Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
2 AUG 2018

Visa has updated the Visa Direct Original Credit Transaction (OCT)-Global Implementation Guide. Clients and their partners that originate or receive Visa Direct original credit transactions (OCTs) should review the updated guide for information on how to enable and support services such as money transfers, funds disbursements, prepaid loads and credit card bill payments.

Ensuring Network Integrity—Reminder to Focus on Data Quality

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
26 JUL 2018

Visa is reminding all clients to review their system setup and transaction coding to ensure compliance with Visa rules.

White Paper on Digital Transformation of Small-and-Medium-Sized Businesses Published

REGIONS: US
26 JUL 2018

Visa has published a white paper, flyer and brochure that help address how small- and medium-sized businesses (SMBs) can increase sales and improve the customer experience through technology and digital commerce. These materials, which include research findings, real-life testimonials and a practical how-to guide, are available for Visa’s partners to distribute to SMBs.

Europe Contactless Magnetic-Stripe Data Transactions Will Be Blocked By V.I.P. System

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
26 JUL 2018

For all Europe region-issued card payment devices, the VisaNet Integrated Payment (V.I.P.) System will block all contactless magnetic-stripe data transactions. This will affect all Europe region issuers, acquirers and merchants worldwide.

PCI Software-based PIN Entry on COTS Device Standard and Program Published

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
26 JUL 2018

The Payment Card Industry Security Standards Council (PCI SSC) has published a standard for protecting PIN-based transactions on commercial off-the-shelf (COTS) devices. Merchants accepting PIN-based transactions via COTS devices must use or transition to a PCI-validated software-based PIN entry on COTS solution by 31 July 2019.

Support for Key Exchange in Key Block Format

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
19 JUL 2018

All organizations that exchange keys with Visa should plan to transition from variant format encryption to key block format encryption. The ability to perform key exchanges with Visa in variant format will not be supported by Visa after June 2021.

Visa Token Service Will Expand for CyberSource

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
19 JUL 2018

Visa will introduce a new credential-on-file use case with CyberSource to accelerate the deployment of Visa tokens to e-commerce merchants.

Updated PCI SSC Guidance on SSL and Early TLS

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
21 JUNE 2018

The Payment Card Industry Security Standards Council (PCI SSC) has updated the information supplements to provide guidance to merchants and service providers using Secure Sockets Layer / early Transport Layer Security for card-present POS point of interaction terminal connections after 30 June 2018, as well as the impact on Approved Scan Vendor scans in such cases.

Updates to Visa PIN Security Website Include Europe Integration

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
21 JUNE 2018

The Visa PIN security website has been updated to provide news about the PIN Security Program and includes important information about the Europe PIN Security Program integration.

Visa Sensory Branding Introduced

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
21 JUNE 2018

Visa Sensory Branding elements consisting of the Visa brand animation, the Visa brand sound and the Visa brand haptic are now available for use in client applications. Visa Sensory Branding elements can be downloaded as a software development kit for iOS, Android and web through the Visa Developer Platform.

Visa Merchant Data Standards Manual Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
7 JUNE 2018

The Visa Merchant Data Standards Manual has been updated to provide more clarity related to merchant category code definitions for transactions involving non-fiat currency and money transfer merchants. The document remains publicly available at visa.com to make it easily accessible to all clients, merchants, agents and processors.

Signature Requirement Will Become Optional for EMV-enabled Merchants Everywhere

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
31 MAY 2018

Visa is making the requirement to capture and validate a signature optional for all EMV-enabled merchants across all Visa regions. Visa is also removing the requirement to keep transaction receipts, and is prohibiting issuers from initiating retrieval requests for transactions at all EMV-enabled merchants. These changes were previously announced for the U.S., Canada and LAC regions, and now reflect a global policy.

Card Absent Tokenization for U.S. Visa Debit Issuers Participating in Visa Token Service: Additional Feature

REGIONS: US
23 MAY 2018

Visa is expanding its existing Visa Token Service debit token call-out functionality to include detokenization of Visa tokens for card-absent debit transactions.

Effective 1 August 2018, U.S. Visa Debit issuers participating in Visa Token Service will have the option to allow their unaffiliated debit networks to call-out to Visa systems for card-absent transactions to exchange the Visa token for the associated primary account number.

PCI DSS Version 3.2.1 Published

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
17 MAY 2018

Visa will only accept Payment Card Industry Data Security Standard (PCI DSS) validations that comply with version 3.2.1.

Online Merchant Dispute Guide Now Available

REGIONS: US, Canada
10 MAY 2018

Visa published an easy-to-use guide to help smaller merchants navigate the world of transaction disputes.

For more information, please see Dispute Management Guidelines for Visa Merchants on Visa.com.

Visa Fraud Monitoring Program Will Support 3-D Secure in the U.S.

REGIONS: US
26 APR 2018

As a part of efforts to enhance the 3-D Secure (3DS) program, Visa is announcing changes to the Visa Fraud Monitoring Program and Visa Acquiring Monitoring Program to help mitigate U.S. domestic 3DS fraud.

Fraud Reporting System Enhancements

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
26 APR 2018

The Fraud Reporting System has been enhanced with operational and functional changes as part of the April 2018 VisaNet Business Enhancements release. The changes are centered on incorporating new fraud types that reflect a changing fraud landscape and updating program rules around the fraud reporting process.

Sunsetting of Static Data Authentication Rules for Mass Transit

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
12 APR 2018

Visa will sunset rules for issuance of transit-only Static Data Authentication (SDA) cards, as well as acceptance of SDA contactless payments in the mass transit environment. Following the sunset of these rules, Visa will require all new contactless cards and contactless-only terminals to support only fast dynamic data authentication.

Merchant Plug-in Validations for 3DS 1.0.2 Visa Token Service Transactions

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
5 APR 2018

Effective immediately, for 3-D Secure 1.0.2 Visa Token Service transactions only, merchant plug-ins should not match the last four digits of the PAN received in the authentication response message with the value supplied in the initial verification enrollment request message. Other validation options are provided for these transactions.

Signature Requirement Rule Update for EMV-enabled Merchants in U.S., U.S. Territories, Canada and LAC

REGIONS: US, Canada
29 MAR 2018

As previously announced, effective 14 April 2018, Visa made the requirement to capture and validate a signature optional for all EMV-enabled merchants in the U.S., U.S. Territories and Canada. The requirement to capture and validate a signature will become optional for all EMV-enabled merchants in LAC effective 13 October 2018.

For EMV-enabled merchants who prefer to continue to capture a signature or to use a signature for ensuring the cardholder’s acceptance of additional terms and conditions of sale, no change is required. However, these merchants will no longer need to store signatures if they do not wish to do so.

These changes apply to all transactions performed at EMV-enabled merchant terminals and apply to Visa requirements only. Merchants should use their own discretion about whether they should capture signatures or keep receipts for non-Visa related requirements.

EMV enablement is defined as the implementation of an acceptance device capable of reading, communicating and processing full-data transactions from a compliant EMV chip card. Specifically, this means that the Terminal Entry Capability (TEC) in the authorization message must be “5” for all Visa products the merchant accepts, as defined in the applicable VisaNet manuals.

For further information, please see additional information on Visa.com.

Purchase Return Requirements Will Be Updated in the Visa Rules

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
8 MAR 2018

Effective 13 April 2019, the Visa Rules will be updated to clarify merchant requirements for processing purchase returns. Visa recently announced new requirements to support the authorization of credit transactions for purchase returns / refunds. In response to client feedback, Visa is further clarifying requirements for processing refunds.

Payment Facilitator Requirements Will Be Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
8 MAR 2018

Effective 13 October 2018 requirements for Europe payment facilitators will be aligned with global requirements to provide a more comprehensive risk practice. Existing European rules for payment facilitators requiring customer service to be provided in the language in which the services are offered will be expanded globally. Additionally, in cases where a cardholder can access the payment facilitator’s website directly, the payment facilitator will be required to clearly display customer service contact information.

Acceptance Rules Update and Simplification

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
8 MAR 2018

Effective 14 April 2018, Visa is streamlining the Visa Rules by removing retired requirements, eliminating redundancies and simplifying language. Most of the changes will have no operational impact and have no action required.

Visa Reminds Clients to Register Third Party Agents

REGIONS: US, AP, Canada, CEMEA, LAC
22 FEB 2018

Visa reminds clients of the importance of the agent registration program, which provides Visa with visibility into the service providers in the payment ecosystem.

New CDET 2.3—Revision A Required by 1 March 2018

REGIONS: US, AP, Canada, CEMEA, LAC
15 FEB 2018

Visa is updating the eligibility requirements for retail and supermarket credit transactions for merchants to qualify for incentive interchange programs.

Consumer Credit Performance Thresholds for Retail and Supermarket Transactions Will Change

REGIONS: US
15 FEB 2018

Visa is updating the eligibility requirements for retail and supermarket credit transactions for merchants to qualify for incentive interchange programs.

New PCI SSC Guidance on Connected-to Service Providers Published

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
8 FEB 2018

Visa encourages all organizations to review the new guidance document published by the Payment Card Industry Security Standards Council and share it with customers, as appropriate.

U.S. EMV Terminal Requirements to Ensure Interoperability With Canada-issued Co-badged Cards

REGIONS: US
8 FEB 2018

Visa is clarifying requirements to ensure that U.S. EMV terminals can properly originate transactions from Canada-issued co-badged credit and debit cards. It is critical that vendors implement these changes to ensure interoperability.

Chargeback Rights for CVV2 Mismatch Transactions Will Be Removed for All Regions

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
1 FEB 2018

Effective 14 April 2018, issuer fraud-chargeback rights for card-absent transactions that are approved with a Card Verification Value 2 mismatch response will be removed for all transactions in all regions.

Merchant Best Practices and Webinars are available on Visa.com

Card Acceptance Guidelines for Visa Merchants

The Card Acceptance Guidelines for Visa Merchants is a comprehensive manual for all businesses that accept Visa® transactions in the card-present and/or card-absent environment. The purpose of this guide is to provide merchants and their back-office sales staff with accurate, up-to-date information and best practices to help merchants process Visa transactions, understand Visa products and rules, and protect cardholder data while minimizing the risk of loss and fraud.

What to Do If Compromised

The updated resource defines required procedures in response to an account data compromise.

Counterfeit Fraud Mitigation Tools for Automated Fuel Dispenser Transactions: Fuel Merchants Who Are Not EMV Chip Enabled

As merchants in United States enable their payment card acceptance infrastructure for EMV chip technology starting October 1, 2015, counterfeit fraud will increasingly migrate to acceptance segments that have not implemented EMV chip technology, such as automated fuel dispensers (AFDs). This will lead to counterfeit fraud chargeback liability for fuel merchants if AFD EMV chip acceptance enablement is not completed by October 1, 2020.

Learn more

Visa Partial Authorization Service: Improve the Customer Experience and Increase Sales

Visa prepaid and debit cards are popular forms of payment at the register. Visa’s Partial Authorization service provides an alternative to declining a transaction when the card’s available balance is not sufficient to approve a transaction in full. Participating issuers return an authorization response with an approval for a portion of the original amount requested, enabling the remainder of the transaction amount to be paid by other means using split tender functionality.

More at Visa.com Merchant Resource Library

More webinars and documents containing in-depth information designed to help Visa merchants navigate acceptance, fraud, data security, authorization and more. Download, print and keep them on hand at your business.

This digest consists of summaries only and does not supersede or modify Visa Business News publications. Please contact your Acquirer for further information about any publications.  Actual Visa Business News articles are not public materials and should not be treated as public documents, e.g., posting on merchant websites, etc.

The Visa Business News was launched to Europe clients on August 11, 2016. Prior to that, announcements were communicated via Visa Europe Member Letter.