Navigation Indication

  • Visa Merchant Business
    News Digest

    August 2017

Visa Merchant Business News Digest

The Visa Merchant Business News Digest is an online publication, providing a summary of recent Visa Business News articles. We know how important it is for you to have the pertinent information quickly and clearly, and our mission is to make that as simple as possible. The digest provides highlights of key merchant-related publications, but is not intended to be a complete list. As always, please work with your acquirer for further information on released publications and applicable announcements.

Virtual Cards Will Be Allowed for Lodging Reservations and Compelling Evidence

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
20 JUL 2017

Effective 14 April 2018, the Visa Payables Automation (VPA) platform will begin supporting a secure fax delivery method for issuers to validate their customer’s Visa card to a lodging merchant (e.g., hotel).

The Visa Rules will be updated to allow provision of an issuer VPA-generated fax or electronically delivered form for the lodging merchant to accept the virtual card, and to allow the virtual card to serve as compelling evidence in the event of chargebacks under Reason Code 81—Fraud: Card-Present Environment and Reason Code 83—Fraud: Card-Absent Environment.

New Implementation Date for Purchase Return Authorization Messages

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
20 JUL 2017

Visa is postponing the implementation date for clients to support purchase return authorization messages on credit vouchers / purchase returns and introducing a phased rollout of the requirement for merchants.

New Merchant Date Requirements:

Merchants with the largest return volumes must send authorization messages on credit vouchers / purchase returns effective with the October 2018 VisaNet Business Enhancements release. This extends the time requirement from April 2018 to October 2018 for merchants with the largest return volumes. Merchants with the following Visa Purchase Return volumes are included in this first phase:

Region Annualized Visa Purchase Return Volume
AP USD 1 million
Canada USD 5 million
CEMEA USD 1 million
Europe USD 5 million
LAC USD 1 million
U.S. USD 10 million

 

Effective with the April 2019 VisaNet Business Enhancements release, all remaining merchants in all regions will be required to send an authorization on a credit voucher / purchase return. This extends the time requirement from April 2018 to April 2019 for all remaining merchants.

Please note the following:

  • All merchants may choose to adhere to the earlier issuer implementation schedule
  • Airline merchants will have the option to delay implementation until April 2019

Global Compromised Account Recovery Program Will Be Modified

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
13 JUL 2017

To address the growing number of card-not-present (CNP) compromises and accelerate case processing, effective 14 October 2017, Visa will modify the Global Compromised Account Recovery Program to include operating expense recovery for CNP account data compromises and eliminate incremental fraud recovery.

In May 2012, Visa consolidated its regional account data compromise recovery programs into the Global Compromised Account Recovery (GCAR) Program, which is a loss-allocation program designed to balance the needs of Visa clients following a large-scale account data compromise event. It provides a fair and efficient process to help issuers recover a portion of the estimated incremental fraud and operating expenses associated with the account data compromise event and establishes certain limits on potential acquirer liability under the Visa Rules.

Global Brand Protection Program Guide Updated

REGIONS: US, AP, Canada, CEMEA, LAC
15 JUN 2017

Visa has updated the ‘Visa Global Brand Protection Program Guide’ to improve program effectiveness and help acquirers minimize risk presented by merchants selling illegal or brand-damaging goods and services.

Advance Copy of Rules for Stored Credential Transaction Framework

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
15 JUN 2017

Visa is providing an advance copy of the Visa Rules related to its previously announced Stored Credential Transaction Framework updates.

Additional information found in the April 2017 announcement Stored Credential Transaction Framework Clarifications and Mandates

Best practices are published on Visa.com https://usa.visa.com/dam/VCOM/global/support-legal/documents/stored-credential-transaction-framework-vbs-10-may-17.pdf

All Merchant-Supported Card Acceptance Interfaces Must Be Available to Cardholders

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
15 JUN 2017

New or upgraded acceptance devices must make all merchant-supported card acceptance interfaces for Visa transactions available to the cardholder when a transaction is initiated.

Preventing Brute-Force Authorization Attacks

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
8 JUN 2017

Visa is providing an overview of brute-force attacks and best practices on how merchants and clients can identify and mitigate them. Issuers, acquirers and merchants are ultimately responsible for preventing this type of attack. A brute-force attack is a trial-and-error method used by fraudsters to obtain, within seconds, payment card information such as an account number, card expiration date, PIN or Card Verification Value 2 (CVV2), as well as a user password for online account access. In a brute-force attack, automated software commonly known as a “botnet” is used as a downloader or a credential-collection tool that generates a large volume of consecutive guesses of account data.

Best Practices for Merchants:

Merchants use different criteria in their fraud-prevention strategies than issuers or acquirers. Merchants’ risk priorities are based on product type, history of chargebacks, delivery time for goods in the retail environment, time to departure in the airline industry, etc. Therefore, Visa recommends all merchants consider the following best practices:

Process

Recommendation

Real-time fraud detection 
  • Where available, use a layered validation approach that employs CVV2 and Address Verification Service (AVS).
  • All online merchants should manage fraud-detection systems that support device fingerprint, email validation and botnet detection.
  • Analyze time zone differences and browser language consistency from the cardholder’s IP address and device. The transaction may be classified as a higher risk and be sent for manual review instead of bypassing the automatic approval process.
  • Look for multiple tracking elements in a purchase linked to the same device. For example, multiple transactions with different cards, using same the email address and same device ID, may be a trigger for fraud classification or review.
  • Look for logins for a single card account coming from many IP addresses.
  • Look for excessive usage and bandwidth consumption from a single user.
  • Review logins with suspicious passwords that hackers commonly use. For example, today some merchants are detecting fraud based on a gray list with set or combinations of passwords commonly used in fraudulent transactions.

Payment gateway 
  • Payment gateways should implement tracking rules to alert simultaneous transactions testing with low amounts at the merchant ID level.

Front-end controls 
  • Consider using Three-Domain Secure (3DS) authentication and captcha controls to prevent automated transaction initiation by robots or scripts (for example, five authorizations from one IP address or card).
  • Lock out an account if a user guesses the user name / password and any account authentication data incorrectly on “x” number login attempts.
  • Include IP address with multiple failed card payment data in a fraud detection's black-list database for manual review.
  • In addition to velocity checks for small and large transactions, use velocity checks for low amounts or authorization-only transactions.

Analytics 
  • Create a Management Information System (MIS) or report based on "Invalid Account Number" fraud detection attempts at the issuer BIN level, the account number or terminal ID level, or the IP address or device ID level. 

Verified by Visa Requirement for Travel Agencies Will Be Introduced

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
1 JUN 2017

To ensure Verified by Visa program eligibility, Visa will require that airline transactions booked through travel agencies include the name of the airline in the authentication message.

Effective 14 October 2017, to ensure airline transactions purchased through a travel agency can qualify for Verified by Visa (VbV) program benefits (including liability protection), travel agencies that use VbV must include the airline name in the VbV authentication message when an airline is the merchant of record in authorization.

More information at https://usa.visa.com/run-your-business/small-business-tools/payment-technology/verified-by-visa.html

Recommendations for Upcoming E-commerce Regulation in Turkey

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
25 MAY 2017

Effective 17 August 2017, a new local e-commerce regulation published by the Banking Regulations and Supervision Agency (BRSA) will require Turkish issuers to obtain consent from their cardholders to enable their cards to perform e-commerce transactions.

In cases where the cardholders have not yet given their consent, issuers are required to decline ecommerce transactions performed with these cards. Visa suggests certain actions be taken by the Turkish issuers and all global acquirers to address the potential impacts. Examples include actions such as using decline response “Transaction Cannot Be Completed: Violation of Law” when declining an e-commerce transaction on a card that has not received consent for this type of transaction from the cardholder.

Acquirers may also have their merchants customize their messages for Turkey-issued cards when they are declined with ‘Transaction Cannot Be Completed: Violation of Law.’ They may suggest cardholders contact their issuing banks to enable e-commerce transactions.

Visa Chargeback and Fraud Monitoring Programs Will Be Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
18 MAY 2017

Effective 1 October 2017, Visa will update its merchant and acquirer level fraud and chargeback monitoring programs to improve the efficiency of the Visa Chargeback Monitoring Program (VCMP), update the VCMP reimbursement policy, and restrict the number of disputes that an account number can contribute to a program identification.

Taxi Authorizations Enhanced and New Limit Set for Aggregated Transactions

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
4 MAY 2017

Effective 14 October 2017, card-absent taxi service transactions may use an estimated authorization request and an incremental authorization request. These authorizations will be valid for the same day.

Separately, Visa will also reduce the maximum amount of an aggregated transaction in the card-absent environment to USD 15 for all regions.

Implementation Date Change for PCI PIN Security Key Bundling Requirement

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
4 MAY 2017

The Payment Card Industry Security Standards Council has revised the implementation date for its Key Bundling requirement.

In December 2014, Version 2.0 of the Payment Card Industry (PCI) PIN Security Requirements introduced a requirement: 18-3, Key Bundling. The requirement, sometimes referred to as “key blocks” or “key bundling,” greatly improved the protection of symmetric keys that are shared among payments system participants to protect PINs and other sensitive data.

Effective 1 January 2018, encrypted symmetric keys must be managed in structures called key blocks. The key usage must be cryptographically bound to the key using accepted methods.

More information at https://usa.visa.com/dam/VCOM/global/partner-with-us/documents/key-bundling-effective-date-change.pdf

Stored Credential Transaction Framework Clarifications and Mandates

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
27 APR 2017

Visa is clarifying the definition of and requirements for its Stored Credential Transaction framework, including mandates to identify initial storage and subsequent usage of payment credentials. Visa is also clarifying the definition and identifiers for Unscheduled Credential-on-File transactions.

Growth in digital commerce, together with the emergence of new business models, has increased the number of transactions where a merchant or its agent, a payment facilitator or a staged digital wallet operator uses cardholders’ payment credentials (i.e., account details) that they previously stored for future purchases. Effective with the October 2017 VisaNet Business Enhancements release, merchants and acquirers must use certain data values in the authorization message.

Improving Authorization Management for Transactions with Stored Credentials

Reminder: PCI PIN Entry Devices Version 2.x Approval Is Expiring

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
13 APR 2017

The PCI Security Standards Council (SSC) and Visa recognize that expired devices are more vulnerable to compromise and may contribute to the theft of cardholder and PIN data.  Effective 30 April 2017, Payment Card Industry PIN Entry Devices Version 2.x security approval will expire. 

More information at PCI Security Standards.org

Visa Claims Resolution Implementation Date Change

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
11 APR 2017

The announced VCR implementation date was October 2017 initially.  In response to client feedback, and to help ensure the readiness of stakeholders around the world, Visa has adjusted the VCR implementation date to coincide with the April 2018 VisaNet Business Enhancements release. 

Learn more about dispute basics

Visa Debit and Prepaid Hold Times Will Be Extended for Some Merchant Segments

REGIONS: US
6 APR 2017

The Visa Rules will be updated to allow issuers to hold funds for Visa debit and prepaid card-absent, lodging, vehicle rental and cruise line transactions for up to seven business days.

To better manage holds on cardholder funds, effective 21 July 2017, Visa will update the Visa Rules to allow issuers to hold funds for up to seven business days for Visa debit and prepaid transactions in the card-absent environment, or at merchants in the lodging, vehicle rental and cruise line segments.

Issuers Must Transmit Card Authentication Results Code

REGIONS: US
23 FEB 2017

Visa reminds issuers to transmit Field 44.8—Card Authentication Results Code on all chip authorizations, as required. In addition, acquirers and their merchant clients must not decline any approved authorization response based on Field 44.8, as there is no liability shift associated with this field.

U.S. Interlink AFD EMV Liability Shift Delayed to 2020

REGIONS: US
9 FEB 2017

The EMV liability shift for U.S. domestic Interlink automated fuel dispenser (AFD) transactions has been delayed until 1 October 2020. Visa will expand its current Visa Fraud Monitoring Program (VFMP) to help mitigate counterfeit fraud for these transactions at U.S. AFDs during the interim period.

U.S. Automated Fuel Dispenser EMV Liability Shift Delayed

Visa Payment Acceptance Best Practices for U.S. Retail Petroleum Merchants

Merchant POS Branding Requirements Will Be Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
2 FEB 2017

To provide additional flexibility to merchants and simplify existing rules, Visa will modify the display requirements for the Visa Point-of-Sale (POS) Graphic.

Effective 22 April 2017, Visa is modifying the display requirements for the Visa POS Graphic at the physical point of sale and at e-commerce checkouts, including application-based payments. Merchants that choose to accept Visa for one form factor are reminded that they also must do so for all Visa account payment credentials presented using the same underlying technology (e.g., near-field communication [NFC]).

Merchant Outlet Location Matching Will Be Required Throughout the Transaction Life Cycle

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
12 JAN 2017

To ensure data integrity and appropriate processing, the Visa Rules require that data elements must match between the authorization and clearing stages of a transaction.  Effective 22 April 2017, Visa will expand these rules to require that the merchant country location match throughout the rest of the transaction’s life cycle.

It is important that the same merchant country location be used in the initial purchase and in all subsequent transactions tied to the purchase. Changing the merchant country location in the purchase or subsequent transactions negatively affects the cardholder experience and can lead to unnecessary customer service calls.

Visa is introducing a compliance program to ensure that acquirers accurately assign and disclose merchant outlet location.

U.S. Automated Fuel Dispenser EMV Liability Shift Delayed to 2020

REGIONS: US
1 DEC 2016

The EMV liability shift for U.S. domestic automated fuel dispenser (AFD) transactions has been delayed until 1 October 2020. Visa will expand its current Visa Fraud Monitoring Program (VFMP) to help mitigate counterfeit fraud at U.S. AFDs during the interim period.

U.S. Automated Fuel Dispenser EMV Liability Shift Delayed

Visa Payment Acceptance Best Practices for U.S. Retail Petroleum Merchants

Rules for Authorization Currency Will Be Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
1 DEC 2016

To ensure a positive cardholder experience and increase approval rates, Visa is updating rules related to authorization currency used for cross-border transactions, effective 1 January 2017 for acquirers in the AP, Canada, CEMEA, LAC and U.S. regions, and effective 1 April 2017 for acquirers in the Europe region.

Visa will allow those acquirers to also send authorization requests in their merchant’s local currency. Acquirers that wish to use this option must update their host systems. Acquirers that choose not to use this option will not be affected.

Visa Issues Updated EMV Documentation Regarding Merchant Routing Choice Flexibility

REGIONS: US
22 NOV 2016

Merchants can use the U.S. Common Debit Application Identifier (AID) to route all U.S. debit transactions regardless of cardholder verification method and are not required to prompt for cardholder selection of AID.

Additional information

Rules Related to Transaction Receipts Will Be Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
10 NOV 2016

Visa will update rules related to transaction receipts to help simplify merchant / acquirer operations and reduce costs associated with transaction receipt storage and fulfillment.

Effective for transactions initiated on or after 22 April 2017, Visa will revise rules that affect transaction receipts, including: (1) what content elements must be displayed (2) when a receipt must be provided (3) how long merchants must retain receipts (4) when a merchant must fulfill a request for copy.

EMV 3-D Secure Protocol and Core Function Specification Version 2.0 Now Available

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
27 OCT 2016

EMVCo’s EMV 3-D Secure Protocol and Core Functions Specification v2.0 is now available to the general public from EMVCo’s website.  

PCI DSS Version 3.2 Implementation Dates

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
27 OCT 2016

To ensure cardholder data is protected according to the most current security controls, Visa encourages organizations to transition to version 3.2 of the PCI Data Security Standard (PCI DSS)—Requirements and Security Assessment Procedures as soon as possible.

Visa Token Service Provider Program Introduced

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
20 OCT 2016

Visa is launching the Visa Token Service Provider Program, a technology and service enablement program that complements the Visa Digital Enablement Program (VDEP) and provides issuers and token requesters with greater flexibility in using third-party technology and service providers to enable, manage and support their integration with and use of the Visa Token Service (VTS) and perhaps other token services.

Visa Digital Solutions

Ensure Acceptance of Myanmar-issued Visa Cards Across All Channels

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
13 OCT 2016

Visa reminds acquirers and merchants to update their systems to enable acceptance of Myanmar-issued Visa cards.

New Effective Date for Changes to Special Authorization Rules for T&E and Transit Merchants

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
6 OCT 2016

In response to merchant and issuer processing needs, Visa will update rules related to estimated, initial and incremental authorization request processing, as well as authorization reversals, issuer hold releases and chargeback rights.

Beginning 22 April 2017, select merchant segments (e.g. equipment rental, restaurants and bars, amusement parks) will be permitted to perform estimated, initial and incremental authorizations. For merchant segments currently performing estimated authorizations, Visa has pushed back the effective date for these changes from 22 April 2017 to 14 October 2017.

New Digital Wallet Definitions and Rules Introduced

REGIONS: US, AP, Canada, CEMEA, LAC
25 AUG 2016

Visa willintroduce new definitions and update its rules in response to the growing interest in digital wallets. New requirements will also address the processing of transactions completed with a staged digital wallet and the responsibilities of a staged digital wallet operator (SDWO) and its acquirer.

New Purchase Return Authorization Messages Will Be Implemented

REGIONS: US, AP, Canada, CEMEA, LAC
25 AUG 2016

Visa is updating acceptance rules to require merchants to send an authorization message on credit vouchers / purchase returns. New return authorization messages will enable issuers to update cardholders’ online banking statements in real time and provide text alerts to those cardholders that opt in to the service with their issuer.

This new flow of information on returns is intended to enhance cardholder confidence in the payments system, because the information they receive on purchase returns will better align with what they see on purchases.

New Purchase Return

New Resources for Acquirers, POS Partners and Value-Added Resellers

REGIONS: US
25 AUG 2016

Visa has introduced a series of initiatives in the U.S. to facilitate the migration to chip for acquirers, point-of-sale (POS) partners and value-added resellers(VARs).

Verified by Visa-specific Static Password Authentication Will Be Eliminated

REGIONS: US, AP, Canada, CEMEA, LAC
25 AUG 2016

Visa will eliminate the use of Verified by Visa-specific static passwords and related enrollment processes beginning in 2018.  Advances in risk modeling and predictive analytics have helped improve the security of 3-D Secure transactions while minimizing friction for cardholders.

Risk-based and dynamic authentication takes an assessment of a transaction’s riskiness behind the scenes. This is done by analyzing contextual data about purchases, such as behavioral checks device checks and merchant checks.

Improving Security in E-commerce

Reminder: Upgrade Verified by Visa Digital Certificates

REGIONS: US, AP, Canada, CEMEA, LAC
11 AUG 2016

All Verified by Visa endpoints are reminded to upgrade digital certificates from Secure Hash Algorithm 1 (SHA-1) to SHA-2 for Verified by Visa transactions.

Fraud-Related Chargeback Rules to Be Updated; New Conditions Introduced for Non-Fulfilled Transaction Receipt and Cardholder Letter Requests

REGIONS: US
11 AUG 2016

Visa is clarifying its rules to prevent fraud-related chargebacks on the basis of fraudulent applications, and to invalidate counterfeit fraud chargebacks for tokenized transactions. Visa is updating its rules to include new conditions for issuers that initiate pre-compliance against acquirers on a non-fulfilled transaction receipt request for copy (RFC) and for acquirers that initiate pre-compliance against issuers for a cardholder letter RFC.

Eight-Digit Issuer BIN Implemented April 2022

REGIONS: US, AP, Canada, CEMEA, LAC
4 AUG 2016

Effective with the April 2022 Business Enhancements release, Visa will implement eight-digit issuer Bank Identification Numbers (BINs) in accordance with the forthcoming migration from six- to eight-digit Issuer Identification Numbers
(IINs).

New Android-based Mobile App Enables Convenient CDET Testing

REGIONS: US, AP, Canada, CEMEA, LAC
4 AUG 2016

Visa has released a new Android-based mobile app as an alternative and convenient option for performing the latest Contactless Device Evaluation Toolkit (CDET) testing requirements using a mobile near field communication (NFC)-capable handset.

To continually provide clients with enhanced test tool solutions that simplify, automate and accelerate the testing processes required before deploying EMV contact and contactless products, effective immediately, Visa has introduced an Android-based mobile app that fully supports the capabilities of the latest CDET (currently, Version 2.2).

EMV Chip Terminal Testing Requirements

Merchant Outlet Location and Website Disclosure Rules Will Be Clarified

REGIONS: US, AP, Canada, CEMEA, LAC
4 AUG 2016

Visa has existing rules that require merchants to properly identify their name, type of business, and location. All of these elements are key to helping merchants be properly identified by cardholders for all transactions processed through the Visa system. Providing the proper information helps prevent unnecessary cardholder disputes and reduces additional risk to the Visa system.

Effective 15 October 2016, the rules for identifying merchant location are being clarified to help acquirers and merchants more accurately identify the merchant location to the cardholder.

Providing the proper location of your Merchant Business

Merchant Best Practices and Webinars are available on Visa.com

Card Acceptance Guidelines for Visa Merchants

The Card Acceptance Guidelines for Visa Merchants is a comprehensive manual for all businesses that accept Visa® transactions in the card-present and/or card-absent environment. The purpose of this guide is to provide merchants and their back-office sales staff with accurate, up-to-date information and best practices to help merchants process Visa transactions, understand Visa products and rules, and protect cardholder data while minimizing the risk of loss from fraud.

Learn more

What to Do If Compromised

The updated resource defines required procedures in response to an account data compromise.

Learn more

Counterfeit Fraud Mitigation Tools for Automated Fuel Dispenser Transactions: Fuel Merchants Who Are Not EMV Chip Enabled

As merchants in United States enable their payment card acceptance infrastructure for EMV chip technology starting October 1, 2015, counterfeit fraud will increasingly migrate to acceptance segments that have not implemented EMV chip technology, such as automated fuel dispensers (AFDs). This will lead to counterfeit fraud chargeback liability for fuel merchants if AFD EMV chip acceptance enablement is not completed by October 1, 2020.

Learn more

Visa Partial Authorization Service: Improve the Customer Experience and Increase Sales

Visa prepaid and debit cards are popular forms of payment at the register. Visa’s Partial Authorization service provides an alternative to declining a transaction when the card’s available balance is not sufficient to approve a transaction in full. Participating issuers return an authorization response with an approval for a portion of the original amount requested, enabling the remainder of the transaction amount to be paid by other means using split tender functionality.

Learn more

More at Visa.com Merchant Resource Library

More webinars and documents containing in-depth information designed to help Visa merchants navigate acceptance, fraud, data security, authorization and more. Download, print and keep them on hand at your business.

Visit Merchant Library

This digest consists of summaries only and does not supersede or modify Visa Business News publications. Please contact your Acquirer for further information about any publications.  Actual Visa Business News articles are not public materials and should not be treated as public documents, e.g., posting on merchant websites, etc.

The Visa Business News was launched to Europe clients on August 11, 2016. Prior to that, announcements were communicated via Visa Europe Member Letter.