Navigation Indication

  • Visa Merchant Business
    News Digest

    June 2018








Visa Merchant Business News Digest

The Visa Merchant Business News Digest is an online publication, providing a summary of recent Visa Business News articles. We know how important it is for you to have the pertinent information quickly and clearly, and our mission is to make that as simple as possible. The digest provides highlights of key merchant-related publications, but is not intended to be a complete list. As always, please work with your acquirer for further information on released publications and applicable announcements.

Signature Requirement Will Become Optional for EMV-enabled Merchants Everywhere

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
31 MAY 2018

Visa is making the requirement to capture and validate a signature optional for all EMV-enabled merchants across all Visa regions. Visa is also removing the requirement to keep transaction receipts, and is prohibiting issuers from initiating retrieval requests for transactions at all EMV-enabled merchants. These changes were previously announced for the U.S., Canada and LAC regions, and now reflect a global policy.

Card Absent Tokenization for U.S. Visa Debit Issuers Participating in Visa Token Service: Additional Feature

REGIONS: US
23 MAY 2018

Visa is expanding its existing Visa Token Service debit token call-out functionality to include detokenization of Visa tokens for card-absent debit transactions.

Effective 1 August 2018, U.S. Visa Debit issuers participating in Visa Token Service will have the option to allow their unaffiliated debit networks to call-out to Visa systems for card-absent transactions to exchange the Visa token for the associated primary account number.

PCI DSS Version 3.2.1 Published

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
17 MAY 2018

Visa will only accept Payment Card Industry Data Security Standard (PCI DSS) validations that comply with version 3.2.1.

Online Merchant Dispute Guide Now Available

REGIONS: US, Canada
10 MAY 2018

Visa published an easy-to-use guide to help smaller merchants navigate the world of transaction disputes.

For more information, please see Dispute Management Guidelines for Visa Merchants on Visa.com.

Visa Fraud Monitoring Program Will Support 3-D Secure in the U.S.

REGIONS: US
26 APR 2018

As a part of efforts to enhance the 3-D Secure (3DS) program, Visa is announcing changes to the Visa Fraud Monitoring Program and Visa Acquiring Monitoring Program to help mitigate U.S. domestic 3DS fraud.

Fraud Reporting System Enhancements

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
26 APR 2018

The Fraud Reporting System has been enhanced with operational and functional changes as part of the April 2018 VisaNet Business Enhancements release. The changes are centered on incorporating new fraud types that reflect a changing fraud landscape and updating program rules around the fraud reporting process.

Sunsetting of Static Data Authentication Rules for Mass Transit

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
12 APR 2018

Visa will sunset rules for issuance of transit-only Static Data Authentication (SDA) cards, as well as acceptance of SDA contactless payments in the mass transit environment. Following the sunset of these rules, Visa will require all new contactless cards and contactless-only terminals to support only fast dynamic data authentication.

Merchant Plug-in Validations for 3DS 1.0.2 Visa Token Service Transactions

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
5 APR 2018

Effective immediately, for 3-D Secure 1.0.2 Visa Token Service transactions only, merchant plug-ins should not match the last four digits of the PAN received in the authentication response message with the value supplied in the initial verification enrollment request message. Other validation options are provided for these transactions.

Signature Requirement Rule Update for EMV-enabled Merchants in U.S., U.S. Territories, Canada and LAC

REGIONS: US, Canada
29 MAR 2018

As previously announced, effective 14 April 2018, Visa made the requirement to capture and validate a signature optional for all EMV-enabled merchants in the U.S., U.S. Territories and Canada. The requirement to capture and validate a signature will become optional for all EMV-enabled merchants in LAC effective 13 October 2018.

For EMV-enabled merchants who prefer to continue to capture a signature or to use a signature for ensuring the cardholder’s acceptance of additional terms and conditions of sale, no change is required. However, these merchants will no longer need to store signatures if they do not wish to do so.

These changes apply to all transactions performed at EMV-enabled merchant terminals and apply to Visa requirements only. Merchants should use their own discretion about whether they should capture signatures or keep receipts for non-Visa related requirements.

EMV enablement is defined as the implementation of an acceptance device capable of reading, communicating and processing full-data transactions from a compliant EMV chip card. Specifically, this means that the Terminal Entry Capability (TEC) in the authorization message must be “5” for all Visa products the merchant accepts, as defined in the applicable VisaNet manuals.

For further information, please see additional information on Visa.com.

Purchase Return Requirements Will Be Updated in the Visa Rules

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
8 MAR 2018

Effective 13 April 2019, the Visa Rules will be updated to clarify merchant requirements for processing purchase returns. Visa recently announced new requirements to support the authorization of credit transactions for purchase returns / refunds. In response to client feedback, Visa is further clarifying requirements for processing refunds.

Payment Facilitator Requirements Will Be Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
8 MAR 2018

Effective 13 October 2018 requirements for Europe payment facilitators will be aligned with global requirements to provide a more comprehensive risk practice. Existing European rules for payment facilitators requiring customer service to be provided in the language in which the services are offered will be expanded globally. Additionally, in cases where a cardholder can access the payment facilitator’s website directly, the payment facilitator will be required to clearly display customer service contact information.

Acceptance Rules Update and Simplification

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
8 MAR 2018

Effective 14 April 2018, Visa is streamlining the Visa Rules by removing retired requirements, eliminating redundancies and simplifying language. Most of the changes will have no operational impact and have no action required.

Visa Reminds Clients to Register Third Party Agents

REGIONS: US, AP, Canada, CEMEA, LAC
22 FEB 2018

Visa reminds clients of the importance of the agent registration program, which provides Visa with visibility into the service providers in the payment ecosystem.

New CDET 2.3—Revision A Required by 1 March 2018

REGIONS: US, AP, Canada, CEMEA, LAC
15 FEB 2018

Visa is updating the eligibility requirements for retail and supermarket credit transactions for merchants to qualify for incentive interchange programs.

Consumer Credit Performance Thresholds for Retail and Supermarket Transactions Will Change

REGIONS: US
15 FEB 2018

Visa is updating the eligibility requirements for retail and supermarket credit transactions for merchants to qualify for incentive interchange programs.

New PCI SSC Guidance on Connected-to Service Providers Published

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
8 FEB 2018

Visa encourages all organizations to review the new guidance document published by the Payment Card Industry Security Standards Council and share it with customers, as appropriate.

U.S. EMV Terminal Requirements to Ensure Interoperability With Canada-issued Co-badged Cards

REGIONS: US
8 FEB 2018

Visa is clarifying requirements to ensure that U.S. EMV terminals can properly originate transactions from Canada-issued co-badged credit and debit cards. It is critical that vendors implement these changes to ensure interoperability.

Chargeback Rights for CVV2 Mismatch Transactions Will Be Removed for All Regions

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
1 FEB 2018

Effective 14 April 2018, issuer fraud-chargeback rights for card-absent transactions that are approved with a Card Verification Value 2 mismatch response will be removed for all transactions in all regions.

Visa Removing Requirement to Use payWave Brand on Cards, Terminals

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
25 JAN 2018

Visa is moving away from the Visa payWave brand name for Visa’s contactless solution.

In keeping with Visa’s ongoing efforts to provide greater flexibility for clients, Visa is removing the requirement to use Visa payWave branding on cards and on merchant terminals effective 1 February 2018. This change applies to AP and LAC only – payWave is currently optional on cards and terminals in all other regions.  

Visa will no longer approve new card designs or merchant / terminal signage using the payWave brand as of 1 November 2018. Visa will not require existing cards or terminal signage to be replaced as a result of this brand change. 

The future state is focused on contactless payments with Visa, and the guiding language at point-of-sale for consumers is “tap to pay here” to facilitate the transaction.

New Indicator Requirement For Deferred Authorizations

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
18 JAN 2018

Visa is implementing new requirements for card present transactions when merchants defer transaction authorizations. 

When their POS authorization systems are offline and cannot process card-present transactions, merchants often complete the transaction with the cardholder and defer the authorization until their POS authorization systems are back online. Currently there is no requirement for merchants to identify a deferred authorization. In some instances, this can cause confusion for issuers.

To improve authorization processing, effective October 2018 optional and April 2019 mandatory, Visa is implementing new rules pertaining to deferred authorization indication and processing timeframes.

Recommendations for Upcoming E-commerce Regulation in Turkey

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
11 JAN 2018

This article originally ran in the 25 May 2017 (summary below) edition of the Visa Business News. It is being republished, as the effective date of 31 December 2017 has been postponed to 31 January 2018. Please use this version of the article going forward.

Sales Tax Rebate Processing Requirements

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
21 DEC 2017

A rule to clarify the requirement that merchants process sales tax rebates as original credit transactions will take effect 13 April 2019.

Many governments allow tax-free shopping for foreign travelers. Merchants, acquirers and solution providers collaborate to offer sales tax / value-added tax (VAT) recovery to foreign travelers when they leave the country with purchased goods. To ensure this practice is conducted according to the Visa Rules, Visa is mandating that merchants:

  • Use original credit transactions (OCTs) for sales tax disbursements
  • Follow dynamic currency conversion (DCC) rules if the rebate amount is converted from a merchant’s local currency to a cardholder’s billing currency

Visa is clarifying the existing merchant processing rules to ensure acquirers and service providers that offer sales tax recovery service can place the funds on the cards.

Use of Acquirer Device Validation Toolkit Version 6.1.1 Extended

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
21 DEC 2017

Visa is providing clients additional time to transition to Acquirer Device Validation Toolkit Version (ADVT) 7.0 from ADVT Version 6.1.1.

In September 2017, Visa announced the release of a new version of the Acquirer Device Validation Toolkit (ADVT)—ADVT Version 7.0—and informed users that they had until 31 January 2018 to upgrade from the previous version of the toolkit—ADVT Version 6.1.1. Due to delays in certifying third-party test tools, Visa is allowing clients to use ADVT Version 6.1.1 until 31 May 2018.

Effective 1 June 2018, use of ADVT Version 6.1.1 will not be permitted. Instead, users will be required to obtain a copy of ADVT Version 7.0, either through a third-party test tool provider or via the Visa Mobile Card Personalization App / Utility Card.

Brand Standards Created for Blind Notch Cards

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
7 DEC 2017

Visa has created standards to support the non-standard blind notch card shape for visually impaired cardholders.

Effective immediately, issuers may develop and issue the non-standard blind notch card shape for visually impaired cardholders. Visa has created standards in support of these non-standard card shapes that allow for a cut-out notch to assist cardholders in determining the direction in which the card is to be inserted into a payment terminal at the point of sale.

Connection and Encryption Policies for Verified by Visa Transactions

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
16 NOV 2017

To increase security for Verified by Visa (VbV) transactions, Visa is requiring TLS version 1.2 to connect to all VBV hardware. Clients may need to make changes to their VbV infrastructure to meet the new security requirements.

In the 4 February 2016 edition of the Visa Business News, Visa announced support of the Payment Card Industry Security Standards Council (PCI SSC) bulletin on migrating from Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS) on all Verified by Visa (VbV) endpoints. Version 3.2 of the PCI Data Security Standard (DSS) was released in April 2016 and now requires all endpoints stop the use of SSL and early versions of TLS.

To ensure Visa meets its compliance commitments for PCI, Visa is requiring that all VbV merchant server plug-in and access control server providers that connect to VbV production infrastructure, including the Visa directory server and the authentication history server, meet the following requirements by the specified date:

  • Effective 28 January 2018, Visa will disable the use of TLS version 1.0, 1.1 and 3DES cipher and require that secure connections to all VbV production hardware use TLS version 1.2 encryption.

Version 2.1.0 of 3-D Secure 2.0 Specifications Now Available

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
2 NOV 2017

A new 3-D Secure Protocol and Core Functions Specification v2.1.0 can be downloaded from EMVCo’s website.

3-D Secure is a messaging protocol that allows the merchant, card issuer and consumer to exchange data during an e-commerce transaction for consumer authentication purposes.

EMVCo has released 3-D Secure 2.0 Protocol and Core Functions Specification Version 2.1.0 and Bulletin 196. Bulletin 196 provides updates, clarification and errata that are incorporated into the October 2017 version 2.1.0 specification. The new 3-D Secure 2.0 specification and Bulletin 196 are available to the general public from the EMVCo website.

Global Expansion of Debt Repayment on Debit and Prepaid Cards

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
2 NOV 2017

Visa allows debt repayment to occur on debit and prepaid cards in all regions. In addition, debt repayment rules will be refined in Australia, Canada, New Zealand, the U.S. and Europe.

Visa is expanding the use of debit and prepaid cards for debt repayment. The following rules will take effect in 2018.

Effective 14 April 2018:

  • Cardholders in all regions will be able to repay debt with debit and prepaid cards.
  • The debt repayment rules will be refined in Australia, Canada, New Zealand and U.S.

Effective 13 October 2018, the debt repayment rules will be refined in the Europe region.

Debt Defined

The Visa Rules define debt as money owed by one party (debtor) to another party (creditor), including the obligation to repay money in connection with the following:

  • Loans
  • Credit card balances
  • Funding of the purchase of goods and/or services by a third party

According to the Visa Rules, the following are not treated as debt:

  • Lease payments where ownership of the goods does not automatically pass to the lessee at the end of the lease
  • Installment or delayed payment for the purchase of goods or services under terms provided to the cardholder by the seller of the goods or services

Additional Requirements

For additional requirements, including changes for existing markets in Canada, Europe and the U.S. regions, as well as in Australia and New Zealand, refer to the October publication of Visa Rules found on Visa.com.

Global Dynamic Currency Conversion Compliance Program Expands to Europe; International Transactions Guide Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
26 OCT 2017

The Dynamic Currency Conversion Compliance Program now includes European acquirers. The Visa Rules and the International Transactions Guide have been updated to provide additional information about regulations, best practices and compliance procedures.

Delay in Compliance Action for Stored Credential Framework

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
17 OCT 2017

In the 1 September 2016 edition of the Visa Business News, Visa introduced new rules related to credential-on-file transactions, including merchant disclosure requirements and transaction identifier requirements went into effect for merchants and acquirers on 14 October 2017.

However, based on stakeholder feedback, and after assessing market readiness and taking into account the holiday season system freeze, Visa will extend the time to make the necessary system changes until 30 April 2018.

While the rule is still effective as of 14 October 2017, Visa will not take any compliance action or assess non-compliance assessments to non-compliant entities prior to 30 April 2018. Entities that comply with the rule by 30 April 2018 will not be required to submit a waiver request to Visa.

EMV Contactless Acceptance Requirements

REGIONS: US
12 OCT 2017

Effective 13 April 2019, all terminals accepting contactless payments in the U.S. must actively support EMV contactless functionality; and the legacy magnetic stripe data contactless technology will be retired.

New Android-based Mobile Application Available for Convenient Test Card Creation

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
12 OCT 2017

Visa has released a new Android-based mobile app that combines the ability to personalize chip test cards for various testing toolkits, including the Acquirer Device Validation Toolkit, Visa Contactless Device Evaluation Toolkit, Global Host Test Cards, and other specialized test cards. This new app requires the use of a mobile handset with near-field communication capability, as well as a Visa-supplied VMCP Utility Card.

Updated Global ADVT, CDET and VpTT Versions Released

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
28 SEP 2017

Version 7.0 of the Acquirer Device Validation Toolkit and Version 2.3 of the Contactless Device Evaluation Toolkit have now been released by Visa to third-party test tool providers. In the coming weeks, Visa will begin working with these providers to ensure test tools are available that meet the requirements of these newly released toolkit versions. An updated Version 4.3.0 of the Visa payWave Test Tool is also available from the tool vendor for use in the Europe region.

VSDC CA 1152-bit Key Will Expire and Must Be Removed From Terminals

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
14 SEP 2017

The Visa Smart Debit / Credit (VSDC) Certificate Authority 1152-bit key will expire on 31 December 2017. After its expiration and no later than 1 July 2018, this key must be removed from VSDC terminals. Each Visa Smart Debit / Credit (VSDC) or Visa contactless card that supports Offline Data Authentication (ODA) or Offline Enciphered PIN must contain an Issuer Public Key (IPK) Certificate that is signed by a VSDC Certificate Authority (CA) private key and provided to the issuer by the VSDC CA. These keys are validated by VSDC terminals using the associated public key. In order to ensure that expired keys are no longer used at terminals, Visa requires that only valid, non-expired public keys be loaded into VSDC terminals.

Chargeback Rights for U.S. Domestic CVV2 Mismatch Transactions Will Be Removed

REGIONS: US
14 SEP 2017

Effective 14 April 2018, issuer fraud-chargeback rights for U.S. domestic card-absent transactions that are approved with a card verification value mismatch response will be removed to align the U.S. with similar practices in AP, Canada, CEMEA and Europe.

Minor Unit Currency Changes for Icelandic Króna Cancelled

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
14 SEP 2017

Effective immediately, Visa is cancelling minor unit currency changes for the Icelandic króna that were to take effect with the October 2017 VisaNet Business Enhancements release. Clients and processors that have already changed the minor units in their processing systems must revert those changes.

 

U.S. Acceptance: Quick Chip and Contactless Implementation and Testing Best Practices

REGIONS: US
7 SEP 2017

To help acquirers, POS partners and value-added resellers migrate to quick Visa Smart Debit / Credit contactless solutions, Visa is providing implementation and testing best practices.



ZIP Code Information Will Be Required in AFD Authorization Messages for U.S. Fuel Merchants in High-Fraud

REGIONS: US
7 SEP 2017

Visa is requiring acquirers to ensure that their U.S. fuel merchants in areas identified as high-fraud geographies include Address Verification Service ZIP code information in all automated fuel dispenser authorization messages.

Mobile Contactless Cardholder Verification Method Prioritization Introduced

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
24 AUG 2017

Visa will partner with Visa Digital Enablement Program participants, including issuer-branded and third-party wallet providers compliant with the Consumer Device Cardholder Verification Method (CDCVM) Requirements and Best Practices, to prioritize the CDCVM for mobile contactless payment transactions.

Visa reminds acquirers that they must support the correct version of Visa Contactless Payment Specification or EMV equivalent.

About the CDCVM

In addition to signing a receipt or entering a PIN on a merchant’s PIN pad, a contactless payment allows cardholders to verify that they are the legitimate user on the consumer’s own device via the CDCVM, which offers the following benefits to consumers and merchants:

  • Consumers are familiar with the equipment (e.g., their phones) and in most cases, the CDCVM is the same mechanism they use to gain access to their phones.
  • Consumers typically verify themselves prior to the transaction occurring, which improves throughput at checkout. 
  • Consumers may verify the transaction securely and discreetly.

Recommendations for Upcoming E-commerce Regulation in Turkey

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
24 AUG 2017

This article originally ran in the 25 May 2017 edition of the Visa Business News. It is being republished, as the original effective date of 17 August 2017 has been postponed to 31 December 2017.

Please refer to below to summary 25 May 2017 for further details.

Card Network Name Requirement Will Be Updated

REGIONS: US
17 AUG 2017

To support U.S. region and U.S. territory transactions initiated with the Visa U.S. Common Debit application identifier, Visa will require the printing of the application label or an enhanced descriptor instead of “Visa” when the network is not known at the time a receipt is generated for new terminals and existing terminals.

Effective 14 October 2017 for new terminals and effective 14 October 2018 for existing terminals, Visa will clarify its card network name on receipts requirement in the U.S. region and U.S. territories when the Common Debit application identifier (Common AID) is selected and when the network is not known at the time the receipt is generated.

Merchants may need to adjust their terminals and receipt-generation logic accordingly.

Obligation to Report Suspected or Confirmed Account Data Compromises

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
10 AUG 2017

As Visa continually monitors network intrusions involving service providers (re-breaches of merchant payment environments and skimming incidents involving POS device overlays), we are alerting clients and entities of their obligations to investigate and immediately report all data compromise events.

Visa Token Service Will Expand for AsiaPay

REGIONS: US, AP, Canada, CEMEA, LAC
10 AUG 2017

Visa will introduce a new E-Commerce Enabler use case with AsiaPay to accelerate the deployment of Visa tokens to e-commerce merchants.

Virtual Cards Will Be Allowed for Lodging Reservations and Compelling Evidence

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
20 JUL 2017

Effective 14 April 2018, the Visa Payables Automation (VPA) platform will begin supporting a secure fax delivery method for issuers to validate their customer’s Visa card to a lodging merchant (e.g., hotel).

The Visa Rules will be updated to allow provision of an issuer VPA-generated fax or electronically delivered form for the lodging merchant to accept the virtual card, and to allow the virtual card to serve as compelling evidence in the event of chargebacks under Reason Code 81—Fraud: Card-Present Environment and Reason Code 83—Fraud: Card-Absent Environment.

New Implementation Date for Purchase Return Authorization Messages

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
20 JUL 2017

Visa is postponing the implementation date for clients to support purchase return authorization messages on credit vouchers / purchase returns and introducing a phased rollout of the requirement for merchants.

New Merchant Date Requirements:

Merchants with the largest return volumes must send authorization messages on credit vouchers / purchase returns effective with the October 2018 VisaNet Business Enhancements release. This extends the time requirement from April 2018 to October 2018 for merchants with the largest return volumes.  Merchants with the following Visa Purchase Return volumes are included in this first phase:

Region Annualized Visa Purchase Return Volume Minimum
AP USD 1 million
Canada USD 5 million
CEMEA USD 1 million
Europe USD 5 million
LAC USD 1 million
U.S. USD 10 million

 

Effective with the April 2019 VisaNet Business Enhancements release, all remaining merchants in all regions will be required to send an authorization on a credit voucher / purchase return. This extends the time requirement from April 2018 to April 2019 for all remaining merchants.

Please note the following:

  • All merchants may choose to adhere to the earlier issuer implementation schedule
  • Airline merchants will have the option to delay implementation until April 2019

Global Compromised Account Recovery Program Will Be Modified

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
13 JUL 2017

To address the growing number of card-not-present (CNP) compromises and accelerate case processing, effective 14 October 2017, Visa will modify the Global Compromised Account Recovery Program to include operating expense recovery for CNP account data compromises and eliminate incremental fraud recovery.

In May 2012, Visa consolidated its regional account data compromise recovery programs into the Global Compromised Account Recovery (GCAR) Program, which is a loss-allocation program designed to balance the needs of Visa clients following a large-scale account data compromise event. It provides a fair and efficient process to help issuers recover a portion of the estimated incremental fraud and operating expenses associated with the account data compromise event and establishes certain limits on potential acquirer liability under the Visa Rules.

Global Brand Protection Program Guide Updated

REGIONS: US, AP, Canada, CEMEA, LAC
15 JUN 2017

Visa has updated the ‘Visa Global Brand Protection Program Guide’ to improve program effectiveness and help acquirers minimize risk presented by merchants selling illegal or brand-damaging goods and services.

Advance Copy of Rules for Stored Credential Transaction Framework

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
15 JUN 2017

Visa is providing an advance copy of the Visa Rules related to its previously announced Stored Credential Transaction Framework updates.

Additional information found in the April 2017 announcement Stored Credential Transaction Framework Clarifications and Mandates can be found here.

All Merchant-Supported Card Acceptance Interfaces Must Be Available to Cardholders

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
15 JUN 2017

New or upgraded acceptance devices must make all merchant-supported card acceptance interfaces for Visa transactions available to the cardholder when a transaction is initiated.

Preventing Brute-Force Authorization Attacks

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
8 JUN 2017

Visa is providing an overview of brute-force attacks and best practices on how merchants and clients can identify and mitigate them. Issuers, acquirers and merchants are ultimately responsible for preventing this type of attack.

A brute-force attack is a trial-and-error method used by fraudsters to obtain, within seconds, payment card information such as an account number, card expiration date, PIN or Card Verification Value 2 (CVV2), as well as a user password for online account access. In a brute-force attack, automated software commonly known as a “botnet” is used as a downloader or a credential-collection tool that generates a large volume of consecutive guesses of account data.

Best Practices for Merchants:

Merchants use different criteria in their fraud-prevention strategies than issuers or acquirers. Merchants’ risk priorities are based on product type, history of chargebacks, delivery time for goods in the retail environment, time to departure in the airline industry, etc. Therefore, Visa recommends all merchants consider the following best practices:

Brute Force Attacks

Process

Recommendation

Real-time fraud detection
  • Where available, use a layered validation approach that employs CVV2 and Address Verification Service (AVS).
  • All online merchants should manage fraud-detection systems that support device fingerprint, email validation and botnet detection.
  • Analyze time zone differences and browser language consistency from the cardholder’s IP address and device. The transaction may be classified as a higher risk and be sent for manual review instead of bypassing the automatic approval process.
  • Look for multiple tracking elements in a purchase linked to the same device. For example, multiple transactions with different cards, using same the email address and same device ID, may be a trigger for fraud classification or review.
  • Look for logins for a single card account coming from many IP addresses.
  • Look for excessive usage and bandwidth consumption from a single user.
  • Review logins with suspicious passwords that hackers commonly use. For example, today some merchants are detecting fraud based on a gray list with set or combinations of passwords commonly used in fraudulent transactions.

Payment gateway
  • Payment gateways should implement tracking rules to alert simultaneous transactions testing with low amounts at the merchant ID level.

Front-end controls
  • Consider using Three-Domain Secure (3DS) authentication and captcha controls to prevent automated transaction initiation by robots or scripts (for example, five authorizations from one IP address or card).
  • Lock out an account if a user guesses the user name / password and any account authentication data incorrectly on “x” number login attempts.
  • Include IP address with multiple failed card payment data in a fraud detection's black-list database for manual review.
  • In addition to velocity checks for small and large transactions, use velocity checks for low amounts or authorization-only transactions.

Analytics
  • Create a Management Information System (MIS) or report based on “Invalid Account Number” fraud detection attempts at the issuer BIN level, the account number or terminal ID level, or the IP address or device ID level.
Brute Force Attacks

Verified by Visa Requirement for Travel Agencies Will Be Introduced

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
1 JUN 2017

To ensure Verified by Visa program eligibility, Visa will require that airline transactions booked through travel agencies include the name of the airline in the authentication message.

Effective 14 October 2017, to ensure airline transactions purchased through a travel agency can qualify for Verified by Visa (VbV) program benefits (including liability protection), travel agencies that use VbV must include the airline name in the VbV authentication message when an airline is the merchant of record in authorization.

Merchant Best Practices and Webinars are available on Visa.com

Card Acceptance Guidelines for Visa Merchants

The Card Acceptance Guidelines for Visa Merchants is a comprehensive manual for all businesses that accept Visa® transactions in the card-present and/or card-absent environment. The purpose of this guide is to provide merchants and their back-office sales staff with accurate, up-to-date information and best practices to help merchants process Visa transactions, understand Visa products and rules, and protect cardholder data while minimizing the risk of loss and fraud.

What to Do If Compromised

The updated resource defines required procedures in response to an account data compromise.

Counterfeit Fraud Mitigation Tools for Automated Fuel Dispenser Transactions: Fuel Merchants Who Are Not EMV Chip Enabled

As merchants in United States enable their payment card acceptance infrastructure for EMV chip technology starting October 1, 2015, counterfeit fraud will increasingly migrate to acceptance segments that have not implemented EMV chip technology, such as automated fuel dispensers (AFDs). This will lead to counterfeit fraud chargeback liability for fuel merchants if AFD EMV chip acceptance enablement is not completed by October 1, 2020.

Learn more

Visa Partial Authorization Service: Improve the Customer Experience and Increase Sales

Visa prepaid and debit cards are popular forms of payment at the register. Visa’s Partial Authorization service provides an alternative to declining a transaction when the card’s available balance is not sufficient to approve a transaction in full. Participating issuers return an authorization response with an approval for a portion of the original amount requested, enabling the remainder of the transaction amount to be paid by other means using split tender functionality.

More at Visa.com Merchant Resource Library

More webinars and documents containing in-depth information designed to help Visa merchants navigate acceptance, fraud, data security, authorization and more. Download, print and keep them on hand at your business.

This digest consists of summaries only and does not supersede or modify Visa Business News publications. Please contact your Acquirer for further information about any publications.  Actual Visa Business News articles are not public materials and should not be treated as public documents, e.g., posting on merchant websites, etc.

The Visa Business News was launched to Europe clients on August 11, 2016. Prior to that, announcements were communicated via Visa Europe Member Letter.