The Visa Merchant Business News Digest is an online publication, providing a summary of recent Visa Business News articles. We know how important it is for you to have the pertinent information quickly and clearly, and our mission is to make that as simple as possible. The digest provides highlights of key merchant-related publications, but is not intended to be a complete list. As always, please work with your acquirer for further information on released publications and applicable announcements. As well, Visa Core Rules and Product and Service Rules are available on online and updated twice a year.
Visa has updated the Visa Direct Original Credit Transaction (OCT)—Global Implementation Guide. Clients and their partners that originate or receive Visa Direct original credit transactions (OCTs) should review the updated guide for information on how to enable and support services for a variety of use cases.
Visa has updated the Account Funding Transaction (AFT): Processing Guide. Clients and their partners that originate or receive AFTs should review the updated guide for information on how to best support these transactions.
Visa’s International Airline Program allows acquirers to partner with qualifying airline merchants and on-board service providers in any jurisdiction. This helps airline merchants consolidate their acquiring relationships and meet the unique needs of airlines for a comprehensive global acquiring service in all countries where they sell their tickets.
Acquirers are reminded that the correct merchant outlet location must be reflected in the merchant contract and in transaction processing, and that they are only permitted to enter into interchange transactions from countries where they are lawfully entitled to acquire transactions.
Visa has introduced a streamlined Level 3 (L3) testing process when using a Terminal Management System or Electronic Payment Server architecture in the U.S. In addition, Visa is reminding clients of the expiry periods for L1, L2 and L3 Letters of Approval for contact and contactless.
Visa is updating the U.S. activation date for EMV 3-D Secure (formerly 3DS 2.0) to 31 August 2020. This date defines when fraud liability extends to non-participating issuers.
Visa has created a new program guide that contains the rules for participating in Visa Secure using either 3-D Secure (3DS) 1.0.2 or EMV® 3DS.
Visa is publishing a new Visa Direct original credit transaction use case for Earned Wage Access (EWA), a service that enables fintechs to allow employees early access to their earned wages.
Visa will allow payroll service providers in the U.S. to use Visa Direct to facilitate faster small business payroll processing.
Issuers should prepare to support new credential-on-file and e-commerce Token Requestor IDs for Braintree Payment Solutions and IP Solutions International.
Visa has updated the U.S. Quick Chip and Minimum Terminal Configuration Acquirer Device Validation Toolkit (ADVT) Version 7 and the Contactless Device Evaluation Toolkit (CDET) Version 2.3 Use Cases on Visa Online and the Visa Technology Partner website in order to include a new mandatory U.S. CDET Magnetic-Stripe Data (MSD) only test case.
Starting in 2019, the Verified by Visa (VbV) program name will be rebranded to Visa Secure. The Visa Secure badge, combined with descriptive language emphasizing “your online transactions are secure with Visa,” will be the way consumers learn about Visa’s 3-D Secure (3DS) offering.
Existing VbV marks will be replaced with a Visa Secure badge across consumer-facing merchant and issuer channels, while all 3DS authentication screens will simply display the Visa logo.
Visa developed the 3-D Secure standard—currently branded for Visa cardholders as Verified by Visa— to provide merchants and issuers a way to authenticate the cardholder for card-not-present payments. Today, 3DS has become the industry-wide e-commerce authentication standard.
Merchants are encouraged to use the Visa Secure badge and messaging when implementing the enhanced EMV 3DS technology. Starting 1 October 2019, merchants must use the new badge and messaging whenever EMV 3DS technology is used. Guidelines and communication materials are available to merchants via their normal channels.
Visa has extended the dates for implementing a new indicator for card-present and card-absent transactions when merchants defer transaction authorization. A deferred authorization occurs when a merchant cannot complete an authorization at the time of the transaction with the cardholder due to connectivity, systems issues or other limitations, and then later completes the authorization when it is able to do so.
To give issuers information when a deferred authorization takes place and to help Acquirers & merchants obtain more approvals on deferred authorizations, Visa previously announced that it would require merchants and acquirers to identify deferred authorizations by 12 April 2019. However, in response to feedback and to allow more time for clients to prepare their authorization systems, Visa has postponed the previously announced implementation dates for rules pertaining to deferred authorization indicators to April 2019, October 2019 and April 2021.
Beginning 12 April 2019 as optional, and becoming mandatory for all deferred authorization requests by 16 April 2021, an acquirer or merchant that submits a deferred authorization for a card-present or card-absent transaction must both:
Effective 18 October 2019, acquirers must be able to support sending this indicator if a merchant includes it, but will not be required to send it in all deferred authorization requests until 16 April 2021. Issuers are required to be able to receive the deferred authorization indicator effective 12 April 2019.
Effective 19 April 2019, Visa will discontinue certification testing of all 3-D Secure 1.0.2 products and licensing of the specifications.
Clients should update their systems to comply with upcoming changes to floor limits in multiple markets in the Europe region, effective 18 October 2019.
Table 1: Floor Limits for Certain Countries in the Europe Region
|
Country |
MCC |
Current Magnetic Stripe and Contact Chip Floor limit |
Current Contactless Chip Floor Limit |
New Floor Limit for All Entry Modes |
|---|---|---|---|---|
Andorra |
All |
0 |
EUR 20 |
0 |
Austria |
All |
0 |
EUR 20 |
0 |
Belgium |
All |
0 |
EUR 20 |
0 |
Cyprus |
All |
0 |
EUR 20 |
0 |
Czech Republic |
All |
0 |
CZK 500 |
0 |
Estonia |
All |
0 |
EUR 20 |
0 |
Finland |
All |
0 |
EUR 20 |
0 |
France |
All |
0 |
EUR 20 |
0 |
Gibraltar |
All |
0 |
GBP 15 |
0 |
Greenland |
All |
0 |
DKK 140 |
0 |
Hungary |
All |
0 |
HUF 6000 |
0 |
Iceland |
All |
0 |
ISK 3000 |
0 |
Israel |
All |
0 |
ILS 90 |
0 |
Italy |
All |
0 |
EUR 20 |
0 |
Latvia |
All |
0 |
EUR 20 |
0 |
Liechtenstein |
All |
0 |
EUR 20 |
0 |
Lithuania |
All |
0 |
EUR 20 |
0 |
Luxembourg |
All |
0 |
EUR 20 |
0 |
Monaco |
All |
0 |
EUR 20 |
0 |
Poland |
All |
0 |
PLN 80 |
0 |
San Marino |
All |
0 |
EUR 20 |
0 |
Slovakia |
All |
0 |
EUR 20 |
0 |
Sweden |
MCC 4121—Taxicabs and Limousines |
|
EUR 20 |
0 |
All other MCCs |
|
EUR 20 |
0 |
|
Switzerland |
All |
0 |
CHF 20 |
0 |
Vatican City |
All |
0 |
EUR 20 |
0 |
¹ Floor limit currently applicable to domestic transactions only.
Table 2: Exceptions to Zero Floor Limits for Countries Listed in Table 1
|
MCC |
Terminal Type |
Non-Chip |
Contact Chip |
Contactless Chip |
|---|---|---|---|---|
MCC 4111—Local and Suburban Commuter Passenger Transportation, Including Ferries |
Unattended |
0 |
EUR 20² |
EUR 20² |
MCC 4112—Passenger Railways |
Unattended |
0 |
EUR 20² |
EUR 20² |
MCC 4131—Bus Lines |
Unattended |
0 |
EUR 20² |
EUR 20² |
MCC 4784—Tolls and Bridge Fees |
Unattended |
0 |
EUR 20² |
EUR 20² |
MCC 7523—Parking Lots, Parking Meters and Garages |
Unattended |
0 |
EUR 20² |
EUR 20² |
MCC 8398—Charitable Social Service Organizations |
All |
0 |
0 |
EUR 20² |
² Or local currency equivalent.
Select U.S. casinos will be able to use original credit transactions to disburse winnings at face-to-face establishments. Effective 18 October 2019, U.S. issuers will be able to receive domestic original credit transactions (OCTs) associated with select casinos that operate face-to-face establishments under Merchant Category Code (MCC) 7995—Betting, including Lottery Tickets, Casino Gaming Chips, Off-Track Betting, and Wagers at Race Tracks.
While MCC 7995 will be enabled by Visa in October 2019, only select face-to-face U.S. casinos and/or associated technology providers will be permitted to process OCTs and only through debit and eligible prepaid cards. Visa will monitor the program and make any necessary adjustments prior to expanding the program to additional participants.
Visa Approved PIN Security Assessors are migrating to a new assessor program managed by the Payment Card Industry Security Standards Council (PCI SSC). Visa PIN Security Program participants will be required to use a PCI Qualified PIN Assessor (QPA) for all on-site PIN assessments beginning 1 October 2019.
All on-site PIN assessments beginning on 1 January 2020 and after must validate to version 3 of the PCI PIN security requirements.
The PCI SSC, which develops and manages payment card security standards to protect payment card data, has updated two previously published information supplements to provide additional security guidance to address compliance, data security challenges and evolving technology.
Visa encourages all organizations to review the following updated materials and share them with customers, as appropriate:
Information Supplement: Protecting Telephone-Based Payment Card Data, Version 3.0: Discusses fundamental principles associated with applying Payment Card Industry Data Security Standards (PCI DSS) and best practices for securing telephone-based account data in a telephone environment.
Best Practices for Maintaining PCI DSS Compliance, Version 2.0: Provides best practices for maintaining compliance with PCI DSS after an organization has already undergone an initial PCI DSS assessment and successfully achieved compliance.
To facilitate secure, reliable and accurate payments, the systems and software used as part of the transaction flow must be designed, developed and maintained in a manner that protects the integrity of payment transactions and the confidentiality of all sensitive data that they store, process or transmit.
The Payment Card Industry Security Standards Council (PCI SSC) has published the new Software Security Framework in order to provide software vendors with updated security requirements and assessment procedures for payment software.
In this initial publication, the Software Security Framework includes two standards:
Both standards are designed for use as part of the PCI Software Security Framework and are intended for software vendors that develop software for the payments industry. Software vendors wishing to validate payment software under the PCI Software Security Framework should use the PCI Secure Software Standard. In addition, software vendors may opt to validate their Secure SLC practices for that payment software using the PCI Secure SLC Standard.
Transition from the Payment Application Data Security Standard
While the PCI Software Security Standards include elements of the Payment Application Data Security Standard (PA-DSS), the standards represent a new approach for securely designing and developing both existing and future payment applications. The overarching PCI Software Security Framework is designed to support a broader array of payment software types, technologies and development methodologies currently in use and also to support future technologies and use cases.
Visa clients, as well as their agents and merchants, must use only secure, validated payment applications that do not retain prohibited data elements. While the PA-DSS and Software Security Framework is intended for payment software that is sold, distributed or licensed to third parties, payment software that is developed in-house or customized for a single customer can also benefit when the requirements are applied as a best practice.
Effective 13 April 2019, all terminals accepting contactless payments in the U.S. must actively support EMV contactless functionality, and the legacy magnetic stripe data contactless technology should be upgraded.
Effective 14 December 2018, U.S. Debit Test Card #1 (version 2.0), #2 (version 2.0) and #3 (version 3.0) must be used for U.S. Acquirer Device Validation Toolkit (ADVT) and U.S. Contactless Device Evaluation Toolkit (CDET) testing.
Acquirers must submit merchant validation reports to Visa by 31 January 2019. Information on acquirers' compliance status and data security efforts enables Visa to understand how security measures are being adopted across the industry. As a reminder, acquirers must submit their Acquirer Merchant Reporting Template by 31 January 2019.
Visa is updating its 3-D Secure (3DS) program to support the updated EMV 3-D Secure specification, also referred to by the industry as 3DS 2.0. As part of the program update, issuer and merchant performance requirements are being established to ensure the Visa 3DS 2.0 program is deployed in a manner that will help to reduce fraud, enable effective authentication decision-making, and allow for a seamless user experience.
Because cash discount or discount offer programs have become increasingly popular at merchants, Visa is reminding U.S. acquirers, merchants, processors and agents that discount offer programs should be evaluated to ensure compliance with the Visa Rules.
Acquirers and issuers are reminded that Visa is introducing a new merchant category code (MCC) for marketplaces. Visa is also clarifying applicable usage of the new MCC to sell goods / services within a single line of business.
Recently announced acceptance policy changes, evolving and innovative new products, and changing risk parameters have created an opportunity to streamline Visa's requirements for merchants to identify and verify cardholders at the point of interaction in face-to-face environments. These updates will remove outdated requirements and practices, reduce friction and clarify a merchant's responsibility for verifying cardholders at the point of interaction.
Visa Direct-related rules and terminology have been updated to bring consistency and alignment with the nomenclature changes introduced in December 2017 in the Visa Direct Original Credit Transaction Global Implementation Guide.
The maximum annual transaction volume limit for payment facilitator / acquirer direct merchant agreement will be increased from USD 100,000 to USD 1 million in India.
To help protect payment data from cyberattacks, Visa Threat Intelligence historical library will be available to qualified clients through the end of 2018.
Visa will be updating all Verified by Visa server environments to better support redundancy.
The Payment Card Industry Security Standards Council (PCI SSC) has published version 3.0 of the PCI PIN security requirements.
Visa encourages clients and small merchants to review the simplified guidance documents on protecting payment card data published by the Payment Card Industry Security Standards Council (PCI SSC).
Visa 3-D Secure (3DS) 2.0 service is now available for clients and merchants to enhance the security of e-commerce transactions. In addition, updated regional activation dates that define when fraud liability extends to issuers that do not participate in 3DS 2.0 are now available.
Visa has streamlined contactless Level 3 chip certifications. Once a terminal device is set up to process online quick Visa Smart Debit / Credit (qVSDC) contactless transactions and has been certified for contact chip, then only limited streamlined testing will be required for qVSDC contactless.
Visa will introduce a new credential-on-file use case with Adyen to accelerate the deployment of Visa tokens to e-commerce merchants.
Visa has updated the Visa Account Funding Transaction (AFT) Processing Guide. Clients and their partners that originate or receive AFTs should review the updated guide for information on how to best support these transactions.
Visa will introduce a new merchant credential-on-file use case with payment service provider Cherri Tech, Inc. to accelerate the deployment of Visa tokens to e-commerce merchants.
Effective April 2019, clients and processors must use Visa-provided test encryption keys for testing in the VisaNet Certification Management Service (VCMS). Clients and processors must upgrade their VisaNet Test System-VisaNet Integrated Payment, host security modules and test host systems to support the Visa-provided test encryption keys.
Visa has updated the Visa Direct Original Credit Transaction (OCT)-Global Implementation Guide. Clients and their partners that originate or receive Visa Direct original credit transactions (OCTs) should review the updated guide for information on how to enable and support services such as money transfers, funds disbursements, prepaid loads and credit card bill payments.
Visa is reminding all clients to review their system setup and transaction coding to ensure compliance with Visa rules.
Visa has published a white paper, flyer and brochure that help address how small- and medium-sized businesses (SMBs) can increase sales and improve the customer experience through technology and digital commerce. These materials, which include research findings, real-life testimonials and a practical how-to guide, are available for Visa’s partners to distribute to SMBs.
For all Europe region-issued card payment devices, the VisaNet Integrated Payment (V.I.P.) System will block all contactless magnetic-stripe data transactions. This will affect all Europe region issuers, acquirers and merchants worldwide.
The Payment Card Industry Security Standards Council (PCI SSC) has published a standard for protecting PIN-based transactions on commercial off-the-shelf (COTS) devices. Merchants accepting PIN-based transactions via COTS devices must use or transition to a PCI-validated software-based PIN entry on COTS solution by 31 July 2019.
All organizations that exchange keys with Visa should plan to transition from variant format encryption to key block format encryption. The ability to perform key exchanges with Visa in variant format will not be supported by Visa after June 2021.
Visa will introduce a new credential-on-file use case with CyberSource to accelerate the deployment of Visa tokens to e-commerce merchants.
The Payment Card Industry Security Standards Council (PCI SSC) has updated the information supplements to provide guidance to merchants and service providers using Secure Sockets Layer / early Transport Layer Security for card-present POS point of interaction terminal connections after 30 June 2018, as well as the impact on Approved Scan Vendor scans in such cases.
The Visa PIN security website has been updated to provide news about the PIN Security Program and includes important information about the Europe PIN Security Program integration.
Visa Sensory Branding elements consisting of the Visa brand animation, the Visa brand sound and the Visa brand haptic are now available for use in client applications. Visa Sensory Branding elements can be downloaded as a software development kit for iOS, Android and web through the Visa Developer Platform.
The Visa Merchant Data Standards Manual has been updated to provide more clarity related to merchant category code definitions for transactions involving non-fiat currency and money transfer merchants. The document remains publicly available at visa.com to make it easily accessible to all clients, merchants, agents and processors.
The Card Acceptance Guidelines for Visa Merchants is a comprehensive manual for all businesses that accept Visa® transactions in the card-present and/or card-absent environment. The purpose of this guide is to provide merchants and their back-office sales staff with accurate, up-to-date information and best practices to help merchants process Visa transactions, understand Visa products and rules, and protect cardholder data while minimizing the risk of loss and fraud.
Visa published an easy-to-use guide to help smaller merchants navigate the world of transaction disputes. For more information, please see Dispute Management Guidelines for Visa Merchants on Visa.com.
The updated resource defines required procedures in response to an account data compromise.
As merchants in United States enable their payment card acceptance infrastructure for EMV chip technology starting October 1, 2015, counterfeit fraud will increasingly migrate to acceptance segments that have not implemented EMV chip technology, such as automated fuel dispensers (AFDs). This will lead to counterfeit fraud chargeback liability for fuel merchants if AFD EMV chip acceptance enablement is not completed by October 1, 2020.
Visa prepaid and debit cards are popular forms of payment at the register. Visa’s Partial Authorization service provides an alternative to declining a transaction when the card’s available balance is not sufficient to approve a transaction in full. Participating issuers return an authorization response with an approval for a portion of the original amount requested, enabling the remainder of the transaction amount to be paid by other means using split tender functionality.
More webinars and documents containing in-depth information designed to help Visa merchants navigate acceptance, fraud, data security, authorization and more. Download, print and keep them on hand at your business.
This digest consists of summaries only and does not supersede or modify Visa Business News publications. Please contact your Acquirer for further information about any publications. Actual Visa Business News articles are not public materials and should not be treated as public documents, e.g., posting on merchant websites, etc.
The Visa Business News was launched to Europe clients on August 11, 2016. Prior to that, announcements were communicated via Visa Europe Member Letter.
