Visa Merchant Business News Digest

Account Funding Transaction Processing Guide Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

14 NOV 2019

Visa has updated the Account Funding Transaction (AFT): Processing Guide (English only). Clients and their partners that originate or receive AFTs should review the updated guide for information on how to best support these transactions.

Reminder: Brand Standards for Contactless Point-of-Sale Terminals

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

14 NOV 2019

Visa is reminding clients of the brand standards for contactless point-of-sale terminals.

Download article about brand standards for contactless point-of-sale terminals

Visa Rules Will Be Updated to Address First Party Fraud

REGIONS: US, AP, Canada, LAC

7 NOV 2019

Effective 18 April 2020, the Visa Rules will be updated to ensure issuers, acquirers and their sponsored merchants control first party fraud. First party fraud is a concern for all parties in the payment system. This occurs when a cardholder seeks reimbursement or a credit for legitimately purchased goods and services, resulting in potential disputes and creating additional costs for all participants.

New Revision of Contactless Device Evaluation Toolkit Available

REGIONS: US, AP, Canada, CEMEA, LAC

7 NOV 2019

Visa has released Revision 2.3B of the Contactless Device Evaluation Toolkit.

Download article about new revision of contactless device evaluation toolkit

Simplified International Airline Program Registration

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

7 NOV 2019

Visa has simplified the registration process for the International Airline Program, expanded program registration requirements to domestic airlines and updated the Visa International Airline Program Guide.

Download article about simplified international airline program

Proper Account Verification Message Processing Reminders

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

7 NOV 2019

Visa is reminding acquirers, their merchants and issuers that they must correctly process zero-amount account verification messages.

Download article about account verification message processing reminders

Acceptance Policies Clarified for New, Flexible Card Design Options

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

24 OCT 2019

Visa has clarified its acceptance policies to support updated Visa Product Brand Standards that offer greater flexibility in card design. To ensure an optimal cardholder experience, acquirers and merchants should be aware of Visa’s new card design options.

Effective immediately, Visa has modified standards to allow increased flexibility when issuers are designing Visa cards. Key changes include fewer required card elements and broader options for placement and color of the Visa Brand Mark.

To support these updated card design options, the Visa Rules have been updated to clarify cardholder verification requirements for cards without signature panels. For transactions with cards that do not have a signature panel, merchants do not have to validate a cardholder’s signature.¹ Additionally, issuers will not be permitted to raise a request for copy (RFC) for a transaction receipt. This applies regardless of whether the merchant has deployed an EMV®-capable terminal.² 

¹ Visa cards issued in the U.S. will continue to contain a signature panel, but merchants may be presented with Visa cards issued from outside the U.S., which may not contain a signature panel.

² Merchants with non-EMV capable terminals (i) must continue to capture and validate a cardholder signature and (ii) remain subject to RFCs for transactions on all other cards above the applicable Visa Easy Payment Service (VEPS) limit, if no PIN is obtained.

New Encryption Requirements for Visa Direct APIs

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

17 OCT 2019

Visa will require clients that connect to Visa Direct APIs to support Message Level Encryption.

Download article about the new encryption requirements

Visa Merchant Data Standards Manual Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

17 OCT 2019

The Visa Merchant Data Standards Manual has been updated to provide additional details and clarifications on some merchant category code descriptions. The document remains publicly available at visa.com to make it easily accessible to all clients, merchants, agents and processors.

What To Do If Compromised Document Revised

REGIONS: US, AP, Canada, CEMEA, LAC

10 OCT 2019

Visa’s What To Do If Compromised document has been updated to more clearly define required procedures and timelines for reporting and responding to a suspected or confirmed account data compromise. This latest version incorporates new investigation fees and non-compliance assessment information. Fees are entirely avoidable if entities cooperate with applicable investigations in a timely fashion. 

Download document about What to do if compromised

Open File Delivery Cipher Changes for FTPS, SSH and Connect: Direct

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

10 OCT 2019

To meet Payment Card Industry Security Standards Council (PCI SSC) compliance commitments and maintain the highest standards of system security, Visa will be upgrading the Open File Delivery (OFD) platform to utilize stronger cipher suites, while concurrently decommissioning older and less secure cipher suites effective 30 November 2019. Clients must ensure that their systems are updated to support new requirements in order to successfully connect to the OFD platform once these changes are in effect.  

Download article about Open file delivery cipher changes

Clients Must Ensure Compliance When Processing International Visa, Visa Electron and Plus Card Transactions

REGIONS: US, Canada

3 OCT 2019

Clients are reminded to ensure all international transactions are correctly classified, processed and reported in accordance with the Visa Rules. Failure to comply with Visa processing requirements may render them subject to non-compliance assessments.

Visa Smart Debit / Credit Certificate Authority Annual Key Assessment

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

26 SEP 2019

The Visa Smart Debit / Credit Certificate Authority (CA) has extended the expiration date of the 1984-bit CA key. The expiration date of the 1408-bit CA key has not changed.

Download article about Visa Smart Debit/Credit Certificate authority annual key assessment

Reminder: Updated Policy for Subscription Merchants Offering Free Trials or Introductory Promotions

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

26 SEP 2019

Visa is reminding clients about changes to acceptance, disclosure and dispute policies for transactions at merchants that offer free trials or introductory promotions as part of an ongoing subscription service. The new policies will enable greater customer recognition, easier cancellation and clearer dispute rights. A flyer is also available now for distribution directly to merchants.

Download article about updated policy for subscription merchants

Updates to Transaction Receipt Requirements

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

26 SEP 2019

Visa is updating the rules to streamline requirements for transaction receipts by removing duplication and outdated / unnecessary data elements. The updates will also provide increased flexibility for transactions where receipts are required to be provided.

Download article about updates to transaction receipt requirements

Updated Non-Compliance Assessment Schedules for General and Willful Violations; New Significant Violations Schedule Introduced

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

26 SEP 2019

Effective 25 January 2020, Visa will update the non-compliance assessment schedules for general and willful violations, and introduce a new significant violation schedule.

Visa Secure Processing Requirements and Reminders

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

12 SEP 2019

Visa has compiled several processing requirements and reminders for processing 3-D Secure (3DS) 1.0.2 and EMV® 3DS transactions with Visa Secure.

Download the article about Visa Secure processing requirements and reminders

Visa Easy Payment Service Changes for Europe

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

12 SEP 2019

To align with the upcoming revised Payment Services Directive provisions and country requests for updated limits, a number of changes to the Visa Easy Payment Service program are being made in Europe.

Important Changes to 3-D Secure Rules to Support Strong Customer Authentication Compliance in Europe

REGIONS: US, AP, Canada, CEMEA, LAC

5 SEP 2019

To help move the e-commerce ecosystem to full strong customer authentication (SCA) compliance, Visa is making some important changes to help accelerate deployment of new 3-D Secure (3DS) technology. EMV® 3DS 2.2.0 provides key functionality which underpins the move to biometrics, the ability to take advantage of SCA exemptions and accommodates the delivery of a cryptogram in complex merchant use cases such as travel. All issuers, acquirers and merchants are expected to implement 3DS 2.2.0 by 14 September 2020.

Reminder: Upcoming PIN Security Program Changes

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

29 AUG 2019

Visa is reminding clients that Visa PIN Security Program participants will be required to use a Payment Card Industry (PCI) Qualified PIN Assessor for all on-site PIN assessments beginning 1 October 2019. All on-site PIN assessments beginning on 1 January 2020 and after must validate to version 3 of the PCI PIN security requirements.

Download article about PIN security program changes

Visa Chargeback Monitoring Program Renamed as Visa Dispute Monitoring Program

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

22 AUG 2019

The Visa Chargeback Monitoring Program will be renamed as the Visa Dispute Monitoring Program. Visa is also reminding clients of upcoming changes to fraud and dispute volume thresholds.

Numerics Initiative: Reinforcing the Importance of Smart BIN Management Policies

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

18 JUL 2019

Visa has implemented policies to support its Smart BIN Management strategy of responsible use of Bank Identification Numbers (BINs). This article reinforces the importance of these policies leading up to the April 2022 effective date for Visa clients to support the new eight-digit BIN standard.

Download article about importance of smart BIN management policies

Expanded Eligibility for Estimates and Incremental Authorizations

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

12 JUL 2019

Effective 18 October 2019, parking, electric vehicle charging and card-absent grocery merchants may use estimated authorization and incremental authorization requests.

Download article about expanded eligibility

New Merchant Category Code for Electric Vehicle Charging

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

11 JUL 2019

Clients should update their systems to account for a new electric-vehicle charging merchant category code (MCC).

Download article about new merchant category

Merchant Data Security Reporting for Acquirers Due 31 July 2019

REGIONS: US, Canada

11 JUL 2019

Acquirers must submit merchant validation reports to Visa by 31 July 2019.

Visa Analytics Platform Now Available

REGIONS: US, AP, Canada, CEMEA, LAC

27 JUN 2019

Visa Analytics Platform is launching globally with new application packages and applications.

Updated Policy for Subscription Merchants Offering Free Trials or Introductory Promotions

REGIONS: US, AP, Canada, CEMEA, LAC

20 JUN 2019

To enable greater customer recognition, easier cancellation and clearer dispute rights, Visa is updating its rules related to transactions at merchants that offer free trials or introductory offers as part of an ongoing subscription service.

Visa has policies, rules and requirements in place to regulate subscription and “negative option” merchants dating back to 2011, including express, informed consent from customers after required disclosures and a simple cancellation mechanism.

Upon further review of its existing rules, Visa recognizes that free trials or introductory offers that roll into ongoing subscriptions or recurring charges can lead to problems for cardholders and clients, including multimillion-dollar operational cost increases due to high call center volumes, customer complaints, write-offs and card closures / re-issuances. To address these concerns and help provide clarity for all parties, Visa is updating its acceptance, disclosure and cancellation policies effective 18 April 2020.

Additionally, Visa has identified potential solutions to the following pain points around notification, identification and resolution of issues with these transactions:

• Cardholder complaints and confusion. After taking advantage of a free trial • Disputes or introductory offer, cardholders often forget or do not understand that they had agreed to future transactions at the time of the original enrollment or purchase. They also find it difficult to cancel the subscription. This can lead to an increase in customer service contacts for both merchants and issuers.
• Tracking and monitoring difficulties. Currently, no mechanism is available to distinguish transactions involving promotional or introductory offers from any other subscription / recurring transaction. Helping cardholders to better identify these types of transactions is in all parties’ interest in order to reduce confusion and/or frustration, customer service issues and disputes.
• Lack of issuer clarity on available dispute rights. There is confusion regarding dispute rights for issuers to address recurring transactions after an initial free trial / promotional period ends. Some issuers raise disputes as “Fraud,” some as “Cancelled Recurring” and others as “Goods / Services Not Received.”

Subscription Merchant Transaction Policy Updates

The changes are designed to (1) promote an enhanced cardholder experience; (2) enable issuers to clearly identify these transactions; and (3) bring more specificity and clarity to the disputes requirements. With these changes, cardholders will be provided clearer information, enabling them to identify, recognize and take action on subscription transactions, reducing the need for disputes. Specifically, cardholders will benefit from:

• Opportunities to expressly acknowledge the ongoing subscription agreement
• Immediate confirmation of the terms of the agreement
• Proactive notification of future transactions
• Easier cancellation

The changes apply equally to merchants selling either physical or digital goods and services, if they offer free trials or introductory offers that roll into an ongoing subscription / recurring agreement. There are no new indicators or other changes to these transactions that issuers or acquirers need to cater for.

Download article about Updated Policy for Subscription Merchants

Annex to PCI SPoC Standard Published to Support Magnetic-Stripe Transactions

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

20 JUN 2019

The Payment Card Industry Security Standards Council (PCI SSC) has published an annex to the security standard for protecting PIN-based transactions on commercial off-the-shelf (COTS) devices. The annex defines security requirements for magnetic-stripe transaction acceptance with no PIN in Software-based PIN Entry on COTS (SPoC) solutions. The date for merchants accepting PIN-based transactions via COTS devices to use or transition to a PCI-validated SPoC solution has been extended to 31 December 2019.

In the 26 July 2018 edition of the Visa Business News, Visa announced the publication of the PCI SPoC security standard, which defines global industry security requirements and testing procedures for securing PIN-based transactions on COTS devices.¹ Due to security risks associated with primary account numbers and PINs on unsecure COTS devices, the standard was originally published to explicitly prohibit the acceptance of magnetic-stripe transactions.

Based on industry feedback and the need for continued support of magnetic-stripe transaction acceptance in some markets, PCI has published the Payment Card Industry (PCI) Software-based PIN Entry on COTS Magnetic Stripe Readers Annex, which defines security requirements for accepting magnetic-stripe transactions without PIN in a SPoC solution. The Payment Card Industry (PCI) Software-based PIN Entry on COTS (SPoC) Program Guide has been updated to align with the annex and outlines the elements of SPoC solutions, roles of parties involved in development, solution-testing process and validated solution-listing instructions.

(¹) A COTS device is a mobile device (e.g., smartphone or tablet) designed for mass-market distribution and which is not designed uniquely for payment transaction processing.

Visa SPoC Compliance Deadline

In order to support the transition to PCI-approved SPoC solutions, Visa has extended the deadline that requires all merchants accepting PIN-based transactions via COTS devices to use or transition to a compliant, PCI-validated SPoC solution to 31 December 2019.

The publication of the SPoC standard or the SPoC annex does not change any Visa requirement related to hardware PIN-entry devices. All existing Visa rules and requirements continue to apply, including Visa’s Honor All Cards policy. Visit the PCI SSC website for resources for locating PCI-recognized laboratories and validated SPoC solutions.

Visa Direct OCT Global Implementation Guide Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

30 MAY 2019

Visa has updated the Visa Direct Original Credit Transaction (OCT)—Global Implementation Guide. Clients and their partners that originate or receive Visa Direct original credit transactions (OCTs) should review the updated guide for information on how to enable and support services for a variety of use cases.

Account Funding Transaction Processing Guide Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

30 MAY 2019

Visa has updated the Account Funding Transaction (AFT): Processing Guide. Clients and their partners that originate or receive AFTs should review the updated guide for information on how to best support these transactions.

International Airline Program Reminder for Acquirers

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

23 MAY 2019

Visa’s International Airline Program allows acquirers to partner with qualifying airline merchants and on-board service providers in any jurisdiction. This helps airline merchants consolidate their acquiring relationships and meet the unique needs of airlines for a comprehensive global acquiring service in all countries where they sell their tickets.

Acquirers are reminded that the correct merchant outlet location must be reflected in the merchant contract and in transaction processing, and that they are only permitted to enter into interchange transactions from countries where they are lawfully entitled to acquire transactions.

Updated Activation Date for EMV® 3-D Secure in the U.S.

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

9 MAY 2019

Visa is updating the U.S. activation date for EMV 3-D Secure (formerly 3DS 2.0) to 31 August 2020. This date defines when fraud liability extends to non-participating issuers.

Visa Secure Rules Now Available in a Separate Program Guide

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

9 MAY 2019

Visa has created a new program guide that contains the rules for participating in Visa Secure using either 3-D Secure (3DS) 1.0.2 or EMV® 3DS.

New Visa Token Service Token Requestors: Braintree Payment Solutions and IP Solutions International

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

2 MAY 2019

Issuers should prepare to support new credential-on-file and e-commerce Token Requestor IDs for Braintree Payment Solutions and IP Solutions International.

Verified by Visa Will Be Rebranded as Visa Secure to Emphasize Online Transaction Security

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

28 Mar 2019

Starting in 2019, the Verified by Visa (VbV) program name will be rebranded to Visa Secure. The Visa Secure badge, combined with descriptive language emphasizing “your online transactions are secure with Visa,” will be the way consumers learn about Visa’s 3-D Secure (3DS) offering.

Existing VbV marks will be replaced with a Visa Secure badge across consumer-facing merchant and issuer channels, while all 3DS authentication screens will simply display the Visa logo.

Visa developed the 3-D Secure standard—currently branded for Visa cardholders as Verified by Visa— to provide merchants and issuers a way to authenticate the cardholder for card-not-present payments. Today, 3DS has become the industry-wide e-commerce authentication standard. 

Merchants are encouraged to use the Visa Secure badge and messaging when implementing the enhanced EMV 3DS technology. Starting 1 October 2019, merchants must use the new badge and messaging whenever EMV 3DS technology is used. Guidelines and communication materials are available to merchants via their normal channels.

Revised Implementation Dates for New Deferred Authorization Indicator

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

28 Mar 2019

Visa has extended the dates for implementing a new indicator for card-present and card-absent transactions when merchants defer transaction authorization. A deferred authorization occurs when a merchant cannot complete an authorization at the time of the transaction with the cardholder due to connectivity, systems issues or other limitations, and then later completes the authorization when it is able to do so.

To give issuers information when a deferred authorization takes place and to help Acquirers & merchants obtain more approvals on deferred authorizations, Visa previously announced that it would require merchants and acquirers to identify deferred authorizations by 12 April 2019. However, in response to feedback and to allow more time for clients to prepare their authorization systems, Visa has postponed the previously announced implementation dates for rules pertaining to deferred authorization indicators to April 2019, October 2019 and April 2021.

Beginning 12 April 2019 as optional, and becoming mandatory for all deferred authorization requests by 16 April 2021, an acquirer or merchant that submits a deferred authorization for a card-present or card-absent transaction must both:

• Include the deferred authorization indicator value of 5206 in the authorization request; and
• Obtain an authorization as follows:
  • For Merchant Category Code (MCC) 4111—Local and Suburban Commuter Passenger Transportation, Including Ferries; MCC 4112—Passenger Railways; and MCC 4131—Bus Lines: Within four days of the transaction date
  • For all other MCCs: Within 24 hours of the transaction date

Effective 18 October 2019, acquirers must be able to support sending this indicator if a merchant includes it, but will not be required to send it in all deferred authorization requests until 16 April 2021. Issuers are required to be able to receive the deferred authorization indicator effective 12 April 2019.

3-D Secure 1.0.2 product certification testing will be discontinued

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

14 Mar 2019

Effective 19 April 2019, Visa will discontinue certification testing of all 3-D Secure 1.0.2 products and licensing of the specifications.

Floor limits will be updated for countries in the europe region

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

14 Mar 2019

Clients should update their systems to comply with upcoming changes to floor limits in multiple markets in the Europe region, effective 18 October 2019.

Updates to PIN Assessors and Requirements for PIN Security Program

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

28 FEB 2019

Visa Approved PIN Security Assessors are migrating to a new assessor program managed by the Payment Card Industry Security Standards Council (PCI SSC). Visa PIN Security Program participants will be required to use a PCI Qualified PIN Assessor (QPA) for all on-site PIN assessments beginning 1 October 2019. 

All on-site PIN assessments beginning on 1 January 2020 and after must validate to version 3 of the PCI PIN security requirements.

Updated PCI SSC Publications Available to Assist With Security Efforts

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

7 FEB 2019

The PCI SSC, which develops and manages payment card security standards to protect payment card data, has updated two previously published information supplements to provide additional security guidance to address compliance, data security challenges and evolving technology. 

Visa encourages all organizations to review the following updated materials and share them with customers, as appropriate: 

Information Supplement: Protecting Telephone-Based Payment Card Data, Version 3.0: Discusses fundamental principles associated with applying Payment Card Industry Data Security Standards (PCI DSS) and best practices for securing telephone-based account data in a telephone environment. 

Best Practices for Maintaining PCI DSS Compliance, Version 2.0: Provides best practices for maintaining compliance with PCI DSS after an organization has already undergone an initial PCI DSS assessment and successfully achieved compliance.

Visa Dispute and Fraud Monitoring Programs Will Be Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

7 FEB 2019

Effective 1 October 2019, as part of Visa’s ongoing assessment and updates to meet prevailing trends, Visa will apply new thresholds to improve the efficiency of the Visa Fraud Monitoring Program, the Visa Chargeback Monitoring Program and the Visa Acquirer Monitoring Program.

PCI SSC Publishes New Software Security Framework

REGIONS: US, AP, Canada, CEMEA, LAC, Europe

17 JAN 2019

To facilitate secure, reliable and accurate payments, the systems and software used as part of the transaction flow must be designed, developed and maintained in a manner that protects the integrity of payment transactions and the confidentiality of all sensitive data that they store, process or transmit. 

The Payment Card Industry Security Standards Council (PCI SSC) has published the new Software Security Framework in order to provide software vendors with updated security requirements and assessment procedures for payment software. 

In this initial publication, the Software Security Framework includes two standards:

• The Secure Software Standard, intended for software vendors that develop payment software that is sold, distributed or licensed to third parties, outlines security requirements and assessment procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data. 
• The Secure Software Lifecycle (Secure SLC) Standard outlines security requirements and assessment procedures for software vendors to validate how they properly manage the security of payment software throughout the software lifecycle. 

Both standards are designed for use as part of the PCI Software Security Framework and are intended for software vendors that develop software for the payments industry. Software vendors wishing to validate payment software under the PCI Software Security Framework should use the PCI Secure Software Standard. In addition, software vendors may opt to validate their Secure SLC practices for that payment software using the PCI Secure SLC Standard. 

Transition from the Payment Application Data Security Standard  

While the PCI Software Security Standards include elements of the Payment Application Data Security Standard (PA-DSS), the standards represent a new approach for securely designing and developing both existing and future payment applications. The overarching PCI Software Security Framework is designed to support a broader array of payment software types, technologies and development methodologies currently in use and also to support future technologies and use cases.  

Visa clients, as well as their agents and merchants, must use only secure, validated payment applications that do not retain prohibited data elements. While the PA-DSS and Software Security Framework is intended for payment software that is sold, distributed or licensed to third parties, payment software that is developed in-house or customized for a single customer can also benefit when the requirements are applied as a best practice.