GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

PCI: The 'little engine that could' gains steam


Industry Update

Eureka! HMS has conference hosting down

Visa muscles to squelch risk

Interchange under attack

Visa identifies apps storing sensitive data

Restaurants most vulnerable to data breaches


Mind on the ATM money

Tracy Kitten

Industry Leader

Kim Fitzsimmons –


Payments: A very large space

Patti Murphy
The Takoma Group


Street SmartsSM:
To certify or not to certify: That is the MLS question

Dee Karawadra
Impact PaySystem

What if my ISO tanks?

Adam Atlas
Attorney at Law

Ten myths muddling PCI mastery

Ross Federgreen

Statement analysis for cave men

Jason Felts
Advanced Merchant Services Inc.

Getting wise to wireless security

Joel and Rachael Rydbeck
Nubrek Inc.

Help desk quality check

Biff Matthews
CardWare International

Company Profile

WAY Systems Inc.

Premier Payment Systems

New Products

No-brainer protection on smart cards

Smart Card Guard
National Envelope Corp.

Fort Knox for merchant data

3Delta Systems Inc.

A new Vu of IP device management

NetVu version 2.3
Precidia Technologies Inc.


What about you?



Resource Guide


A Bigger Thing

The Green Sheet Online Edition

May 29, 2007  •  Issue 07:05:02

previous next

Visa muscles to squelch risk

New initiatives by Visa U.S.A. control merchant risk on a granular level through greater scrutiny. The Association revamped its Risk Identification Service (RIS) for acquirers, establishing a remediation timeline, streamlining the process and making all communications and reports available online.

Visa also issued new rules restricting who may be known as an Internet payment service provider (IPSP).

More data mojo

Called RIS Online, the new service gives Visa members the tools to "drill down" into fraud risk data by merchant and category, allowing them to generate a variety of reports and analyze the information in a number of ways, Ginger Bergman, Director of Visa's Acceptance Risk & Compliance Group, said at a Compliance Day seminar at the 2007 Electronic Transactions Association Annual Meeting & Expo.

A pilot program began in February 2007. The system was to go live May 1. It is currently for domestic acquirers only.

"Instead of 10 to 20 notices a week, you're going to get one a month," she said. Because all notifications will be electronic, members will not be able to claim they didn't receive them.

"No more 'The dog ate my homework,'" she said. "Anything you need to send back to us, such as questionnaires or the fraud-reduction program, will all come in through the program electronically."

A high-impact workout

"If you understand the chargeback monitoring program, you can understand the RIS Online program," Bergman said. It follows a set schedule. Initial notification that a merchant has exceeded a fraud threshold is followed by a 90-day workout period.

Thereafter, escalating fees (from $10,000 to $100,000 per month) are charged during a six-month remediation period as long as the merchant is out of compliance. Then, if the situation has not returned to normal thresholds, disqualification follows.

The program's parameters will be listed on the Visa members' site. "You've never had access to them before," Bergman said. "We want you to know what they are."

Twenty initial parameters have been established by merchant category code (MCC), channel and fraud type. Initially, nine category codes are affected:

Channel parameters include Verified by Visa and chip cards.

The top 10 MCCs account for as much as 90% of the fraud in the payments system, Bergman said.

Unlike the legacy RIS system, the new program's parameters will be continually reviewed and adjusted. "As a new trend pops up - say [fraud at] gas stations in Florida - we'll have that in here ... and you can then put that into your decisioning practices," she said. Visa likely will change parameters no more than twice a year.

RIS Online will provide the following:

The system is "really about understanding fraud, addressing fraud proactively and helping you guys get the information you need to reduce fraud in the system," Bergman said. "If [merchants] exceed one of the thresholds and get close on the other two, we're going to tell you."

Although only for domestic reporting, the system takes cross-border transactions into account.

The global minimum standard threshold is considered to have been exceeded for merchants with 25 or more interregional transactions, $45,000 or more in interregional fraud and a 2.5% fraud-to-sales ratio. The pilot program had already identified two such merchants, Bergman said.

New IPSP moves

To better control high-risk merchant processing, Visa also issued new rules on IPSPs, Bergman said.

Merchants accepting payments both over the phone and the Internet are no longer considered IPSPs, she said.

"There are a lot of high-risk merchants in [that designation]," Bergman said. "We wanted to look at how to mitigate that risk." Visa now requires registration of all IPSPs and minimum tier one capital requirements of $100 million. Registration fees for IPSPs are waived through June 2007.

Quarterly reporting requirements will be enforced beginning in July. Monthly activity reporting must include each merchant's MCC, sales count and amount, and chargeback count and amount.

Visa expects IPSPs to monitor their Web merchants daily. Any sponsored merchants who exceed 1% should be "remediated." Bergman said, "Once that merchant blows up, we don't want the rest of [an IPSP's] volume from other merchants to mask that problem."

Visa considers designating each IPSP by MCC to be a best practice, but does not require it yet. "Right now, we want to know who these people are in this system," Bergman said.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | Simpay | USAePay | Impact Paysystems | Board Studios