Card Association rules and regs 2007: Get ready for scrutiny
By David H. Press, Integrity Bankcard Consultants Inc.
Article published in Issue Number: 070101
Last January, I wrote that ISOs better do something about Payment Card Industry (PCI) Data Security Standard (DSS) compliance. That still holds true for 2007.
In December 2006, Visa U.S.A. announced it will offer $20 million in financial incentives and create new sanctions to further merchant compliance with PCI. The new effort, which Visa calls the Visa PCI Compliance Acceleration Program (PCI CAP), provides positive reinforcement to the industry's traditional fine-only approach.
"By combining both incentives and fines, we expect acquirers to increase their efforts with merchants to accelerate their progress toward becoming PCI-compliant and eliminating the storage of sensitive card data. Nothing is more important to Visa than securing commerce," Visa stated.
The Visa program targets acquirers responsible for the largest 1,200 merchants, known as level 1 and 2 merchants, who each process more than 1 million Visa transactions a year. The initiative's goal is to eradicate the storage of full-track data, Cardholder Verification Value 2 (CVV2) data and PIN data, and grow PCI compliance among this merchant group.
Visa reports current PCI compliance among level 1 merchants at just 65% and only 15% among level 2 merchants. And the majority in both levels are actively working toward compliance.
Linking compliance to interchange
Visa is investing up to $20 million in an incentive fund payable to the acquiring financial institutions of the 1,200 targeted merchants who have already validated or will validate PCI compliance by Aug. 31, 2007, and have not been involved in a data compromise.
In addition, Visa will link the benefits of tiered interchange rates to PCI compliance, creating an additional security incentive for the acquirers of large merchants. If you process for any of these merchants, you will need to work with them to bring them into compliance and qualify for the incentives.
"To qualify for an incentive payment, acquirers of level 1 and 2 merchants who have validated full compliance with the PCI DSS by March 31, 2007, will be eligible to receive a one-time payment for each qualifying merchant," Visa stated.
"Acquirers whose level 1 and 2 merchants validate compliance after March 31, 2007, and prior to August 31, 2007, will be eligible to receive a reduced one-time payment for each qualifying merchant."
Effective Oct. 1, 2007, acquirers whose transactions qualify will be eligible to get lower interchange rates for both Visa and Interlink tiers for merchants generating PCI-compliant transactions.
The PCI CAP includes acquirer fines for data compromises involving merchants of any size. Fines also will be assessed on acquirers that failed to confirm that full-track data is not retained or did not provide a PCI compliance plan for their level 1 merchants by Sept. 30, 2006.
Visa reported it had to date levied $4.6 million in fines in 2006, up from the 2005 total of $3.4 million. The company is adding new fines to acquirers whose level 2 merchant customers retain full-track data, CVV2 data or PIN data after transaction authorization.
"For prohibited data storage, acquirers failing to provide confirmation that their level 1 and 2 merchants are not storing full track data, CVV2 or PIN data by March 31, 2007, will be eligible for fines up to $10,000 a month per merchant, subject to escalation in the event material progress toward compliance is not made in a timely manner," Visa stated.
"Acquirers will be fined between $5,000 and $25,000 a month for each of its level 1 and 2 merchants who have not validated by Sept. 30, 2007, and Dec. 31, 2007, respectively."
Here are some of the other back-office and card Association issues ISOs and merchant service providers should expect to address in 2007.
Illegal transactions
ISOs should be especially concerned about processing Internet gambling and other illegal transactions in light of the Unlawful Internet Gambling Enforcement Act of 2006, which makes Internet gambling illegal throughout the United States.
The act states that no person "engaged in the business of betting or wagering may knowingly accept any money transfers in any way from a person participating in unlawful Internet gambling. This includes credit cards, electronic fund transfers and even paper checks."
While the law does not appear to cover payment processors directly (except under a theory of aiding and abetting), the transactions are illegal. Both Visa and MasterCard rules prohibit the processing of any illegal transactions. They will continue to enforce these rules.
Both card Associations have issued fines for processing transactions they have identified as illegal, including gambling, prescription drugs, pornography and the sale of cigarettes over the Internet. The prudent ISO should not be processing for any merchants doing these types of transactions in 2007.
Offshore merchants
U.S.-based merchants selling products primarily to Americans but processing transactions offshore have been on the card Associations' radar for some time. Expect a heightened level of card Association scrutiny in this area in 2007.
Acquirer liability for fraudulent merchants
Card issuers are likely to file compliance cases to transfer their losses due to acquirers signing up fraudulent merchants. (If a member has no chargeback or re-presentment right, it may file a written complaint against another member for a violation of card Association rules and regulations. That is, if the filing member incurred or will incur a financial loss as a direct result of the violation and if said member would not have incurred the loss had the violation not occurred.)
For example, card Association rules require acquiring members to enter directly into a written merchant agreement with each merchant from which they acquire transactions. They may not submit into interchange any transactions from merchants lacking valid merchant agreements.
Members are also responsible for merchant compliance with card Association rules and regulations. They must ensure that all their merchants comply with applicable standards. And members are responsible to the card Associations as well as other members for merchants' failure to do so.
Members must take all necessary and appropriate actions to ensure merchant compliance, such as reviewing merchant deposit records and transaction procedures.
Before entering into, extending or renewing a merchant agreement, members must verify that the merchant involved is a bona fide business and that the transactions will reflect legitimate business between the merchant and the cardholder. This means you'd better get that site inspection done and do the appropriate underwriting.
Another rule requires that merchants present to acquirers only valid transactions between them and bona fide cardholders. Merchants must not present transactions that they know or should have known are fraudulent or not authorized by cardholders, or that are authorized by a cardholder who is in collusion with the merchant for fraudulent intent.
As you can see, it is not difficult for an issuer to find violations that enable it to transfer its losses to ISOs and merchant level salespeople. Review the card Association rules and regulations to ensure that your underwriting and risk monitoring processes are up to snuff.
David H. Press is Principal and President of Integrity Bankcard Consultants Inc. Call him at 630-637-4010, e-mail him at dhpress@ibc411.com or visit www.ibc411.com