As your payments partner, we are committed to keeping you up-to-date with industry changes and card brand developments. There are 7 updates and reminders included here. To avoid potential inclusion in a non-compliance programme and potential non-compliance fees please scroll to ensure you act upon all which are relevant to you and your payments processing.
All card brands have agreed an industry-wide transition from 3D Secure (3DS) 1 to EMV 3D Secure 2.x since the EMV 3DS specification was published in October 2016.
The final sunset date for 3DS 1 is October 15, 2022, after which Visa and Mastercard will no longer support 3DS 1 transactions for cardholder authentication.
The key milestones leading up to the sunset date have been:
· Visa discontinued support of 3DS 1.0.2 Attempts Server for non-participating issuers from October 16, 2021. If an issuer continues to support 3DS 1.0.2, the issuer can respond to 3DS requests with a fully authenticated response and a Cardholder Authentication Verification Value (CAVV) with merchants obtaining fraud liability protection.
· Mastercard also stopped generating attempts transactions from October 2021, however issuers can still generate attempts transactions from their own ACS servers. 3DS 1.0 fully authenticated transactions will continue to be supported after this date with issuer fraud liability.
With technological improvements and a growing demand for sustainable energy, electric vehicles are becoming more widely used. Charging stations are being deployed in a variety of environments, including both private and public locations such as fuel stations, grocery stores and parking lots.
Before October 2019, transactions involving electric vehicle charging (EVC) fitted under two MCC categories, either
· MCC 5542—Automated Fuel Dispensers, or
· MCC 7523—Parking Lots, Parking Meters and Parking Garages
Since October 2019, Visa instituted MCC 5552—Electric Vehicle Charging for global use. If a merchant charges for both parking and EVC, you should use the MCC that reflects your primary business or highest sales volume. It is also acceptable to use two MCCs (MCC 7523—Parking and MCC 5552—EV Charging) separately, if preferred, to make it more transparent for the cardholder.
EV charging merchants will have two options for authorising transactions:
· Authorising for a known amount
· Authorising for an estimated amount (pre-authorisation) and using incremental authorisations
Pre-authorisations should be used to reflect the anticipated amount of the transaction when the final amount is not known.
What you need to do:
Ensure you are using the correct MCC code if you are offering electric vehicle charging services to customers.
If you are using a third-party point-of-sale (POS) terminal, you should contact your service provider to ensure they are aware and have implemented the processing rules above.
Between 2024 and 2033, Mastercard will gradually retire the physical magnetic stripe from the back of cards, improving the security of card payments.
From April 2024, all chip-capable POS terminals in Europe must be able to correctly process cards that contain a chip but not a physical magnetic stripe. This is to ensure that there are no acceptance issues for the duration of the retirement schedule.
The schedule for retiring the issuance of chips cards with no physical magnetic stripe is as follows:
· From April 2024, newly issued EMV chip cards in the Canada, Europe, Latin America and the Caribbean, Middle East/Africa, and Asia/Pacific may optionally not have a physical magnetic stripe
· From April 1, 2027, issuers will be allowed to issue new chip cards without the magnetic stripe in the U.S region
· From April 1, 2029, issuers will be allowed to issue new chip cards without the magnetic stripe globally.
· From April 1, 2033, all cards in circulation globally must support the EMV chip technology and must not have a physical magnetic stripe.
Pre-paid cards (both reloadable and non-reloadable) in the U.S. and Canada regions, and non-reloadable prepaid cards in all other regions, are exempt from this requirement. Cards issued in Switzerland are also exempt from these requirements.
What you need to do:
If you are using an Elavon POS terminal, you have no action to take, as we look after this for you. If you are using a third-party POS terminal, you should contact your service provider to ensure they are updating their systems and your POS terminals to correctly process chip cards without the physical magnetic stripe from April 2024.
Mastercard is implementing new requirements to help ensure a more positive cardholder experience and to mitigate negative practices associated with the use of subscription/recurring payments and negative option billing.
The negative option billing model refers to merchants offering free or low-cost digital goods (e.g. streaming service, club membership) for a trial period, after which the cardholder is automatically enrolled into a subscription plan. High-risk negative option billing merchants are merchants that operate this model for physical goods such as dietary supplements and healthcare products.
What you need to do:
If you offer your customers subscription/recurring payments, negative option billing for digital or physical products you must familiarise yourself and ensure you comply with all requirements below.
All requirements will become effective from March 22, 2022, except the requirement regarding disclosure at the point of payment. The requirement regarding disclosure at the point of payment will become effective from September 22, 2022.
Mastercard is rolling out a Europe region-wide roadmap to achieve a network migration from EMV 3DS 2.1 to EMV 3DS 2.2 effective from October 14, 2022. As part of this announcement, Mastercard not only requires support for EMV 3DS 2.2, Mastercard also require the support of relevant EMV 3DS features to strengthen support of the Payment Services Directive 2 (PSD2) regulation and deliver performance improvements not delivered since the introduction of EMV 3DS.
These additional mandated features will include:
· Authentication app re-direction, eliminating the need for additional cardholder interaction to complete the out of band app transactions
· Additional insights on the challenge flow performance to facilitate monitoring and problem resolution
While Mastercard will require customers to support EMV 3DS 2.2, it will not require that all transactions are sent using this version of the protocol.
Following a recent review of authentication and fraud performance, Visa have reclassified cardholder-initiated, device-based secure element token transactions with Electronic Commerce Indicator (ECI) 05 (Fully Authenticated Transaction).
These transactions were previously classified as ECI 07 (Non-secure ecommerce) with merchant liability.
Visa rules no longer permit disputes for fraud-related disputes on cardholder-initiated ecommerce transactions where:
· The Token Authentication Verification Value (TAVV) is included in the authorisation request from the acquirer, and successfully validated by the Visa Token Service (VTS), and
· The token type is 02 (secure element)
Visa may choose to suspend this ECI 05 classification and allow issuer disputes if fraud rates are seen to increase.
What you need to do:
You should contact your gateway support team to ensure they submit the ECI value provided by VTS with the TAVV token cryptogram when submitting the transaction to authorisation and ensure the same ECI value is used in the Elavon settlement file.
Each Visa chip or contactless card supporting offline data authentication (ODA) or offline enciphered PIN, must contain an issuer public key (IPK) certificate that is provided to the issuer by the Visa Smart Debit / Credit (VSDC) Certificate Authority (CA) and signed by a VSDC CA private key. To validate the certificate and recover the data it contains for the successful completion of ODA or offline enciphered PIN, the terminal needs to contain the corresponding VSDC CA public key. Visa continually assesses the expiration date of public keys, based on EMVCo recommendations and its own security reviews. This is to schedule the expiration dates of the VSDC CA keys while they are still considered secure.
The VSDC CA provides three key certificate lengths to issuers:
· 1536-bit (for host card emulation in support of transit only)
Visa issuers may personalise certificates signed by the 1408-bit or the 1984-bit CA key on their cards when the expiration date of the card does not exceed the expiration date of the certificate.
The Visa Smart Debit / Credit Certificate Authority (CA) has extended the expiration date of the 1984-bit CA key. The expiration date of the 1408-bit CA key has not changed.
Effective immediately, the expiration dates are as follows:
· December 31, 2024: For the production VSDC CA 1408-bit public key (expiration date unchanged)
· December 31, 2031: For the production VSDC CA 1984-bit public key (expiration date extended by one year; previous expiration date was December 31, 2030)
What you need to do:
If you are using an Elavon POS terminal, you have no action to take as we look after this for you. If you are using a third-party POS terminal, you should contact your service provider to ensure they have the correct Visa public keys with correct expiration dates loaded into the terminals supporting ODA or Offline Enciphered PIN.