Card brand changes: February 2021

In 2020, we advised you of new requirements from Visa which updated acceptance, disclosure and dispute policies for transactions that offer free trials or introductory promotions as part of an ongoing subscription service.

American Express has issued matching requirements for this sector. With effect from April 2021, you must:

• Disclose the material terms of the offer clearly and conspicuously, including a simple and expeditious cancellation process that allows cancellation before first billing occurs.
• Obtain express consent to enter into the terms and conditions of offer.
• Send a confirmation notification in writing upon enrolment.
• Send a reminder notification before the first billing occurs, which allows a reasonable amount of time to cancel.

Visa’s original announcement also called for the inclusion of an ‘enhanced descriptor’ in the Merchant Name field of the Clearing Record, from April 2021.  Visa has now removed this requirement.
 

Action required:

With Visa removing the requirement for the new descriptor, it is no longer necessary to re-certify your solutions.

You should, however, review your joining processes immediately. Visa’s flyer on the subject is still available and provides an overview of the requirements.

To enable greater transparency and reduce fraud, Mastercard is introducing a requirement for all merchants to be referred to Mastercard’s new Logo Microsite, where you can provide business logos that can be used to provide enriched post-transaction data to cardholders to help them identify valid purchases and reduce billing problems.
 

You can use the site to share your business logos and other information, such as physical business addresses, contact information and sales policies.
 

Participating issuers can then use an API to obtain digital logos and display them with corresponding transactions in their digital banking applications. This transparency should ultimately result in fewer chargebacks associated with unnecessary billing disputes when a cardholder does not recognise a merchant.

Action required:

Elavon asks that you consider entering your business’ logo at the Logo Microsite.

• Logos can be in SVG (recommended), JPG or PNG formats, with a file size up to 5Mb.
• Square logos or images with a square background will work best.

Elavon is pleased to announce that we have made our systems ready to support China UnionPay eCommerce transactions with the new EMV 3D Secure 2.0 version.
 

We are looking for a payments partner that wishes to use this functionality to help us complete our end-to-end certification, so that we may begin supporting merchants with this new functionality.
 

Action required:

Interested partners can contact Elavon to arrange accreditation through your relationship manager.

Visa has published a guide designed to assist you in securing your eCommerce websites and protect your customer’s payment card data.
 

With the recent end of support for the Magento platform, some online stores will lose all access to new features, functionality updates, bug fixes and support from Adobe. Most importantly, any future vulnerabilities will no longer be addressed with new security patches from the company, leaving the unsupported versions of Magento exposed to security or data-compromise incidents.
 

However, Magento is not the only targeted website platform and so the purpose of this guide is to provide recommendations on keeping your websites secure.

Account enumeration is a prolific problem that affects issuers, merchants and acquirers globally.
 

Cybercriminals are taking advantage of big data and artificial intelligence to find and exploit new vulnerabilities. To conduct fraudulent eCommerce transactions, cybercriminals use scalable and programmatic automated testing of common payment fields, a method also known as account enumeration.
 

Visa has provided a white paper that gives a merchant overview on implementing mitigation techniques to help bolster their merchant website and ensure they are not susceptible to these enumeration attacks.

Deferred authorisation occurs when a merchant cannot complete an authorisation at the time of the transaction due to connectivity, systems issues or other limitations, and completes the authorisation later.
 

As we advised previously, Visa has created a new indicator to be included in all deferred authorisation requests from April 2021.
 

Action required:

Elavon systems were updated to support the indicator from mid-October 2019. You are required to include a deferred authorisation indicator in any deferred authorisations by April 2021 at the latest. Elavon will support earlier implementations.
 

If you’re using a third-party solution, you should contact the vendor to validate timeframes and any code or process changes that apply to your point-of-sale environment.
 

You are also reminded to ensure adherence to general rules for the submission of deferred authorisations, namely:

• Deferred authorisation must be submitted within one day of the actual transaction date.
• Exceptions to this are businesses with a Merchant Category Code (MCC) of 4111 (Local and Suburban Commuter Passenger Transportation, Including Ferries); MCC 4112 (Passenger Railways); and MCC 4131 (Bus Lines). For these MCCs, transactions should be submitted for authorisation within four days of the actual transaction date.

Following the European Banking Authority’s clarification that, in order to meet dynamic linking requirements, the final authorised amount of a transaction cannot be higher than the originally authenticated amount, Visa made the following changes within the European Economic Areas (EEA):

• Removed authorisation tolerance limits that allowed merchants to clear an amount greater than the authorised amount (for example, adding up to 20% when a gratuity is applied).
• Allowing all eCommerce merchants in the EEA to use pre-authorisations in the event that the final transaction amount is anticipated to differ from the initial authorised and authenticated amount.  Historically this function was only available to customers in the Travel & Entertainment (T&E) sectors.

In the UK, all eCommerce merchants will be extended the permission to use estimated authorisations where applicable, from 17 October 2021.
 

Discussions are underway with the UK Financial Conduct Authority regarding a reasonable variation to authorisation amounts in the UK. Until those discussions conclude, UK customers are still permitted to clear up to 15% greater than the authenticated amount.
 

If you’re a T&E customer, you’ll be well versed already on the use of pre-authorisations. If you are not, Elavon would like to share some basic considerations if you’re considering their use:
 

Handling amount variations when cardholder can no longer authenticate.
 

You have two options when dealing with an unknown final transaction amount in a Cardholder Initiated Transaction (CIT) where the final amount increases due to circumstances not initiated by the cardholder:
 

Option 1: Perform a Merchant Initiated Transaction (MIT) incremental authorisation (preferred)
 

When you know that a final amount may vary and the cardholder is no longer available to authenticate the increase, you can process the initial authorisation with the “known” amount at check-out and add an additional unauthenticated authorisation amount as an MIT (submit the transaction in two parts, the initial CIT pre-authorisation and an MIT top-up)
 

Option 2: Perform initial authentication for the highest estimated amount
 

When you perform the initial pre-authorisation, authenticate for the highest possible estimated amount that would cover any anticipated amount variation.
 

This option may cause customer confusion or cart abandonment if the cardholder is unclear why they are being asked to authenticate for a higher amount than the checkout value of the goods or services, so it is essential that if you’re pursuing this option you clearly communicate to the customer, prior to authentication, that:

• They are being authenticated for a maximum authorisation amount.
• They will only be charged for what they purchase (which may be lower than the authenticated amount) and for any other relevant charges not yet known (e.g. shipping and taxes).
• No charges will appear on their card statement until the order is finalised.

Option 2 relies heavily on your ability to generate an electronic reversal message, along with the clearing message. While the clearing message advises the Issuer of the exact final amount, the reversal message is needed to release the remaining part of the reserved funds.  Without this, the funds can remain reserved indefinitely, causing cardholder frustration.
 

SCA considerations
 

Under PSD2 Strong Customer Authentication (SCA) rules, an exemption may apply to some transactions under Option 2 above, where exemption qualification criteria are met.
 

For transactions where SCA is applied, you cannot simply process an additional authorisation or top-up without the customer initiating a new transaction—even if a transaction for the additional amount would qualify for an exemption—because exemptions can only be applied to CITs.
 

MITs cannot be processed without prior customer consent and authentication. Upon contacting the cardholder, you have the choice to:

• Authenticate for the new total final amount and submit one final authorisation with this amount (exemptions can be used if applicable), in which case any initial authorisation prior to this must be reversed in full, or
• Authenticate only for the additional amount (exemptions can be used if applicable) and submit two authorisations, for the initial amount and the additional amount, each with their respective authentication value or exemptions indicators, as applicable.

Mastercard’s Identity Check solution (previously ‘SecureCode’) helps ensure continued security of eCommerce devices and the growing volume of transactions.
 

In order to ensure systematic protection for recurring transactions authorised through the Mastercard Identity Check Directory Server, Mastercard has created additional authentication solutions beyond fully authenticated (SLI 212) and attempts processing (SLI 211).
 

These new solutions include IDC Insights (SLI 214), acquirer exemption (SLI 216) and recurring transactions (SLI 217).
 

Insights and exemptions do not have chargeback protections. They must, however, have the SLI values matched between the authorisation and clearing systems.
 

Recurring transactions do carry chargeback rights similar to fully authenticated and must also have SLI values matched between the authorisation and clearing systems.
 

This is especially important for customers that split their transactions through two different processors/acquirers.
 

Action required:

Ecommerce customers are asked to ensure you are sending matching SLI values in your authorisation and clearing messages.

Credential-on-file (COF) is the process where cardholder details are stored against an account for use in future purchases.
 

With immediate effect and in order to support the continued implementation and standardisation of COF, Visa has introduced a revised logo which customers and partners need to add or replace on websites that are offering COF functionality to the cardholder.

Action required:

Ecommerce card-on-file customers should make this change immediately.

The artwork files can be obtained by emailing us here.