Customer Resource Centre
News and insights
Elavon Customer Service: 0818 20 21 20
Opayo Product Support: 01 240 8731
News and insights
As your payments partner, we are committed to keeping you up-to-date with industry changes and card brand developments. There are 7 updates and reminders included here. To avoid potential inclusion in a non-compliance programme and potential non-compliance fees please scroll to ensure you act upon all which are relevant to you and your payments processing.
All card brands have agreed an industry-wide transition from 3D Secure (3DS) 1 to EMV 3D Secure 2.x since the EMV 3DS specification was published in October 2016
The final sunset date for 3DS 1 is October 15, 2022, after which Visa and Mastercard will no longer support 3DS 1 transactions for cardholder authentication.
The key milestones leading up to the sunset date have been:
If you are unsure whether you are processing on EMV 3DS 2.x, you should contact your gateway support team to ensure readiness ahead of the October 2022 3DS 1 sunset date. Visa have issued two useful documents to support you in this infographic and Best Practice Guide.
With technological improvements and a growing demand for sustainable energy, electric vehicles are becoming more widely used. Charging stations are being deployed in a variety of environments, including both private and public locations such as fuel stations, grocery stores and parking lots.
Before October 2019, transactions involving electric vehicle charging (EVC) fitted under two MCC categories, either
Since October 2019, Visa instituted MCC 5552—Electric Vehicle Charging for global use. If a merchant charges for both parking and EVC, you should use the MCC that reflects your primary business or highest sales volume. It is also acceptable to use two MCCs (MCC 7523—Parking and MCC 5552—EV Charging) separately, if preferred, to make it more transparent for the cardholder.
EV charging merchants will have two options for authorising transactions:
Pre-authorisations should be used to reflect the anticipated amount of the transaction when the final amount is not known.
Ensure you are using the correct MCC code if you are offering electric vehicle charging services to customers.
If you are using a third-party point-of-sale (POS) terminal, you should contact your service provider to ensure they are aware and have implemented the processing rules above.
Between 2024 and 2033, Mastercard will gradually retire the physical magnetic stripe from the back of cards, improving the security of card payments.
From April 2024, all chip-capable POS terminals in Europe must be able to correctly process cards that contain a chip but not a physical magnetic stripe. This is to ensure that there are no acceptance issues for the duration of the retirement schedule.
The schedule for retiring the issuance of chips cards with no physical magnetic stripe is as follows:
Pre-paid cards (both reloadable and non-reloadable) in the U.S. and Canada regions, and non-reloadable prepaid cards in all other regions, are exempt from this requirement. Cards issued in Switzerland are also exempt from these requirements.
If you are using an Elavon POS terminal, you have no action to take, as we look after this for you. If you are using a third-party POS terminal, you should contact your service provider to ensure they are updating their systems and your POS terminals to correctly process chip cards without the physical magnetic stripe from April 2024.
Mastercard is implementing new requirements to help ensure a more positive cardholder experience and to mitigate negative practices associated with the use of subscription/recurring payments and negative option billing.
The negative option billing model refers to merchants offering free or low-cost digital goods (e.g. streaming service, club membership) for a trial period, after which the cardholder is automatically enrolled into a subscription plan. High-risk negative option billing merchants are merchants that operate this model for physical goods such as dietary supplements and healthcare products.
If you offer your customers subscription/recurring payments, negative option billing for digital or physical products you must familiarise yourself and ensure you comply with all requirements below.
All requirements will become effective from March 22, 2022, except the requirement regarding disclosure at the point of payment. The requirement regarding disclosure at the point of payment will become effective from September 22, 2022.
No less than 3 days and no more than 7 days before the end of the trial period, or whenever terms and conditions change, the merchant must send a reminder to the cardholder advising that the subscription plan will automatically commence if the cardholder does not cancel. This notification must include the terms of the subscription and instructions about how to cancel, and the notification may be sent via email or any electronic method.
All subsequent recurring payment transactions must be processed using the same Merchant ID and Merchant name as used for the initial payment transaction.
After the trial period has expired, you must provide the following information to the cardholder and receive the cardholder’s explicit consent in relation to this information before you submit an authorisation request for the initial recurring payment transaction:
After the cardholder has provided consent, you may not change this date; however, a later payment date may be offered prior to consent, if the authorisation is declined due to insufficient funds.
Each time you receive an approved authorisation request, you must provide the cardholder with a transaction information document (TID) through an email or other electronic communication method (such as an SMS text message) including instructions for terminating the recurring payment transaction cycle.
If you provide a cardholder with a TID after a declined authorisation request, the TID must state the reason for the decline response.
You must provide the cardholder with written confirmation in either hard copy or electronic format when either or both of the following events occur:
Note: a trial period means a pre-set length of time during which the cardholder may evaluate the characteristics of the product, such as its quality or usefulness, to determine whether the cardholder wants to either:
Purchase the product on a one-time basis or recurring basis, or
Return the product (if possible) to the negative option billing merchant.
You must clearly disclose the basic terms of the subscription at the point of payment and capture the cardholder’s acceptance of such terms. The disclosure must include the price that will be billed and the frequency of the billing (for example, "You will be billed GBP 9.95 per month until you cancel the subscription"). Merchants that use a negative option billing model must also disclose the terms of the trial, including any initial charges, the length of the trial period, and the price and frequency of the subsequent subscription (for example, "You will be billed GBP 2.99 today for a 30-day trial. Once the trial ends, you will be billed GBP 19.99 each month thereafter until you cancel.")
You must send a confirmation by email, or any other electronic method, at the time of enrolment in a subscription/recurring billing plan that provides the terms of the subscription, including the terms of a trial period when applicable, and clear instructions about how to cancel the subscription.
You must send a receipt by email, or any other electronic method, after every billing that includes clear instructions for how to cancel the subscription.
You must provide an online or electronic cancellation method (like unsubscribing from email or any other electronic method).
For any subscription/recurring payment plan that bills a cardholder less frequently than every six months (180 days), the merchant must send a notification no less than three days and no more than seven days before the billing date that includes the terms of the subscription and instructions about how a cardholder may cancel the subscription.
Mastercard is rolling out a Europe region-wide roadmap to achieve a network migration from EMV 3DS 2.1 to EMV 3DS 2.2 effective from October 14, 2022. As part of this announcement, Mastercard not only requires support for EMV 3DS 2.2, Mastercard also require the support of relevant EMV 3DS features to strengthen support of the Payment Services Directive 2 (PSD2) regulation and deliver performance improvements not delivered since the introduction of EMV 3DS.
These additional mandated features will include:
While Mastercard will require customers to support EMV 3DS 2.2, it will not require that all transactions are sent using this version of the protocol.
You should contact your gateway support team to ensure they are ready to meet the October 2022 EMV 3DS 2.2 readiness date.
Following a recent review of authentication and fraud performance, Visa have reclassified cardholder-initiated, device-based secure element token transactions with Electronic Commerce Indicator (ECI) 05 (Fully Authenticated Transaction).
These transactions were previously classified as ECI 07 (Non-secure ecommerce) with merchant liability.
Visa rules no longer permit disputes for fraud-related disputes on cardholder-initiated ecommerce transactions where:
Visa may choose to suspend this ECI 05 classification and allow issuer disputes if fraud rates are seen to increase.
You should contact your gateway support team to ensure they submit the ECI value provided by VTS with the TAVV token cryptogram when submitting the transaction to authorisation and ensure the same ECI value is used in the Elavon settlement file.
Each Visa chip or contactless card supporting offline data authentication (ODA) or offline enciphered PIN, must contain an issuer public key (IPK) certificate that is provided to the issuer by the Visa Smart Debit / Credit (VSDC) Certificate Authority (CA) and signed by a VSDC CA private key. To validate the certificate and recover the data it contains for the successful completion of ODA or offline enciphered PIN, the terminal needs to contain the corresponding VSDC CA public key. Visa continually assesses the expiration date of public keys, based on EMVCo recommendations and its own security reviews. This is to schedule the expiration dates of the VSDC CA keys while they are still considered secure.
The VSDC CA provides three key certificate lengths to issuers:
Visa issuers may personalise certificates signed by the 1408-bit or the 1984-bit CA key on their cards when the expiration date of the card does not exceed the expiration date of the certificate.
The Visa Smart Debit / Credit Certificate Authority (CA) has extended the expiration date of the 1984-bit CA key. The expiration date of the 1408-bit CA key has not changed.
Effective immediately, the expiration dates are as follows:
If you are using an Elavon POS terminal, you have no action to take as we look after this for you. If you are using a third-party POS terminal, you should contact your service provider to ensure they have the correct Visa public keys with correct expiration dates loaded into the terminals supporting ODA or Offline Enciphered PIN.