Spring Visa Rule Changes: Part Three
You’ve made it to the final blog post in our series on the April 2022 Visa Core Rule changes! Before continuing on, we recommend checking out the first two posts in this series:
- Spring Visa Rule Changes: Updates to the Visa Acquirer Monitoring Program (VAMP)
- Spring Visa Rule Changes: Part Two
For this final installment, we’ll conclude with a few of the less obvious upcoming changes. Some of these updates serve as examples of how the card brands modify their rules based on changes to regionally specific regulations or from operational policy that evolve into warnings and ultimately enforcement.
Changes in Enforcement
As referenced in part two in this blog series, Visa implemented a change to section 10.3.1.4, which addresses requirements for members—specifically those in the Europe region—to cooperate to protect against data compromise. There are specific steps defined in the complete description of the rules which merchants should consider, as some of these steps extend to the actions a merchant will be expected to take. Comparing the October 2021 and April 2022 Visa Core Rules publications, this rule is essentially the same, but now has the added context that it’s only ”effective through October 14, 2022.” This doesn’t mean the issue is no longer applicable after that date, however. The change is due to Visa eliminating regional differences and enforcement.
A new section (126.96.36.199) modifies the potential for the assessment of non-compliance fees from EUR 100.000 to $100.000 USD. This change will essentially move the rules in 10.3.1.4 into the Global Compromised Account Recovery (GCAR) program, and will revise the steps needed in the event of a compromise. Currently there is a separate “What To Do If Compromised: Visa Europe Data Compromise Procedures.” When these rules become effective, only one guide will be used.
About the Global Compromised Account Recovery (GCAR) Program
In May 2012, Visa consolidated all their regional account data compromise programs into the Global Compromised Account Recovery (GCAR) program. GCAR is a loss allocation program intended to balance the needs of clients following material breaches of cardholder data, which usually includes a compromise of card numbers, but can also include other cardholder data if it puts the members at risk of loss. GCAR defines how issuers are compensated in the event of a material breach. The cornerstone of this policy depends on members and sponsored members (e.g. merchants, processors, and service providers) following the “What To Do If Compromised” guides.
Announcements for 2024
To wrap things up, let’s take a look at the changes announced for 2024. You might be wondering why Visa announces changes so far ahead of the effective dates. Ultimately, it comes down to the fact that change takes time and requires multiple parties—merchants included—to modify their technology and operations in response.
Visa Scheme Transaction Identifiers And Brand Marks
Visa Scheme Transaction Requirements for the Europe region (section 188.8.131.52) becomes effective April 13, 2024. The rules in this section state that an acquirer must ensure that a Visa scheme Transaction Identifier is present throughout the transaction processing lifecycle for a Visa scheme transaction. A Transaction Identifier is defined as a unique value assigned to each transaction and returned to the acquirer in the authorization response. Visa uses this value to maintain an audit trail throughout the lifecycle of the transaction and all related transactions, such as reversals, adjustments, confirmations, and disputes.
With this change, you may want to ensure that your processor passes Transaction Identifiers to you as well as the acquirer, especially if you use multiple processors or merchant service providers. This is especially true if you will be making changes to your your point-of-sale (POS) devices in response to other requirements, including:
- Section 184.108.40.206 – A merchant must display and use the Visa-Owned Marks (e.g. Visa logo) at the POS (physical location, acceptance device, website, application) as specified in the Visa Product Brand Standards. The Visa-Owned Marks must not appear less prominently than any other payment marks.
- Section 220.127.116.11 – Changes in Europe under rule ID# 0002868 state that a merchant’s chip-enabled POS must display choice and the merchant must honor the choice a customer makes in how their co-branded or co-badged card is processed.
With planned logo changes, this could mean you need to open up time for your UI and mobile app developers to make changes.
Visa Electron Cards
Starting April 2024, Visa Electron Cards in many countries will no longer support cash back transactions. If your business supports cash back transactions, you may want to start thinking about what this change means for your business operations and what type of training you might need to introduce and prepare to support. See Table 5-15 in the Visa Core Rules document for details.
Visa Digital Authentication Framework Performance Requirements and Non-Compliance
There was one very curious update that we found to be a bit of a mystery. In the Summary of Changes section of the Visa Core Rules document, there is a reference to upcoming changes to the Visa Digital Authentication Framework Performance Requirements and Non-Compliance assessments, but the impacted rules sections don’t include a reference to 2024. While we don’t know for certain, perhaps this was due to last minute changes Visa made after publishing the April 2022 Core Rules. These Included:
- E-Commerce Transactions with Fully Authenticated Tokens Will Be Classified as ECI 05 in Canada and the U.S (May 12, 2022) – This is pretty big news and includes dispute rights for Dispute Condition 10.4, titled “Other Fraud—Card-Absent Environment,” and removes some conditions in which disputes are allowed. The announcement includes program performance requirements that merchants and Token Requestors must meet in order to qualify for the liability shifts. Monthly fraud amounts cannot exceed $100,000 and the fraud rate must be below 10 pbs or 0.1% of fraud divided by Digital Authentication Framework (DAF) qualified sales.
- Dispute Rule Updates (June 16, 2022) – Visa is expanding their dispute rules to address the evolving definition of what’s considered compelling evidence.
New dispute rules become effective April 15, 2023 that will offer some chargeback protection for merchants under the rules if all required conditions are met. The change is based on a data exchange between merchants and issuers to aid in the identification of trusted customers, which is key to securing payments in today’s digital payments landscape.
The changes above should further incentivize merchants and issuers to adopt secure data sharing. You can do so by utilizing 3D Secure 2.0 (or higher) and network tokenization. Looking for a quick way to develop a network tokenization strategy? Consider integrating with Toucan by Pagos!
We Did It!
That’s it, folks! You made it to the end of our series of what you need to know about Visa’s Spring Core Rule changes. We encourage you to consider all of these changes before their effective dates, begin educating yourselves on the changes, and talk to your processors about how to prepare. We also encourage you to follow Pagos on LinkedIn and check the Pagos Blog often for more updates on card brand rules and changes that impact your customers’ experiences and your revenue optimization.
At Pagos Solutions we are here to make things easier for you! Contact us with any questions for concerns:
We’ve provided the content in this blog post solely to inform and educate. Pagos doesn’t provide legal advice and this content shouldn’t be taken as such. You’re strongly encouraged to consult with your payments partners and legal teams before implementing any changes based on the content in this post.