You’ve made it to the final blog post in our series on the April 2022 Visa Core Rule changes! Before continuing on, we recommend checking out the first two posts in this series:
For this final installment, we’ll conclude with a few of the less obvious upcoming changes. Some of these updates serve as examples of how the card brands modify their rules based on changes to regionally specific regulations or from operational policy that evolve into warnings and ultimately enforcement.
As referenced in part two in this blog series, Visa implemented a change to section 10.3.1.4, which addresses requirements for members—specifically those in the Europe region—to cooperate to protect against data compromise. There are specific steps defined in the complete description of the rules which merchants should consider, as some of these steps extend to the actions a merchant will be expected to take. Comparing the October 2021 and April 2022 Visa Core Rules publications, this rule is essentially the same, but now has the added context that it’s only ”effective through October 14, 2022.” This doesn’t mean the issue is no longer applicable after that date, however. The change is due to Visa eliminating regional differences and enforcement.
A new section (184.108.40.206) modifies the potential for the assessment of non-compliance fees from EUR 100.000 to $100.000 USD. This change will essentially move the rules in 10.3.1.4 into the Global Compromised Account Recovery (GCAR) program, and will revise the steps needed in the event of a compromise. Currently there is a separate “What To Do If Compromised: Visa Europe Data Compromise Procedures.” When these rules become effective, only one guide will be used.
In May 2012, Visa consolidated all their regional account data compromise programs into the Global Compromised Account Recovery (GCAR) program. GCAR is a loss allocation program intended to balance the needs of clients following material breaches of cardholder data, which usually includes a compromise of card numbers, but can also include other cardholder data if it puts the members at risk of loss. GCAR defines how issuers are compensated in the event of a material breach. The cornerstone of this policy depends on members and sponsored members (e.g. merchants, processors, and service providers) following the “What To Do If Compromised” guides.
To wrap things up, let’s take a look at the changes announced for 2024. You might be wondering why Visa announces changes so far ahead of the effective dates. Ultimately, it comes down to the fact that change takes time and requires multiple parties—merchants included—to modify their technology and operations in response.
Visa Scheme Transaction Requirements for the Europe region (section 220.127.116.11) becomes effective April 13, 2024. The rules in this section state that an acquirer must ensure that a Visa scheme Transaction Identifier is present throughout the transaction processing lifecycle for a Visa scheme transaction. A Transaction Identifier is defined as a unique value assigned to each transaction and returned to the acquirer in the authorization response. Visa uses this value to maintain an audit trail throughout the lifecycle of the transaction and all related transactions, such as reversals, adjustments, confirmations, and disputes.
With this change, you may want to ensure that your processor passes Transaction Identifiers to you as well as the acquirer, especially if you use multiple processors or merchant service providers. This is especially true if you will be making changes to your your point-of-sale (POS) devices in response to other requirements, including:
With planned logo changes, this could mean you need to open up time for your UI and mobile app developers to make changes.
Starting April 2024, Visa Electron Cards in many countries will no longer support cash back transactions. If your business supports cash back transactions, you may want to start thinking about what this change means for your business operations and what type of training you might need to introduce and prepare to support. See Table 5-15 in the Visa Core Rules document for details.
There was one very curious update that we found to be a bit of a mystery. In the Summary of Changes section of the Visa Core Rules document, there is a reference to upcoming changes to the Visa Digital Authentication Framework Performance Requirements and Non-Compliance assessments, but the impacted rules sections don’t include a reference to 2024. While we don’t know for certain, perhaps this was due to last minute changes Visa made after publishing the April 2022 Core Rules. These Included:
New dispute rules become effective April 15, 2023 that will offer some chargeback protection for merchants under the rules if all required conditions are met. The change is based on a data exchange between merchants and issuers to aid in the identification of trusted customers, which is key to securing payments in today’s digital payments landscape.
The changes above should further incentivize merchants and issuers to adopt secure data sharing. You can do so by utilizing 3D Secure 2.0 (or higher) and network tokenization. Looking for a quick way to develop a network tokenization strategy? Consider integrating with Toucan by Pagos!
That’s it, folks! You made it to the end of our series of what you need to know about Visa’s Spring Core Rule changes. We encourage you to consider all of these changes before their effective dates, begin educating yourselves on the changes, and talk to your processors about how to prepare. We also encourage you to follow Pagos on LinkedIn and check the Pagos Blog often for more updates on card brand rules and changes that impact your customers’ experiences and your revenue optimization.
At Pagos Solutions we are here to make things easier for you!
We’ve provided the content in this blog post solely to inform and educate. Pagos doesn’t provide legal advice and this content shouldn’t be taken as such. You’re strongly encouraged to consult with your payments partners and legal teams before implementing any changes based on the content in this post.