Pagos Solutions is dedicated to demystifying payments by providing universal access to information and greater payments knowledge. As part of this mission, we monitor card brand changes to not only ensure we’re prepared to support our clients, but also so we can share this knowledge and insight with merchants. If you’ve been following our series of posts on Visa’s spring rule changes, you know each card brand network has their own bi-annual publications and these have traditionally been the go-to source for planned changes—although, not the only source.
The bi-annual rules changes used to be a one-stop publication for merchant rules and regulations, but a lot has changed. Mastercard’s bi-annual changes don’t come out at the same time as the other brands; instead of releasing spring rule changes like Visa, Mastercard has released a June 2022 Rules publication. As you will learn from our summary, the June 2022 Rules from Mastercard end up being more of an index and preface to a library of publications, specifications, and rules. This wasn’t always the case, but as payments technology advancements emerge and the digital economy grows, different types of entities are now involved in delivering payment processing, and the collection of Mastercard rules reflects this change.
As we work to complete our merchant awareness series for the Spring 2022 card network operating rules changes, we’re sharing links to these various publications. We’re adding the June 2022 Rules to our library as well as other key network documents, which include:
As a merchant, what you need to know might vary depending on your market, your primary method of sale, and the complexity and volume of payment service providers you use to get your sales approved, settled, or defended in the case of chargebacks. The more entities you rely on to deliver on these key events, the more you may need to understand the fundamental changes and rules that those entities must achieve, adapt, and adopt.
Mastercard refers to entities and activities involved in payment processing differently than the other card brands; these differences help explain why there are different publications. For example, what the industry labels as an acquirer, Mastercard further defines as a principal or affiliate. They also further define their rules based on the type of “activity” they’re supporting. This is an important construct when reading Mastercard’s published rules and announcements. The June 2022 Rules document establishes the rules for several activities (a list and definition of these can be found on pages 26-27) and addresses the activities most commonly referred to as authentication, authorizations, and settlement. Additional publications are referenced in these rules.
Mastercard released a bulletin—AN 5928—describing the retirement of MasterPass as a type of card-not-present, remote electronic transaction product, which they’re largely replacing with Click to Pay. The official sunset date for MasterPass was November 16, 2021, and issuers sent emails about this to their cardholders; if you still have MasterPass as a payment link on your website or app, or referenced in any of your “ways to pay” content, you can take it down. Mastercard goes on to say that Click to Pay is not a required replacement but was included as a recommendation.
On December 14, 2021, Mastercard published AN 5942, which announced changes to the Mastercard Rules, Security Rules and Procedures, and Information-Based Program Standards Manual that were effective immediately. These changes included the deletion of some content and clarifications on how notifications of personal data breach should be handled. These changes are now formally part of the respective publications.
For example, in Chapter 2 under section 2.4 of the June 2022 Rules, Mastercard added the term “disagreements” to their right but not obligations, and they added “as applicable” to activities. This expands the potential for entities in the payment ecosystem to raise their case to Mastercard, though as the section states, not as a rule, but as an option.
In section 2.1.5 under Certification, Mastercard added the requirement for senior executives of affiliates (if requested) to certify their compliance or non-compliance with Mastercard’s compliance standards, adding programs to which these obligations apply. Furthermore, in the Information Security Program section 2.2.7, it adds requirements for Mastercard issuers and acquirers (where relevant) to maintain comprehensive written information security programs that comply with section 3.13 of the Merchant Rules document. It also adds a new requirement to ensure anyone acting under their authority who has access to personal data is subject to a duly enforceable contractual or statutory confidentiality obligation.
In Chapter 3, section 3.12.1, Mastercard added a new disclosure requirement which essentially provides rights to Mastercard if an acquirer, issuer, or direct entity provides any feedback to Mastercard regarding any specifications, designs, or other technical information. This now includes that Mastercard will have the right to use such feedback without restriction.
Chapter 4, section 4.1.1 adds an entity type of affiliate to parties that are prohibited from registering or making use of logos or “Marks” that would be a derivative of, or dilutive of, Mastercard’s Marks on any Card, device, or applications associated with a payment service that Mastercard might deem competitive. Mastercard has certainly embraced and invested in new innovation; this rule likely is needed to ensure everyone working for a better payment experience understands how to correctly use Marks, names, and logos.
Mastercard added section 1.5 to the 2022 Security Rules and Procedures publication, which is a companion document to the June 2022 Rules. In this change, it adds requirements for compliance with applicable data protection laws. This is a critical section to reference when you’re defining your data privacy, refining your fraud and security policies, or looking for a service provider, which Mastercard defines as:
“A person that performs Program Service. The Corporation has the sole right to determine whether a person is or may be a Service Provider and if so, the category of Service Provider. A Service Provider is an agent of the Customer that receives or otherwise benefits from Program Service, whether directly or indirectly, performed by such Service Provider.”
Why does this matter? There are lots of companies out there who have great ideas and products to help merchants, but not all of them build their vision to meet or exceed card network standards and rules. Pagos Solutions does. We are an “agent” of our sponsor acquirer who is a “customer” of the corporation that is Mastercard. At Pagos, we’re building our technology to meet or exceed the card brand standards and include best practices in our products and services that are compatible with PCI-DSS, SOC Type 2 and ISO27001.
Returning to the changes in the June 2022 Rules publication, we see Mastercard made changes to instruct merchants on surcharging in Canada. As part of the settlement in 2019 between a group of merchants and card brands, Visa and Mastercard agreed to adopt identical surcharge rules. For Mastercard, these rules are defined in the June 2022 Rules in section 5.12 of Chapter 12.
Merchants who successfully adopt the new rules can begin recouping some of the card transaction expenses after October 2022. Below are some of the key requirements included in this new section of the rules:
If you’re a merchant in Canada, you may well be thinking about applying surcharges. Analysis of your historical sales by card type and product would be helpful. Let’s say 60% of your sales are on debit cards; by seeking to recoup processing costs on the 40% of your sales that come from credit cards, you might alienate your base of debit card customers (to whom you wouldn’t apply a surcharge, but the required notifications might leave the impression of added fees). At the credit card product level, the same is true; if you only planned to apply surcharges on the cards with the higher interchange, but your historical sales on these cards are less than 20% of all your credit card sales, customers might just see “surcharge” as a barrier to purchase.
If only you had a way to match your historical sales data by card type and product or monitor sales by card brand and type after launching surcharging in October! Well, we have some birds for that:
Most of the changes in this chapter are things issuers must do. For example, section 6.1 of the June 2022 Rules—which will be effective October 14, 2022—states that an issuer must enroll all of its ecommerce-enabled Mastercard and Maestro BIN ranges in EMV 3DS 2.2. If an issuer uses a service provider for issuance or an Access Control Server (ACS), they must ensure their provider also supports the changes such that merchant-initiated 3-D authentication requests—known as “Requestor Initiated (3RI)”—include the EMV 3DS 2.2 authentication to merchant app redirection (also called 3DS Requestor App URL). This rule change for issuers in Europe should improve the responses merchants receive from Non-Payment and Payment 3DS and Identity Checks and help improve order success rates.
Effective October 14, 2023, issuers and their service providers must also use the Trusted Merchant Listing (TML). The TML is essentially a centralized list all issuers must use to define their customers who have added a merchant as a known and trusted relationship.
Changes to section 4 define requirements for card issuers in select countries in Europe to support Enhanced Merchant Data. The date had previously been announced to go into effect October 14, 2022, but has now been pushed to October 14, 2023. Enhanced Data helps customers recognize transactions. There are also changes to how Mastercard refers to these select countries (e.g. Mastercard replaced “The Channel Islands” with separate listings for Guernsey and Jersey).
The American Library Association defined “Library” as:
“a collection of resources in a variety of formats that is (1) organized by information professionals or other experts who (2) provide convenient physical, digital, bibliographic, or intellectual access and (3) offer targeted services and programs (4) with the mission of educating, informing, or entertaining a variety of audiences (5) and the goal of stimulating individual learning and advancing society as a whole.”
We don’t know your business as well as you do, but we know payments and we know how to collect data. Data that represents your payment traffic, approval, declines, disputes and the resources that set the rules of engagement in the payment ecosystem. We hope you found this summary helpful and will continue to come back and check out more of our coverage of card brand rules and regulations.
Contact us to learn more about how Pagos can help you!
We’ve provided the content in this blog post solely to inform and educate. Pagos doesn’t provide legal advice and this content shouldn’t be taken as such. You’re strongly encouraged to consult with your payments partners and legal teams before implementing any changes based on the content in this post.