Elavon Customer Service: 0345 850 0195
Opayo Product Support: 0191 313 0299
As your payments partner, we are committed to keeping you up-to-date with industry changes and card brand developments. There are 20 updates and reminders included here. Please scroll to ensure you act upon all which are relevant to you and your payments processing, to avoid potential inclusion in a non-compliance program and potential non-compliance fees.
Although the Financial Conduct Authority (FCA) has extended the deadline for full enforcement of Strong Customer Authentication (SCA) in the UK for eCommerce transactions until 14 March 2022, the ramp-up has already started and non-compliant transactions now risk soft decline.
The FCA announcement, here in full, states the extension is to “ensure minimal disruption to merchants and consumers, and recognises ongoing challenges facing the industry to be ready by the previous deadline.”
You need to be ready to process SCA-compliant transactions right away in accordance with the agreed UK Finance roadmap. Although full enforcement has been pushed out, the ramp-up to implementation started June 1, 2021. For example, 70% of all in-scope transactions will need to be SCA-compliant by September 2021. Transactions will be increasingly checked by issuers and non-compliant transactions risk soft decline. If you aren't ready to process SCA-compliant transactions, speak to your gateway provider.
Strong Customer Authentication (SCA) means cardholders are better protected from fraud but it has introduced an element of friction into the consumer journey. SCA exemption for qualifying, low-risk online transactions - through Transaction Risk Analysis (TRA) - can eliminate that friction.
TRA can identify the balance between increased security and sales – alleviating cart abandonment brought on by additional security steps at the checkout. Elavon TRA showed transaction approval rates 3.6% above industry averages.
3D Secure (3DS) was designed to make online payments more secure by allowing cardholders to authenticate themselves and prove they are the owner of the payment account being used. 3DS 1.0.2 is the original version that was introduced over 15 years ago. The updated version of the specification, EMV® 3DS, was published in October 2016. It offers an improved approach to authentication, a wider range of data which allows for better fraud management and authorisation decision making and an improved online experience, particularly for mobile devices.
From October 2022, Visa, Mastercard and Amex will discontinue support for 3DS 1.0.2 and all related technology. JCB and Diners will also phase out support for 3DS 1.0.2, but a sunset date has yet to be announced.
If you are using an Elavon gateway, you have no action to take as we look after this for you. If you are using a third party gateway and aren’t already processing EMV 3DS, speak to your gateway provider to plan to support EMV 3DS 2.0 in advance of October 2022.
Mastercard and NatWest Group recently announced that NatWest Group is converting all the banking group's retail and business debit cards to Mastercard. The agreement includes all NatWest Group brands: NatWest, Royal Bank of Scotland, Ulster Bank and Coutts, totalling 16 million cards. To facilitate the NatWest launch targeted for September 1, 2021, Mastercard has updated its BIN files with the new NatWest consumer and commercial Debit Mastercard BINs. A production pilot is already underway, having started June 1, 2021.
A Bank Identification Number (BIN) is a unique reference assigned to an issuer for the purpose of issuing a card product. Each BIN is unique to one specific offering that a bank has in its portfolio, whether credit, debit, prepaid, commercial. The BIN is currently shown as the first six digits of the long card number on the front of each card product.
To aid customers that process recurring payments and card-on-file payments, Mastercard has updated the Mastercard Account Billing Updater (ABU) database with both the new Mastercard BINs and the legacy Visa BINs. Mastercard ABU helps card-not-present (CNP) merchants maintain the continuity of card-on-file and recurring payments, increasing customer satisfaction and reducing customer attrition due to payment disruptions.
Mastercard is anticipating a concentrated and focused migration of accounts within a relatively short period of time. It is vital you update your systems with the new Mastercard BINs as soon as possible to minimise the risk of authorisation declines on 16 million NatWest Group cards.
If you're using Mastercard's ABU, you are strongly recommended to submit the legacy Visa BINs (below) in your Mastercard ABU Enquiry files as soon as possible so that your stored card details are updated.
Visa Bins
NATWEST Visa Debit → DMC

VISA BIN | MC BIN
---|---
475747 | 537301
475751 | 537301
431937 | 537302
475746 | 537303
475113 | 537305
459668 | 537307
475114 | 537308
475115 | 537309
428583 | 537310
475110 | 537310
475111 | 537310
475112 | 537310
431931 | 537313
431932 | 537313
431933 | 537313
475748 | 537315
475750 | 537315
476239 | 537316
476238 | 537316
408376 | 537317
475116 | 537317
475117 | 537317
475118 | 537317
475119 | 537317
475126 | 537317
475123 | 537318
475124 | 537318
476237 | 537323
428586 | 537410
475127 | 537410
475128 | 537410
475129 | 537410
475130 | 537410
475131 | 537410
475132 | 537410
Mastercard is updating its standards for the Mastercard Site Data Protection (SDP) Program. It’s applicable to you as merchants and service providers, providing clarification around forensic investigations conducted by a Payment Card Industry Security Standards Council (PCI SSC) Forensic Investigator (PFI) following an account data compromise (ADC) event or potential ADC event.
The updates will also introduce the PCI Software Security Framework (SSF) that will eventually replace the PCI Payment Application Data Security Standard (PA-DSS), which will expire in October 2022.
The update also outlines a new risk based approach to the Level 2 Merchant compliance requirements and the PCI Data Security Standard (PCI DSS) Validation Exemption Program’s eligibility requirements.
The new PCI Secure Software Standard will replace the Payment Application Data Security Standard (PA-DSS) by 2022. All PCI Level 1 and Level 2 Service Providers must validate that any third party-provided payment application or payment software that they use is listed on the PCI SSC website as compliant with either the PA-DSS or the PCI Secure Software Standard, as applicable.
You should also note:
Enhancements to Level 2 Merchant Requirements and PCI DSS Validation - Exemption Program Eligibility Requirements
There is no longer a requirement for you to conduct an annual on-site assessment or self-assessment with a PCI SSC-approved Qualified Security Assessor (QSA) or PCI SSC-certified Internal Security Assessor (ISA) if you are using EMV payment tokens from token service providers (TSPs) that comply with the Mastercard TSP Standards.
Revisions Relating to Forensic Investigations
Be ready to provide all required information to support PFI investigations. The timescale for providing PCI forensic reports to the card schemes after a data breach is being shortened from 20 to 10 business days: at the conclusion of the PFI's investigation, Mastercard must be provided with a final forensic report detailing the PFI's findings, conclusions and recommendations within 10 business days.
Mastercard has initiated monitoring for the correct usage of the Credential on File (COF) indicator across all Mastercard programs.
COF is the process where cardholder details are stored against an account for use in future purchases and the COF indicator was adopted across the industry to allow you to communicate this pre-existing relationship with a cardholder to the issuer. The presence of the COF indicator will improve cardholder experience in eCommerce with higher approval rates and fewer false declines at digital merchants used frequently by a given cardholder.
Mastercard’s monitoring is to ensure that all Recurring Payments are flagged with the COF indicator.
You should ensure that all Recurring Payments you process are flagged with the COF Indicator to avoid inclusion in compliance programs. If you are using an Elavon gateway or POS Terminal, you have no action to take as we look after this for you. If you are using a third party gateway or POS Terminal, you should contact your service provider to ensure you are already compliant with this article.
Mastercard has initiated monitoring for the correct usage of the Digital Secure Remote Payment (DSRP) cryptogram.
In August 2020, Mastercard announced the introduction of a new field to carry the DSRP cryptogram generated during authentication of remote commerce transactions such as via a mobile phone, key fob or any other token. This was to allow for the separation of the DSRP Cryptogram and the 3-D Secure Cryptogram also known as the UCAF data or Accountholder Authentication Value (AAV). This separation enables you to take advantage of the security of both the token and 3D Secure cryptographic data by allowing for the validation of both the authentication of the cardholder and the authentication of the token.
Mastercard’s monitoring is to ensure the correct population of the DSRP Cryptogram and the 3D Secure Cryptogram when a transaction contains both a token-generated cryptogram and an Identity Check AAV.
If you are using an Elavon gateway, you have no action to take as we look after this for you. If you are using a third party gateway you should contact your gateway provider to ensure that the In-App Digital Payment Cryptogram Field is being used to carry the DSRP Cryptogram and the standard AAV field is being used to carry the 3D Secure Cryptogram when a transaction contains both a token-generated cryptogram and an Identity Check AAV.
Contactless magnetic-stripe data (MSD) transaction processing has been discontinued in Europe on new terminals since January 2012, and on new or replacement card issuance since September 2014.
This industry change was driven by the higher incidence of fraud associated with these payments.
This is a reminder that acceptance devices should not accept transactions using the contactless MSD path and should not flag transactions (sales or refunds) as if they had been processed as contactless MSD.
You should ensure transactions (sales and refunds) are not flagged as Contactless MSD.
If you are using an Elavon POS Terminal, you have no action to take as we look after this for you. If you are using a third party POS Terminal, you should contact your service provider to ensure you are already compliant with this article.
After 20 years of industry-wide investment in increased security, including contactless payments, card issuers are now declining insecure face-to-face transactions (those performed by mag-stripe or keyed entry where Chip & PIN would have been expected).
While general exceptions exist for transport, parking and toll-related merchants, all other card-present (face-to-face) environments are expected to have contactless-enabled terminals in place.
While we are still seeing relatively high approval rates on keyed and magnetic stripe transactions today, decline rates on them are expected to increase throughout the remainder of 2021.
If you are using an Elavon POS Terminal, you have no action to take as we look after this for you. If you are using a third party POS Terminal, you should contact your service provider to ensure you are properly certified to reduce the risk of fraud and subsequent declines.
If you have not yet deployed Chip & PIN or contactless technologies, you should do so as soon as possible to avoid declines and minimise fraud risk.
Below are some additional recommendations to optimise your approval rates for face-to-face transactions.
Problem | Recommended Actions
---|---
Chip reading device dirty. | Ensure your POS terminals are regularly cleaned.
Device faulty or incorrectly configured for a particular card brand's chip cards. | If you believe your terminals are not able to process chip transactions for one or more card schemes, you should contact your service provider as soon as possible.
You complete a mag-stripe/swipe transaction or key in the transaction instead of inserting for PIN or tapping for contactless. | Ensure your point-of-sale staff are appropriately trained to insert the card for PIN (or contactless tap) whenever a chip card is presented.
Fraudulent behaviour. | You should contact Elavon customer support if you believe you are subject to fraudulent activity.
From April 16, 2022, acquirers and merchants in the European Economic Area (EEA) and the UK must ensure that point-of-sale (POS) devices comply with the latest contactless terminal implementation guidelines. This mandate does not apply to unattended POS terminals for transit fares and parking fees.
Visa previously announced that
Since the SCA face-to-face regulation took effect in the majority of countries, Visa has monitored the usage of these response codes and their effectiveness at the point of sale. The outcome at the POS is generally positive with a contactless soft decline being followed by a successful PIN verified transaction.
Visa is requiring all POS devices across the EEA to be updated to comply with Visa Europe Contactless—Terminal Requirements and Implementation Guidelines, Version 1.5 no later than 16 April 2022; however, Visa strongly advises clients to update POS terminals as early as possible, as non-compliant transactions risk soft decline.
If you are using an Elavon POS Terminal, you have no action to take as we look after this for you. If you are using a third party POS Terminal you should contact your provider to schedule upgrade to Version 1.5 as soon as possible; as early adoption optimises the customer experience at the POS and reduces unnecessary customer friction and declines, thereby benefiting both retailers and consumers. If early adoption is not possible, you should schedule this upgrade before April 2022.
The POS Terminal Capability must be set only once for each terminal, and never changed. It should be based on the most sophisticated transaction type the terminal will be handling. All transactions – whatever type – must have that same POS Terminal Capability recorded against them.
For example, if a terminal's device capability is Contactless but it also processes occasional MOTO transactions, even those MOTO transactions must be tagged with the POS Terminal Capability of Contactless.
Mastercard issued this reminder as correct usage of POS Terminal Capability is checked by some compliance programs.
If you are using an Elavon gateway or POS device, you have no action to take as we look after this for you. If you are using a third party gateway or point-of-sale terminal provider, you should check with your service provider to ensure you are properly certified and sending these values correctly to reduce the risk of increased fees or inclusion in non-compliance programs.
Mastercard is launching a new program to optimise approval rates of eCommerce transactions that are subject to Payment Service Directive 2 (PSD2). Under PSD2 most eCommerce transactions require SCA unless an exemption or exclusion (like Merchant Initiated Transactions) is applied. Mastercard will monitor all intra-European Economic Area (EEA), plus UK, eCommerce transactions to check if EMV 3DS is used subsequent to a valid authorisation soft decline to avoid soft declines resulting in lost sales.
It's important that you implement a mechanism to automatically retry with an EMV 3DS authentication following a soft decline, or always use EMV 3DS before sending an authorisation, to avoid breaching the performance thresholds implemented June 1, 2021, which may result in your business being included in a non-compliance program.
If you are using an Elavon gateway you have no action to take as we look after this for you. If you are using a third party gateway, you should contact your service provider to discuss these changes.
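The retry flow described above, as an added example that is not Elavon or Mastercard code: an authorisation is sent with an exemption, and if the issuer soft-declines it the merchant runs EMV 3DS and resends the authorisation exactly once with the resulting AAV/ECI. Any other decline is final, so the same logic also avoids the blind re-attempts that scheme rules penalise. The response codes (Visa 1A, Mastercard 65 as "SCA required"), the request field names, the exemption labels and the issuer/ACS stubs are assumptions made for illustration; confirm the real values with your gateway or acquirer.

```python
"""Soft-decline handling for PSD2 eCommerce authorisations.

Added example, not Elavon or Mastercard code. Response codes, field names,
exemption labels and the issuer/ACS stubs are assumptions for illustration.
"""
from dataclasses import dataclass, replace
from typing import Callable, Optional

APPROVED_CODE = "00"
# Assumption: scheme response codes meaning "SCA required, retry with
# authentication" rather than a hard decline (Visa 1A, Mastercard 65).
SOFT_DECLINE_CODES = {"1A", "65"}


@dataclass(frozen=True)
class AuthRequest:
    pan: str
    amount_minor: int                 # amount in minor units (pence)
    currency: str
    exemption: Optional[str] = None   # e.g. "TRA" (assumed label)
    aav: Optional[str] = None         # EMV 3DS cryptogram (UCAF / AAV)
    eci: Optional[str] = None         # electronic commerce indicator
    merchant_initiated: bool = False  # MITs are out of scope of SCA


@dataclass
class AuthOutcome:
    approved: bool
    response_code: str
    attempts: int        # authorisations sent to the issuer
    authenticated: bool  # whether an EMV 3DS authentication was run


Issuer = Callable[[AuthRequest], str]
Acs = Callable[[AuthRequest], AuthRequest]


def demo_issuer(req: AuthRequest) -> str:
    """Constructed issuer stub: approves MITs and authenticated requests,
    accepts a TRA exemption only on low amounts, otherwise soft-declines."""
    if req.merchant_initiated or req.aav is not None:
        return APPROVED_CODE
    if req.exemption == "TRA" and req.amount_minor <= 3000:
        return APPROVED_CODE
    return "65"


def demo_acs(req: AuthRequest) -> AuthRequest:
    """Constructed stand-in for the EMV 3DS challenge: returns the same
    request carrying an AAV and ECI, with the exemption flag cleared."""
    return replace(req, aav="AAV-from-demo-ACS", eci="02", exemption=None)


def process_payment(req: AuthRequest, issuer: Issuer = demo_issuer,
                    acs: Acs = demo_acs) -> AuthOutcome:
    """Authorise; on a soft decline authenticate with EMV 3DS and retry
    exactly once. Any other decline is final: no blind re-attempts."""
    if req.merchant_initiated:
        code = issuer(req)
        return AuthOutcome(code == APPROVED_CODE, code, 1, False)

    code = issuer(req)
    if code == APPROVED_CODE:
        return AuthOutcome(True, code, 1, req.aav is not None)
    if code not in SOFT_DECLINE_CODES:
        return AuthOutcome(False, code, 1, False)

    # Soft decline: the issuer wants SCA. Authenticate, then resend once
    # carrying the AAV/ECI so the issuer can approve the authenticated request.
    authenticated_req = acs(req)
    code = issuer(authenticated_req)
    return AuthOutcome(code == APPROVED_CODE, code, 2, True)


if __name__ == "__main__":
    low = AuthRequest("4000000000000002", 2500, "GBP", exemption="TRA")
    high = AuthRequest("4000000000000002", 25000, "GBP", exemption="TRA")
    print(process_payment(low))   # approved first time, no 3DS
    print(process_payment(high))  # soft decline, 3DS, approved on retry
```

The single-retry guard is deliberate: a second soft decline after authentication, or any hard decline, ends the attempt rather than looping, which is what keeps the merchant clear of the re-attempt limits that the card schemes monitor.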
Mastercard has revised the rules relating to the point of interaction (POI) currency conversion, also referred to as Dynamic Currency Conversion (DCC), for eCommerce and unattended transactions. The main rule changes are as follows:
For eCommerce:
When POI currency conversion is offered for an eCommerce transaction and the currency conversion option is pre-selected, the cardholder must be informed of the pre-selection and provided with the means to decline the currency conversion.
Before the cardholder is asked to select a currency in which the transaction is to be completed, the merchant’s website must clearly disclose the following language, verbatim, to the cardholder during the checkout process:
“Make sure you understand the costs of currency conversion as they may be different depending on whether you select your home currency or the transaction currency.”
For Priority/Express checkout:
Before initiating POI currency conversion for a priority check-out transaction, you must have an agreement with the cardholder that specifies all of the following:
The cardholder has been offered a choice of currencies for payment, and whether the transaction should be completed in the local currency or the billing currency;
If the cardholder actively chooses POI currency conversion, the transaction receipt must include the same disclosures previously provided to the cardholder.
If you are using an Elavon gateway or POS device, you have no action to take as we look after this for you. If you are using a third party gateway or point-of-sale terminal provider, you should contact your service provider to discuss these changes.
Visa is providing information about common account takeover fraud techniques, along with best practices to mitigate the risk of such fraud.
Familiarise yourself with the most common account takeover fraud techniques and how you can best protect your business and customers here.
Visa is launching its Consumer Bill Payment Service (CBPS) - an optional service for third party consumer bill pay providers who aggregate a consumer’s electricity, gas, phone, broadband, etc.
Currently, consumers often have to log on to multiple sites to pay their bills, many of which do not accept card payments. CBPS providers simplify the process by allowing consumers to pay all bill payments via card and via a single channel.
The CBPS program is intended to provide greater visibility and accuracy of transactions and will be governed by rules that are similar to those covering payment facilitators (aka aggregators).
CBPS has a participation fee and offers a set interchange rate (varies by region and country).
If you are offering consolidated bill payments to consumers, please contact Elavon through your relationship manager or our customer service channels.
Deferred authorisation occurs when a merchant cannot complete an authorisation at the time of the transaction due to connectivity, systems issues or other limitations, and completes the authorisation later.
As we advised previously, Visa has created a new indicator to be included in all deferred authorisation requests, with an implementation date from April 2021.
Elavon systems were updated to support the indicator from mid-October 2019. If you are using an Elavon gateway, you have no action to take as we look after this for you. If you are using a third party gateway, you should contact your service provider to discuss these changes.
You are also reminded to ensure adherence to general rules for the submission of deferred authorisations, namely:
With cloud infrastructure gaining popularity, if you outsource payment-related services to cloud service providers, it is important to understand the roles that both they and service providers play in the protection of Visa account data.
For example, cloud service providers typically maintain the physical security of the infrastructure, but you may be responsible for protecting the way the information is accessed. When moving payment-related activities to the cloud, an organisation must maintain a clear view on the scope of the cloud service provider’s involvement with regard to storing, processing or transmitting Visa account data. While the customer may outsource the maintenance of some controls to the cloud service provider, the overall responsibility for securing Visa account data remains with the customer.
When moving payment-related activities to the cloud, customers must be aware of PCI DSS responsibilities that are shared across services and system components in order to ensure coverage in those areas. To avoid ambiguity and disputes, roles and responsibilities of each party must be assigned and agreed upon in writing. You are advised to document policies and procedures to support these agreements.
It is critically important that an evaluation by a PCI Qualified Security Assessor (QSA) or a knowledgeable staff member is performed to adequately determine PCI DSS scope. To document PCI DSS compliance, you may provide an Attestation of Compliance (AOC) for your own environment along with an AOC from the cloud service provider demonstrating how data is protected in both. Together, these AOCs should cover the entire Cardholder Data Environment (CDE) and the associated PCI DSS responsibilities. Taking these steps will help your business to avoid liability for losses resulting from an account data compromise.
Visa is requiring that all partners, acquirers and online merchants update outdated Visa marks used for credential-on-file, stored credential and online transactions.
In 2017, Visa introduced the updated Visa Brand Marks below (solid Visa Blue against a white card shape or solid white against a Visa Blue card shape) to be used for credential-on-file (COF), stored credential or online transactions. Merchants were given until April 2018 to implement the COF Visa marks.
A recently conducted audit on eCommerce merchants around the world found that half (50%) are still displaying outdated versions of Visa brand marks (Visa Blue with Visa Gold wing).
New COF Visa Marks For Immediate Implementation
Immediate action is required from all partners and online merchants to implement either version of the new Visa COF mark above in their stored credential / COF / online checkout locations as soon as possible if this has not already been done. This action will avoid the possibility of inclusion in any future compliance programs.
Up-to-date digital marks and brand guidelines can be downloaded from the Visa Merchant Fulfilment website here.
As described above, a Bank Identification Number (BIN) is the unique reference assigned to an issuer for a specific card product, currently shown as the first six digits of the long card number.
Due to a shortage of available numbers, all card brands are now working towards expanding the available ranges by implementing 8-digit BIN codes across their networks, beginning in April 2022.
By this date, all acceptance points will be expected to be able to correctly recognise an 8-digit BIN series, and to process the card accordingly.
Elavon is already working towards this goal with both our internal systems and the products we offer.
If you use BINs to drive your promotions and other solutions, you will need to ensure that your process can handle both 6- and 8-digit BINs in order to correctly identify new card products and most effectively target your promotions.
Examples of potential impact areas where six-digit BINs are used are listed below. Please note that this is not a comprehensive list.
Visa has developed a Numerics Initiative page as an additional resource to help prepare for this change.
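One way to make a BIN-driven process handle both lengths, as an added example that is not Elavon or Visa code: key the table on the BIN itself, try the 8-digit prefix of the PAN first and fall back to 6 digits, so existing 6-digit entries keep working while new 8-digit products are recognised. The table is constructed for the example: 537301 and 475747 are NatWest BINs listed earlier on this page, while the 41112x entries are invented to show a 6-digit range that has been split into 8-digit BINs (an assumption about how such tables will look). A six-digit-only lookup is kept alongside to show the misclassification it produces.

```python
"""BIN lookup that handles 6- and 8-digit BINs together.

Added example, not Elavon or Visa code. The table is constructed: 537301 and
475747 appear on the page as NatWest BINs; the 41112x entries are invented.
"""
from typing import Dict, Optional

BinEntry = Dict[str, str]

# Constructed sample table mixing 6- and 8-digit BINs. Assumption: once an
# issuer's 6-digit range is split into 8-digit BINs, a table may carry both
# the parent range and its more specific 8-digit children.
BIN_TABLE: Dict[str, BinEntry] = {
    "475747":   {"scheme": "Visa", "issuer": "NatWest", "product": "Debit (legacy)"},
    "537301":   {"scheme": "Mastercard", "issuer": "NatWest", "product": "Debit"},
    "411122":   {"scheme": "Visa", "issuer": "Example Bank A", "product": "Credit"},
    "41112201": {"scheme": "Visa", "issuer": "Example Bank B", "product": "Prepaid"},
}


def normalise_pan(pan: str) -> str:
    """Strip spaces and reject anything that is not a plausible PAN length."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("PAN must be 12 to 19 digits")
    return digits


def lookup_bin(pan: str) -> Optional[BinEntry]:
    """Longest-prefix match: try the 8-digit BIN first, then fall back to 6.

    The more specific 8-digit entry wins when both exist, so a product carved
    out of an older 6-digit range is identified correctly.
    """
    digits = normalise_pan(pan)
    for length in (8, 6):
        entry = BIN_TABLE.get(digits[:length])
        if entry is not None:
            return entry
    return None


def lookup_bin_six_only(pan: str) -> Optional[BinEntry]:
    """The legacy approach: key on the first six digits only. Kept here to
    show how it misattributes cards issued under an 8-digit BIN."""
    return BIN_TABLE.get(normalise_pan(pan)[:6])


if __name__ == "__main__":
    card = "4111 2201 1234 5678"
    print(lookup_bin(card))           # Example Bank B (8-digit match)
    print(lookup_bin_six_only(card))  # Example Bank A (wrong: 6-digit parent)
```

If your promotion or routing logic stores BINs as integers or fixed six-character strings, the first thing to change is that storage: a lookup keyed on the BIN string of whatever length the scheme publishes is what lets the two lengths coexist during the migration.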
Effective since April 2021, Visa has introduced new rules which:
In October 2021 Visa extends the rule to:
- Acquirer or Merchant Country
- Merchant Category Code (MCC)
- POS Condition Code
- POS Environment Field
- POS Entry Mode
- Electronic Commerce Indicator (ECI) codes
You will find all changes here, including new decline response reason codes, as advised by Visa. Please refer to the manual for the actions that you will need to implement to ensure compliance with the new Visa rules.
Please ensure that you amend your procedures and potentially systems to reflect the new Visa rules and to prevent re-attempting declines that may break the rules and result in increased fees. If you are using an Elavon gateway or POS device, you have no action to take as we look after this for you. If you are using a third party gateway or point-of-sale terminal provider, you should contact your service provider to discuss these changes.