FTC Orders an End to Illegal Mastercard Business Tactics and Requires it to Stop Blocking Competing Debit Card Payment Networks

Company violated the Durbin Amendment to the Dodd-Frank Act and Fed regulations, agency alleges

The Federal Trade Commission is ordering an end to illegal business tactics that Mastercard has been using to force merchants to route debit card payments through its payment network, and is requiring Mastercard to stop blocking the use of competing debit payment networks.

Under a proposed FTC order, Mastercard will have to start providing competing networks with the customer account information they need to process debit payments, reversing a practice that, according to the FTC, the company had been using to keep them out of the ecommerce debit payment business in violation of provisions of the 2010 Dodd-Frank Act known as the Durbin Amendment and its implementing rule, Regulation II.

“This is a victory for consumers and the merchants who rely on debit card payments to operate their businesses,” said Holly Vedova, Director of the FTC’s Bureau of Competition. “Congress directed the FTC to enforce this part of the Dodd-Frank Act and prevent precisely this kind of illegal behavior. We take this responsibility seriously, as demonstrated by our action today.”

Debit Card Payment Networks

With more than 80 percent of American adults carrying at least one debit card and over $4 trillion in debit card purchases made every year, debit cards occupy a significant place in the current payment landscape. The popularity of debit cards has been growing especially quickly for purchases consumers make using their personal devices equipped with ewallet applications such as Apple Pay, Google Pay, and Samsung Wallet.

Payment card networks play a critical role in those debit card transactions. When a customer presents their debit card to make a purchase, the network transmits the payment information to the card’s corresponding bank for approval, and then transfers the payment approval or denial back to the merchant. Payment card networks compete for the business of banks that issue cards and for the business of merchants that accept card payments.

Mastercard, along with Visa, is one of the two leading payment card networks in the United States. The processing fees charged by networks total billions of dollars every year, affecting every purchase made with a debit card, according to the FTC. Most of these fees are paid by the merchants to the card-issuing banks and the payment card networks.

To spur more competition among payment card networks, Congress enacted a provision of the 2010 Dodd-Frank Act known as the Durbin Amendment, which required banks to enable at least two unaffiliated networks on every debit card, thereby giving merchants a choice of which network to use for a given debit transaction. The Durbin Amendment—along with its implementing rule, Regulation II—also bars payment card networks from inhibiting merchants from using other networks.

Mastercard’s Illegal Tactics

With the post-Durbin rise of debit ecommerce and ewallet debit transactions, Mastercard was flouting the law by setting policies to block merchants from routing ecommerce transactions using Mastercard-branded debit cards saved in ewallets to alternative payment card networks, including networks that may charge lower fees than Mastercard, the FTC alleged.

Specifically, Mastercard used its control over a process called “tokenization” to block the use of competing payment card networks, the agency alleged. Transactions commonly are “tokenized” by replacing the cardholder’s primary account number with a different number to protect the account number during some stages of a debit transaction.

Tokens are stored in ewallets such as Apple Pay, Google Pay, and Samsung Wallet and serve as a substitute credential to provide additional protection for a cardholder’s account number.

When a debit cardholder makes a debit purchase using an ewallet, the merchant receives a token from the cardholder’s device and sends it to the merchant’s bank, which in turn sends the token to a payment card network for processing. For the transaction to proceed, however, the network must be able to convert the token to its associated account number.

Mastercard’s policy requires use of a token when a cardholder loads a Mastercard-branded debit card into an ewallet, while banks issuing Mastercard-branded debit cards nearly universally use Mastercard to generate the tokens and store the corresponding primary account numbers in its Mastercard “token vault,” the FTC alleged. Since competing networks do not have access to Mastercard’s token vault, merchants are dependent on Mastercard’s converting the token to process ewallet transactions using Mastercard-branded debit cards.

According to the FTC, Mastercard refuses to provide conversion services to competing networks for remote ewallet debit transactions (i.e., online and in-app transactions, as opposed to in-person transactions made by the customer in a store), thereby making it impossible for merchants to route their ewallet transactions on a network other than Mastercard.

Under the FTC consent order, when a competing network receives a token to process a debit card payment, Mastercard is required to provide that network with the customer’s primary account number that corresponds to the token. The order also bans Mastercard from taking any action to prevent competitors from providing their own payment token service or offering tokens on Mastercard-branded debit cards, and requires Mastercard to comply with provisions of Regulation II.
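As an added illustration (not code from the FTC release or from Mastercard), the following Python model shows the token-vault arrangement the release describes: the ewallet token is random and format-preserving, the vault holds the token-to-PAN mapping, and whether a competing network can convert a token is an access-control decision made by the vault operator. The test PAN, the network labels "BrandNet" and "AltNet", and all function names are assumptions.

```python
"""Model of ewallet debit tokenization and token-vault access.

Constructed example: the PAN is a public Mastercard-format test number and the
network names are placeholders; nothing here is any network's actual system."""
import secrets

SAMPLE_PAN = "5555555555554444"  # constructed test PAN, Luhn-valid, not a real account


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a digit string that lacks its final check digit."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # digits adjacent to the check digit are doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Token -> PAN mapping. Which networks may call detokenize() is the policy
    lever the order changes: before, only the vault owner; after, competitors too."""

    def __init__(self, authorized_networks):
        self._token_to_pan = {}
        self.authorized_networks = set(authorized_networks)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("malformed PAN")
        while True:
            # Random, format-preserving token: 16 digits and Luhn-valid so it passes
            # downstream format checks, but not derived from the PAN, so a token copied
            # from an ewallet or a merchant database reveals nothing about the account.
            body = "".join(str(secrets.randbelow(10)) for _ in range(15))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._token_to_pan:
                self._token_to_pan[token] = pan
                return token

    def detokenize(self, token: str, requesting_network: str) -> str:
        if requesting_network not in self.authorized_networks:
            raise PermissionError(f"{requesting_network} has no token-vault access")
        return self._token_to_pan[token]  # KeyError if the token was never issued


def route_ewallet_debit(token: str, chosen_network: str, vault: TokenVault) -> dict:
    """The merchant's bank forwards the token to the merchant-chosen network; the
    transaction can proceed only if that network can convert the token to a PAN."""
    try:
        pan = vault.detokenize(token, chosen_network)
    except PermissionError as exc:
        return {"routed": False, "network": chosen_network, "reason": str(exc)}
    return {"routed": True, "network": chosen_network, "pan_last4": pan[-4:]}


def demo() -> tuple:
    """Before the order: only BrandNet can detokenize, so routing to AltNet fails.
    After the order: the vault must serve AltNet too, so the same token routes."""
    vault = TokenVault({"BrandNet"})
    token = vault.tokenize(SAMPLE_PAN)
    before = route_ewallet_debit(token, "AltNet", vault)
    vault.authorized_networks.add("AltNet")  # the change the order requires
    after = route_ewallet_debit(token, "AltNet", vault)
    return token, before, after


if __name__ == "__main__":
    tok, b, a = demo()
    print("token:", tok, "before:", b, "after:", a)
```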

The Commission vote to issue the administrative complaint and to accept the consent agreement was 4-0. The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments appear in the published notice. Comments must be received 30 days after publication in the Federal Register. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $46,517.

The Federal Trade Commission works to promote competition, and protect and educate consumers.

Federal Trade Commission Proposes Small Business Protections Against Telemarketing Tricks and Traps

Agency Also Seeks Public Comment on Combatting Tech-support Scams and Adding Click-to-Cancel Requirements

April 28, 2022

The Federal Trade Commission today proposed extending protections against telemarketing tricks and traps to small businesses and strengthening safeguards against other pernicious telemarketing tactics plaguing consumers. The agency is seeking comments on updates to the Telemarketing Sales Rule that would protect small businesses against business-to-business telemarketing schemes, address tech-support scams that target seniors, and extend click-to-cancel requirements to telemarketing.

“Today we are taking aggressive action to protect small businesses and consumers from telemarketing tricks and traps,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “We look forward to hearing from the public about how we can further strengthen this rule to hold telemarketing scammers accountable.”

Both the notice of proposed rulemaking and advance notice of proposed rulemaking announced today stem from the Commission’s regulatory review of the Telemarketing Sales Rule and address public comments the FTC has received as part of that review.

The current regulatory review of the Telemarketing Sales Rule began with the publication of a 2014 Federal Register notice seeking comments on general issues such as whether to retain, eliminate, or modify the rule. It also sought comment on specific issues, such as whether the rule should provide additional protections to consumers from telemarketing calls involving use of previously acquired account information and negative option offers, as well as recordkeeping requirements for sellers and telemarketers.

The Telemarketing Sales Rule

The FTC’s Telemarketing Sales Rule became law in 1995 and applies to virtually all “telemarketing” activities, both in the United States and international sales calls to consumers in the U.S. With several notable exceptions, the rule generally applies only to outbound calls made by telemarketers to consumers and protects consumers in a range of ways. For example, the rule requires telemarketers to make certain disclosures and prohibits misrepresentations during sales calls.

The Telemarketing Sales Rule ensures that telemarketers obtain a consumer’s authorization before billing or collecting payment, and prohibits telemarketers from requesting advance payments for services, such as credit repair, “guaranteed” loans, and debt settlement programs. The rule also prohibits credit card laundering by or on behalf of telemarketers and generally prohibits them from calling phone numbers on the Do Not Call Registry or plaguing consumers with robocalls, among other things.

Proposal to Protect Small Businesses and Strengthen Enforceability

The notice of proposed rulemaking announced today proposes amending the recordkeeping requirements of the Telemarketing Sales Rule and prohibiting deception in business-to-business telemarketing calls. Specifically, the notice seeks public comment on:

  • Business-to-business schemes: Whether the FTC should amend the Telemarketing Sales Rule to prohibit misrepresentations in business-to-business calls, as the Commission’s experience has shown that small businesses continue to be harmed by deceptive telemarketing, and
  • Recordkeeping requirements: Whether the FTC should amend the rule’s recordkeeping provisions to require telemarketers to retain information in seven new categories, such as keeping recordings of robocalls.

Addressing Other Telemarketing Tactics and Scams

The advance notice of proposed rulemaking announced today seeks information on a range of issues, some of which were identified during the previous comment period. Specifically, the agency seeks public comment on:

  • Tech-support scams: Whether the Telemarketing Sales Rule should add additional provisions to address the rise in tech-support scams. These are scams where telemarketers trick consumers into purchasing unnecessary computer technology services to fix phantom problems. Generally, telemarketers who induce consumers to call them by placing deceptive internet ads are currently exempt from Telemarketing Sales Rule requirements. The advance notice of proposed rulemaking seeks comment on whether those calls should be covered by the rule.
  • Click-to-cancel requirements: Whether the rule should require telemarketers to provide consumers with a simple notice and cancelation, such as click-to-cancel, when they sign up for subscription plans; and
  • Robocalls and other telemarketing to small businesses: Whether the Telemarketing Sales Rule broadly should stop treating telemarketing calls made to businesses differently from those made to consumers. Generally, such calls currently are exempt from certain provisions of the rule.

The Commission vote approving publication of the notice of proposed rulemaking and advance notice of proposed rulemaking in the Federal Register was 4-0.

The Federal Trade Commission works to promote competition and protect and educate consumers. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov.

FTC Takes Action Against CafePress for Data Breach Cover Up

March 15, 2022 - Commission orders e-commerce platform to bolster data security and provide redress to small businesses.

The Federal Trade Commission today took action against online customized merchandise platform CafePress over allegations that it failed to secure consumers’ sensitive personal data and covered up a major breach. The FTC alleges that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions. The Commission’s proposed order requires the company to bolster its data security and requires its former owner to pay a half million dollars to compensate small businesses.

“CafePress employed careless security practices and concealed multiple breaches from consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”

In a complaint filed against Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020, the FTC alleged that CafePress failed to implement reasonable security measures to protect the sensitive information of buyers and sellers stored on its network. In addition to storing Social Security numbers and password reset answers in clear, readable text, CafePress retained the data longer than was necessary. The company also failed to apply readily available protections against well-known threats and adequately respond to security incidents, the complaint alleged. As a result of its shoddy security practices, CafePress’ network was breached multiple times.

According to the complaint, a hacker exploited the company’s security failures in February 2019 to access millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates. Some of the information was later found for sale on the Dark Web.

After being notified a month later that it had a security vulnerability and that hackers had obtained consumer data, CafePress patched the vulnerability but failed to properly investigate the breach for several months despite additional warnings, the complaint alleged. This included a warning in April 2019 from a foreign government, which notified the company that a hacker had illegally obtained CafePress customer account information and urged the company to notify affected customers. The company, however, withheld this essential information, and instead only told customers to reset their passwords as part of an update to its password policy.

The complaint alleges CafePress did not inform affected customers until September 2019—one month after the breach was reported widely. The company’s lax security practices, however, still left many consumers at risk. For example, the company continued to allow people to reset their passwords on the website by answering security questions associated with customer email addresses—the same information that had been previously stolen by hackers.

According to the complaint, CafePress was aware of problems with its data security prior to the 2019 data breach. Through at least January 2018, when CafePress determined that certain accounts of shopkeepers had been hacked, CafePress closed the accounts and charged the victims a $25 account closure fee. The company also experienced several malware infections to its network prior to the 2019 hack but failed to investigate the source of such attacks.

In addition to its security failures, the FTC alleged the company misled users by using consumer email addresses for marketing despite its promises that such information would only be used to fulfill orders consumers had placed.

As part of the proposed settlement, Residual Pumpkin and PlanetArt will be required to implement comprehensive information security programs that will address the problems that led to the data breaches at CafePress. This includes replacing inadequate authentication measures such as security questions with multi-factor authentication methods; minimizing the amount of data they collect and retain; and encrypting Social Security numbers.

In addition, the proposed settlement requires Residual Pumpkin to pay $500,000 in redress to victims of the data breaches. PlanetArt will be required to notify consumers whose personal information was accessed as a result of CafePress’s data breaches and provide specific information about how consumers can protect themselves. Both companies will be required to have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.

The Commission voted 4-0 to issue the proposed administrative complaint and to accept the consent agreement with the companies.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $46,517.

https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover

Colorado introduces bill to change credit card surcharge law in 2021

Can merchants surcharge in Colorado in 2021? A pending bill may make it possible for all merchants in 2021 or 2022. The current law says a seller, lessor, or company issuing a credit or charge card is prohibited from imposing a surcharge against a person who elects to pay for a sales or lease transaction by using a credit or charge card.

5-2-212. Surcharges on credit transactions – prohibition

(1) Except as otherwise provided in sections 24-19.5-103 (3) and 29-11.5-103 (3), C.R.S., no seller or lessor in any sales or lease transaction or any company issuing credit or charge cards may impose a surcharge on a holder who elects to use a credit or charge card in lieu of payment by cash, check, or similar means. A surcharge is any additional amount imposed at the time of the sales or lease transaction by the merchant, seller, or lessor that increases the charge to the buyer or lessee for the privilege of using a credit or charge card. For purposes of this section, charge card includes those cards pursuant to which unpaid balances are payable on demand.

(2) A discount offered by a seller or lessor for the purpose of inducing payment by cash, check, or other means not involving the use of a seller or lender credit card shall not constitute a finance charge if such discount is offered to all prospective buyers and its availability is disclosed to all prospective buyers clearly and conspicuously in accordance with regulations of the administrator.

The proposed bill:

  • Repeals the prohibition; and
  • Limits the maximum surcharge amount per transaction to 2% of the total cost to the buyer for the sales or lease transaction or the merchant discount fee, which is defined as the actual fee that a seller or lessor (merchant) pays its processor or service provider to process the transaction.

Summary: A merchant is required to display notice regarding the surcharge on the merchant’s premises or, for online purchases, before an online customer’s completion of the sales or lease transaction. The bill prohibits applying the surcharge on debit or gift cards. If a merchant imposes a surcharge in violation of the bill, an individual consumer aggrieved by the violation may seek enforcement of the violation as an excess charge under the “Uniform Consumer Credit Code – Remedies and Penalties”.

In my opinion, this is a great start, however, BILL 21-091 conflicts with card network rules allowing charge up to 4% IF that’s actual cost. If merchants sell in multiple states, the 2% Colorado cap presents a challenge if the merchant average cost is higher. Most merchants will be forced to collect less for all states due to technology limitations, whereby they can only specify one rate and cannot distinguish by state.

Also, it could be interpreted that the surcharge must be the actual cost for EACH transaction vs the average, which few businesses have the technology capability for. The bill would be better if it just revoked the surcharge ban, requiring businesses to comply with card network rules.

  • https://leg.colorado.gov/bills/sb21-091
  • https://3dmerchant.com/blog/merchant-bulletins-downloads.

Call now for current information specific to your situation. Neither Christine Speedy nor this web site provide legal advice. Consult an attorney for all your legal questions.

Does your company want to surcharge? Call Christine Speedy right now at 954-942-0483, 9-5 ET for a compliant solution. Please share your surcharge insights for others and ask any questions below. The information herein is based upon public information available at the time written and may change.

Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI)

Over the course of the past several days, the FBI, CISA, and ODNI have become aware of a significant and ongoing cybersecurity campaign. Pursuant to Presidential Policy Directive (PPD) 41, the FBI, CISA, and ODNI have formed a Cyber Unified Coordination Group (UCG) to coordinate a whole-of-government response to this significant cyber incident. The UCG is intended to unify the individual efforts of these agencies as they focus on their separate responsibilities. This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government.

As the lead for threat response, the FBI is investigating and gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors. The FBI is engaging with known and suspected victims, and information gained through FBI’s efforts will provide indicators to network defenders and intelligence to our government partners to enable further action.

As the lead for asset response activities, CISA took immediate action and issued an Emergency Directive instructing federal civilian agencies to immediately disconnect or power down affected SolarWinds Orion products from their network. CISA remains in regular contact with our government, private sector and international partners, providing technical assistance upon request, and making needed information and resources available to help those affected recover quickly from this incident. CISA is engaging with our public and private stakeholders across the critical infrastructure community to ensure they understand their exposure and are taking steps to identify and mitigate any compromises.

As the lead for intelligence support and related activities, ODNI is helping to marshal all of the Intelligence Community’s relevant resources to support this effort and share information across the United States Government.

To report suspicious or criminal activity related to information found in this statement, contact your local FBI field office at https://www.fbi.gov/contact-us/field-offices. To request incident response resources or technical assistance related to this statement, visit https://www.us-cert.gov/report.