Visa, Mastercard reach $6.2B settlement in class-action lawsuit

The largest-ever class action settlement of an antitrust case appears to be nearing an end. Visa Inc, MasterCard Inc, and banks including Bank of America, J.P. Morgan Chase and Citigroup, have agreed to pay $6.2 billion as part of the settlement.

The class-action lawsuit was filed in 2005 by merchants who alleged card companies set credit-card fees and card-acceptance rules that benefit the banks, which owned Visa and MasterCard at the time. Both are now public companies. It was previously settled in US District Court but thrown out on appeals. After throwing out the the settlement, the court divided the merchants’ claims into two separate classes, one for monetary damages and the other for Visa and Mastercard’s business practices. This settlement is for the class focused on monetary damages.

What do merchants need to do? Nothing. The settlement must still be approved by a court. Further information will be released at a later date.

GovPayNow.com Data Breach

Government Payment Service Inc., a company used by thousands of U.S. state and local governments to accept online payments, leaked over 14 million customer records, including names, addresses, phone numbers and the last four digits of the payer’s credit card. GovPayNet, doing business online as GovPayNow.com, did not leak any sensitive information, as the leak pertained to just customer credit card payment receipts, which has since been resolved.

For the full story, read it on Krebs Security https://krebsonsecurity.com/2018/09/govpaynow-com-leaks-14m-records/.

 

Recurly Visa Stored Credential Framework blog omission

A Recurly blog article “How Recurly is Supporting Visa’s Stored Credential Framework” has some misinformation. The cited dates are incorrect and merchant responsibilities are understated. Why is that important? Most payment gateways and technology solution providers are not keeping up with the rapid pace of rules and compliance changes, impacting merchant profits and risk. Therefore, payment technology vendor selection, including payment gateway selection, is critical.

Recurly, like others in the cloud solutions space, is partially dependent on their partners to keep their clients in compliance with a myriad of rules. When should technology partners alert their integrated solutions partners about industry changes affecting their mutual clients? Solutions providers and merchants are getting inaccurate advice, or none at all, from trusted advisors, technology providers, and consultants of all sizes and sources.

As soon as Visa released the news in their Merchant Business News Digest in August 2017, Recurly began reaching out to our gateway partners to get ahead of the work required to fulfill the mandates.” The real dates were much earlier than cited. Visa typically announces at least one year in advance of due dates for any significant change, which this update is. Updates were in the October 2016 Visa Core Rules and Visa Product and Service Rules rules, citing changes coming in April and October 2017. On April 27, 2017 Visa published further information for merchants via the Stored Credential Framework document, which also references prior articles published on the subject dating back to 2016.

For most merchants, the mandate went into effect October 14, 2017, not April 2018, however, Visa did announce a delay in compliance action to April 2018.

From Recurly, “There is no action needed from our customers.” While technology solutions and payment gateways manage technical aspects for compliance, there’s much that’s left to merchants. Here’s an excerpt from the Stored Credential Framework document:

Merchants and their third-party agents, payment facilitators, or stored digital wallet operators that offer cardholders the opportunity to store their credentials on file must:
• Disclose to cardholders how those credentials will be used.
• Obtain cardholders’ consent to store the credentials.
• Notify cardholders when any changes are made to the terms of use.
• Inform the issuer via a transaction that payment credentials are now stored on file.
• Identify transactions with appropriate indicators when using stored credentials.

I strongly recommend reading Visa Core Rules Table 5-20: Requirements for Prepayments and Transactions Using Stored Credentials and Disclosure to Cardholder and Cardholder Consent. For example, how will you provide proof of cardholder consent (think time and date stamp) upon request? Are you providing the required receipt with proper format for zero dollars when storing a card without running a transaction?

Note: This article is not a review, endorsement or complaint about the quality of Recurly services which I have never used. It is simply identifying errors and omissions related to the stored credential mandate that may impact merchant profits, risk and decision making. I would have written in their blog comments, but it wasn’t available. When choosing a payment gateway, consider how agile they’ve been in meeting deadlines for changes, and how they’ll help reduce compliance burden, among other factors.

Christine Speedy, CenPOS Authorized Reseller, 954-942-0483 is a PCI Council QIR certified professional based out of South Florida, near Fort Lauderdale, and Rochester, NY, with extensive payment gateway experience. Christine can uniquely help merchants and technology providers navigate the complexities of PCI, acquirer, and card brand compliance rules.

MasterCard Processing Integrity Final Auth Alert

Compliance is not just about payment security. Each card brand has a set of rules for payment processing. Follow them and get rewarded with increased authorizations, reduced fraud risk, and lower merchant fees. The cost of non-compliance is heavy and getting worse.

Look at this MasterCard PROCESSING INTEGRITY FINAL ATH Fee on a recent Chase Paymentech merchant statement.

mastercard PROCESSING INTEGRITY FINAL ATHOver $536,000 multiplied by .25% penalty fee for a total of $1,340.10 in avoidable costs. This is due to not properly authorizing and settling transactions, including reversals for unused authorizations. It’s too complicated to get into why this happens, but I’ve written multiple articles related to authorization validity, including one about the Visa Stored Credential Mandate.

The new fee of 0.25%, minimum $0.04 is assessed for each approved final authorization when*:

  • Authorization expired. The Final Authorization transaction is not cleared within 7 calendar days of authorization date, nor has it been fully reversed.
  • Authorization mismatch. The Final Authorization amount does not equal the clearing amount.
  • Unused Authorization. The Final Authorization transaction did not clear and full authorization reversal was not submitted. What’s really painful about this one, is if an order is cancelled, you can lose .25% of the transaction amount so you lost money not making a sale!
  • Final authorization currency code does not match the clearing currency code.

How can merchants avoid the MasterCard Processing Integrity fee?

Technology to manage the authorization and settlement process is the only way. Leaving it up to employees to figure out when an authorization is expiring and when a reversal is needed is a recipe for compliance fees like the above. Plus, chances are whatever system they’re using doesn’t even support the required data messages that need to go with the transaction.

The payment gateway plays a crucial role in authorization validity. A common misconception is that using a popular gateway, or even one owned by a card brand, or acquirer, will automatically get your transactions compliant. That is not the case.

I have extensive knowledge of many payment gateways. In my opinion, the CenPOS cloud commerce platform with suite of business solutions, including payment gateway, offers the best tools to automate authorization validity so you can avoid the MasterCard processing integrity final authorization fee as well as other penalty fees and assessments by multiple card brands.

Source: MasterCard Transaction Processing Rules 28 June 2018 TPR, Wells Fargo Payment Network Pass-Through Fee Schedule April 2016.

Christine Speedy, CenPOS Global Sales, 954-942-0483 is based out of South Florida, near Fort Lauderdale, and Rochester, NY. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

FRAUDSTERS TARGETING CALL CENTER CHAT AND NON-VOICE CHANNELS

Visa Security Alert to the risk of online chat solutions and non-voice channel services within call centers and merchant online environments, which are expected to increase along with artificial intelligence. There are known instances where threat actors compromised online chat service providers and were able to distribute malware to merchant clients designed to intercept payment card data during checkout.

Read the story here in the Visa library for merchants. https://usa.visa.com/support/merchant/library.html

The Visa alert also points out the importance of verifying your technology partners are secure and compliant. This is especially interesting in the context of this article.

The Visa Global Registry of Service Providers is Visa’s designated source for information on registered and PCI DSS-validated agents that provide payment-related services to Visa clients and merchants. Service providers that store, process or transmit Visa payment data must be registered with Visa and demonstrate PCI DSS compliance. All of the links in this article can be found on the merchant rules and  PCI compliance links

Christine Speedy, CenPOS Global Sales, 954-942-0483 is a PCI Council QIR certified professional based out of South Florida, near Fort Lauderdale, and Rochester, NY.