As your payments partner, we are committed to keeping you up to date with industry changes and card brand developments. There are six updates and reminders included here. To avoid potential inclusion in a non-compliance programme and potential non-compliance fees please ensure you act upon all which are relevant to you and your payments processing.
The details below are quite technical but that is the nature of the information being shared in such a complex industry. If you need support then in the ‘what you need to do’ section we suggest who is best placed to help, as appropriate. Depending on the element involved and your payments model that could include your payments provider or gateway support team, in case elements of your payments system aren’t provided to you by Elavon.
-
Sensory branding is a type of marketing that appeals to all the senses. Retailers use sensory branding to create strong emotional associations between customers and their brand by appealing to customers on multiple senses: visual, sound and feeling.
In a digital world where payment experiences are increasingly automatic and invisible, delivering consumer confidence in a payment transaction can be a challenge. Visa has developed a suite of sensory brand marks (animation, sound, and haptic (force/vibration)) for use with digital payment services to trigger the same emotions of trust and security that are associated with the traditional Visa logo.
Visa Sensory Branding is used to signal that an ‘event’, or activity, has occurred with their Visa card. Examples of a Visa ‘event’ that would trigger a signal (animation, sound or haptic) are
- Successful in-app transactions
- Using Visa technology to send or receive money via an issuer wallet or third-party apps
- Successful enrolment in services that require Visa credentials such as Click to Pay, Tap to Phone and more.
From 1 November 2022, Visa Sensory Branding must be integrated into all new payment experiences (excluding physical POS terminals) to signal a Visa ‘event’ on supported devices.
From 1 November 2023, Visa Sensory Branding must be integrated into all payment experiences (excluding physical POS terminals) to signal a Visa event on supported devices.
Examples of payment experiences in scope for the Visa Sensory Branding requirement include, but are not limited to, those involving eCommerce, transit, Connected Commerce and Internet of Things (IoT) devices, wearables, digital wallets and person-to-person (P2P) apps. Payment experiences involving digital POS, such as Tap to Phone (where you can pay by tapping an enabled-smartphone with a card), are also in scope for the Visa Sensory Branding requirement.
What you need to do:
You should contact your gateway support team or payment provider to ensure they are ready to support the Visa Sensory Branding on the timescale outlined.
-
Host card emulation (HCE) is a technology for securing a mobile phone such that it can be used to make credit or debit transactions at a physical point-of-sale (POS) terminal. Visa currently allows cardholder-initiated eCommerce transactions initiated from a mobile phone, using HCE technology, to be processed with an Ecommerce Indicator (ECI) 05 (Secure eCommerce) and giving merchants fraud liability protection.
From 14 October 2022, eCommerce transactions performed with HCE tokens can only be designated as ECI 05 if the transaction is performed within the Digital Authentication Framework (DAF).
A transaction can only be submitted under the Visa Digital Authentication Framework if either:
- Strong customer authentication has been completed under either of the following:
- The Visa Delegated Authentication Program (VDAP) which allows an Issuer to ‘delegate authority’ for authentication to a third-party (e.g., wallet provider, merchant).
- An agreement in force with issuers for strong customer authentication delegation
- The Transaction is eligible for an acquirer strong customer authentication exemption
What you need to do:
Gateways/Customers must continue to use the ECI value received with the Token Authentication Verification Value (TAVV) cryptogram when submitting a transaction for authorisation and use the ECI value returned in the authorisation response when submitting a transaction to clearing.
-
Mastercard Identity Check™ is Mastercard's global authentication program that supports the newly released EMV®1 3-D Secure (3DS) protocol to provide additional security for digital transactions and facilitate higher approval rates on e-commerce transactions. Mastercard supports a data integrity check to monitor ecommerce transactions where 3DS has not been performed and no exemption flag has been set. These transactions will have an increased risk of issuer declines and may incur additional data integrity fees.
What you need to do:
You should contact your gateway support team to ensure they are ready to support 3DS and all available exemptions.
-
An access control server (ACS) is part of the 3-D secure (3DS) protocol and is deployed by issuers to use different secure forms of transaction authentication based on what was initiated by the user. Mastercard’s Smart Authentication Stand-in services makes authentication decisions when an issuer’s Access Control Server (ACS) is not available.
On 14 July 2022, Mastercard will modify its Smart Authentication Stand-In Service so that Smart Authentication Stand-In no longer applies when an ACS responds to an authentication request with a response that a challenge request has been cancelled. A new Transaction Status Reason (transStatusReason) value of 84 has been introduced to indicate that a challenge was cancelled and the transaction was not sent to Mastercard’s Smart Authentication Stand-In Service
This ensures that the ACS/issuer's original intention to challenge the transaction is maintained by not allowing for a successful frictionless authentication to occur.
What you need to do:
You should contact your gateway support team to ensure the 3DS server is able to receive a new value for Transaction Status Reason (transStatusReason) of 84 from 14 July 2022. Value 84 is a Mastercard Directory Server defined value: "challengeCancel populated therefore did not route to Smart Authentication Stand-In."
-
A Purchase Account Status Inquiry (ASI) request is an Authorization Request used to obtain an issuer's validation that a cardholder's account is open and active. Previously ASI Purchase transactions would have contained a value of one major unit of currency (e.g. 1 EUR or 1 GBP) or any other small test amount that did not represent an actual purchase amount. Mastercard is clarifying that Purchase Account Status Inquiry messages should either contain a zero amount or an amount that represents an actual purchase amount in the Transaction Amount field.
What you need to do:
Ensure that you do not process ASI Purchase transactions with a value of one major unit of currency or any other nominal test amount that does not represent an actual purchase amount in the Transaction Amount field.
-
JCB is renewing the current version of their J/Secure 2.0 Directory Server (DS2.0) in 2022. Their updated Directory Server was released on 26 April 2022 and will continue to run in parallel until the end of September 2022. The current Directory Server (DS2.0) is scheduled to be terminated in October 2022.
What you need to do:
You should contact your gateway support team to ensure they already have or have plans to complete the necessary changes to migrate from the current JCB Directory Server to the updated JCB Directory Server by 1 October 2022.