Card brand changes: March 2022

A Bank Identification Number (BIN) is a unique reference assigned to an issuer for the purpose of issuing a card product.  Each BIN is unique to one specific offering that a bank has in its portfolio, whether credit, debit, prepaid, or commercial.  The BIN is currently shown as the first six digits of the long card number on the front of each card product.
 

Due to a shortage of available numbers, all card brands are now working towards expanding the available ranges by implementing 8-digit BIN codes across their networks, beginning in April 2022.

From April 2022, no new 6-digit bins will be issued, and 8-digit bins will already be in circulation. By this date, all acceptance points will be expected to be able to correctly recognise an 8-digit BIN series, and to process the card accordingly.

What you need to do:

Elavon internal systems and products are ready for this change.

If you use BINs to drive your promotions and other solutions, you will need to ensure that your process can handle both 6- and 8-digit BINs to correctly identify new card products and most effectively target your promotions.

Examples of potential impact areas where 6-digit BINs are used are listed below. Please note that this is not a comprehensive list.

• Transaction processing
• Merchant servicing and disputes
• Fraud management
• Data warehousing and reporting

Single Tap & PIN was introduced to enable an issuer to request Online PIN (personal identification number) verification on low value contactless transactions, without the need to insert the card via chip reader. Visa and Mastercard currently mandate that Single Tap & PIN is supported for all point-of-sale (POS) devices in Central and Eastern Europe.
 

From 16 April 2022, Visa is mandating that acquirers and merchants in the European Economic Area (EEA) and the UK, ensure that POS devices comply with Version 1.5 of their - Terminal Requirements and Implementation Guidelines. The guidelines also include the details of the Single Tap & PIN requirements, noting that the UK is an offline-PIN market where a point-of-sale device will need to switch interface to insert the card to capture PIN when an issuer prompts for PIN verification to comply with SCA requirements. The Visa mandate does not apply to unattended POS terminals for transit fares and parking fees.

Mastercard have mandated support for Single Tap & PIN on all POS devices as outlined in the table below. 

New and existing terminals

The Mastercard mandate does not apply to

• Unattended POS terminals for transit fares and parking fees
• Mobile point-of-sale (mPOS) Software-based PIN Entry devices or
• The following MCCs
   

–       6010 – Manual Cash Disbursements – Customer Financial Institution

–       6011 – Automated Cash Disbursements – Customer Financial Institution

–       6012 – Merchandise and Services – Customer Financial Institution

–       4814 – Telecommunication Services

–       4900 – Utilities – Electric, Gas, Heating, Oil, Sanitary Water

–       6050 – Quasi-Cash – Customer Financial Institution

–       5542 – Fuel Dispenser, Automated

–       5552 – Electric Vehicle Charging

What you need to do:

If you are using an Elavon POS terminal, you have no action to take as we look after this for you. If you are using a third-party POS terminal, you should contact your provider to ensure Single Tap & Pin will be supported by 16 April 2022.  

Mastercard is rolling out a Europe region-wide roadmap to achieve a network migration from EMV 3D-secure (3DS) 2.1 to EMV 3DS 2.2 effective from 14 October 2022.  As part of this announcement, Mastercard also requires the support of relevant EMV 3DS features to strengthen support of the Payment Services Directive 2 (PSD2) regulation and the introduction of performance improvements not delivered since the introduction of EMV 3DS.

These additional mandated features will include

• Authentication app re-direction, eliminating the need for additional cardholder interaction to complete the Out of Band (OOB) app transactions
• Additional insights on the challenge flow performance to facilitate monitoring and problem resolution

While Mastercard will require customers to support EMV 3DS 2.2, it will not require that all transactions are sent using this version of the protocol.

What you need to do:

You should contact your gateway support team to ensure they are ready to meet the October 2022 EMV 3DS 2.2 readiness date.

Under the Payment Services Directive 2 (PSD2), most ecommerce transactions require Strong Customer Authentication (SCA) unless an exemption or exclusion (like merchant-initiated transactions (MITs)) is applied. To satisfy these PSD2 SCA requirements, customers are required to use the EMV 3DS or any other SCA compliant method to avoid issuer SCA soft declines. A SCA soft decline is a declined authorisation where the issuer requests SCA to make it successful. In this case, the merchant should re-submit the authorisation after successfully authenticating their customer with 3DS.
 

Mastercard launched the PSD2 Optimisation Program to monitor intra-European Economic Area (EEA), plus United Kingdom, ecommerce transactions to check if EMV 3DS was used after a SCA soft decline.

What you need to do:

You should contact your gateway support team to ensure that when transactions are soft declined, the transaction is retried with 3DS v1 as a minimum but preferably EMV 3DS v2.

Mastercard is introducing a new indicator to specify the type of cardholder-initiated transaction (CIT) or merchant-initiated transaction (MIT) within authorisation requests from October 2022. The new CIT and MIT indicators convey to the issuer that the merchant and the cardholder have an established relationship and an agreement to use stored payment credentials as part of the transaction process, making it easier for issuers to identify legitimate transactions, and make better informed authorisation decisions.

The new indicators will distinguish the following CIT and MIT types of ecommerce transactions and aligns with the existing Visa MIT framework.

Cardholder-initiated transaction (CIT) is any transaction where the cardholder is actively participating in the transaction. Transactions may be performed based on credentials provided by the cardholder at the time of transaction or a stored credential-on-file (COF) from a previous interaction. Transactions can occur as an in-store point-of-sale (POS) transaction, an ecommerce transaction, a mail order/telephone order transaction (MOTO), or an ATM transaction.

Merchant-initiated transaction (MIT) is a transaction where the cardholder is not actively participating in the transaction. MITs may often be preceded by either a CIT or an Account Status Inquiry (ASI).

Recurring Payment or Instalment MIT:

A transaction arising from an agreement between the cardholder and the merchant whereby the cardholder agrees for the merchant to store the cardholder’s credential and to use that stored credential-on-file (COF) for a subsequent purchase of goods or services. These transactions may be classified as

• standing order
• subscription
• instalment, or
• unscheduled credential-on-file.

Industry Practice MIT:

A transaction initiated by the merchant to fulfil a business practice that most often occurs after an initial interaction with the cardholder. Industry practice transactions may be performed with credentials that are stored on file, or credentials that are not stored on file, but are rather temporarily retained by the merchant as agreed to by the consumer. These industry practice MITs may be classified as

• partial shipments
• related or delayed charge
• no show, or
• resubmission
  
   

What you need to do:

If you are using a third-party integrated POS solution or gateway provider, you should contact your service provider to ensure they will be ready to support these new indicators for Mastercard MIT and CITs for October 2022.

Digital Secure Remote Payments (DSRP) bring tokenisation and dynamic cryptograms to ecommerce with a transaction flow that utilises the mobile device capabilities and includes elements such as authentication, token retrieval, and cryptogram generation. DSRP uses dynamic cryptograms unique to each transaction, the generated cryptograms will only be valid for one single transaction and cannot be reused once it has been utilised.

From June 2022, Mastercard will validate the DSRP cryptogram when present in all ecommerce cardholder-initiated transactions (CIT) and merchant-initiated transactions (MIT) to ensure authenticity of the transaction and the integrity of the data used in the generation of the DSRP cryptogram. From 7 June 2022, Mastercard will start declining transactions that have replayed/non-unique DSRP cryptograms.

Although DSRP cryptograms are not required currently in MITs due to the lack of cardholder interaction, some merchants choose to submit DSRP cryptograms to strengthen the security of the transactions. If DSRP cryptograms are provided they must be unique for each transaction request.

What you need to do:

You should contact your gateway support team to ensure that DSRP cryptograms are never replayed and will always be unique.

Maestro-branded cards don’t provide cardholders with the features that they expect in a digital economy, as a large portion of Maestro-branded cards are still not enabled for ecommerce. Mastercard is announcing plans to replace Maestro-branded cards with the Mastercard brand in the Europe region. From 1 July 2023 new cards, renewals and replacements of Maestro-branded cards must be issued as Mastercard card programs.
 

What you need to do:

If you are using an Elavon point-of-sale (POS) terminal or ecommerce gateway you have no action to take as we look after this for you. If you are using a third party your POS or Gateway provider, you should contact your provider to ensure they can support Mastercard Debit acceptance.

The support of PIN Entry Bypass on terminals is currently optional for Mastercard contact transactions at attended terminals. Mastercard is announcing that the support of PIN Entry Bypass will not be allowed on newly deployed point-of-sale (POS) terminals in Europe from 12 April 2022 and on all POS terminals from 12 October 2022.

Bypassing the PIN and moving to signature cardholder verification method (CVM) increases the risk of fraud on a transaction. Customers will benefit from a reduced risk of fraud on card payments with the removal of the option to bypass the PIN and use signature as the CVM. Chip migration is sufficiently mature in the Europe region that PIN bypass is no longer needed to ensure successful transactions.

What you need to do:

If you are using an Elavon POS terminal, you have no action to take as we look after this for you. If you are using a third-party POS terminal, you should contact your provider to ensure Single Tap & Pin will be supported by 16 April, 2022.

Purchase with CashBack (PWCB) allows merchants to provide cashback amounts in addition to sales or purchase amounts to the customer. Mastercard is mandating that contactless PWCB is supported on attended POS terminals whenever this service is offered on the contact interface for the countries below.

Applicable countries Albania, Austria, Bulgaria, Cyprus, Czech Republic, Greece, Hungary, Kosovo, Macedonia, Malta, Montenegro, Poland, Romania, Serbia, Slovakia, and Slovenia

Domestic and international PWCB transactions in these countries must be authorised with online PIN or offline PIN for contact transactions as today, and online PIN or Consumer Device Cardholder Verification Method (CDCVM) for contactless transactions. Authorisation must be for the full amount, including both the purchase and cash back amounts.

These rules come into effect from 15 July 2022 on new terminals and from 30 June 2023 on all terminals for the listed countries. 

What you need to do:

If you are using an Elavon point of sale (POS) terminal, you have no action to take as we look after this for you. If you are using a third-party POS terminal, you should contact your service provider to ensure they are updating their systems and your POS terminals in line with the dates above.

Mastercard previously introduced new mobile point-of-sale (mPOS) indicators to differentiate between the type of reader an mPOS terminal requires (internal or external) and the type of personal identification number (PIN) entry support (hardware-based on a physical external keypad, or software-based on the touch screen of the consumer off-the shelf (COTS) device).

Implementation of these indicators will be mandatory for all new and existing pilots and deployments of software-based mPOS solutions from 31 December 2021. The indicators will differentiate the following combinations of reader types and PIN entry support.

• External reader and software PIN entry (also known as SPoC)
• Embedded reader and no PIN entry (also known as CPoC with no PIN or Tap on Phone)
• Embedded reader and software PIN entry (also known as Tap on Phone with PIN)
• External reader and hardware PIN entry (previously known either as hybrid mPOS or chip-only mPOS) 
• External contact-only reader and no PIN entry (previously known either as chip-capable mPOS or chip-only mPOS)

This mandate will not apply to legacy implementations of mPOS terminals making use of an external reader (with optional physical keypad for PIN entry) paired with a mobile device to accept magnetic stripe, chip, or contactless payment cards (using the mobile device solely for communication) that are already in service.

What you need to do:

If you are using an Elavon mPOS terminal, you have no action to take as we look after this for you. If you are using a third-party mPOS terminal, you should contact your provider to ensure these indicators are supported. 

Mastercard is announcing the sunset of MasterPass by Mastercard in the Europe region. MasterPass was a Mastercard digital wallet that supported a checkout process across purchases online, in-app, and in-store with one secure account. Since 16 November 2021, if the MasterPass button is still on merchant websites and a cardholder uses it, Mastercard will display a message to the cardholder informing him or her that MasterPass is no longer available.
 

What you need to do:

Elavon does not anticipate any disruption because of this product sunset as Mastercard had already disabled new MasterPass user registrations and any cardholders that still had active MasterPass accounts, will already have received an email message from Mastercard regarding the sunset.

You should, however, ensure that the MasterPass button is removed from your websites and any references are removed from your marketing materials.

Under the Payments Services Directive 2 (PSD2), strong customer authentication (SCA) is required on transactions in the European Economic Area (EEA) and the UK. Merchant-initiated transactions (MITs), which are sent when the cardholder is not available, must use Visa’s MIT framework to indicate they are out of scope of the PSD2 SCA regulation.

Merchants commonly perform MITs without the active participation of the cardholder to:

• Perform a transaction as a follow-up to a cardholder-initiated transaction (CIT)
• Perform a pre-agreed instruction from the cardholder for the provision of goods or services

The MIT framework covers two types of MITs:

Industry-Specific Business Practice MITs

MITs defined under this category are performed to fulfil a business practice as a follow-up to an original cardholder-merchant interaction that could not be completed with one single transaction.

The following transaction types are industry-specific transactions.

• Incremental Authorisation Transaction
• Resubmission Transaction
• Delayed Charges Transaction
• Reauthorisation Transaction
• No Show Transaction
• Prepayment Transaction

Standing-Instruction MITs

MITs defined under this category are performed to address pre-agreed standing instructions from the cardholder for the provision of goods or services.

The following transaction types are standing-instruction transactions.

• Instalment and Prepayment (partial & full) Payment Transaction
• Recurring Payment Transaction
• Unscheduled COF Transaction

There are two important requirements to correctly process a MIT transaction. The transaction must be flagged correctly to distinguish which of the MIT transaction types described above apply.

Secondly, the MIT transaction must contain the Original Transaction Identifier (OTID) of the initial cardholder-initiated transaction (or previous MIT). This requires that the Original Transaction Identifier is stored and subsequently retrieved and populated in the appropriate field of MIT transactions.  As they were preparing to comply with the PSD2 regulation, several merchants were not yet able to do this.  Visa provided European acquirers with an Interim Transaction Identifier (under a waiver) to allow additional time for merchants’ outstanding integration changes. Elavon populates this Interim Transaction Identifier in MITs where the Original Transaction Identifier is not provided by the customer/gateway.

Visa is discontinuing support for the Interim Transaction Identifier from 31 October 2022; however, Visa will begin to accrue non-compliance penalty fines from August 2022. Visa will cease acceptance of the Interim Transaction Identifier in transactions starting 1 November 2023.

What you need to do:

Transitioning to the use of a valid transaction identifier in MITs is critical to avoid non-compliance penalties. If you are using a third-party integrated POS solution or gateway provider, you should contact your service provider to ensure they will be ready to capture a valid transaction ID returned in an authorisation response so that it can be populated in the OTID field for subsequent MITs before August 2022.

Standing instruction MITs are transactions that address pre-agreed instructions from cardholders for the provision of goods and services and are performed as follow-ups to a cardholder-initiated transaction (CIT).

Other than by using primary account numbers (PANs), a popular method to initiate a standing instruction MIT is done by the merchant accepting a token payload provided by a digital wallet (e.g. Apple Pay and Google Pay). From 16 October 2022, Visa will restrict standing instruction MITs initiated by tokens to card-on-file (COF) tokens only, set up of standing instruction MITs via a token payload from a digital wallet will no longer be allowed.

This change is being implemented to provide a higher level of security as COF tokens are domain-restricted to the merchant and provide a higher level of security and better visibility of the end-merchant to the issuer.

Tokens will continue to be supported for CITs and industry-standard MITs as usual.

What you need to do:

You should contact your gateway support team to initiate the process to support COF tokens for Standing Instruction MIT set up. 

Visa has determined through a series of investigations involving fraud events that fraudsters use the Merchant IDs (MIDs), Card Acquirer IDs (CAIDs) and Terminal IDs (TIDs) printed on transaction receipts for illicit purposes.

Visa rules are being updated to restrict the printing requirements for cardholder receipts and merchant copies. While many acquirers and processors have already discontinued this practice as a security precaution, printing MIDs, CAIDs and TIDs on transaction receipts is still a common practice throughout the payments system.

From 15 October 2022, only the last four digits of MIDs, TIDs and CAIDs are allowed to be printed on the cardholder’s receipt for new devices or gateways. All digits can be printed on the merchant’s copy. From 16 October 2027, these rule changes extend to all devices or gateways.

What you need to do:

If you are using an Elavon point-of-sale (POS) terminal or ecommerce gateway, you have no action to take as we look after this for you. If you are using a third-party POS or Gateway provider, you should contact your provider to ensure they can support Mastercard Debit acceptance.

What you need to do:

Ensure that the updated Visa brand mark is used in physical displays to indicate acceptance at point of purchase, in-store signage, on terminals and in other signage or advertising by 1 November 2023.