Card brand changes: March 2023

All card brands have announced changes to minor units for Icelandic Krona. All transactions must be processed with zero minor units. Transactions that are submitted after 14 April 2023 must be submitted with zero minor units.

What you need to do: 

If you are using an Elavon point-of-sale (POS) terminal or ecommerce gateway you have no action to take as we look after this for you. If you are using a third-party POS or Gateway provider, you should contact your provider to make sure they can support the change to minor units.

​Mastercard – EMV 3DS2.2 ecommerce roadmap

Mastercard rolled out a Europe region-wide roadmap to achieve a network migration from EMV 3DS 2.1 to EMV 3DS 2.2 effective from 14 October 2022.  As part of this announcement, Mastercard not only required support for EMV 3DS 2.2, Mastercard also requires the support of key EMV 3DS features as outlined below:

• All ecommerce businesses must support EMV 3DS v2.2 as of 14 October 2022. Mastercard have announced a compliance program to support use of the latest available versions of the 3DS protocol. Mastercard will begin monitoring on 1 May 2023, with assessments beginning on 24 September 2023. Mastercard will consider a 3DS request to be non-compliant when the 3DS version used is lower than 2.2 when the card issuer can support 2.2 or higher.

• All ecommerce businesses must support and perform authentication app re-direction through the merchant app, the 3DS SDK and EMC 3DS v2.2 transactions if the cardholder authentication method is OOB (out of band).

• 3RI payments are optional however they offer you the option to system-generate a payment transaction when the cardholder is not in session. These transactions are used for use cases where there is an initial purchase transaction while the cardholder is in session, called consumer-initiated transaction (CIT), followed by subsequent transactions that are 3RI MIT (Merchant-initiated Transaction). With 3RI payments, you can provide evidence, using the DS Transaction ID field, that SCA has been performed where the customer was involved and maintain your fraud liability protection for the full amount that has been authenticated. 

What you need to do: 

In order to avoid potential non-compliance penalties, you should contact your gateway support team to make sure they are correctly supporting EMV 3DS 2.2 in line with the above requirements. 

Under PSD2, most ecommerce transactions require Strong Customer Authentication (SCA) unless an exemption or exclusion (like merchant-initiated transactions (MITs)) is applied.

To satisfy these PSD2 SCA requirements, customers are required to use the EMV 3DS or any other SCA-compliant method to avoid issuer SCA soft declines. A SCA soft decline is a declined authorisation where the issuer requests SCA to make it successful. In this case, you should re-submit the authorisation after successfully authenticating your customer with 3DS.

Mastercard launched the PSD2 optimisation program to monitor transactions to check if EMV 3DS 2.x was used after a SCA soft decline. Where a customer is identified as failing this check, under this programme, non-compliance penalties could apply.

What you need to do:  

You should contact your gateway support team to make sure that when transactions are soft declined, the transaction is retried with EMV 3DS 2.x. 

Visa, AMEX and Diners have all announced changes to enhance authorisation processing:

• Visa have made changes to allow all merchants to use pre-authorisations and incremental authorisations for purchase transactions, with some specific exclusions including cash disbursements, recurring/installment payments and Account Funding Transactions (AFTs).

• AMEX have announced an expansion of the merchant category codes that can avail of pre-authorisations for purchase transactions. Merchant category codes added are:
  • Beauty and Barber Shops – MCC7230
  • Health and Beauty Spas – MCC7298
  • Truck Rentals – MCC7513
  • Motor Home and Recreational Vehicle Rentals – MCC7519

• Diners have clarified that the pre-authorisation option is available for Hotels, Car Rental and Taxi-Cab Merchants in addition to Automated Fuel Dispensers (AFDs). They have also announced changes to AFD limits with an increase from USD$100 to USD$175.

What you need to do:

If you are interested in any of these enhancements to authorisation processing, please contact Elavon to discuss obtaining certification.

Single Tap & PIN was introduced to enable an issuer to request Online PIN (Personal Identification Number) verification on low-value contactless transactions, without the need to insert the card via a chip reader.

Visa currently mandate that Single Tap & PIN is supported for all point-of-sale (POS) devices in the European Economic Area (EEA) and the UK. The Visa guidelines include the details of the Single Tap & PIN requirements, noting that the UK is an offline-PIN market where a point-of-sale device will need to switch interface to insert the card to capture PIN when an issuer prompts for PIN verification to comply with SCA requirements. The Visa mandate does not apply to unattended POS terminals for transit fares and parking fees. Visa have a program in place to monitor compliance with this mandate. Failure to comply with this may result in potential non-compliance penalties.

Mastercard currently mandate that Single Tap & PIN is supported for all POS devices in Europe with the exception of Finland, France, Italy, Monaco, San Marino and Vatican City. These markets are mandated to support from 31 December 2023.

The Mastercard mandate does not apply to

• Unattended POS terminals for transit fares and parking fees
• Mobile point-of-sale (mPOS) software-based PIN entry devices or
• he following MCCs:
  • 6010 – Manual Cash Disbursements – Customer Financial Institution
  • 6011 – Automated Cash Disbursements – Customer Financial Institution
  • 6012 – Merchandise and Services – Customer Financial Institution
  • ​4814 – Telecommunication Services
  • 4900 – Utilities – Electric, Gas, Heating, Oil, Sanitary Water
  • 6050 – Quasi-Cash – Customer Financial Institution
  • ​5542 – Fuel Dispenser, Automated
  • ​5552 – Electric Vehicle Charging

What you need to do:

If you are using an Elavon-provided POS terminal, you have no action to take as we look after this for you. If you are using a third-party POS terminal, you should contact your provider to make sure Single Tap & PIN is currently supported for Visa and Mastercard, or, for Mastercard only, by 31 December 2023 for the listed markets.  

From 28 March 2023, in line with the Payment Services Directive 2 (PSD2), there is a change needed to the way Merchant Initiated Transactions (MIT) are processed.

From this date, MITs with the Interim Transaction Identifier may not be used.  The original transaction ID must be used. If this change is not implemented these transactions will be declined.  In addition, fines levied by Visa for non-compliance may be passed onto you.  

There are two options to obtain a valid Original Transaction Identifier (OTID) to replace the Interim transaction ID:

•  Request a Cardholder Initiated transaction (reauthenticate) and store OTID for future use.
• Use Transaction ID of any previous MIT within the same merchant-cardholder agreement

What you need to do:

If you have not already spoken to your gateway provider about this change, you need to contact them immediately.  It is important that you know what the implementation plan is for your business, so that you do not end up with declined MITs from 28 March 2023 and potential fines.

Visa has announced that the Visa Directory Server (DS) will be hosted by an additional two data centres: one in Basingstoke in the UK from 24 April 2023 and another in India in June 2023. This will help ensure resilience and availability of Visa services.

To prepare for enablement of the DS instance in the Basingstoke, UK data centre, all gateways must add and/or update any firewall rules or allow lists with the new UK IP addresses before 24 April 2023 to avoid service interruptions. Additionally a Domain Name System (DNS) lookup should be always be performed to determine the Visa Secure EMV 3DS DS IP addresses. The existing global URL will remain the same with the addition of the new DS instance in the UK and will continue to be used for all transactions (except for those initiated by India-located 3DS Servers).

What you need to do:

If you are using a third-party gateway provider, you should contact your service provider to make sure they are aware of this improvement and have conducted self-testing to determine their ability to connect inbound to the new DS instances. Failure to complete the required actions before these changes are implemented will result in service interruptions.

Purchase with CashBack (PWCB) allows merchants to provide cashback amounts in addition to the purchase amount itself to the customer. Mastercard is mandating that contactless PWCB is supported on attended POS terminals whenever this service is offered on the contact interface for the countries below.

Applicable countries

• Albania
• Austria
• Bulgaria
• Cyprus
• Czech Republic
• Greece 
• Hungary
• Kosovo
• Macedonia
• Malta
• Montenegro
• Poland
• Romania
• Serbia
• Slovakia
• Slovenia

All PWCB transactions in these countries must be authorised with online PIN or offline PIN for contact transactions as today, and online PIN or Consumer Device Cardholder Verification Method (CDCVM) for contactless transactions. Authorisation must be for the full amount, including both the purchase and cash back amounts.

These rules came into effect from 15 July 2022 on new terminals and are coming into effect from 30 June 2023 on all terminals for the listed countries.

What you need to do:

If you are using an Elavon-provided point of sale (POS) terminal, you have no action to take as we look after this for you. If you are using a third-party POS terminal, you should contact your service provider to ensure they are updating their systems and your POS terminals in line with the dates above.

A payment transaction is defined as a disbursement or payout transaction from businesses to consumers, for example crediting for gaming or gambling winnings or payment of insurance settlements to cardholders.

Mastercard is introducing an edit to support compliance for payment processing rules. This edit will reject first presentments for payment transactions that do not have an approved final authorisation for the same amount.

What you need to do:

To prevent declined or rejected transactions, you are reminded to ensure you obtain an approved authorisation response before first presentments are made.