Visa Merchant Business News Digest

The Visa Merchant Business News Digest is an online publication, providing a summary of recent Visa Business News articles. We know how important it is for you to have the pertinent information quickly and clearly, and our mission is to make that as simple as possible.  The digest provides highlights of key merchant-related publications, but is not intended to be a complete list. As always, please work with your acquirer for further information on released publications and applicable announcements.

Connection and Encryption Policies for Verified by Visa Transactions

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
16 NOV 2017

To increase security for Verified by Visa (VbV) transactions, Visa is requiring TLS version 1.2 to connect to all VbV hardware. Clients may need to make changes to their VbV infrastructure to meet the new security requirements.

In the 4 February 2016 edition of the Visa Business News, Visa announced support of the Payment Card Industry Security Standards Council (PCI SSC) bulletin on migrating from Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS) on all Verified by Visa (VbV) endpoints. Version 3.2 of the PCI Data Security Standard (DSS) was released in April 2016 and now requires that all endpoints stop using SSL and early versions of TLS.

To ensure Visa meets its compliance commitments for PCI, Visa is requiring that all VbV merchant server plug-in and access control server providers that connect to VbV production infrastructure, including the Visa directory server and the authentication history server, meet the following requirements by the specified date:

  • Effective 28 January 2018, Visa will disable the use of TLS versions 1.0 and 1.1 and the 3DES cipher, and require that secure connections to all VbV production hardware use TLS version 1.2 encryption.

Version 2.1.0 of 3-D Secure 2.0 Specifications Now Available

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
02 NOV 2017

A new 3-D Secure Protocol and Core Functions Specification v2.1.0 can be downloaded from EMVCo’s website.

3-D Secure is a messaging protocol that allows the merchant, card issuer and consumer to exchange data during an e-commerce transaction for consumer authentication purposes.

EMVCo has released 3-D Secure 2.0 Protocol and Core Functions Specification Version 2.1.0 and Bulletin 196. Bulletin 196 provides updates, clarification and errata that are incorporated into the October 2017 version 2.1.0 specification. The new 3-D Secure 2.0 specification and Bulletin 196 are available to the general public from the EMVCo website.

Global Expansion of Debt Repayment on Debit and Prepaid Cards

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
02 NOV 2017

Visa allows debt repayment to occur on debit and prepaid cards in all regions. In addition, debt repayment rules will be refined in Australia, Canada, New Zealand, the U.S. and Europe.

Visa is expanding the use of debit and prepaid cards for debt repayment. The following rules will take effect in 2018.

Effective 14 April 2018: 

  • Cardholders in all regions will be able to repay debt with debit and prepaid cards.
  • The debt repayment rules will be refined in Australia, Canada, New Zealand and the U.S.

Effective 13 October 2018, the debt repayment rules will be refined in the Europe region.

Debt Defined

The Visa Rules define debt as money owed by one party (debtor) to another party (creditor), including the obligation to repay money in connection with the following:

  • Loans
  • Credit card balances
  • Funding of the purchase of goods and/or services by a third party

According to the Visa Rules, the following are not treated as debt:

  • Lease payments where ownership of the goods does not automatically pass to the lessee at the end of the lease
  • Installment or delayed payment for the purchase of goods or services under terms provided to the cardholder by the seller of the goods or services

Additional Requirements 

For additional requirements, including changes for existing markets in Canada, Europe and the U.S. regions, as well as in Australia and New Zealand, refer to the October publication of Visa Rules found on

Global Dynamic Currency Conversion Compliance Programme Expands to Europe; International Transactions Guide Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
26 OCT 2017

The Dynamic Currency Conversion Compliance Programme now includes European acquirers. The Visa Rules and the International Transactions Guide have been updated to provide additional information about regulations, best practices and compliance procedures.

Updated Processing Requirements for Business Application Identifier and Other Clarifications for Staged Digital Wallets

19 OCT 2017

Effective 13 April 2018, acquirers must send the value of “WT” in the business application identifier field in purchase transactions and Account Funding Transactions performed with staged digital wallets.

Delay in Compliance Action for Stored Credential Framework

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
17 OCT 2017

In the 1 September 2016 edition of the Visa Business News, Visa introduced new rules related to credential-on-file transactions, including merchant disclosure requirements and transaction identifier requirements. These rules went into effect for merchants and acquirers on 14 October 2017.

However, based on stakeholder feedback, and after assessing market readiness and taking into account the holiday season system freeze, Visa will extend the time to make the necessary system changes until 30 April 2018.

While the rule is still effective as of 14 October 2017, Visa will not take any compliance action against, or impose non-compliance assessments on, non-compliant entities prior to 30 April 2018. Entities that comply with the rule by 30 April 2018 will not be required to submit a waiver request to Visa.

New Android-based Mobile Application Available for Convenient Test Card Creation

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
12 OCT 2017

Visa has released a new Android-based mobile app that combines the ability to personalise chip test cards for various testing toolkits, including the Acquirer Device Validation Toolkit, Visa Contactless Device Evaluation Toolkit, Global Host Test Cards, and other specialised test cards. This new app requires the use of a mobile handset with near-field communication capability, as well as a Visa-supplied VMCP Utility Card.

Updated Global ADVT, CDET and VpTT Versions Released

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
28 SEP 2017

Version 7.0 of the Acquirer Device Validation Toolkit and Version 2.3 of the Contactless Device Evaluation Toolkit have now been released by Visa to third-party test tool providers.

In the coming weeks, Visa will begin working with these providers to ensure test tools are available that meet the requirements of these newly released toolkit versions.

An updated Version 4.3.0 of the Visa payWave Test Tool is also available from the tool vendor for use in the Europe region.

VSDC CA 1152-bit Key Will Expire and Must Be Removed From Terminals

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
14 SEP 2017

The Visa Smart Debit/Credit (VSDC) Certificate Authority 1152-bit key will expire on 31 December 2017. After its expiration and no later than 1 July 2018, this key must be removed from VSDC terminals.

Each Visa Smart Debit/Credit (VSDC) or Visa contactless card that supports Offline Data Authentication (ODA) or Offline Enciphered PIN must contain an Issuer Public Key (IPK) Certificate that is signed by a VSDC Certificate Authority (CA) private key and provided to the issuer by the VSDC CA. These keys are validated by VSDC terminals using the associated public key.

In order to ensure that expired keys are no longer used at terminals, Visa requires that only valid, non-expired public keys be loaded into VSDC terminals.

Minor Unit Currency Changes for Icelandic Króna Cancelled

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
14 SEP 2017

Effective immediately, Visa is cancelling minor unit currency changes for the Icelandic króna that were to take effect with the October 2017 VisaNet Business Enhancements release. Clients and processors that have already changed the minor units in their processing systems must revert those changes.

Mobile Contactless Cardholder Verification Method Prioritisation Introduced

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
24 AUG 2017

Visa will partner with Visa Digital Enablement Programme participants, including issuer-branded and third-party wallet providers compliant with the Consumer Device Cardholder Verification Method (CDCVM) Requirements and Best Practices, to prioritise the CDCVM for mobile contactless payment transactions.

Visa reminds acquirers that they must support the correct version of Visa Contactless Payment Specification or EMV equivalent.

About the CDCVM

In addition to signing a receipt or entering a PIN on a merchant’s PIN pad, a contactless payment allows cardholders to verify that they are the legitimate user on the consumer’s own device via the CDCVM, which offers the following benefits to consumers and merchants:

  • Consumers are familiar with the equipment (e.g. their phones) and in most cases, the CDCVM is the same mechanism they use to gain access to their phones.
  • Consumers typically verify themselves prior to the transaction occurring, which improves throughput at checkout.
  • Consumers may verify the transaction securely and discreetly.

Recommendations for Upcoming E-commerce Regulation in Turkey

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
24 AUG 2017

This article originally ran in the 25 May 2017 edition of the Visa Business News. It is being republished, as the original effective date of 17 August 2017 has been postponed to 31 December 2017.

Please refer to the 25 May 2017 summary below for further details.

Obligation to Report Suspected or Confirmed Account Data Compromises

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
10 AUG 2017

As Visa continually monitors network intrusions involving service providers (re-breaches of merchant payment environments and skimming incidents involving POS device overlays), we are alerting clients and entities of their obligations to investigate and immediately report all data compromise events.

Virtual Cards Will Be Allowed for Lodging Reservations and Compelling Evidence

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
20 JUL 2017

Effective 14 April 2018, the Visa Payables Automation (VPA) platform will begin supporting a secure fax delivery method for issuers to validate their customer’s Visa card to a lodging merchant (e.g. hotel).

The Visa Rules will be updated to allow provision of an issuer VPA-generated fax or electronically delivered form for the lodging merchant to accept the virtual card, and to allow the virtual card to serve as compelling evidence in the event of chargebacks under Reason Code 81—Fraud: Card-Present Environment and Reason Code 83—Fraud: Card-Absent Environment.

New Implementation Date for Purchase Return Authorisation Messages

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
20 JUL 2017

Visa is postponing the implementation date for clients to support purchase return authorisation messages on credit vouchers/purchase returns and introducing a phased rollout of the requirement for merchants.

New Merchant Date Requirements:

Merchants with the largest return volumes must send authorisation messages on credit vouchers/purchase returns effective with the October 2018 VisaNet Business Enhancements release. This extends the time requirement from April 2018 to October 2018 for merchants with the largest return volumes.

Merchants with the following Visa Purchase Return volumes are included in this first phase:

Region    Annualised Visa Purchase Return Volume Minimum
AP        USD 1 million
Canada    USD 5 million
CEMEA     USD 1 million
Europe    USD 5 million
LAC       USD 1 million
USA       USD 10 million

Effective with the April 2019 VisaNet Business Enhancements release, all remaining merchants in all regions will be required to send an authorisation on a credit voucher/purchase return. This extends the time requirement from April 2018 to April 2019 for all remaining merchants. Please note the following:

  • All merchants may choose to adhere to the earlier issuer implementation schedule
  • Airline merchants will have the option to delay implementation until April 2019

Global Compromised Account Recovery Programme Will Be Modified

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
13 JUL 2017

To address the growing number of card-not-present (CNP) compromises and accelerate case processing, effective 14 October 2017, Visa will modify the Global Compromised Account Recovery Programme to include operating expense recovery for CNP account data compromises and eliminate incremental fraud recovery.

In May 2012, Visa consolidated its regional account data compromise recovery programmes into the Global Compromised Account Recovery (GCAR) Programme, which is a loss-allocation programme designed to balance the needs of Visa clients following a large-scale account data compromise event. It provides a fair and efficient process to help issuers recover a portion of the estimated incremental fraud and operating expenses associated with the account data compromise event and establishes certain limits on potential acquirer liability under the Visa Rules.

Advance Copy of Rules for Stored Credential Transaction Framework

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
15 JUN 2017

Visa is providing an advance copy of the Visa Rules related to its previously announced Stored Credential Transaction Framework updates.

Additional information can be found in the April 2017 announcement, “Stored Credential Transaction Framework Clarifications and Mandates”.

All Merchant-Supported Card Acceptance Interfaces Must Be Available to Cardholders

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
15 JUN 2017

New or upgraded acceptance devices must make all merchant-supported card acceptance interfaces for Visa transactions available to the cardholder when a transaction is initiated.

Preventing Brute-Force Authorisation Attacks

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
8 JUN 2017

Visa is providing an overview of brute-force attacks and best practices on how merchants and clients can identify and mitigate them. Issuers, acquirers and merchants are ultimately responsible for preventing this type of attack.

A brute-force attack is a trial-and-error method used by fraudsters to obtain, within seconds, payment card information such as an account number, card expiration date, PIN or Card Verification Value 2 (CVV2), as well as a user password for online account access. In a brute-force attack, automated software commonly known as a “botnet” is used as a downloader or a credential-collection tool that generates a large volume of consecutive guesses of account data.

Best Practices for Merchants:

Merchants use different criteria in their fraud-prevention strategies than issuers or acquirers. Merchants’ risk priorities are based on product type, history of chargebacks, delivery time for goods in the retail environment, time to departure in the airline industry, etc. Therefore, Visa recommends all merchants consider the following best practices:

Recommendations by process:

Real-time fraud detection:

  • Where available, use a layered validation approach that employs CVV2 and Address Verification Service (AVS).
  • All online merchants should manage fraud-detection systems that support device fingerprint, email validation and botnet detection.
  • Analyse time zone differences and browser language consistency from the cardholder’s IP address and device. The transaction may be classified as higher risk and be sent for manual review instead of bypassing the automatic approval process.
  • Look for multiple tracking elements in a purchase linked to the same device. For example, multiple transactions with different cards, using the same email address and same device ID, may be a trigger for fraud classification or review.
  • Look for logins for a single card account coming from many IP addresses.
  • Look for excessive usage and bandwidth consumption from a single user.
  • Review logins with suspicious passwords that hackers commonly use. For example, today some merchants are detecting fraud based on a grey list with sets or combinations of passwords commonly used in fraudulent transactions.

Payment gateway:

  • Payment gateways should implement tracking rules to alert on simultaneous transaction testing with low amounts at the merchant ID level.

Front-end controls:

  • Consider using Three-Domain Secure (3DS) authentication and captcha controls to prevent automated transaction initiation by robots or scripts (for example, five authorisations from one IP address or card).
  • Lock out an account if a user guesses the user name/password and any account authentication data incorrectly on “x” number of login attempts.
  • Include IP addresses with multiple failed card payment data attempts in the fraud-detection system’s black-list database for manual review.
  • In addition to velocity checks for small and large transactions, use velocity checks for low amounts or authorisation-only transactions.
  • Create a Management Information System (MIS) or report based on “Invalid Account Number” fraud detection attempts at the issuer BIN level, the account number or terminal ID level, or the IP address or device ID level.
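
The following added example (not part of the Visa publication) sketches how three of the merchant recommendations above could run over authorisation events: different cards behind one device and email, authorisation velocity per IP address, and low-amount testing per merchant ID, plus an “Invalid Account Number” report by BIN, IP address and device ID. The field names, the 60-second window, the thresholds other than the five-authorisation figure quoted above, and all sample events are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque

WINDOW_S = 60            # assumed sliding window in seconds
LOW_AMOUNT_MINOR = 200   # assumed "low amount" ceiling, in minor currency units


def sliding_hits(events, key, value, threshold, where=lambda e: True):
    """Return {key: peak count of distinct `value`s} for every key that reaches
    `threshold` distinct values inside any WINDOW_S-second span."""
    recent = defaultdict(deque)          # key -> (ts, value) pairs still in window
    flagged = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if not where(e):
            continue
        k = key(e)
        q = recent[k]
        q.append((e["ts"], value(e)))
        while q[0][0] < e["ts"] - WINDOW_S:   # drop entries older than the window
            q.popleft()
        distinct = len({v for _, v in q})
        if distinct >= threshold:
            flagged[k] = max(flagged.get(k, 0), distinct)
    return flagged


def detect(events):
    """Apply three velocity rules and return the keys that tripped each one."""
    return {
        # Different cards presented with the same device ID and email address.
        "cards_per_device_email": sliding_hits(
            events, lambda e: (e["device_id"], e["email"]),
            lambda e: e["card_ref"], threshold=3),
        # Five or more authorisations from one IP address.
        "auths_per_ip": sliding_hits(
            events, lambda e: e["ip"], lambda e: e["txn_id"], threshold=5),
        # Low-amount transaction testing at the merchant ID level.
        "low_amount_per_merchant": sliding_hits(
            events, lambda e: e["merchant_id"], lambda e: e["txn_id"],
            threshold=5, where=lambda e: e["amount_minor"] <= LOW_AMOUNT_MINOR),
    }


def invalid_account_report(events):
    """MIS-style counts of 'Invalid Account Number' responses per dimension."""
    report = {"bin": Counter(), "ip": Counter(), "device_id": Counter()}
    for e in events:
        if e["response"] == "invalid_account_number":
            for dim in report:
                report[dim][e[dim]] += 1
    return report


def sample_events():
    """Constructed data: a six-card testing burst plus two ordinary purchases.
    Card references are opaque tokens; BINs and IPs are placeholders."""
    burst = [dict(txn_id=f"t{i}", ts=i * 5, ip="203.0.113.7", device_id="dev-A",
                  email="a@example.test", card_ref=f"tok_{i:02d}", bin="999999",
                  merchant_id="M100", amount_minor=100,
                  response="approved" if i == 5 else "invalid_account_number")
             for i in range(6)]
    normal = [
        dict(txn_id="t90", ts=12, ip="198.51.100.20", device_id="dev-B",
             email="b@example.test", card_ref="tok_90", bin="888888",
             merchant_id="M100", amount_minor=5410, response="approved"),
        dict(txn_id="t91", ts=300, ip="198.51.100.21", device_id="dev-C",
             email="c@example.test", card_ref="tok_91", bin="888888",
             merchant_id="M200", amount_minor=150, response="approved"),
    ]
    return burst + normal


if __name__ == "__main__":
    for rule, hits in detect(sample_events()).items():
        print(rule, hits)
    print({dim: dict(c) for dim, c in invalid_account_report(sample_events()).items()})
```

Flagged keys are candidates for manual review or step-up controls such as 3DS or captcha, as the recommendations describe; the thresholds need tuning against a merchant’s own traffic.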

Verified by Visa Requirement for Travel Agencies Will Be Introduced

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
1 JUN 2017

To ensure Verified by Visa programme eligibility, Visa will require that airline transactions booked through travel agencies include the name of the airline in the authentication message.

Effective 14 October 2017, to ensure airline transactions purchased through a travel agency can qualify for Verified by Visa (VbV) programme benefits (including liability protection), travel agencies that use VbV must include the airline name in the VbV authentication message when an airline is the merchant of record in authorisation.

Visa Claims Resolution: Launch of Client Information Questionnaire and Testing Availability

1 JUN 2017

Visa has published an updated Best Practices for Visa Claims Resolution Migration Guide and client information questionnaire to help clients activate Visa Claims Resolution Visa Resolve Online-initiated financials and perform testing as they migrate to the new dispute process.

Recommendations for Upcoming E-commerce Regulation in Turkey

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
25 MAY 2017

Based on new e-commerce regulations in Turkey, effective 17 August 2017, all Turkish issuers are required to obtain consent from their cardholders to enable their cards to perform e-commerce transactions.

In cases where the cardholders have not yet given their consent, issuers are required to decline e-commerce transactions performed with these cards. Visa suggests certain actions be taken by the Turkish issuers and all global acquirers to address the potential impacts. Examples include actions such as using decline response “Transaction Cannot Be Completed: Violation of Law” when declining an e-commerce transaction on a card that has not received consent for this type of transaction from the cardholder.

Merchants may also customise their messages for Turkey-issued cards that are declined with “Transaction Cannot Be Completed: Violation of Law”; they may suggest that cardholders contact their issuer banks and give their consent for e-commerce transactions.

Visa Chargeback and Fraud Monitoring Programmes Will Be Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
18 MAY 2017

Effective 1 October 2017, Visa will update its merchant and acquirer level fraud and chargeback monitoring programmes to improve the efficiency of the Visa Chargeback Monitoring Programme (VCMP), update the VCMP reimbursement policy, and restrict the number of disputes that an account number can contribute to a programme identification.

Taxi Authorisations Enhanced and New Limit Set for Aggregated Transactions

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
4 MAY 2017

Effective 14 October 2017, card-absent taxi service transactions may use an estimated authorisation request and an incremental authorisation request. These authorisations will be valid for the same day.

Separately, Visa will also reduce the maximum amount of an aggregated transaction in the card-absent environment to USD 15 for all regions.

Implementation Date Change for PCI PIN Security Key Bundling Requirement

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
4 MAY 2017

The Payment Card Industry Security Standards Council has revised the implementation date for its Key Bundling requirement.

In December 2014, Version 2.0 of the Payment Card Industry (PCI) PIN Security Requirements introduced a requirement: 18-3, Key Bundling. The requirement, sometimes referred to as “key blocks” or “key bundling”, greatly improved the protection of symmetric keys that are shared among payments system participants to protect PINs and other sensitive data.

Effective 1 January 2018, encrypted symmetric keys must be managed in structures called key blocks. The key usage must be cryptographically bound to the key using accepted methods.

Stored Credential Transaction Framework Clarifications and Mandates

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
27 APR 2017

Visa is clarifying the definition of and requirements for its Stored Credential Transaction framework, including mandates to identify initial storage and subsequent usage of payment credentials. Visa is also clarifying the definition and identifiers for Unscheduled Credential-on-File transactions.

Growth in digital commerce, together with the emergence of new business models, has increased the number of transactions where a merchant or its agent, a payment facilitator or a staged digital wallet operator uses cardholders’ payment credentials (i.e. account details) that they previously stored for future purchases. Effective with the October 2017 VisaNet Business Enhancements release, merchants and acquirers must use certain data values in the authorisation message.

Reminder: PCI PIN Entry Devices Version 2.x Approval Is Expiring

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
13 APR 2017

The PCI Security Standards Council (SSC) and Visa recognise that expired devices are more vulnerable to compromise and may contribute to the theft of cardholder and PIN data. Effective 30 April 2017, Payment Card Industry PIN Entry Devices Version 2.x security approval will expire.

Visa Claims Resolution Implementation Date Change

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
11 APR 2017

The initially announced VCR implementation date was October 2017. In response to client feedback, and to help ensure the readiness of stakeholders around the world, Visa has adjusted the VCR implementation date to coincide with the April 2018 VisaNet Business Enhancements release.

Merchant POS Branding Requirements Will Be Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
2 FEB 2017

To provide additional flexibility to merchants and simplify existing rules, Visa will modify the display requirements for the Visa Point-of-Sale (POS) Graphic.

Effective 22 April 2017, Visa is modifying the display requirements for the Visa POS Graphic at the physical point of sale and at e-commerce checkouts, including application-based payments. Merchants that choose to accept Visa for one form factor are reminded that they also must do so for all Visa account payment credentials presented using the same underlying technology (e.g. near-field communication [NFC]).

Merchant Outlet Location Matching Will Be Required Throughout the Transaction Life Cycle

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
12 JAN 2017

To ensure data integrity and appropriate processing, the Visa Rules require that data elements must match between the authorisation and clearing stages of a transaction. Effective 22 April 2017, Visa will expand these rules to require that the merchant country location match throughout the rest of the transaction’s life cycle.

It is important that the same merchant country location be used in the initial purchase and in all subsequent transactions tied to the purchase. Changing the merchant country location in the purchase or subsequent transactions negatively affects the cardholder experience and can lead to unnecessary customer service calls.

Visa is introducing a compliance programme to ensure that acquirers accurately assign and disclose merchant outlet location.

Rules for Authorisation Currency Will Be Updated

REGIONS: US, AP, Canada, CEMEA, LAC, Europe
1 DEC 2016

To ensure a positive cardholder experience and increase approval rates, Visa is updating rules related to authorisation currency used for cross-border transactions, effective 1 January 2017 for acquirers in the AP, Canada, CEMEA, LAC and US regions, and effective 1 April 2017 for acquirers in the Europe region.

Visa will allow those acquirers to also send authorisation requests in their merchant’s local currency. Acquirers that wish to use this option must update their host systems. Acquirers that choose not to use this option will not be affected.

This digest consists of summaries only and does not supersede or modify Visa Business News publications. Please contact your acquirer for further information about any publications. Actual Visa Business News articles are not public materials and should not be treated as public documents (e.g. by posting them on a merchant website).

The Visa Business News was launched to Europe clients on 11 August 2016. Prior to that, announcements were communicated via Visa Europe Member Letter.