New Rules and Fees to Enhance Ecosystem Risk Performance
Effective Date: October 2021
Overview: Visa is introducing new rules, non-compliance assessments and fees to ensure clients properly use and action declined transaction response codes that will serve to improve authorization and mitigate invalid transactions. These changes are designed to drive improvements across the payments ecosystem by encouraging good business practices which will reduce fraud, improve authorization approval rates and reduce operational costs for the ecosystem.
Securing Payment Environments
EMV has rolled out in most countries and has reached a high level of maturity. Global Visa-processed data for the year ending December 2018 shows that 85% of issuer traffic at the point of sale, excluding CNP and cash, was EMV-based. This EMV adoption is delivering an unprecedented level of security as well as high approval rates. However, in almost all markets, a small proportion of magnetic-stripe issuance and acquiring continues to attract increased fraud, lower approval rates and higher costs.
In order to promote the deployment and acceptance of EMV, Visa will introduce non-compliance assessments or fees for the following high-risk transaction criteria:
• Non-Chip Card Use: Visa will apply an issuer fee for transactions on magnetic-stripe only cards, with the exception of non-reloadable magnetic-stripe gift cards, effective October 2021. This will occur when a transaction is processed using a non-chip card, recognizing the increased risk to the system as a result of the issuer failing to offer an operating chip solution.
• No Domestic Fallback: In April 2018, Visa introduced a rule that required issuers in Canada to decline a chip card domestic transaction that occurred at a chip-enabled terminal but was processed as a magnetic-stripe transaction (POS entry mode 90). Visa is introducing a non-compliance assessment for each chip card transaction that is a fallback to magnetic-stripe at a domestic chip-enabled terminal, effective October 2021.
• Non-Chip Terminal Use: To further increase EMV acceptance, Visa introduced a rule, effective in October 2020, requiring that all merchants in Canada be EMV enabled. The effective date was extended to October 2022 for Unattended Cardholder Acceptance Terminal (UCAT) merchants. Visa is introducing an acquirer non-compliance assessment for transactions at terminals unable to support effective October 2021 for POS merchants and effective October 2023 for UCAT merchants.
Securing CNP Primary Account Number Key-Entered Transactions
In Canada in the first quarter of 2019, 20% of issuers reported fraud was identified as miscellaneous CNP. Miscellaneous CNP is a manually key-entered transaction, with POS entry mode 01 and no electronic commerce indicator (ECI) value affixed. This is a data quality issue that leads to lower approval rates and higher fraud rates. Effective October 2021, Visa will assess an acquirer fee applied to all CNP transactions that are key-entered as a POS 01 transaction. This fee will not apply to correctly flagged CNP transactions.
Visa will assess on a per-transaction basis the following fees for each of the above criteria.
Enhancing Decline Code Management
Authorization processing requires a careful balance among participants. Ensuring appropriate information flow is critical to creating optimal behavior.
An extensive review of the authorization approach highlighted that decline codes currently provide limited value, as many issuers default to selecting a single code for all declines or use codes that provide minimal value to acquirers and merchants.
This practice is creating a high volume of poorly focused merchant retry attempts, since merchants cannot easily tell a low-risk decline (e.g., lack of funds or small processing glitch) from a high-risk one (e.g., blocked card or incorrect data submitted), which results in increased costs, damaged detection processes and confused consumers.
Visa will reposition decline response codes to make them more useful while minimizing cost-creating or damaging behaviors. The existing decline codes will be grouped into categories and issuers will be expected to operate across these groups when handling authorization requests, which will require changes to response code processing.
Following consultation with clients and merchants, Visa will cluster the decline codes already in the system into the four useful categories listed below. The introduction of clustering decline codes will drive improved behavior.
• Category 1—Issuer will never approve: A sub-set of decline codes that indicates the card is blocked for use or never existed and means there is no circumstance in which the issuer will grant an approval—for example, in the case of a lost or stolen card. Effective 1 April 2021, acquirers and merchants must not retry an authorization that receives a decline response from this category. Effective 1 April 2022 attempts to authorize a transaction that has previously received a Category 1 decline will be subject to a per-transaction non-compliance assessment as outlined in the table below.
• Category 2—Issuer cannot approve at this time: A sub-set of decline codes that indicates the issuer may approve, but cannot do so now, perhaps due to a system issue, detection action or a lack of funds. This cluster covers temporary decline decisions made by issuers that may change over time. It occurs when the issuer is prepared to approve a transaction, but is unable to do so at the time and would welcome a further authorization attempt in the future—for example, as in the case of a non-sufficient funds decline code.
• Category 3—Issuer cannot approve with these details: A sub-set of decline codes that indicates the issuer cannot approve based on the details provided, such as an invalid account number, incorrect Card Verification Value (CVV), CVV2 or incorrect expiration date.
• Category 4—Generic response codes: While the great majority of declines fall into the above categories, issuers may use some specialized codes for certain circumstances. However, their usage should remain minimal. This category includes all other decline codes, many of which are of a technical nature or provide little value to acquirers and merchants. Visa will expect issuers to use appropriate and balanced response codes between the three categories, limiting the use of Category 4 to no more than 10% of their total declines. Issuers that only respond to authorization requests with a Category 4 decline and exceed the 10% limit will be subject to per-transaction non-compliance assessments for volume in excess of the limit.
Ensuring Authorization Consistency
It has become common practice among some merchants and acquirers to amend various data fields following an issuer decline to seek a gap in issuer authorization controls and detection systems in order to achieve an approval. This data manipulation is damaging to the Visa system as well as the issuer’s ability to authorize transactions effectively and consistently.
Decline Response Codes by Categories
An issuer must attempt to approve or partially approve an authorization request for any valid account number in good standing. If an issuer is unable to approve a transaction, it must use a decline response code that most accurately reflects the reason for the decline.
A VisaNet processor must not alter an issuer’s decline response code to ensure acquirers and merchants are able to identify the reason for a declined transaction. Processors must be capable of supporting an issuer’s decline response mapping according to the categories below. All other response codes are defined as Category 4.