Nacha governs the ACH Network, the payment system that drives Direct Deposits and Direct Payments with the capability to reach all U.S. bank and credit union accounts. Nacha builds a guide to the rules and regulations that users should abide by to ensure the network is secure for both consumers and non-consumers.
Nacha provides ACH Operations Bulletins for the latest information on changes impacting the ACH Network. Click the below link to learn more about the recent updates that may affect you as a Partner or Merchant processing ACH transactions.
[REMINDER] Mastercard Announces Timeline to Retire Physical Magnetic Stripe from Cards
Posted on
[REMINDER] Mastercard Announces Timeline to Retire Physical Magnetic Stripe from Cards
The Change: As the markets become more EMV mature there is little to no benefit to continue support of the magstripe technology (which increases the opportunity for fraud). Mastercard has announced their timetable to retire the physical magnetic stripe from the back of cards.
The Impact/Action Required: Newly issued EMV chip cards and POS devices will be required to adhere to the guidelines and effective dates outlined in the table below:
April 1, 2024: APAC, Canada, Europe (minus Switzerland), LAC, Middle East Chip-capable ATM and POS terminals must correctly process cards that are chip but not mag stripe Newly issued EMV chip cards may optionally omit the mag stripe
April 1, 2027 United States Chip-capable ATM and POS terminals must correctly process cards that are chip but not mag stripe Newly issued EMV chip cards may omit the mag stripe
[UPDATE] Mastercard Requires Support of Current Contactless Cardholder Verification Method (CVM) Limits for All Regions
Posted on
[UPDATE] Mastercard Requires Support of Current Contactless Cardholder Verification Method (CVM) Limits for All Regions
The Program: Mastercard periodically reviews and may revise the Contactless Cardholder Verification Method (CVM) limits for certain regions.
The Change: As part of their Data Integrity Monitoring Program, Mastercard is actively reviewing merchant terminal data to ensure the device’s contactless CVM limits are set in accordance with their published values (MC Edit Number 15).
The Impact/Action Required: To provide for a frictionless cardholder experience, merchant terminals must be configured with the correct contactless CVM limits by region as outlined below.
Update: Non-compliance fees will be charged to merchants identified by Mastercard as having incorrect CVM limits set in their payment terminals. All merchants should ensure proper contactless CVM limits are set in their devices no later than June 30, 2024, to avoid potential non-compliance fees.
The Program: Terminal Entry Capability (TEC) is a value that indicates the highest level of card entry a terminal is capable of accepting. To ensure compliance with processing requirements; including EMV
fraud liability and data integrity edits, it is imperative the TEC value is correct.
The Impact/Action Required: Merchants are reminded to provide the proper TEC values in both their authorization and settlement messages. Brand edits have been established to monitor and ensure that the TEC provided aligns with what the terminal actually supports. Failure to submit a proper TEC value may result in non-compliance assessments.
As an example, a transaction is considered out of compliance when the TEC sent indicates that the terminal only supports contact EMV, but the transaction was performed as contactless EMV. In this example the TEC should have properly indicated that the terminal is capable of contactless EMV.
*EMD settlement merchants are reminded of their requirement to ensure the TEC values obtained during authorization are also sent in settlement.
EMV
Posted on
EMV
[UPDATE] Certificate Authority Public (CAP) Key Requirement
The Program: The EMV standard uses Public Key technology to perform certain functions related to offline authentication, some aspects of online transactions and offline PIN encryption. Each of the card brands publish sets of these keys for use with their EMV applications. Public keys are distributed to acquirers, merchants, and solution providers to load into their terminals.
On an annual basis, EMVCo reviews the keys and makes recommendations on the expected life span (on a rolling 10-year projection window) of the different key lengths. Once EMVCo determines a key length is beginning to approach a point where it may become vulnerable, they will set the key’s expiration date.
The Change: Outlined below are the active (production) CAP key lengths and their projected expiration dates:
• 1408-bit keys have an expiry date of 12/31/2024
• Visa 1984-bit keys expiration date updated to 12/31/2033
• Mastercard 1984-bit keys expiration date updated to 12/31/2033
• Amex 1984-bit keys expiration date updated to 12/31/2033
• Discover 1984-bit keys expiration date updated to 12/31/2030
Note: Although expiration dates can change, they should not be stored on terminals.
The Impact/Action Required: When a key expires it must be removed from the terminal within six months. At this time there should only be two keys (1408-bit and 1984-bit) loaded in devices, any older/expired keys must be removed. Failure to remove expired keys may result in non-compliance assessments to merchants.
Assessments are slated to begin at $25.00 per merchant location identified as non-compliant (based upon January 2024 Mastercard data) and may continue to increase each month thereafter.
In order to avoid fees, merchants or their POS providers/ISV partners must ensure all expired keys are removed from devices and that the proper current keys are loaded.
Visa defers restrictions on standing instruction MITs until further notice
Posted on
For: All merchants
Effective date: To be determined
In the December 2022 issue of this newsletter, we announced Visa’s plan to delay restrictions on standing instruction merchant-initiated transactions (MITs) initiated by tokens to only credential-on-file (COF) tokens to February 2024. Visa has now deferred this plan indefinitely until further notice. We will notify you when Visa announces a new effective date.
CSG Forte – PCI-DSS Webinar for Merchants and Partners
Posted on
Please join CSG Compliance in Partnership with CSG Forte’s PCI Vendor – Aperia for an upcoming PCI 101 Webinar
The Account Status Inquiry (ASI) service is an optional non-financial transaction used to confirm that a cardholder’s account is open and valid, and it optionally confirms the address and Card Validation Code 2 (CVC2). Mastercard is enhancing the ASI service to allow merchants to also confirm the cardholder’s name. As a reminder, use of the ASI Service will incur a payment network pass through fee refer to the Payment Network Pass-Through Fee Schedule(PDF) – the Payment Network Pass-Through Fee Schedule(PDF).
Mastercard introduces new Merchant Advice Codes
Posted on
Effective date: November 7, 2023
Mastercard is introducing two new Merchant Advice Code (MAC) values for authorization responses. The new MAC values will inform merchants that the card product is a consumer non-reloadable prepaid card or a consumer single-use virtual card number. This information will help merchants improve card-not-present transaction management by properly identifying transactions that should not be reattempted.
Depending on the technology used to process transactions, one or more actions, such as contacting the independent software vendor (ISV), re-coding to First Data specifications (if coded directly), and updating terminals or other products and applications, may be necessary and at an added fee.
Visa introduces Account Screen in North America to help issuers block activity on closed accounts
Posted on
Effective date: October 14, 2023
Visa will introduce Account Screen, a new comprehensive global solution to enable issuers to quickly and efficiently block list accounts to stop future authorization and transaction clearing activity. Block listed accounts include those with the following action codes:
• 04—Pick up card (no fraud)
• 05—Do not honor
• 07—Pick up card, special condition (fraud account)
• 14—Invalid account number (no such number)
• 41—Lost card, pick up (fraud account)
• 43—Stolen card, pick up (fraud account)
• 46—Closed account
• 54—Expired card or expiration date missing
Merchants continuing to try to process a card after receiving one of these action codes will be subject to payment network pass through fees and potential non-compliance fees.
You are currently browsing the archives for the Compliance Updates category.
