Initiatives of the Payments Industry

Electronic Payments Industry Information

This section is provided by Global Payments Inc. as an informational tool to help you stay informed on pertinent industry information, Visa® and MasterCard® compliance requirements and other information about the electronic payments industry.

Securing Cardholder Account Information

Industry Regulations

Payment Card Industry Security Standards Council (PCI SSC)

The PCI SSC is the membership organization responsible for three important security standards related to safeguarding payment transaction data.

  • PCI DSS - Payment Card Industry Data Security Standard
  • PA DSS - Payment Application Data Security Standard
  • PCI PTS - Point of Sale PIN Transaction Security Standard

All parties involved in payment card acceptance must safeguard payment transaction data and comply with the applicable standard(s). If a system with payment card information is hacked or stolen, then the compromised party must take steps to report the data security breach and work with forensics investigators, law enforcement, merchant acquiring staff and others to report findings. The best defense is to implement data security operating policies, limit stored payment card data and safeguard data that is necessary.

Merchant Obligations

The card associations developed the PCI DSS to help strengthen data security at the merchant level and combat credit card data compromises. Merchants with point-of-sale (POS) systems and computers with an internet connection are at significant risk for having sensitive data - such as customer credit card data - stolen. This kind of theft from security breaches at merchant locations - both large and small - has cost merchants millions of dollars in fines, restitution and reputation. All merchants with internal systems that store, process or transmit cardholder data must comply with Payment Card Industry (PCI) Security Standards.

PCI DSS Program for Level 4 Merchants

To demonstrate our level of commitment, Global Payments has engaged with a Qualified Payment Application Security Company to help Level 4 Merchants determine their risk and provide direction to solutions. To participate in Global Payments' PCI DSS Compliance Program, merchants should click here.

Merchant Obligation Quick Tips

Here are three quick tips to reference to help explain your responsibilities as a merchant to ensure you comply with all PCI DSS/PA DSS mandates:

  • Complying with PCI DSS is a merchant's responsibility. If you don't need it, then don't store it. Merchants, agents and service providers should not store cardholder data unless there is a legitimate business need.
  • Use secure payment applications. A Visa mandate indicates all required merchants use PA DSS compliant applications by 7/1/2010.
  • The easiest and most efficient method to ensure you as a merchant are PCI DSS/PA DSS compliant is to consult a Qualified Security Assessor (QSA). The QSAs are companies that can guide and assist you through each step of the PCI DSS/PA DSS process. Being secure is a requirement and your responsibility as a merchant, and the QSAs can ensure you have everything you need and answer all your questions concerning PCI DSS/PA DSS.

For more detailed information and steps to ensure you are complying with PCI DSS/PA DSS mandates click the Payments Card Industry Security Standards for Merchants link below.

Payment Card Industry Security Standards for Merchants

Click here for more information.

All third parties with internal systems that store, process or transmit cardholder data on behalf of merchants must comply with Payment Card Industry (PCI) Security Standards. Compliance validation is required for all third parties that store, process or transmit cardholder data on behalf of merchants and member financial institutions.

Payment Card Industry Data Security Standards for Service Providers

Visa and MasterCard have collaborated in creating payment card industry standard security requirements and in aligning the Visa USA Cardholder Information Security Program (CISP) and MasterCard Site Data Protection (SDP) programs in the United States, and SDP and Visa's Accountholder Information Security (AIS) Program outside of the United States. In December 2004, Visa US and MasterCard announced the alignment of their programs, re-branded as Payment Card Industry (PCI) Data Security Standards. The MasterCard SDP, Visa USA CISP and Visa Canada AIS Programs share the similar goal of protecting payment card account data stored by merchants and service providers, and include a review of policies, procedures and safeguards in addition to network scans. These goals have been endorsed by Discover, JCB, and Diners Club and are under review by American Express.

All third parties with internal systems that store, process or transmit cardholder data on behalf of merchants must comply with Payment Card Industry (PCI) Security Standards. Compliance validation is required for all third parties that store, process or transmit cardholder data on behalf of merchants and member financial institutions. Validation requires regular network scans and annual validation of policies and procedures. Level 1 and Level 2 Service Providers must engage a qualified independent security assessor to prepare a Report on Compliance and Level 3 Service Providers may complete the self-assessment or utilize self-assessment tools available through qualified independent security assessors.

Network scanning tools map the Web site's configuration and check it against a database of more than 1,200 known vulnerabilities. A network scan may also include intrusion detection services, firewall monitoring and additional web insurance. Network scans must be performed by a qualified independent scan vendor.

The Level 1 Service Provider group includes all processors that are connected to VisaNet and MasterCard networks. Global Payments has met the PCI requirements for 2005. The Level 1 Service Provider group also includes all payment gateways that operate between merchant and Global Payments or between merchant and other processors. The Level 1 Service Provider group was expanded to include Data Storage Entities (DSEs) for Level 1 Merchants (more than 6 million MasterCard or Visa transactions regardless of acceptance channel) and Level 2 Merchants (more than 150,000 and less than 6,000,000 electronic commerce transactions).

The Level 2 and Level 3 Service Provider group includes all third party service providers (example: Third-Party Servicer (TPS), Independent Sales Organizations (ISO), merchant vendor, Web hosting company or shopping cart, media back-up company, Loyalty program vendor, Risk management vendor, chargeback vendor, and credit bureau) not in Level 1 that store, process or transmit transactions. The number of transactions will be determined based on the gross number of Visa transactions stored, processed or transmitted--not just for the merchant or Member supported but for all entities supported by a service provider. The Level 2 and Level 3 Service Provider group also includes third party Data Storage Entities storing data on behalf of Level 3 Merchants (more than 20,000 and less than 150,000 electronic commerce transactions) or Level 4 Merchants (all other merchants, regardless of acceptance channels).

Visa requires service providers to provide compliance validation results directly to Visa. After a Level 1, 2 or 3 Service Provider has provided compliance documentation demonstrating full compliance to Visa USA, they will be included on the list of Compliant Service Providers. To view the current Visa list, click here.

Third parties that receive, pass and store transaction data for merchants should have agreements with merchants.

The following is a summary of the compliance validation steps required for third parties (including ISOs, loyalty, etc.) that store cardholder data.

Compliance validation tools are available at https://www.pcisecuritystandards.org

Level 1

  • Description: Processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year.
    Note: Eliminates payment gateway definition from several existing regional programs.
  • Compliance Validation Requirements:
    • Complete an annual on-site assessment using the PCI DSS Requirements and Security Assessment Procedures. On-site assessment must be performed by a Qualified Security Assessor.
    • Complete Quarterly Network Vulnerability Scans performed by an Approved Scanning Vendor (ASV).
  • Compliance Validation Tools:
    • PCI DSS Requirements and Security Assessment Procedures v1.2
    • List of PCI SSC Qualified Security Assessors (QSA)
    • List of PCI SSC Approved Scanning Vendors (ASV)

Level 2

  • Description: Any service provider that stores, processes and/or transmits less than 300,000 transactions per year.
    Note: Effective January 1, 2009, MasterCard will no longer list those Service Providers who have only submitted an SAQ. The posting will contain only those entities who have successfully completed an annual onsite review.
    Note: Effective February 1, 2009, Level 2 service providers will no longer be listed on Visa's List of PCI DSS Compliant Service Providers. Entities that wish to be on the List of PCI DSS Compliant Service Providers must validate as a Level 1 provider.
  • Compliance Validation Requirements:
    • Annual PCI Self-Assessment Questionnaire
    • Quarterly Network Scan

American Express and Discover's Service Providers Regulations

American Express Data Security Operating Policy for U.S. Service Providers

Service Providers must adhere to American Express Data Security Policies.

Review this article for detailed information on Data Security Operating Policy for U.S. Service Providers.

Discover Service Provider Compliance Validation and Reporting Requirements

All service providers that process, store or transmit cardholder data on the Discover network are required to report their compliance status to Discover Network on an annual basis. In order to validate and report their compliance status to Discover Network, service providers must complete and submit one of the following:

On-site assessment
Service providers that completed an on-site assessment using PCI DSS v1.2 are required to submit Appendix E of the PCI DSS Requirements and Security Assessment Procedures v1.2: Attestation of Compliance - Service Providers, as well as the Executive Summary of the Report on Compliance (ROC).
Note: Discover requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance.

Self-Assessment
Service Providers that completed an on-site assessment using PCI DSS v1.1 are required to submit the Executive Summary from their Report on Compliance (ROC). Please note: all assessments that commence after January 1, 2009 must use PCI DSS v1.2.
Service providers that perform a self-assessment are required to complete PCI DSS Self-Assessment Questionnaire D and submit the Service Provider Version of the Attestation of Compliance.
Note: Discover requires service providers that are not fully compliant with the PCI DSS to also complete the "Action Plan for Non-Compliant Status" section of the Attestation of Compliance.
All compliance reports must be submitted by December 31 for the current year. For more information visit Discover's Information Security and Compliance (DISC) Web site.

Additional Service Providers

For more information on Service Providers, visit the card schemes' links.

Validation procedures and documentation

Effective February 1, 2009, Visa will only require submission of an executed Attestation of Compliance Form https://www.pcisecuritystandards.org/documents/pci_dss_aoc_service_providers.doc and the “Executive Summary” section of the service provider's Report on Compliance (ROC) to demonstrate PCI DSS compliance as a Level 1 service provider. Level 2 service providers will submit version D of the Self-Assessment Questionnaire (SAQ).

Here are some additional industry links regarding PCI DSS:

EMV U.S. Migration

The card schemes have all implemented mandates to ignite the movement of EMV technology in the U.S. to help reduce credit card fraud and move towards the next level of technology.

Card Schemes Mandates

American Express

American Express will work alongside other industry participants to drive interoperability across the U.S. and other countries and support chip-based technology for chip and PIN, chip and Signature, contactless and mobile transactions. The company's key policy requirements and dates are:

  • Processors must be able to support American Express EMV chip-based contact, contactless and mobile transactions.
  • A merchant is eligible to receive relief from PCI Data Security Standard (DSS) reporting requirements if the merchant's point-of-sale (POS) acceptance locations, where 75% of its transactions occur, are enabled to process American Express EMV chip-based contact and contactless transactions.
  • Effective October 2015, American Express instituted a Fraud Liability Shift (FLS) policy that transferred liability for certain types of fraudulent transactions away from the party that has the most secure form of EMV technology. U.S. fuel merchants will have an additional two years.
  • Effective October 2017, the FLS takes effect for transactions generated from automated fuel dispensers.

For more information, visit American Express' website.
http://about.americanexpress.com/news/pr/2012/emv_roadmap.aspx


Discover

Discover announced it is implementing a US EMV mandate.

  • Acquirers/processors and direct-connect merchants in the U.S., Canada and Mexico must have the ability to accept contact and contactless EMV transactions. Discover's approach to EMV is both universal and choice-centric, meaning it will not restrict any channel, verification process or transaction type.
    • Discover will support:
      • All card authentication channels - including online and offline
      • All cardholder verification methods - including both chip & PIN or chip & Signature transactions
      • All commerce channels - including contact and contactless (which includes mobile)
  • Discover has granted PCI Audit Waivers for the annual PCI DSS audits for a merchant that processes 75% of both contact and contactless transactions.
  • Discover has instituted a fraud liability shift for all POS terminals excluding Automated Fuel Dispenser (AFD) merchants. This liability shift benefits the issuer or merchant that leverages the highest level of available payments security.
  • Effective October 2017: AFD merchants are eligible for the liability shift.

 

For more information, visit Discover's website.
http://www.discovernetwork.com/chip-card/index.html


MasterCard

MasterCard announced its U.S. EMV Roadmap, which included all card authentication channels, all cardholder verification methods and all commerce channels.

For more information, visit MasterCard's website.
https://www.mastercard.us/en-us/merchants/safety-security/emv-chip.html

 

Visa

Visa announced their Accelerate U.S. EMV Chip Migration Strategy.


For more information, visit Visa's website.
http://usa.visa.com/merchants/payment_technologies/chip_card.html

Global Payments is striving to meet the industry mandates and assist our clients throughout their migration process.

Merchant Class Action Litigation Settlement

In November 2012, the federal district court overseeing In re Payment Card Interchange Fee and Merchant Discount Antitrust Litigation (MDL 1720), the merchant class action interchange litigation against MasterCard, Visa and other defendants, preliminarily approved a class settlement agreement that resolves antitrust claims involving MasterCard and Visa's interchange and merchant acceptance rules in the U.S. and its territories.

Please see https://www.paymentcardsettlement.com/en for additional information and requirements.

MasterCard and Visa Changes

Following the class action litigation settlement, U.S. merchants are now allowed to surcharge MasterCard and Visa Credit card transactions (not debit or pre-paid card transactions) at the "brand level" (i.e. MasterCard or Visa) or at the "product level," but not both, subject to the following requirements:

  • First, a U.S. merchant's surcharges on MasterCard and Visa Credit card transactions cannot exceed certain levels.
  • Second, for U.S. merchants that accept credit or charge cards of other payment network brands (i.e. American Express, Discover), surcharging practices are subject to a competitive "level playing field" limitation that depends on whether those payment network brands impose surcharge restrictions on credit cards and the merchants' costs of accepting those credit cards.
  • Third, a U.S. merchant that chooses to surcharge (MasterCard and Visa) Credit card transactions must satisfy notification and disclosure requirements to both the payment card network [MasterCard and Visa (beginning December 20, 2012)] and the merchant's acquirer at least 30 days prior to surcharging, which must identify whether the merchant intends to impose surcharges at the brand or product level.
  • Fourth, a U.S. merchant who surcharges must provide clear disclosure to the merchant's customers (1) at the point of store entry or in an online environment on the first page that references credit card brands, that the merchant imposes a surcharge that is not greater than its applicable merchant discount rate for MasterCard and Visa Credit card transactions; (2) at the point of interaction or sale with the customer, of the merchant's surcharging practices (including the amount of any surcharges that the merchant imposes and a statement that the surcharge is being imposed by the merchant), in a manner that does not disparage the brand, network, issuing bank or the payment card product being used; and (3) of the dollar amount of the surcharge on the transaction receipt provided by the merchant to its customers.

    Notification Procedures:

Merchant's Obligations - Federal and State Laws

Merchants must continue to respect a cardholder's decision to pay with MasterCard and Visa. The settlement does not impact merchants' existing obligation to accept for payment properly presented MasterCard and Visa cards, including rewards cards. In addition, the rule changes that MasterCard and Visa are implementing under the settlement do not affect any obligation of a U.S. merchant to comply with all applicable state or federal laws, including state laws regarding surcharging of credit or debit card transactions and federal and state laws regarding deceptive or misleading disclosures.

11 states or territories prohibit surcharging:

  • California
  • Colorado
  • Connecticut
  • Florida
  • Kansas
  • Maine
  • Massachusetts
  • New York
  • Oklahoma
  • Texas
  • Puerto Rico

Merchant Other Rules and Regulations

Merchant Rules and Regulations Important Dates

Current Calendar Dates

1/1/2012

B Notices:
Under the American Recovery and Reinvestment Act of 2009, merchants whose Tax Identification Number and/or Legal Name does not match IRS records will be subject to 28% backup withholding on transactions processed on and after 1 January 2012. The IRS will inform Global Payments of applicable merchants and we will mail a B Notice and form W-9 to each merchant. We will have 30 days after the first notice to update the merchant's information; failure to update information will result in backup withholding.
Visit the IRS website for more information.
http://www.irs.gov/efile/article/0,,id=98145,00.html

IRS

10/1/2012

MasterCard PCI DSS Relief - MasterCard introduces its Payment Card Industry Security Standard (PCI DSS) Compliance Validation Exemption Program for qualifying MasterCard and Maestro Level 1 and 2 Merchants in the U.S. region. Only qualifying Level 1 and 2 Merchants located in the U.S. region will be eligible for the revised PCI DSS compliance validation procedures, under which qualified Merchants are exempt from the requirement to annually validate compliance with PCI DSS if they satisfy all program requirements associated with the revised Standards. [MasterCard EMV]

MasterCard

10/1/2012

Visa Technology Innovation Program - "Visa will expand the Technology Innovation Program (TIP) to the U.S. TIP will eliminate the requirement that eligible merchants annually validate their compliance with the PCI DSS for any year in which at least 75 percent of the merchant's Visa transactions originate from dual-interface EMV chip-enabled terminals, in addition to meeting other qualification criteria." [Visa CHIP Card]

Visa

Future Calendar Dates

4/1/2013

Visa Expands Technology Innovation Program for U.S. Merchants to Adopt Dual-Interface Terminals - Visa is requiring all VisaNet processors and sub-processors to support EMV transactions. [Visa's Roadmap to Chip Migration]

Visa

4/19/2013

Discover announced it is implementing an April 19, 2013 EMV mandate, whereby acquirers/processors and direct-connect merchants in the U.S., Canada and Mexico must have the ability to accept contact and contactless EMV transactions. Discover's approach to EMV is both universal and choice-centric, meaning it will not restrict any channel, verification process or transaction type. Discover will support:

  • All card authentication channels - including online and offline
  • All cardholder verification methods - including both chip & PIN or chip & Signature transactions
  • All commerce channels - including contact and contactless (which includes mobile) [Discover EMV]

Discover

4/19/2013

MasterCard U.S. EMV Transaction readiness: MasterCard mandates that Acquirers and Sub-processors be capable of fully processing EMV Transactions. [MasterCard EMV]

MasterCard

4/19/2013

MasterCard Revised Standards for Support of the Device Type Indicator - MasterCard is requiring issuers, acquirers and merchants to support the device type indicators. These indicators are values that can identify the non-card form factors used at the POS such as key fobs, smartphones and wristbands. [MasterCard EMV]

MasterCard

4/30/2013

American Express EMV Roadmap to Advance Contact, Contactless and Mobile Payments - processors must be able to support American Express EMV chip-based contact, contactless and mobile transactions. [AMEX Press Release]

American Express

10/1/2013

American Express PCI DSS Relief - a merchant will be eligible to receive relief from PCI Data Security Standard (DSS) reporting requirements if the merchant's point-of-sale (POS) acceptance locations, where 75% of its transactions occur, are enabled to process American Express EMV chip-based contact and contactless transactions. [AMEX Press Release]

American Express

10/1/2013

Discover PCI Audit Waivers: Discover will grant a waiver for the annual PCI DSS audits for a merchant that processes 75% of both contact and contactless transactions. [Discover EMV]

Discover

10/1/2013

MasterCard Account Data Compromise Relief 50% October 2013: This relief will reduce 50% of the Operations Reimbursement and Fraud Recovery exposures in the event of account data compromises for EMV compliant merchants if 75 percent or more of the merchant transactions are captured at hybrid EMV terminals. [MasterCard EMV]

MasterCard

10/1/2015

American Express Fraud Liability Shift - American Express will institute a Fraud Liability Shift (FLS) policy that will transfer liability for certain types of fraudulent transactions away from the party that has the most secure form of EMV technology. U.S. fuel merchants will have an additional two years, until October 2017. [AMEX Press Release]

American Express

10/1/2015

Discover EMV Liability Shift October 2015: Discover announced a fraud liability shift for all POS terminals excluding AFD merchants. This liability shift will benefit the issuer or merchant that leverages the highest level of available payments security. [Discover EMV]

Discover

10/1/2015

MasterCard Account Data Compromise Relief 100% October 2015: This relief will then reduce up to 100% of the Operations Reimbursement and Fraud Recovery exposures in the event of account data compromises, if at least 95 percent of the merchant transactions are captured at hybrid EMV terminals. [MasterCard EMV]

MasterCard

10/1/2015

MasterCard Liability Shift - MasterCard liability shift mandates that either the issuer or merchant, whichever does not support EMV, assumes liability for counterfeit card transactions, excluding AFD merchants. [MasterCard EMV]

MasterCard

10/1/2015

Visa Debit/Credit U.S. Domestic and Cross-Border Counterfeit Liability Shift for POS Transactions: Visa will implement a liability shift for domestic and cross-border counterfeit transactions. This liability shift will assign liability to the party that has not made the investment in EMV chip cards (issuers) or terminals (merchant acquirers), except for AFD merchants. [Visa's Roadmap to Chip Migration]

Visa

10/1/2017

American Express Automated Fuel Dispensers Fraud Liability Shift - the Fraud Liability Shift for U.S. fuel merchants takes effect for transactions generated from automated fuel dispensers. [AMEX Press Release]

American Express

10/1/2017

Discover EMV Liability Shift: AFD merchants are eligible for the liability shift. [Discover EMV]

Discover

10/1/2017

MasterCard Automated Fuel Dispensers Fraud Liability - MasterCard liability shift takes effect for fuel dispensers. [MasterCard EMV]

MasterCard

10/1/2017

Visa will extend the liability shift for AFD merchants. [Visa's Roadmap to Chip Migration]

Visa

Past Calendar Dates

2/1/2009

Visa Zero Dollar Account Verification Fee--Effective on this date, acquirers may notice changes in their Visa billing. Previously excluded declined, AVS and SMS-acquired Account Verification transactions will now be included in this fee calculation.

Visa

4/17/2009

Required Support of Partial Authorization Approvals
You and your Processor shall obtain Certification from Discover Network before April 17, 2009 of your respective systems' ability to receive Authorization Responses in an amount that is different than the amount in the Authorization Request (Partial Authorization Approvals). Each Authorization Request that you submit to us on behalf of your Merchants shall indicate whether your systems are capable of accepting Partial Authorization Approvals. Details regarding the technical support for Partial Authorization Approvals are provided in Release 9.1 of the Technical Specifications.


Discover

7/1/2009

Zero Floor Limit Fee (Clearing Without Authorization)--A new transaction fee will be applied for any Visa clearing transaction submitted without proper authorization. Since April 2007, all transactions acquired in the U.S., in all merchant environments, have moved to a zero floor limit and must be authorized. This fee will help reduce the number of clearing transactions that are not properly authorized. Unauthorized clearing transactions adversely impact the integrity of the Visa payment system by circumventing both acquirer and issuer real time risk and fraud control systems.

Visa

10/1/2009

Visa Misuse of Authorization System Fee--A new acquirer fee of $0.045 per transaction goes into effect, applied to authorization transactions that are not followed by a matching Visa clearing transaction (or, in the case of a cancelled or timed out transaction, are not properly reversed). This fee is being implemented to reduce the occurrence of "ghost authorizations" (authorizations that are approved but never cleared), which can unnecessarily restrict a cardholder's open to buy, leading to increased declines and confusion at the merchant's point of sale. Authorizations will be matched with corresponding clearing or authorization reversal transactions by means of the Transaction Identifier (Field 62.2). The clearing or authorization reversal will be required within specific time frames following the original authorization transaction. These time frames are still being finalized. The Misuse of the Authorization System Fee will be billed by Visa to the acquirer identified in the transaction via the Global Member Billing Solutions (GMBS) System.

Visa

10/16/2009

Discover Financial Services acquired Diners Club International - deadline for certification and testing of compliance by Network clients with Diners Club International requirements in Program Documents. Hosts must be reconfigured at this time to avoid Diners Club International transaction failures.

Discover

10/16/2009

Visa Automated Fuel Dispensers - A Partial Authorization Non-Participation Fee of $0.01 per nonparticipating Automated Fuel Dispenser transaction takes effect.

Visa

4/1/2010

Section 9.1.8, Partial Authorization Approvals: You and your Acquirer Processor, if any, must obtain Certification from us before April 17, 2009 of your respective systems' ability to support Partial Authorization Approvals. Your Merchants' systems, including POS Devices and Authorization procedures, are required to support Partial Authorization Approvals, in accordance with the Technical Specifications, before April 1, 2010. Please explain to your Merchants that if the Merchant receives a Partial Authorization Approval and subsequently submits Sales Data in an amount different from the Partial Authorization Approval, the amount by which the Sales Data exceeds the Partial Authorization Approval may be subject to Dispute.

For more information contact your Discover Network Relationship Manager.

Discover

4/16/2010

Sales tax exempt transactions will no longer be eligible for the Level 2 incentive rate from MasterCard. Tax exempt commercial card transactions with Line Item Detail will continue to be eligible for the Level 3 incentive rate from MasterCard.

MasterCard

5/1/2010

MasterCard announced a mandate for acquirers in the U.S. region to support partial approvals, support sending a reversal request or advice to update the cardholder's open-to-buy balance and support sending account balance responses within the Banknet(R) telecommunications network and the MasterCard(R) Debit Switch (MDS) for debit and prepaid transactions.

NOTE – Global Payments has received an extension from MasterCard until 1 May 2011 for all MCCs. Please see May, 2011

MasterCard

6/1/2010

Federal Reserve Board - The Department of the Treasury and the Federal Reserve Board today announced the release of a joint final rule to implement the Unlawful Internet Gambling Enforcement Act of 2006. The Act prohibits gambling businesses from knowingly accepting payments in connection with unlawful Internet gambling, including payments made through credit cards, electronic funds transfers and checks.

For more information review these links:
FRB Unlawful Internet Gambling Enforcement Act
Extension of Compliance Date for Final Rule to Implement Unlawful Internet Gambling Enforcement Act

Federal Reserve Board

7/1/2010

Use secure payment applications. A Visa mandate indicates all required merchants use PA DSS compliant applications by 7/1/2010.

For more information visit this link

Visa

7/1/2010

Visa Triple Data Encryption Standard (TDES) Implementation Requirements: All transactions originating at POS PIN-Entry Devices must encrypt PINs using TDES from the point of transaction to the Issuer (end-to-end).

Visa

12/31/2010

MasterCard mandates that POS terminals that currently mask the PAN on the cardholder receipts (reflecting only the last four digits) may implement the truncation of the expiration date - from cardholder and merchant receipts - with future software updates, no later than December 31, 2010.

For more information see the Card Account Information Truncation Requirements: Transactions Receipts section below.

MasterCard

1/1/2011

1099K:
Under the American Recovery and Reinvestment Act of 2009, the volume of payment card transactions processed on and after 1 January 2011 must be reported to the IRS by Global Payments. The IRS has introduced a new information reporting form for this purpose: the 1099 K. Read more about Payment Card Transactions Reporting.

IRS

5/1/2011

MasterCard announced a mandate for acquirers in the U.S. region to support partial approvals, support sending a reversal request or advice to update the cardholder's open-to-buy balance and support sending account balance responses within the Banknet(R) telecommunications network and the MasterCard(R) Debit Switch (MDS) for debit and prepaid transactions.

NOTE – Global Payments has received an extension from MasterCard until 1 May 2011 for all MCCs.

For a list of MCCs and more information, see the MasterCard Rules, section 11.5C.3 Additional U.S. Region Rules.

MasterCard

Government Regulations for Merchants

This section is provided by Global Payments Inc. as an informational tool to help you stay informed on pertinent Government and Regulatory requirements. Click on a topic below for more information:

The Housing and Economic Recovery Act of 2008 - IRS Tax Identification Number (TIN) Matching

Financial Reform

  • Dodd-Frank Wall Street Reform and Consumer Protection Act
    The Dodd-Frank Act gives the Federal Reserve Board authority to regulate debit card interchange rates, allows credit card acceptors to set minimum transaction amounts and allows card acceptors to offer a discount/incentive for their payer to use a preferred form of payment.

The Government Accountability Office (GAO)

Federal Financial Institutions Examination Council (FFIEC)

Federal Reserve Board (FRB)

  • Unlawful Internet Gambling Enforcement Act (Regulation GG) - The U.S. Department of the Treasury and the Board of Governors of the Federal Reserve System have issued regulations implementing the Unlawful Internet Gambling Enforcement Act requiring U.S. financial institutions and certain "participants in designated payment systems" to establish and implement policies and procedures reasonably designed to identify and block or otherwise prevent or prohibit unlawful internet gambling transactions covered by this Act. Compliance by these participants is required by December 1, 2009. NOTE: Internet gambling is prohibited under established credit policy.

Truncation

State and federal statutes and card association regulations limit the amount of cardholder information allowed on printed transaction receipts provided to the cardholder. Merchants must suppress or mask (X, *, #, etc.) the expiration date and mask all but the last 4 digits of the card number on the cardholder receipt. Card association dates are included below.

Truncation Effective Dates For Electronically Printed Receipts

Cardholder Copy Only
                         New Merchant or New Deployment   Existing Merchants
MasterCard               04/01/2005                       See Visa Date
Visa USA                 07/01/2003                       07/01/2006
Visa CA                  04/01/2007                       04/01/2007
US Public Law 108-159    12/04/2003                       12/04/2006

Both Copies
                         New Merchant or New Deployment   Existing Merchants
MasterCard               10/01/2008                       12/31/2010
Alaska                   07/01/2009                       07/01/2009
California               01/01/2009                       01/01/2009
Colorado                 07/01/2006                       07/01/2006
Nevada                   07/01/2009                       12/31/2009
New Mexico               01/04/2004                       01/04/2004
Tennessee                05/13/2005                       01/01/2007
Washington State         07/26/2009                       07/26/2009

NOTE: Other state legislatures (i.e. IN, MS, NJ, OR, VT, CT) have legislation in process requiring truncation of the merchant copy of the printed transaction receipt. Merchants should be cognizant of state requirements that may be more restrictive than federal law and carry strict penalties.

Federal Account Number Truncation Requirements

On December 4, 2003, President Bush approved a federal law which preempts existing state laws requiring truncation of account numbers on customer receipts, thereby creating a uniform national standard. This legislation, called the Fair and Accurate Credit Transactions Act of 2003, provides (among many other things) that "no person accepting credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of sale or transaction." The law governs electronically printed receipts and does not apply to transactions in which the sole means of recording the credit or debit card account number is by handwriting or by an imprint. The effective date for merchant equipment in use before January 1, 2005 to be compliant was December 4, 2006. The effective date for merchant equipment that went into use on or after January 1, 2005 to be compliant was January 1, 2005.

MasterCard Account Number Truncation Requirements

Effective October 1, 2008, MasterCard requires that the cardholder and merchant receipt generated by all electronic POS terminals - whether attended or unattended - mask the card expiration date. In addition, cardholder receipts must display only the last four (4) digits of the primary account number (PAN). All preceding digits of the PAN must be replaced with fill characters that are neither blank spaces nor numeric characters, such as "X," "*," or "#."

MasterCard strongly suggests that the merchant copy generated by all electronic POS terminals, whether attended or unattended, reflect only the last four (4) digits of the PAN and that all preceding digits be replaced with fill characters that are neither blank spaces nor numeric characters, such as "X," "*," or "#."

POS terminals that currently mask the PAN on the cardholder receipts (reflecting only the last four digits) may implement the truncation of the expiration date - from cardholder and merchant receipts - with future software updates, no later than December 31, 2010.

NOTE: Effective April 1, 2005, MasterCard required that all cardholder receipts generated by newly installed, replaced or relocated ATM and point-of-interaction (POI) terminals, whether attended or unattended, reflect only the last four digits of the primary account number (PAN). Fill characters that are neither blank spaces nor numeric characters, such as X, * or #, must replace all preceding digits.

If your current terminal(s) cannot truncate the expiry date on the merchant receipt, you will need to upgrade your payment application in advance of the December 2010 deadline. Global Payments has numerous applications that offer this feature. Check with your account representative or call 1 800 929-1245 for information.

Visa Account Number Truncation Requirements

Effective July 1, 2003, for all new terminals, Visa USA mandated that all but the last four digits of the cardholder account number and the entire expiration date, be suppressed on the cardholder copy of all transaction receipts generated from electronic (including cardholder-activated) terminals.

Effective July 1, 2006, for all existing terminals, Visa USA mandated that all but the last four digits of the cardholder account number and the entire expiration date, be suppressed on the cardholder copy of all transaction receipts generated from electronic (including cardholder-activated) terminals.

Effective 1 October 2011 for new terminals and effective 1 October 2014 for existing terminals, Visa will require that all but the last four (4) digits of a PAN be suppressed on cardholders' copies of transaction receipts generated from electronic terminals, including ATMs and cardholder-activated terminals.
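The receipt rules described in the truncation sections above, as an added example that is not part of the original page or of any Global Payments application: Python code that masks a PAN with a non-blank, non-numeric fill character and audits printed receipt text for an unmasked PAN or a printed expiration date. The function names, the 13-19 digit PAN length, the expiry label pattern and the sample receipts are assumptions constructed for illustration.

```python
import re

FILL = "X"  # fill character: must be neither a blank space nor a digit

def mask_pan(pan: str, fill: str = FILL) -> str:
    """Return the PAN with all but the last four digits replaced by `fill`."""
    if len(fill) != 1 or fill.isdigit() or fill.isspace():
        raise ValueError("fill character must be non-blank and non-numeric")
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits (assumed length range)")
    return fill * (len(digits) - 4) + digits[-4:]

def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell a likely PAN from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits, optionally grouped by single spaces or hyphens
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# MM/YY or MM/YYYY following an expiry label such as "EXP" or "Expires:"
EXP_RE = re.compile(r"(?i)\bexp\w*\.?[ :]*(0[1-9]|1[0-2])/(\d{4}|\d{2})\b")

def audit_receipt(text: str) -> list[str]:
    """List truncation problems found in one printed receipt."""
    findings = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append("unmasked PAN")
    if EXP_RE.search(text):
        findings.append("expiration date printed")
    return findings

# Constructed sample receipts; 4111111111111111 is a widely used test number.
# The REF line is a long digit run that fails Luhn and must not be flagged.
BAD = "SALE\nCARD 4111 1111 1111 1111\nEXP 12/10\nTOTAL 25.00\nREF 000123456789012"
GOOD = f"SALE\nCARD {mask_pan('4111 1111 1111 1111')}\nEXP XX/XX\nTOTAL 25.00"

if __name__ == "__main__":
    print(audit_receipt(BAD), audit_receipt(GOOD))
```

Running the audit over both the cardholder and the merchant copy reflects the "both copies" dates in the table above; the Luhn filter keeps reference and invoice numbers from being reported as card numbers.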

Commercial Card Acceptance

Industry Educational Webinars

  • Global Payments Inc. Card Acceptance Guide

    • Limited Acceptance Merchants: For a definition of limited card acceptance, please refer to the Global Payments Card Acceptance Guide link above.

The information contained herein is for informational purposes only and Global Payments Inc. does not warrant the accuracy or completeness of the information. Although we believe the information to be reliable, we cannot guarantee that it will not be subsequently amended as a result of intervening factors such as rules changes from the card associations. The information contained herein is subject to change without notice and Global Payments Inc. does not undertake any responsibility to update this information after the date hereof. Global Payments Inc. does not endorse any external sites linked herein.