Saturday, December 26, 2009

MasterCard Fraud Loss Control Program Standards

In order to be eligible for counterfeit loss reimbursement, a member bank must make a good-faith attempt to demonstrate the existence and use of meaningful controls to limit total fraud losses and losses for all fraud types.

Acquirer Fraud Loss Control Programs

An acquirer's fraud loss control program must meet the following minimum requirements, and preferably will include the recommended additional parameters. The program must automatically generate daily fraud monitoring reports or real-time alerts. Acquirer staff trained to identify potential fraud must analyze the data in these reports within 24 hours. To comply with the fraud loss control standards, acquirers also must transmit complete and unaltered data in all card-read authorization request messages, and also CVC 2 for all card not present (formerly MO / TO), voice, and e-commerce transactions.

Additionally, acquirers with high fraud levels must:
  • Install "read and display" terminals in areas determined to be at high risk for fraud or counterfeit activity, or
  • Install EMV chip terminals.

Acquirer Authorization Monitoring Requirements

Daily reports or real-time alerts monitoring merchant authorization requests must be generated at the latest on the day following the authorization request, and must be based on the following parameters:
  • Number of authorization requests above a threshold set by the acquirer for that merchant.
  • Ratio of non-card-read to card-read transactions that is above the threshold set by the acquirer for that merchant.
  • PAN key entry ratio that is above the threshold set by the acquirer for that merchant.
  • Repeated authorization requests for the same amount or the same cardholder account.
  • Increased number of authorization requests.
  • "Out of pattern" fallback transaction volume.

Acquirer Merchant Deposit Monitoring Requirements

Daily reports or real-time alerts monitoring merchant deposits must be generated at the latest on the day following the deposit, and must be based on the following parameters:
  • Increases in merchant deposit volume.
  • Increase in a merchant's average ticket size and number of transactions per deposit.
  • Change in frequency of deposits.
  • Frequency of transactions on the same cardholder account, including credit transactions.
  • Unusual number of credits, or credit dollar volume, exceeding a level of sales dollar volume appropriate to the merchant category.
  • Large credit transaction amounts, significantly greater than the average ticket size for the merchant's sales.
  • Credits issued subsequent to the receipt of a chargeback with the same account number and followed by a second presentment.
  • Credits issued to an account number not used previously at the merchant location.

90-day Rule

The acquirer must compare daily deposits against the average transaction count and amount for each merchant over a period of at least 90 days, to lessen the effect of normal variances in a merchant's business. For new merchants, the acquirer should compare against the average transaction count and amount for other merchants within the same merchant category code (MCC) assigned to the merchant. If suspicious credit or refund transaction activity is identified, the acquirer should consider, where appropriate, suspending transactions pending further investigation.

150% Recommendation

To optimize the effectiveness of fraud analysis staff, merchants that appear in the monitoring reports should exceed the average by 150% or more. However, the amount over the average is at the acquirer's discretion.
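
The 90-day comparison and the 150% threshold can be run as a daily check over merchant deposits. This is an added example, not code from MasterCard or any acquirer; the data layout, the function names, the sample figures and the reading of "exceed the average by 150%" as at least 2.5 times the average are assumptions.

```python
from statistics import mean

BASELINE_DAYS = 90   # page: compare against at least 90 days of history
EXCESS = 1.5         # assumption: "exceed by 150%" means value >= average * 2.5

def baseline(history):
    """history: list of (transaction_count, amount), one tuple per daily deposit."""
    days = history[-BASELINE_DAYS:]
    return mean(c for c, _ in days), mean(a for _, a in days)

def mcc_baseline(mcc, merchants):
    """Average of established merchants in the same MCC, used for new merchants."""
    peers = [baseline(m["history"]) for m in merchants.values()
             if m["mcc"] == mcc and len(m["history"]) >= BASELINE_DAYS]
    if not peers:
        return None
    return mean(p[0] for p in peers), mean(p[1] for p in peers)

def review_deposit(merchant_id, deposit, merchants):
    """Return the baseline used and the parameters on which the deposit is out of pattern."""
    m = merchants[merchant_id]
    if len(m["history"]) >= BASELINE_DAYS:
        source, base = "own-90d", baseline(m["history"])
    else:
        source, base = "mcc-peers", mcc_baseline(m["mcc"], merchants)
    if base is None:
        return {"source": "none", "flags": ["no-baseline"]}
    avg_count, avg_amount = base
    count, amount = deposit
    limit = 1 + EXCESS
    flags = []
    if count >= avg_count * limit:
        flags.append("transaction-count")
    if amount >= avg_amount * limit:
        flags.append("deposit-amount")
    # Average ticket size is amount per transaction; empty deposits are skipped.
    if count and avg_count and amount / count >= (avg_amount / avg_count) * limit:
        flags.append("average-ticket")
    return {"source": source, "flags": flags}

# Constructed sample data: two established merchants and one new merchant, same MCC.
MERCHANTS = {
    "M1": {"mcc": "5964", "history": [(20, 1000.0)] * 90},
    "M2": {"mcc": "5964", "history": [(40, 3000.0)] * 90},
    "M3": {"mcc": "5964", "history": [(5, 300.0)] * 5},
}

if __name__ == "__main__":
    samples = [("M1", (25, 1200.0)), ("M1", (22, 5500.0)),
               ("M1", (60, 3000.0)), ("M3", (10, 6000.0))]
    for merchant_id, deposit in samples:
        print(merchant_id, deposit, review_deposit(merchant_id, deposit, MERCHANTS))
```

Only merchants with a non-empty `flags` list would go on the analysts' daily report; the threshold stays a tunable value because the page leaves the amount over the average to the acquirer.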

Recommended Additional Acquirer Monitoring

MasterCard recommends that acquirers additionally monitor the following parameters:
  • Fallback methods.
  • Credit transactions (such as refunds) and merchant authorization reversals.
  • Transactions conducted at high-risk merchants.
  • Personal account number (PAN) key-entry transactions exceeding ratio.
  • Abnormal hours or seasons.
  • Inactive merchants.
  • Transactions with no approval code.
  • Transactions that were declined.
  • Inconsistent authorization and clearing data elements for the same transactions.

Monday, December 14, 2009

Reporting Fraudulent Use of Cards

All MasterCard member banks must report accurately and completely the fraudulent use of MasterCard cards to the System to Avoid Fraud Effectively (SAFE) at least once a month and within 60 days from the date of the transaction, or 30 days from the date of cardholder notification. If there are no fraudulent transactions to report during the month, member banks must submit a Fraud Negative Report (FDN) Record when transmitting their transactions to SAFE or use the Report No Fraud feature of SAFE OnLine.

Reporting by the Issuer

MasterCard issuers must submit all fraudulent transactions on their MasterCard accounts to SAFE on a monthly basis. For the benefit of all members, MasterCard analyzes the data and produces statistics relating to the fraudulent use of MasterCard accounts and all chargebacks that originate from transactions using accounts with a fraud status.

An issuer must report fraudulent transactions even if it recovered losses through chargebacks, compliance cases, restitution, insurance, or any other means.

Reporting by the Acquirer

An acquirer receiving a transaction that cannot be identified by a MasterCard BIN or member ID is liable for that transaction. If it is determined that the transaction is a fraudulent or counterfeit MasterCard transaction, the acquirer must notify, in writing, the Security and Risk Management Department of such an occurrence. This notification must include all mandatory information as described in the Security Systems Specifications manual.

Friday, December 4, 2009

MasterCard Rewards for Capturing a Card

The acquirer may pay the merchant a reward for capturing a MasterCard card in accordance with local practices. The acquirer must follow these Standards when paying a reward:
  • Pay no less than $50 to the merchant capturing a card listed on the Electronic Warning Bulletin file or in the Warning Notice.
  • Pay the merchant $100, if a merchant initiates an authorization call because of a suspicious transaction or captures a card not listed in the Electronic Warning Bulletin file or in the Warning Notice.
  • Pay a reward to a financial institution for the capture of another issuer's card if it is the acquirer's practice to pay its tellers rewards for picking up its own cards. The amount of the reward should be the same amount paid for the capture of the acquirer's own cards.
  • Charge the issuer for reimbursement of the reward paid upon dispatching each captured card. The Fee Collection / 1740 message with an IPM message reason code (data element 25) equal to 7601 will settle the reward.

Reward Amounts

The acquirer should follow these guidelines for determining reward amounts.

| IF the capture… | THEN pay this amount… |
|---|---|
| Resulted from a “Merchant Suspicious” phone call | $100 |
| Did not result from a “Merchant Suspicious” phone call | $50 |
| Leads to the capture of additional cards | $50 for each card captured, with a maximum total of $250 for any one incident |

The recovering member bank may collect an administrative fee of $15 for expenses incurred in processing the captured card. The capturing member may add this fee to the amount of the reward reimbursement or collect the fee independently, using the Fee Collection / 1740 message.

Reimbursement of Rewards

The following specifications apply to reward reimbursement:
  • Upon returning the card to the issuer, the acquirer will obtain reimbursement for the reward paid and the $15 fee by processing the Fee Collection / 1740 message.
  • If an acquirer returns a card to an issuer and a reward is not paid, the acquirer may collect a $15 fee by processing a Fee Collection / 1740 message record.
  • Upon receipt of the Interchange Card Recovery Form (ICA-6), the issuer should match it to the Fee Collection / 1740 message record based on the acquirer member ID, account number, and recovery date comparisons.
  • If an exempt member has an electronic reward payment processed, clearing receives the record by an information slip. The transaction is part of the Net Settlement System for settlement purposes.

Wednesday, December 2, 2009

Point-of-Sale (POS) Card Retention

Acquirers and merchants are required to recover a card by reasonable and peaceful means if:
  • The card issuer advises the acquirer or merchant to recover the card in response to an authorization request.
  • The Electronic Warning Bulletin file or an effective regional Warning Notice lists the account number.
After recovering a card, the merchant must notify its authorization center or its acquirer and receive instructions for returning the card. If mailing the card, the merchant first should cut the card in half through the magnetic stripe.


Returning Recovered Cards

The acquirer must follow these procedures when returning a recovered card to the issuer:
  • If the merchant has not already done so, the acquirer must cut the card in half vertically through the magnetic stripe.
  • The acquirer must forward the recovered card to the issuer within five calendar days of receiving the card along with the first copy (white) of the Interchange Card Recovery Form (ICA-6). The additional copies are file copies for the acquirer's records. A recovered card must be returned to the security contact of the issuer.

Returning Counterfeit Cards

The acquirer or merchant must return counterfeit cards to the issuer by following the instructions provided by its authorization center. The following information identifies an issuer:
  • The issuer's bank identification number (BIN) embossed on the front of the card.
  • The member ID imprinted in the Card Source Identification area on the back of the card.

Monday, November 16, 2009

Sales Receipt Requirements

Below is a list of the types of sales receipts discussed in this post:
  • Retail sale.
  • Credit.
  • Cash disbursement.
  • Information.
If the merchant uses a manual imprinter, the produced sales receipt is called a formset or slip. If a transaction begins at an electronic terminal, the merchant may substitute a terminal receipt for a formset. Terminal receipts have no prescribed physical specifications but must be numbered sequentially for reference purposes.


Formset Contents

Each copy of a retail sale, credit, or cash disbursement formset must satisfy minimum statutory and regulatory requirements in the jurisdiction in which the slip originates and any applicable regulations, issued by the U.S. Board of Governors of the Federal Reserve System or other regulatory authorities, and must contain the following:
  • In the case of retail sale and credit slips, a space for the description of goods, services, or other things of value sold by the merchant to the customer and the cost thereof, in sufficient detail to identify the transaction.
  • Adequate spaces for:
    • Customer's signature.
    • Card imprint and the merchant or bank identification plate imprint.
    • Date of the transaction.
    • Authorization number (except on credit slips).
    • Sales clerk's or teller's initials or department number.
    • Currency conversion field.
    • Merchant's signature on credit slips.
    • Description of the ID supplied by the cardholder on cash disbursements and retail sale slips for certain unique transactions.
  • A legend clearly identifying the slip as a retail sale, credit, or cash disbursement and identifying the receiving party of each copy.
  • On the customer copy of the formset, the words (in English, local language, or both): "IMPORTANT—retain this copy for your records," or words to similar effect.
  • Such other contents as are not inconsistent with these rules.
It is recommended that each retail sale, credit, and cash disbursement slip identify the member bank that distributed the slip to the merchant.


Terminal Receipt Contents

A terminal or other device at a point of sale (POS) must not display magnetic stripe track data other than card account number, expiration date, and cardholder name. Each copy of a POS terminal receipt must contain the following information:
  • Doing Business As (DBA) merchant name, city and state, country, or the point of banking location.
  • Transaction date.
  • Card account number.
  • Transaction amount in the original transaction currency.
  • Adequate space for the customer's signature (required on merchant copy only).
  • Authorization approval code (except on credit receipts). Optionally, the acquirer also may print the transaction certificate, the application cryptogram, or both for EMV chip card transactions.
  • Merchant's signature on credit receipts only.
Each receipt must clearly identify the transaction as a retail sale, credit, or cash disbursement.

Primary Account Number Truncation

ATM acquirers must truncate a minimum of four digits of the Primary Account Number (PAN). PAN truncation is also required for all receipts generated at Cardholder-Activated Terminals (CATs). PAN truncation is permitted for receipts generated at all other points of sale.

The cardholder receipt generated by point of sale (POS) terminals, whether attended or unattended, must reflect only the last four (4) digits of the PAN. All preceding digits must be replaced with fill characters that are neither blank spaces nor numeric characters, such as "X," "*," or "#."
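
The cardholder-receipt rule above (last four digits only, fill characters that are neither blanks nor digits) can be enforced where the receipt is rendered and audited on stored receipt text. This is an added example, not code from MasterCard or a terminal vendor; the function names, the 12 to 19 digit length bounds, the token pattern and the sample receipts are assumptions, and the PAN used is a publicly documented test number.

```python
import re

FILL_CHARS = "X*#"   # the fill characters the page gives as examples
# A run of 12 to 19 digits or fill characters, optionally grouped by single
# spaces or hyphens. Length bounds and grouping are assumptions of this example.
PAN_LIKE = re.compile(r"(?<![\w*#])[\dX*#](?:[ -]?[\dX*#]){11,18}(?![\w*#])")

def mask_pan(pan, fill="X"):
    """Render a PAN for a cardholder receipt: fill characters, then the last four digits."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    if len(fill) != 1 or fill.isdigit() or fill.isspace():
        raise ValueError("fill character must not be a digit or a blank")
    return fill * (len(digits) - 4) + digits[-4:]

def audit_receipt(text):
    """Return (line_number, problem) for each PAN-like token that breaks the rule.

    The token itself is never returned, so the audit output cannot leak a PAN.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in PAN_LIKE.finditer(line):
            token = re.sub(r"[ -]", "", match.group())
            if token.isdigit():
                findings.append((number, "untruncated PAN"))
            elif not token[-4:].isdigit():
                findings.append((number, "last four digits not shown"))
            elif any(ch.isdigit() for ch in token[:-4]):
                findings.append((number, "digits before the last four are visible"))
    return findings

# Constructed receipts for the demonstration.
GOOD_RECEIPT = "\n".join([
    "ACME STORE, ST. LOUIS MO",
    "DATE 2009-11-16",
    "CARD " + mask_pan("5555 5555 5555 4444"),
    "AMOUNT USD 25.00",
    "APPROVAL 012345",
])
BAD_RECEIPT = "\n".join([
    "CARD 5555 5555 5555 4444",   # full PAN printed
    "CARD 555555XXXXXX4444",      # first six digits left visible
    "CARD ************4444",      # compliant line, should not be reported
])

if __name__ == "__main__":
    print(audit_receipt(GOOD_RECEIPT))
    print(audit_receipt(BAD_RECEIPT))
```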

Truncation Considerations

Truncating a greater number of digits, when compared to the total number of digits in the PAN, increases the effectiveness of the effort. However, it also increases the confusion and difficulty that cardholders may have reconciling their ATM terminal receipts to their monthly statements. The following practices are recommended:
  • Truncation of the routing BIN alone, while helpful, may not prevent duplication of the PAN. It is possible to observe the card in use in order to obtain issuer identification.
  • Truncating the check digit and several other digits does not improve PAN security. Absent the check digit, calculation of several missing digits within the PAN, especially if the routing BIN also is truncated, is substantially more complicated and time consuming.
  • Truncating a small number of digits, when compared to the total number of digits in the PAN, reduces the effectiveness of the effort. It is possible to reconstruct a few missing digits by using a trial-and-error approach.
  • Truncating a greater number of digits, when compared to the total number of digits in the PAN, increases the effectiveness of the effort.

Electronic Signature Capture Technology (ESCT)

An acquirer using Electronic Signature Capture Technology (ESCT) must ensure that:
  • Proper electronic data processing (EDP) controls and security are in place, so that digitized signatures are recreated on a transaction-specific basis. The acquirer may recreate the signature captured for a specific transaction only in response to a retrieval request for the transaction.
  • Appropriate controls exist over employees with authorized access to digitized signatures maintained in the acquirer or merchant computers. Only employees and agents with a "need to know" should be able to access the stored, electronically captured signatures.
  • Digitized signatures are not accessed or used against applicable standards and regulations.

Monday, October 12, 2009

In-flight Commerce Terminals / Level 4 Requirements

The following requirements apply to In-flight Commerce Terminals / Level 4.
  1. Acquirer / Service Provider requirements and transaction identification specifications:
    • Acquiring banks must ensure timely delivery and installation of the IFC Blocked Gaming File to gaming service providers. IFC Blocked Gaming File access is required before every gaming transaction.
    • The acquiring bank must identify in-flight commerce services or merchandise with the most appropriate merchant category code (MCC) in the authorization message and merchant business code (MCC) in First Presentment / 1240 messages. If an airline also acts as the service provider, the acquiring bank may not use an airline MCC but must assign the proper MCC for each type of IFC transaction. The following list of IFC transaction types must be identified with the designated MCC.

      | IFC Transaction Type | MCC |
      |---|---|
      | Catalog card acceptor | 5964 |
      | Duty-free store | 5309 |
      | Gaming | 7995 |
      | Miscellaneous services | 7299 |
      | Video game | 7994 |


    • Transactions must be consolidated by MCC, per flight, for each MasterCard cardholder account. "Flight" is defined as one or more segments of a continuous air flight with the same flight number.
    • The acquiring bank must identify the transaction with the most appropriate transaction category code (TCC) in the authorization request message.

      | IF the IFC transaction is for… | THEN the acquirer must use TCC… |
      |---|---|
      | Gaming | U for Unique Transaction |
      | Anything other than gaming | R for Retail Purchase |


    • The Merchant Name / Location (DE 43) must include the service provider's name and flight identification. The flight identification must be a recognizable identification of the airline (not necessarily the airline alphabetic International Air Transport Association [IATA] indicator).
    • The city field description should contain the following:

      | For… | The city field description… |
      |---|---|
      | Mailed purchases and gaming transactions | Must include the service provider’s customer service telephone number. It is not required to be a toll-free number. |
      | All IFC transactions other than mailed purchases and gaming | Optionally may be a customer service telephone number. |


    • For all IFC transactions except IFC mailed purchase transactions, the transaction date is defined as the date that the flight departs from the originating city. The transaction date for mailed purchases is defined as the shipment date unless otherwise disclosed to the cardholder.
    • The acquiring bank must ensure that the service provider provides full disclosure to the cardholder via the video monitor screen prior to the initiation of any IFC transactions, as detailed below. The screen must prompt the cardholder to acknowledge these disclosure terms before initiating a transaction. The disclosure must include the following:
      • Full identification of the service provider and provision for recourse in terms of cardholder complaints or questions.
      • Notification that transactions will be billed upon the card issuer's approval of the authorization request.
      • For mailed purchases only, any additional shipping or handling charges.
      • Policy on refunds or returns.
      • Provision for a paper receipt.

      For IFC gaming transactions, service providers must additionally disclose the following:
      • Maximum winnings ($3,500) and maximum losses ($350).
      • Notification that total net transaction amount (whether a net win or loss) will be applied against the cardholder's account.
      • Notification that cardholder must be at least 18 years of age to play.
      • Notification that some card issuers may not allow gaming.
    • The acquiring bank must ensure that the service provider is capable of providing an itemized receipt to the cardholder for all IFC transactions and that, at the cardholder's option, the service provider can effect this offer in one of three ways:
      • Printing a receipt at the passenger's seat.
      • Printing a receipt from a centralized printer on the plane.
      • Mailing a receipt to the cardholder.

      The mailed receipt offer is to be made available via the video monitor and must require the cardholder to input his or her name and address. For IFC gaming transactions the service provider must provide a receipt to the cardholder by one of the first two methods, described above.

      The receipt must contain the following elements:
      • Identification of the passenger's flight, seat number, and date of departure.
      • Itemized transaction detail.
      • Gaming transaction specified as a net win or net loss.
      • The cardholder's account number truncated on the receipt. Acquirers must ensure that transaction receipts provided to cardholders reflect a minimum of four and a maximum of 12 digits of the cardholder account number. The remaining digits are to be truncated, or rendered indeterminable. In all cases, at least four digits must be truncated. It is recommended that the receipt reflect only the last four digits of the primary account number, and that all preceding digits are truncated. It is also recommended that truncated digits are replaced with fill characters such as "X", "*", or "#" and not with blank spaces or numeric characters.
    • For IFC terminals, the assurance and demonstration of security of the transmission of authorization and clearing data between the on-board client server and the acquiring bank and the physical controls over hardware and operating software. Encryption of transmitted data is advised.
  2. Transaction requirements.
    • No maximum transaction amount applies to any IFC transaction, with the exception of IFC gaming transactions.
    • An IFC terminal that also is a hybrid terminal is prohibited from performing fallback procedures from chip to magnetic stripe.
  3. Additional requirements for IFC gaming transactions.
    • Net gaming losses cannot exceed $350 per flight per cardholder account. Net payouts to cardholders for gaming wins cannot exceed $3,500 per flight per cardholder account. This must be monitored throughout the flight by the service provider to ensure compliance.
    • A gaming win transaction will result in posting of net winnings (credit) to the cardholder's account. Under no circumstance may winnings be paid in cash or other form of payment.
    • Before participating in IFC gaming activity, the acquiring bank must take all reasonable and necessary steps to ensure that all IFC gaming activity will be effected in full compliance with all applicable laws and regulations.
  4. Cardholder account number verification - in-flight verification prior to transaction initiation.
    • The acquirer must ensure that the service provider conducts a Mod-10 check digit routine to verify card authenticity.
    • The acquirer must ensure that the service provider confirms that the card account number is a valid one.
    • For IFC gaming transactions, the acquirer must ensure that the cardholder's account number is checked against the IFC Blocked Gaming File. Cardholders whose account numbers are listed on the IFC Blocked Gaming File must be prohibited from initiating any IFC gaming transaction.
  5. Authorization requirements for all IFC transactions.
    • The Authorization Request / 0100 message must include the cardholder-activated terminal level 4 indicator.
    • The acquirer must read and transmit full, unaltered card-read data. An IFC authorization request may not contain a key-entered account number or expiration date.
    • Transactions are either authorized air-to-ground during the transaction or authorized in a delayed batch. All are authorized on a zero floor limit basis.
    • The acquirer must convert all "refer to card issuer" and "capture card" messages received from issuers to "declines."
  6. Additional authorization requirements for IFC gaming transactions. All IFC gaming losses authorized post-flight must be submitted for authorization for the net amount. All gaming transactions authorized during the flight will be for the full wager amount ($350 or a lower amount predetermined by the airline and gaming service provider). No gaming wins will be submitted for authorization.
  7. Clearing requirements for all IFC transactions.
    • An acquirer is not permitted to submit declined transactions (including those defined in 5.d. above) into clearing.
    • No surcharges or service fees may be assessed on any IFC transaction, including IFC gaming transactions.
  8. Additional clearing requirements for IFC gaming transactions.
    • IFC gaming transactions submitted for clearing must be for the net amount that is won or lost.
    • IFC gaming win transactions will be submitted as a credit transaction. Interchange will be paid to issuers by acquirers on gaming win transactions.
    • An acquirer may resubmit a gaming transaction for a different amount within the specified transaction limits if it was previously rejected for exceeding the specified transaction limits ($3,500 for wins and $350 for losses).
  9. Effective date of the IFC blocked gaming file. Updates to the IFC Blocked Gaming File will be effective on the first and the 15th day of each month. MasterCard must receive account ranges or BINs that issuers choose to list on the next effective updated IFC Blocked Gaming File at least two weeks before the effective date.
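
Items 3, 4 and 8 above combine into one in-flight control: a Mod-10 check, a lookup in the IFC Blocked Gaming File, a running net position held within the $350 loss and $3,500 win limits, and a net clearing entry. This is an added example, not code from MasterCard or a service provider; the file layout (BIN prefixes plus account ranges), the class and function names, whole-dollar amounts and the choice to cap a payout at the win limit are assumptions, and the PANs are publicly documented test numbers.

```python
from collections import defaultdict

MAX_NET_LOSS = 350    # USD per flight per cardholder account (from the page)
MAX_NET_WIN = 3500    # USD per flight per cardholder account (from the page)

def mod10_ok(pan):
    """Mod-10 (Luhn) check digit routine over a digit-only PAN."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:   # length bounds assumed
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class BlockedGamingFile:
    """Assumed layout: BIN prefixes plus inclusive (low, high) account ranges."""
    def __init__(self, bins=(), ranges=()):
        self.bins = tuple(bins)
        self.ranges = tuple(ranges)

    def is_blocked(self, pan):
        if pan.startswith(self.bins):
            return True
        return any(len(lo) == len(pan) and lo <= pan <= hi for lo, hi in self.ranges)

class FlightGamingLedger:
    """Tracks the net gaming position per (flight, account) during the flight."""
    def __init__(self, blocked_file):
        self.blocked = blocked_file
        self.net = defaultdict(int)    # negative = net loss, positive = net win

    def may_play(self, pan):
        return mod10_ok(pan) and not self.blocked.is_blocked(pan)

    def settle_wager(self, flight, pan, wager, payout):
        """Apply one game result; return the new net position, or None if refused."""
        if wager <= 0 or payout < 0 or not self.may_play(pan):
            return None
        key = (flight, pan)
        if self.net[key] - wager < -MAX_NET_LOSS:   # losing this wager would pass the cap
            return None
        self.net[key] = min(self.net[key] - wager + payout, MAX_NET_WIN)
        return self.net[key]

    def clearing_entry(self, flight, pan):
        """Net amount for clearing: wins go out as a credit, losses as a purchase."""
        net = self.net.get((flight, pan), 0)
        if net == 0:
            return None
        return ("credit" if net > 0 else "purchase", abs(net))

if __name__ == "__main__":
    ledger = FlightGamingLedger(BlockedGamingFile(bins=("510510",)))
    card = "5555555555554444"
    print(ledger.settle_wager("XX100", card, 200, 0))   # -200
    print(ledger.settle_wager("XX100", card, 200, 0))   # None, would reach -400
    print(ledger.clearing_entry("XX100", card))
```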