Saturday, December 26, 2009

MasterCard Fraud Loss Control Program Standards

In order to be eligible for counterfeit loss reimbursement, a member bank must make a good-faith attempt to demonstrate the existence and use of meaningful controls to limit total fraud losses and losses for all fraud types.

Acquirer Fraud Loss Control Programs

An acquirer's fraud loss control program must meet the following minimum requirements, and preferably will include the recommended additional parameters. The program must automatically generate daily fraud monitoring reports or real-time alerts. Acquirer staff trained to identify potential fraud must analyze the data in these reports within 24 hours. To comply with the fraud loss control standards, acquirers also must transmit complete and unaltered data in all card-read authorization request messages, and also CVC 2 for all card not present (formerly MO / TO), voice, and e-commerce transactions.

Additionally, acquirers with high fraud levels must:
  • Install "read and display" terminals in areas determined to be at high risk for fraud or counterfeit activity, or
  • Install EMV chip terminals.
Acquirer Authorization Monitoring Requirements

Daily reports or real-time alerts monitoring merchant authorization requests must be generated at the latest on the day following the authorization request, and must be based on the following parameters:
  • Number of authorization requests above a threshold set by the acquirer for that merchant.
  • Ratio of non-card-read to card-read transactions that is above the threshold set by the acquirer for that merchant.
  • PAN key entry ratio that is above threshold set by the acquirer for that merchant.
  • Repeated authorization requests for the same amount or the same cardholder account.
  • Increased number of authorization requests.
  • "Out of pattern" fallback transaction volume.
Acquirer Merchant Deposit Monitoring Requirements

Daily reports or real-time alerts monitoring merchant deposits must be generated at the latest on the day following the deposit, and must be based on the following parameters:
  • Increases in merchant deposit volume.
  • Increase in a merchant's average ticket size and number of transactions per deposit.
  • Change in frequency of deposits.
  • Frequency of transactions on the same cardholder account, including credit transactions.
  • Unusual number of credits, or credit dollar volume, exceeding a level of sales dollar volume appropriate to the merchant category.
  • Large credit transaction amounts, significantly greater than the average ticket size for the merchant's sales.
  • Credits issued subsequent to the receipt of a chargeback with the same account number and followed by a second presentment.
  • Credits issued to an account number not used previously at the merchant location.
90-day Rule

The acquirer must compare daily deposits against the average transaction count and amount for each merchant over a period of at least 90 days, to lessen the effect of normal variances in a merchant's business. For new merchants, the acquirer should compare the average transaction count and amount for other merchants within the same merchant code (MCC) assigned to the merchant. In the event that suspicious credit or refund transaction activity is identified, if appropriate, the acquirer should consider the suspension of transactions pending further investigation.

150% Recommendation

To optimize the effectiveness of fraud analysis staff, merchants that appear in the monitoring reports should exceed the average by 150% or more. However, the amount over the average is at the acquirer's discretion.

Recommended Additional Acquirer Monitoring

MasterCard recommends that acquirers additionally monitor the following parameters:
  • Fallback methods.
  • Credit transactions (such as refunds) and merchant authorization reversals.
  • Transactions conducted at high-risk merchants.
  • Personal account number (PAN) key-entry transactions exceeding ratio.
  • Abnormal hours or seasons.
  • Inactive merchants.
  • Transactions with no approval code.
  • Transactions that were declined.
  • Inconsistent authorization and clearing data elements for the same transactions.

Monday, December 14, 2009

Reporting Fraudulent Use of Cards

All MasterCard member banks must report accurately and completely the fraudulent use of MasterCard cards to the System to Avoid Fraud Effectively (SAFE) at least once a month and within 60 days from the date of the transaction, or 30 days from the date of cardholder notification. If there are no fraudulent transactions to report during the month, member banks must submit a Fraud Negative Report (FDN) Record when transmitting their transactions to SAFE or use the Report No Fraud feature of SAFE OnLine.

Reporting by the Issuer

MasterCard issuers must submit all fraudulent transactions on its MasterCard accounts to SAFE on a monthly basis. For the benefit of all members, MasterCard analyzes the data and produces statistics relating to the fraudulent use of MasterCard accounts and all chargebacks that originate from transactions using accounts with a fraud status.

An issuer must report fraudulent transactions even if it recovered losses through chargebacks, compliance cases, restitution, insurance, or any other means.

Reporting by the Acquirer

An acquirer receiving a transaction that cannot be identified by a MasterCard BIN or member ID is liable for that transaction. If it is determined that the transaction is a fraudulent or counterfeit MasterCard transaction, the acquirer must notify, in writing, the Security and Risk Management Department of such an occurrence. This notification must include all mandatory information as described in the Security Systems Specifications manual.

Friday, December 4, 2009

MasterCard Rewards for Capturing a Card

The acquirer may pay the merchant reward for capturing a MasterCard card in accordance with local practices. The acquirer must follow these Standards when paying a reward:
  • Pay no less than $50 to the merchant capturing a card listed on the Electronic Warning Bulletin file or in the Warning Notice.
  • Pay the merchant $100, if a merchant initiates an authorization call because of a suspicious transaction or captures a card not listed in the Electronic Warning Bulletin file or in the Warning Notice.
  • Pay a reward to a financial institution for the capture of another issuer's card if it is the acquirer's practice to pay its tellers rewards for picking up its own cards. The amount of the reward should be the same amount paid for the capture of the acquirer's own cards.
  • Charge the issuer for reimbursement of the reward paid upon dispatching each captured card. The Fee Collection / 1740 message with an IPM message reason code (data element 25) equal to 7601 will settle the reward.
Reward Amounts

The acquirer should follow these guidelines for determining reward amounts.

IF the capture…
THEN pay this amount…
Resulted from a “Merchant Suspicious” phone call
$ 100
Did not result from a “Merchant Suspicious” phone call
Leads to the capture of additional cards
$ 50 for each card captured, with a maximum total of $250 for any one incident

The recovering member bank may collect an administrative fee of $15 for expenses incurred in processing the captured card. The capturing member may add this fee to the amount of the reward reimbursement or collect the fee independently, using the Fee Collection / 1740 message.

Reimbursement of Rewards

The following specifications apply to reward reimbursement:
  • Upon returning the card to the issuer, the acquirer will obtain reimbursement for the reward paid and the $15 fee by processing the Fee Collection / 1740 message.
  • If an acquirer returns a card to an issuer and a reward is not paid, the acquirer may collect a $15 fee by processing a Fee Collection / 1740 message record.
  • Upon receipt of the Interchange Card Recovery Form (ICA-6), the issuer should match it to the Fee Collection / 1740 message record based on the acquirer member ID, account number, and recovery date comparisons.
  • If an exempt member has an electronic reward payment processed, clearing receives the record by an information slip. The transaction is part of the Net Settlement System for settlement purposes.

Wednesday, December 2, 2009

Point-of-Sale (POS) Card Retention

Acquirers and merchants are required to recover a card by reasonable and peaceful means if:
  • The card issuer advises the acquirer or merchant to recover the card in response to an authorization request.
  • The Electronic Warning Bulletin file or an effective regional Warning Notice lists the account number.
After recovering a card, the merchant must notify its authorization center or its acquirer and receive instructions for returning the card. If mailing the card, the merchant first should cut the card in half through the magnetic stripe.

Returning Recovered Cards

The acquirer must follow these procedures when returning a recovered card to the issuer:
  • If the merchant has not already done so, the acquirer must cut the card in half vertically through the magnetic stripe.
  • The acquirer must forward the recovered card to the issuer within five calendar days of receiving the card along with the first copy (white) of the Interchange Card Recovery Form (ICA-6). The additional copies are file copies for the acquirer's records. A recovered card must be returned to the security contact of the issuer.
Returning Counterfeit Cards

The acquirer or merchant must return counterfeit cards to the issuer by following the instructions provided by its authorization center. The following information identifies an issuer:
  • The issuers bank identification number (BIN) embossed on the front of the card.
  • The member ID imprinted in the Card Source Identification area on the back of the card.