Merchant Bank Account Fraud Liability

To replace the current data compromise recovery compliance process with one that minimizes retailers' exposure while it is cost-efficient and equitable for all involved parties, merchant bank account providers have developed the Account Data Compromise Recovery (ADCR) process.

ADCR is used predominantly for mag-stripe data that have been discovered or suspected to be compromised. It caps counterfeit fraud liability for credit card processing companies to a time frame that is limited at 13 months, whereas the current process where data exposure risk can extend up to the date of expiration of the compromised cards. Moreover, ADCR enables the partial recovery of some expenses incurred by issuers.

Under the ADCR rules, merchant bank account providers first determines the processor's mag-stripe read fraud liability resulting from inadequate data storage by estimating the amount of the counterfeit fraud that would have resulted in the system for the duration of the 13-month event window if the data breach had never occured. This base-line sets the expected level of fraud for which a processor is not liable. The merchant bank account provider then deducts the baseline from the final confirmed amount of mag- stripe read counterfeit fraud that took place during the event window. This gives you the so-called "incremental fraud" assessment of the processor's liability. This is the fraud loss that exceeds the normal level and is so attributable to the mag-stripe exposure. Moreover, any card number that was in a previous mag-stripe exposure event within the previous 12 months is excluded.

Issuers enrolled in the ADCR procedure can recoup $1 per account involved in the compromise to cover some of their operating expenses, such as the re-issuing of the cards and the higher volume of incoming customer service calls. Any card number involved in a previous mag-stripe exposure event within the past 12 months is excluded.

Merchant bank account providers are only liable for up to 80 percent of the entire number of card accounts involved in a magnetic-stripe information type of compromise. The other 20 percent is the approximate share of accounts that will require some or no work by the issuing institutions. Put another way, these are account numbers that have expired or were closed, reissued, or blocked before the time they appeared on the fraud alert.

The Visa Compromised Account Management System (CAMS) provides a secure and effective way for merchant bank account providers, retailers, law enforcement entities, and issuing banks to communicate compromised and stolen or card account data to and from the Associations through an encrypted site.