Information about this New Document


New document

This Security Rules and Procedures Merchant Edition, dated January 2008, is an entirely new document.

Contents

This document contains excerpts from the January 2008 edition of the Security Rules and Procedures manual. The portions of the Security Rules and Procedures manual included in this Merchant Edition address certain responsibilities of a MasterCard member, particularly those regarding any merchant from which the member acquires MasterCard transactions. The included portions also describe programs that MasterCard administers, such as merchant audit, monitoring, and registration, to ensure that its members and merchants act appropriately to protect cardholder information and reduce chargebacks and fraud.

Using this Document

Purpose

The Security Rules and Procedures Merchant Edition provides merchants with the MasterCard rules applicable to merchant acceptance of MasterCard cards and Maestro cards. MasterCard believes that merchants are important participants in the MasterCard and Maestro payment programs and are vital to the continued success of the MasterCard and Maestro brands. MasterCard also believes that merchants and consumers benefit if merchants have access to, and are encouraged to be aware of and conform to, the rules that pertain to merchants' acceptance of MasterCard cards and Maestro cards.

A MasterCard member is obligated at all times to comply with MasterCard rules and to cause any merchant from which it acquires MasterCard transactions to comply with MasterCard rules at all times. A MasterCard member may require a merchant to adhere to additional or more stringent standards than MasterCard rules require.

Audience

MasterCard provides this manual for the benefit of any merchant that has entered into, or is contemplating entering into, an agreement with a MasterCard member for the purpose of accepting MasterCard cards, Maestro cards, or both.

Excerpted Text

This document consists entirely of text excerpted from other MasterCard manuals as published on the dates noted. The text of the various MasterCard manuals is amended from time to time as requirements are added, deleted, and modified. While we will endeavor to keep the text appearing in this document current, in the event of a discrepancy between text set forth in this Merchant Edition and the referenced source document, the text set forth in the referenced source document takes precedence. Because only excerpts of the manuals are included in this Merchant Edition, a reader may not obtain a complete or accurate understanding of a subject that is referenced or addressed. Merchants should direct any questions to their acquiring or prospective acquiring member.

MasterCard International

MasterCard International ("MasterCard") is a leading global payment solutions company that manages a family of well-known, widely accepted payment card brands, including MasterCard, MasterCard Electronic, Maestro, and Cirrus, which MasterCard licenses to its members. The principal members of MasterCard and its affiliates are approximately 2,600 financial institutions worldwide that participate in MasterCard payment programs. In addition, more than 22,000 affiliate members of MasterCard participate indirectly in MasterCard payment programs through one or more principal members. MasterCard is structured as an open bankcard association in which cardholder and merchant relationships are managed principally by the members.

MasterCard Rules

MasterCard business is managed by or under the direction of a board of directors, and MasterCard rules are approved by that board or pursuant to authority delegated by that board. MasterCard rules apply to MasterCard members. If a member acquires MasterCard-branded transactions from a merchant, MasterCard rules will affect how that merchant conducts business. Each MasterCard member is obligated to conduct MasterCard activity in compliance with applicable MasterCard rules and law, and to protect, indemnify, and hold harmless MasterCard and other members with respect to any claim, demand, loss, cost, liability, or expense resulting from the member's (and its affiliate members') MasterCard activity and compliance with MasterCard rules.

For the reasons set forth above, any person that uses this document or any portion of it does so at his or her exclusive risk and with the express understanding that MasterCard makes no representations or warranties of any kind as to the accuracy or completeness of the text set forth in this document.

Contact Us

MasterCard is listening. Please take a moment to provide MasterCard with your feedback about the Security Rules and Procedures Merchant Edition. MasterCard continually strives to improve its user documents, and user feedback helps MasterCard accomplish this goal. Please send feedback about this document to Manuals and Publications at publications@mastercard.com.

Support

If you have questions about this manual, please contact the Customer Operations Services team or your regional help desk. If you are a merchant, please contact your acquirer.

Security Rules and Procedures Merchant Edition
January 2008

Proprietary Rights

The information contained in this document is proprietary and confidential to MasterCard International Incorporated, one or more of its affiliated entities (collectively "MasterCard"), or both. This material may not be duplicated, published, or disclosed, in whole or in part, without the prior written permission of MasterCard.

Trademarks

Trademark notices and symbols used in this document reflect the registration status of MasterCard trademarks in the United States. Please consult the Customer Operations Services team or the MasterCard Law Department for the registration status of particular product, program, or service names outside the United States. All third-party product and service names are trademarks or registered trademarks of their respective owners.

Media

This document is available on

Address

MasterCard Worldwide
2200 MasterCard Boulevard
O'Fallon MO USA

SPME, January 2008

Table of Contents

Chapter 1 Omitted ... 1-i
    This chapter has been omitted

Chapter 2 Omitted ... 2-i
    This chapter has been omitted

Chapter 3 MasterCard Card and TID Design Standards ... 3-i
    3.6 Card Validation Code (CVC)
        Acquirer Requirements for CVC 2
    3.7 Service Codes
        Issuer Information
        Acquirer Information
        Valid Service Codes
        Additional Service Code Information
        Service Code Value Recommendations
    3.8 Transaction Information Documents (TIDs)
        Formset Contents
        Terminal Receipt Contents
        Primary Account Number Truncation
    Electronic Signature Capture Technology (ESCT)

Chapter 4 Terminal and PIN Security Standards ... 4-i
    4.1 Personal Identification Numbers (PINs)
    4.3 PIN Usage Standards
        PIN at the Point of Interaction
    4.4 PIN-based Terminal Standards
        Security Provisions for EMV Hybrid Terminals Supporting Offline PIN
    4.5 PIN Encryption Standards
        PIN Encryption at ATMs
        PIN Encryption at POI Terminals
        Triple DES Migration Standards
    4.6 PIN Entry Device Standards
    PIN Key Management
        Hierarchical Structuring of Keys
        Key Management Standards
        On-behalf Key Management
    PIN Key Exchange and Replacement Standards
        Key Exchange
        Key Replacement
    PIN Generation and Verification
    Component Authentication
    4.12 Organizational Procedures
        Documented Procedures
        Security Records
    Hybrid Terminal Security Standards
    Wireless and Internet/IP POS Terminal Security Standards

Chapter 5 Omitted ... 5-i
    This chapter has been omitted

Chapter 6 Fraud Loss Control Standards ... 6-i
    6.2 Fraud Loss Control Program Standards
        Acquirer Fraud Loss Control Programs
    Counterfeit Card Fraud Loss Control Standards
        Counterfeit Card Notification

Chapter 7 Merchant Screening and Monitoring Standards ... 7-i
    7.1 Screening New Merchants
        Evidence of Compliance with Screening Procedures
        Retention of Investigative Records
        Assessments for Noncompliance with Screening Procedures
        Screening Limitations
    Ongoing Merchant Monitoring and Education
        Merchant Monitoring
        Additional Requirements for Certain Merchant Categories
        Merchant Education

Chapter 8 Merchant Fraud Control Programs ... 8-i
    8.1 Presenting Valid Transactions
    Notifying MasterCard: Acquirer Responsibilities
    Notifying MasterCard: Issuer Responsibilities
    MasterCard Audit
    Merchant Audit Program
        Excessive Counterfeit Merchant Program
        Global Merchant Audit Program
        Acquirer Responsibilities
        Tier 3 Special Merchant Audit
        Chargeback Responsibility
        Exclusion from the Global Merchant Audit Program
        Notification of Merchant Identification
        Merchant Online Status Tracking (MOST) System
    Acquirer Fraud and Chargeback Liability Program
    8.6 Excessive Chargeback Program
        Definitions
        Reporting Requirements
        Assessments
        Issuer Reimbursement
    Cardholder-Merchant Collusion (CMC) Program
        Issuer Notification to MasterCard
        MasterCard Audit
        Acquirer Investigation and Response
        MasterCard Notification to Issuers
        Issuer Obligation to Assist in MasterCard Audit
        MasterCard Evaluation
        Issuer Post-Audit Reporting Procedures
        Issuer Recovery Claim Filing Process

Chapter 9 MasterCard Registration Program ... 9-i
    9.1 MasterCard Registration Program Overview
    General Registration Requirements
        Merchant Registration Fees and Noncompliance Assessments
        MSP Registration Noncompliance Assessments
    General Monitoring Requirements
    Additional Requirements for Specific Merchant Categories
        Key-entry Telecom Merchants
        Other Telecom Merchants and Transactions
        Electronic Commerce Adult Content (Videotext) Merchants
        Internet Gambling Merchants
        Prescription Drug and Tobacco Merchants

Chapter 10 Account Data Protection Standards and Programs ... 10-i
    10.1 Card and Cardholder Data Protection Standards
        Working with Third Parties
    Transaction Data Protection Standards
        Card-read Data Storage Standards
        CVC 2 Data Storage Standards
        Use of Wireless Local Area Network (LAN) Technology
    Account Data Compromise Events
        MasterCard Evaluation
        Acquirer Responsibilities
        Notification to Affected Issuers
        Issuer Responsibilities
        Compliance with Payment Card Industry Data Security Standard
        Noncompliance Assessments
    10.4 Common Point of Purchase (CPP) Investigations
        Issuer Investigation Request
        MasterCard Action
        Acquirer Response
    MasterCard Site Data Protection (SDP) Program
        Payment Card Industry Data Security Standard
        Compliance Validation Tools
        Acquirer Compliance Requirements
        Implementation Schedule
        SDP Program Registration
    Connecting to MasterCard
        Physical and Logical Security Requirements
        Minimum Security Requirements
        Additional Recommended Security Requirements

Chapter 11 MATCH System ... 11-i
    11.1 MATCH Overview
        System Features
        How does MATCH Search when Conducting an Inquiry?
    MATCH Standards
        Certification
        When to Add a Merchant to MATCH
        Inquiring about a Merchant
        Merchants Listed by MasterCard
        Questionable Merchants
        Merchant Removal from MATCH
    MATCH Reason Codes
        Reason Codes for Merchants Listed by the Acquirer
        Reason Codes for Merchants Listed by MasterCard
    Requesting Access to and Using MATCH

Chapter 12 Omitted ... 12-i
    This chapter has been omitted

Chapter 13 Risk Assessment Management Program (RAMP) ... 13-i
    13.1 About RAMP
    RAMP Level 3 MSP Reviews

Chapter 14 Omitted ... 14-i
    This chapter has been omitted

Chapter 15 Omitted ... 15-i
    This chapter has been omitted

Appendix A Omitted ... A-i
    This appendix has been omitted ... A-1

Appendix B Omitted ... B-i
    This appendix has been omitted ... B-1

Appendix C Formset Specifications ... C-i
    C.1 MasterCard Formset Specifications ... C-1
        C.1.1 Formset Physical Dimensions ... C-1
        C.1.2 Number of Copies and Retention Requirements ... C-1
        C.1.3 Paper Stock Characteristics ... C-1
        C.1.4 Color of Interchange Copy ... C-1
        C.1.5 Carbon ... C-1
        C.1.6 Registration Mark ... C-2
        C.1.7 Formset Numbering ... C-2
        C.1.8 Standard Wording ... C-3
        C.1.9 Information Slip Specifications ... C-3
    C.2 Formset Printing Standards ... C-4
        C.2.1 Retail Sale, Credit, and Cash Disbursement Formsets ... C-4
        C.2.2 Information Slip Formsets ... C-5
        C.2.3 Imprinters ... C-5

Appendix D Omitted ... D-i
    This appendix has been omitted ... D-1

Appendix E Omitted ... E-i
    This appendix has been omitted ... E-1

Chapter 1 Omitted

This chapter has been omitted.

Chapter 2 Omitted

This chapter has been omitted.

Chapter 3 MasterCard Card and TID Design Standards

This chapter may be of particular interest to members and MasterCard certified vendors responsible for the design, creation, and control of MasterCard cards. It provides specifications for all MasterCard consumer and corporate card programs worldwide.

3.6 Card Validation Code (CVC)
    Acquirer Requirements for CVC 2
3.7 Service Codes
    Issuer Information
    Acquirer Information
    Valid Service Codes
    Additional Service Code Information
    Service Code Value Recommendations
3.8 Transaction Information Documents (TIDs)
    Formset Contents
    Terminal Receipt Contents
    Primary Account Number Truncation
        Truncation Considerations
Electronic Signature Capture Technology (ESCT)

3.6 Card Validation Code (CVC)

Acquirer Requirements for CVC 2

When the merchant provides the indent-printed CVC 2 value, the acquirer must include the CVC 2 value in DE 48, subelement 92 of the Authorization Request/0100 message. All non-face-to-face gambling transactions (MCC 7995) must include the indent-printed CVC 2 value in DE 48, subelement 92 of the Authorization Request/0100 message.

The acquirer is responsible for ensuring that the merchant receives the CVC 2 response code provided by the issuer in DE 48, subelement 87 of the Authorization Request Response/0110 message.

For CVC 2 data storage Standards, refer to the CVC 2 Data Storage Standards section of Chapter 10 of this manual.

3.7 Service Codes

NOTE: The service code, a three-digit number that complies with ISO 7813 (Identification Cards: Financial Transaction Cards), is encoded on Track 1 and Track 2 of the magnetic stripe of a MasterCard card and indicates to a magnetic stripe-reading terminal the transaction acceptance parameters of the card.

Each digit of the service code represents a distinct element of the issuer's transaction acceptance policy. However, not all combinations of valid digits form a valid service code, nor are all service code combinations valid for all MasterCard card programs. Issuers may encode only one service code on a card, and the same value must be encoded on both Track 1 and Track 2 in their respective designated positions.

Service codes give issuers flexibility in defining card acceptance parameters and give acquirers the ability to interpret issuers' card acceptance preferences for all POI conditions.

Service codes apply to magnetic stripe-read transactions only. In the case of EMV chip cards used in chip card or hybrid terminals, the terminal uses the data encoded in the chip to complete the transaction. A value of 2 or 6 in position 1 indicates that a chip is present on the card.

Issuer Information

Currently, MasterCard recommends using service code value 101 (international card, normal authorization, normal cardholder verification, no restrictions) for most applications. For more information, refer to Table 3.6 in this chapter.

NOTE: MasterCard Electronic issuers must encode a value of 2 (positive online authorization required) in position 2. Issuers may use service codes to support issuance of integrated circuit card (ICC) applications and PIN requirements.

Acquirer Information

Acquirers must ensure that their hybrid POI terminals do not reject or otherwise decline to complete a transaction solely because of the service code encoded on the magnetic stripe. Acquirers are not required to act on the service codes at this time unless a value of 2 or 6 is present in position 1 for a MasterCard payment application; in that case the hybrid POI terminal must first attempt to process the transaction as a chip transaction.

Valid Service Codes

Table 3.6 defines the service code values for MasterCard, MasterCard Electronic, Maestro, and Cirrus payment applications for each position of the three-digit service code. To identify valid service code values, combine the valid values for each of the three positions in this table.

Table 3.6 Service Code Values

    Position 1
        1   International card
        2   International card, integrated circuit card
        5   National use only
        6   National use only, integrated circuit card
        7   Private label or proprietary card

    Position 2
        0   Normal authorization
        2   Positive online authorization required

    Position 3
        0   PIN required
        1   Normal cardholder verification, no restrictions
        2   Normal cardholder verification, goods and services only at point of interaction (no cash back)
        3   ATM only, PIN required
        5   PIN required, goods and services only at point of interaction (no cash back)
        6   Prompt for PIN if PIN pad present
        7   Prompt for PIN if PIN pad present, goods and services only at point of interaction (no cash back)

NOTE: In Authorization Release 06.2, support of Purchase of Goods and Services with Cash Back transactions was mandated for Debit MasterCard cards. Position 3 values 5 and 7 therefore are not valid for Debit MasterCard transactions.

Additional Service Code Information

The following information explains the service code values in Table 3.6.

Normal authorization is an authorized transaction according to the established rules governing transactions at the point of interaction.

Positive Online Authorization Required service codes (value of 2 in position 2) indicate that an electronic authorization must be requested for all transactions. This service code value must be used on MasterCard Electronic cards, but is optional for MasterCard Unembossed cards.

Normal cardholder verification indicates that the cardholder verification method must be performed in accordance with established rules governing cardholder verification at the point of interaction.

ICC-related service codes (value of 2 or 6 in position 1) are permitted only on EMV chip cards containing a MasterCard or Cirrus payment application type-approved by MasterCard or its agent. ICC-related service codes may not be used for stand-alone stored value (purse) applications that reside on MasterCard or Cirrus cards; in these instances, a value of 1 must be placed in the first position.

National Use Only service codes (value of 5 or 6 in position 1) are permitted only on National Use Only cards approved by MasterCard. This includes PIN-related service codes on National Use Only cards (for example, 506) governed by local PIN processing rules.

Private label or proprietary service codes (value of 7 in position 1) on cards that contain a valid MasterCard BIN are permitted only on private label or proprietary cards approved by MasterCard.

Members may not use PIN-related service codes for MasterCard card programs unless MasterCard has approved the indicated use of a PIN.
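The following Python is an added example and not MasterCard code: it parses an ISO 7813 Track 2 string, decodes the three service code positions using the Valid Service Codes table above, and applies the two acquirer rules from this section (a 2 or 6 in position 1 means a hybrid terminal must attempt chip first; position 3 values 5 and 7 are not valid for Debit MasterCard). The track data is constructed around the 5555 5555 5555 4444 test PAN with made-up expiry and discretionary data; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass

# ISO 7813 Track 2 layout: start sentinel ';', PAN (up to 19 digits), field
# separator '=', expiration date YYMM, three-digit service code, discretionary
# data, end sentinel '?'. An LRC character may follow the end sentinel.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>\d*)\?"
)

# Service code values from the Valid Service Codes table (position -> value -> meaning).
POSITION_1 = {
    "1": "International card",
    "2": "International card, integrated circuit card",
    "5": "National use only",
    "6": "National use only, integrated circuit card",
    "7": "Private label or proprietary card",
}
POSITION_2 = {
    "0": "Normal authorization",
    "2": "Positive online authorization required",
}
POSITION_3 = {
    "0": "PIN required",
    "1": "Normal cardholder verification, no restrictions",
    "2": "Normal cardholder verification, goods and services only (no cash back)",
    "3": "ATM only, PIN required",
    "5": "PIN required, goods and services only (no cash back)",
    "6": "Prompt for PIN if PIN pad present",
    "7": "Prompt for PIN if PIN pad present, goods and services only (no cash back)",
}


@dataclass(frozen=True)
class ServiceCode:
    code: str
    interchange: str
    authorization: str
    services: str
    chip_present: bool          # position 1 is 2 or 6
    online_auth_required: bool  # position 2 is 2 (mandatory for MasterCard Electronic)
    pin_involved: bool          # position 3 is 0, 3, 5, 6 or 7


def decode_service_code(code: str) -> ServiceCode:
    """Decode a three-digit service code; reject values outside the table."""
    if not re.fullmatch(r"\d{3}", code):
        raise ValueError(f"service code must be three digits, got {code!r}")
    p1, p2, p3 = code
    for pos, table, value in ((1, POSITION_1, p1), (2, POSITION_2, p2), (3, POSITION_3, p3)):
        if value not in table:
            raise ValueError(f"value {value} is not valid in service code position {pos}")
    return ServiceCode(
        code=code,
        interchange=POSITION_1[p1],
        authorization=POSITION_2[p2],
        services=POSITION_3[p3],
        chip_present=p1 in "26",
        online_auth_required=p2 == "2",
        pin_involved=p3 in "03567",
    )


def valid_for_debit_mastercard(code: str) -> bool:
    """Position 3 values 5 and 7 (no cash back) are not valid for Debit MasterCard."""
    return decode_service_code(code).code[2] not in "57"


def parse_track2(track2: str) -> dict:
    """Split Track 2 into PAN, expiry and decoded service code."""
    m = TRACK2_RE.match(track2)
    if not m:
        raise ValueError("not a well-formed ISO 7813 Track 2")
    return {
        "pan": m["pan"],
        "expiry_yymm": m["exp"],
        "service_code": decode_service_code(m["sc"]),
    }


def hybrid_terminal_path(track2: str) -> str:
    """Acquirer rule from the text: a hybrid POI terminal must first attempt a
    chip transaction when position 1 is 2 or 6, and must never decline solely
    because of the service code, so every valid code maps to some path."""
    sc = parse_track2(track2)["service_code"]
    return "chip" if sc.chip_present else "magstripe"


# Constructed sample: the 5555 5555 5555 4444 test PAN, expiry 12/10, service
# code 101, made-up discretionary data. Not data read from a real card.
SAMPLE_TRACK2 = ";5555555555554444=1012101123456789?"

if __name__ == "__main__":
    record = parse_track2(SAMPLE_TRACK2)
    sc = record["service_code"]
    print(record["pan"], record["expiry_yymm"], sc.code)
    print(sc.interchange, "|", sc.authorization, "|", sc.services)
    print("hybrid terminal path:", hybrid_terminal_path(SAMPLE_TRACK2))
```

The decoder deliberately rejects position values that the table does not list (ISO 7813 defines a few more), so a terminal built on it treats an unlisted value as a data error rather than silently mapping it to a behaviour; the acquirer rule that a transaction must never be declined solely on the service code still applies to every value the table does list.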

NOTE: As indicated in Table 3.6, members may use a service code value other than 101 if they have received approval from MasterCard to issue the type of card that corresponds to those service code values (for example, MasterCard Electronic cards, EMV chip cards, or private label or proprietary cards).

Service Code Value Recommendations

Unless issuing a card for National Use Only, an EMV chip card, or a private label or proprietary card, MasterCard recommends that:

    MasterCard cards and Debit MasterCard cards issued in the U.S. region use the service code value 101.
    Cirrus payment applications use service code values 120 and 126.
    Maestro payment applications use service code values 120 and 220.

Acquirers and issuers also may refer to the Cirrus Worldwide Operating Rules and Maestro Global Rules manuals for information pertaining to the acceptance of online debit cards.

3.8 Transaction Information Documents (TIDs)

NOTE: Transaction Information Documents (TIDs) used in interchange transactions must comply with the Standards set forth in this section.

This section discusses the following types of TIDs:

    Retail sale
    Credit
    Cash disbursement
    Information

The acquirer must retain a copy of the TID for at least 18 months.

If the merchant uses a manual imprinter, the TID produced is called a formset or slip. For MasterCard formset specifications, refer to Appendix C. If a transaction begins at an electronic terminal, the merchant may substitute a terminal receipt for a formset. Terminal receipts have no prescribed physical specifications but must be numbered sequentially for reference purposes.

A TID must not reflect the following information:

    The PIN, any part of the PIN, or any fill characters representing the PIN
    The CVC 2, which is indent-printed in a white panel adjacent to the signature panel of the card

MasterCard prohibits the recording of PIN data and CVC data in any manner for any purpose.

Formset Contents

Each copy of a retail sale, credit, or cash disbursement formset shall satisfy minimum statutory and regulatory requirements in the jurisdiction in which the slip originates and any applicable regulations issued by the U.S. Board of Governors of the Federal Reserve System or other regulatory authorities, and shall contain the following:

    In the case of retail sale and credit slips, a space for the description of goods, services, or other things of value sold by the merchant to the customer and the cost thereof, in sufficient detail to identify the transaction.
    Adequate spaces for:
        Customer's signature
        Card imprint and the merchant or bank identification plate imprint
        Date of the transaction
        Authorization number (except on credit slips)
        Sales clerk's or teller's initials or department number
        Currency conversion field
        Merchant's signature on credit slips
        Description of the positive identification supplied by the cardholder on cash disbursements and on retail sale slips for certain unique transactions
    A legend that clearly identifies the slip as a retail sale, credit, or cash disbursement and identifies the receiving party of each copy.
    On the customer copy of the formset, the words (in English, the local language, or both): "IMPORTANT: retain this copy for your records," or words to similar effect.
    Such other contents as are not inconsistent with these rules.

MasterCard recommends that each retail sale, credit, and cash disbursement slip bear a means of identifying the member that distributed the slip to the merchant.

Terminal Receipt Contents

A terminal or other device at a point of interaction must not display magnetic stripe track data other than the card account number, expiration date, and cardholder name.

Each copy of a terminal receipt shall satisfy all requirements of applicable law and shall contain the following information:

    Doing Business As (DBA) merchant name, city and state, country, or the point of banking location
    Transaction date
    MasterCard account number
    Transaction amount in the original transaction currency
    Adequate space for the customer's signature (required on the merchant copy only)
    Authorization approval code (except on credit receipts). Optionally, the acquirer also may print the transaction certificate, the application cryptogram, or both for EMV chip card transactions.
    Merchant's signature (on credit receipts only)

Each receipt shall clearly identify the transaction as a retail sale, credit, or cash disbursement.

Primary Account Number Truncation

MasterCard requires ATM acquirers to truncate, or render indeterminable on printed ATM receipts, a minimum of four digits of the PAN. MasterCard also requires PAN truncation for all receipts generated at cardholder-activated terminals (CATs). PAN truncation is permitted for receipts generated at all other points of interaction.

MasterCard strongly recommends that all cardholder receipts generated by POI terminals, whether attended or unattended, reflect only the last four (4) digits of the PAN, replacing all preceding digits with fill characters that are neither blank spaces nor numeric characters, such as X, *, or #.

The cardholder receipt generated by newly installed, replaced, or relocated POI terminals, whether attended or unattended, must reflect only the last four (4) digits of the PAN. All preceding digits must be replaced with fill characters that are neither blank spaces nor numeric characters, such as X, *, or #.

Truncation Considerations

Truncating a greater number of digits, relative to the total number of digits in the PAN, increases the effectiveness of the effort. However, it also increases the confusion and difficulty that cardholders may have reconciling their ATM terminal receipts to their periodic statements, so a satisfactory balance must be reached.

1. Truncation of the routing BIN alone, while helpful, may not prevent duplication of the PAN. It is possible to observe the card in use in order to obtain issuer identification.
2. Truncating the check digit alone does not improve PAN security, because the check digit can be recomputed from the remaining digits. When the check digit is truncated together with several other digits, however, calculation of the missing digits within the PAN, especially if the routing BIN also is truncated, is substantially more complicated and time consuming.
3. Truncating a small number of digits, relative to the total number of digits in the PAN, reduces the effectiveness of the effort. It is possible to reconstruct a few missing digits by using a trial-and-error approach.
4. Truncating a greater number of digits, relative to the total number of digits in the PAN, increases the effectiveness of the effort.

Electronic Signature Capture Technology (ESCT)

An acquirer using Electronic Signature Capture Technology (ESCT) must ensure the following:

    That proper electronic data processing (EDP) controls and security are in place, so that digitized signatures are recreated on a transaction-specific basis. The acquirer may recreate the signature captured for a specific transaction only in response to a retrieval request for that transaction.
    That appropriate controls exist over employees with authorized access to digitized signatures maintained in the acquirer or card acceptor host computers. Only employees and agents with a need to know should be able to access the stored, electronically captured signatures.
    That the digitized signatures are not accessed or used in a manner contrary to the Standards.

MasterCard reserves the right to audit members to ensure compliance with these sections and may prohibit use of ESCT if it identifies inadequate controls.
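The receipt masking rule from Primary Account Number Truncation and the trial-and-error argument from Truncation Considerations, worked through in Python. This is an added example, not text or code from the MasterCard manual; the PAN is the well-known 5555 5555 5555 4444 test number and the function names are this example's own. truncate_pan renders a receipt PAN with the last four digits kept and a non-blank, non-numeric fill character; count_candidates enumerates every Luhn-consistent PAN that matches a masked string, which is exactly the reconstruction an attacker attempts when too few digits are hidden.

```python
import itertools


def luhn_valid(pan: str) -> bool:
    """Luhn check over the whole PAN; the rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep_last: int = 4, fill: str = "*") -> str:
    """Receipt rendering per the truncation rule: keep only the last `keep_last`
    digits and replace every preceding digit with a fill character that is
    neither a blank space nor a digit (X, * or #)."""
    if not pan.isdigit():
        raise ValueError("PAN must be numeric")
    if len(fill) != 1 or fill.isspace() or fill.isdigit():
        raise ValueError("fill must be a single non-blank, non-numeric character")
    if not 0 <= keep_last <= len(pan):
        raise ValueError("keep_last out of range")
    return fill * (len(pan) - keep_last) + pan[len(pan) - keep_last:]


def atm_receipt_compliant(printed: str) -> bool:
    """ATM rule from the text: at least four PAN digits rendered indeterminable."""
    return sum(1 for ch in printed if not ch.isdigit()) >= 4


def candidate_pans(masked: str, fill: str = "*"):
    """Yield every Luhn-consistent PAN matching a masked receipt string: the
    trial-and-error reconstruction the Truncation Considerations describe.
    Enumeration costs 10**k for k masked digits; use expected_candidates()
    when k is large."""
    positions = [i for i, ch in enumerate(masked) if ch == fill]
    chars = list(masked)
    for digits in itertools.product("0123456789", repeat=len(positions)):
        for pos, d in zip(positions, digits):
            chars[pos] = d
        candidate = "".join(chars)
        if luhn_valid(candidate):
            yield candidate


def count_candidates(masked: str, fill: str = "*") -> int:
    return sum(1 for _ in candidate_pans(masked, fill))


def expected_candidates(masked: str, fill: str = "*") -> int:
    """Closed form of count_candidates: for k >= 1 masked digits exactly one in
    ten fillings passes Luhn (for any single position, digit -> checksum
    contribution is a bijection mod 10), so 10**(k-1) candidates remain."""
    k = masked.count(fill)
    if k == 0:
        return 1 if luhn_valid(masked) else 0
    return 10 ** (k - 1)


# Constructed sample using the 5555 5555 5555 4444 test PAN (Luhn-valid).
SAMPLE_PAN = "5555555555554444"

if __name__ == "__main__":
    receipt = truncate_pan(SAMPLE_PAN)
    print(receipt, "ATM-compliant:", atm_receipt_compliant(receipt))
    for masked in ("555555555555444*", "555555555555****", "55555555****4444", receipt):
        print(masked, "->", expected_candidates(masked), "Luhn-consistent candidates")
```

Running the counts makes the considerations concrete: masking only the check digit leaves a single candidate; masking the last four digits (check digit included) or four interior digits (check digit visible) each leaves 1,000; masking everything but the last four of a 16-digit PAN leaves 10^11, computed in closed form because enumerating it is infeasible. If the six-digit BIN is known from observing the card, as item 1 warns, that figure drops to 10^5.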

Chapter 4 Terminal and PIN Security Standards

This chapter may be of particular interest to all MasterCard, Maestro, and Cirrus issuers and to acquirers of PIN-based transactions.

4.1 Personal Identification Numbers (PINs)
4.3 PIN Usage Standards
    PIN at the Point of Interaction
4.4 PIN-based Terminal Standards
    Security Provisions for EMV Hybrid Terminals Supporting Offline PIN
4.5 PIN Encryption Standards
    PIN Encryption at ATMs
    PIN Encryption at POI Terminals
    Triple DES Migration Standards
4.6 PIN Entry Device Standards
PIN Key Management
    Hierarchical Structuring of Keys
    Key Management Standards
    On-behalf Key Management
PIN Key Exchange and Replacement Standards
    Key Exchange
    Key Replacement
PIN Generation and Verification
Component Authentication
4.12 Organizational Procedures
    Documented Procedures
    Security Records
Hybrid Terminal Security Standards
Wireless and Internet/IP POS Terminal Security Standards

23 Terminal and PIN Security Standards 4.1 Personal Identification Numbers (PINs) 4.1 Personal Identification Numbers (PINs) MasterCard requires issuers to give their cardholders a personal identification number (PIN) in conjunction with card issuance, or offer them the option of receiving a PIN. The PIN allows cardholders to access the MasterCard ATM Network accepting the MasterCard, Maestro, and Cirrus brands, and to conduct transactions at cardholder-activated terminal (CAT) 1 devices. A PIN also may be used at certain other point-of-interaction (POI) terminals. All members must comply with the security requirements for PIN and key management as specified in the following International Organization for Standardization (ISO) documents: ISO , Personal Identification Number management and security, Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems ISO , Personal Identification Number management and security, Part 2: Approved algorithms for PIN encipherment Each member also must comply with the security requirements for PIN and key management set forth in the following documents published by MasterCard Worldwide: Payment Card Industry PIN Security Requirements Issuer PIN Security Policy and Requirements Payment Card Industry POS PIN Entry Device Security Requirements Payment Card Industry POS PIN Entry Device Security Requirements Version 2 Payment Card Industry Encrypting PIN Pad Security Requirements Payment Card Industry Encrypting PIN Pad Security Requirements Version 2 For additional information about PIN key management and related services, refer to the manuals listed in Table 4.1, which are available through the MasterCard OnLine Member Publications tool. 
Table 4.1 PIN Key Management References For transaction authorization request messages routed through Banknet telecommunications network MasterCard Debit Switch (MDS) EPS-Net Refer to Authorization System Manual MDS Online Specifications EPSS Security Platform (ESP) Document Set Security Rules and Procedures Merchant Edition January

24 Terminal and PIN Security Standards 4.3 PIN Usage Standards For transaction authorization request messages routed through Regional Service Center MasterCard Key Management Centre via the On-behalf Key Management (OBKM) Interface Refer to Network Security Platform (NSP) Document Set On-behalf Key Management (OBKM) Document Set 4.3 PIN Usage Standards Members must comply with the following PIN Usage Standards established by MasterCard PIN at the Point of Interaction MasterCard may authorize the use of a PIN at selected merchant types, terminal types, or merchant locations in specific countries. MasterCard requires the use of a PIN at CAT 1 devices. Acquirers that support PIN-based transactions must provide MasterCard cardholders with the option of a signature-based transaction, unless the transaction occurs at a CAT 1 device or at a CAT 3 device with offline PIN capability for EMV chip transactions. MasterCard requires merchants to provide a terminal that meets specific requirements for PIN processing wherever an approved implementation takes place. When applicable, each transaction must be initiated with a card in conjunction with the PIN entered by the cardholder at the terminal. The acquirer must be able to transmit the PIN in the Authorization Request/0100 message in compliance with all applicable PIN security Standards. MasterCard acquirers and merchants must not require a cardholder to disclose his or her PIN, other than by private entry into a secure PIN entry device (PED) as described in section 4.6 of this manual. Acquirers must control POI terminals equipped with PIN pads. If a terminal is capable of prompting for the PIN, the acquirer must include the PIN and full magnetic stripe-read data in the Authorization Request/0100 message. MasterCard will validate the PIN when processing for issuers that provide the necessary keys to MasterCard pursuant to these rules. All other POI transactions containing PIN data will be declined in Stand-In processing. 

4.4 PIN-based Terminal Standards

NOTE
All PIN-based terminals must have the capability to:

1. Read and transmit unaltered, full track data (Track 1 or 2),
2. Display messages on the terminal indicating the different steps to be taken by the merchant during the transaction,
3. Mandate that the standard message language be English, and offer optional local language,
4. Have an online connection to the acquirer for the authorization of all PIN-based magnetic stripe transactions,
5. Ensure to the cardholder the privacy of PIN entry,
6. Prevent additional transactions from being entered into the system when the transaction is being processed,
7. Maintain a terminal transaction log that does not include the cardholder's PIN information or derived PIN data, and
8. Provide a transaction information document (TID) either automatically or upon customer request. The TID must include the transaction time, trace number, terminal number, and other MasterCard terminal receipt content requirements.

Security Provisions for EMV Hybrid Terminals Supporting Offline PIN

Hybrid terminals support both magnetic stripe and Europay-MasterCard-Visa (EMV) chip cards. The following Standards address all EMV hybrid terminals supporting offline PIN transactions:

1. All new terminals that support offline PIN transactions must support both clear text and enciphered offline PIN options.
2. Retrofitted terminals that support offline PIN transactions should support both clear text and enciphered offline PIN options, if possible.

Hybrid terminals must support online dynamic card authentication methodology (CAM) for all chip-read transactions. All terminals that support offline PIN transactions must support both clear text and enciphered offline PIN options.

4.5 PIN Encryption Standards

Whenever the PIN is electronically transmitted outside a secure cryptographic device, it must be cryptographically protected using the approved algorithm(s) for PIN encipherment listed in ISO. MasterCard must approve the use of other algorithms.

For online PIN transmission, the encrypted PIN block format must comply with ISO format 0, format 1, or format 3. For offline PIN verification by a smart card (either plain text or enciphered), ISO PIN block format 2 must be used.

For ISO format 0 and 3, the cleartext PIN block and the Primary Account Number (PAN) must be Exclusive-ORed (XORed) together and then Triple DES encrypted in Electronic Code Book (ECB) mode to form the 64-bit output cipherblock (the reversibly encrypted PIN block). ISO formats 1 and 2 are formed by the concatenation of the plaintext PIN field and the filler field.

MasterCard must approve the use of alternative equivalent formats. Any alternative format used in a local network must produce different enciphered PIN block results when the same PIN is associated with different accounts. The PIN will remain encrypted until the issuer or the MDS receives it for verification.

Members must adhere to the following Standards for PIN encryption:

1. Perform all PIN encryption, translation, and decryption for the network using hardware encryption by using physically secure devices (PSDs).
2. Do not perform PIN encryption, translation, or decryption under Triple Data Encryption Standard (DES) software routines.
3. Acquirers must never log, even in encrypted form, issuers' PINs on journals, computer records, magnetic tapes and disks, or on any printed records resulting from interchange authorization of transaction records.
4. Use the Triple DES algorithm to perform all encryption.

PIN Encryption at ATMs

For PIN security Standards applicable to ATMs, refer to section 8.4 of the Cirrus Worldwide Operating Rules.

DEFINITION
Physically secure device
A type of tamper-resistant security module that protects any cryptographic key or PIN resident within the device against penetration attacks. Penetration of a physically secure device (PSD) will cause the automatic and immediate erasure of all PINs, cryptographic keys, and all useful residue of PINs and keys contained within the device. A device is considered to be a PSD only when the device's internal operation cannot be and has not been modified to allow penetration. Also called a tamper-responsive device.
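The ISO format 0 construction described in section 4.5, as an added Go example that is not MasterCard's code or part of this manual: the PIN field and the PAN field are XORed into the 64-bit cleartext block, which is then enciphered under a double-length Triple DES PIN encryption key in ECB mode; format 2, used for offline PIN, is shown alongside for contrast. The PIN, PAN and key values used to exercise it are constructed, and the secure-device boundary within which the manual requires these steps to run is not modelled.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// pinField builds the 16-hex-digit PIN field: control digit, PIN length as one
// hex digit, the PIN digits, then 'F' filler (formats 0 and 2 use fixed filler).
func pinField(control byte, pin string) (string, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return "", errors.New("PIN must be 4 to 12 numeric digits")
	}
	f := fmt.Sprintf("%c%X%s", control, len(pin), pin)
	return f + strings.Repeat("F", 16-len(f)), nil
}

// panField builds the 16-hex-digit account field used by formats 0 and 3:
// four zero digits, then the rightmost 12 PAN digits excluding the check digit.
func panField(pan string) (string, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return "", errors.New("PAN must be at least 13 numeric digits")
	}
	body := pan[:len(pan)-1] // the final PAN digit is the check digit
	return "0000" + body[len(body)-12:], nil
}

// xorHex XORs two equal-length hex strings and returns upper-case hex.
func xorHex(a, b string) (string, error) {
	x, err := hex.DecodeString(a)
	if err != nil { return "", err }
	y, err := hex.DecodeString(b)
	if err != nil || len(x) != len(y) { return "", errors.New("fields must be equal-length hex") }
	for i := range x {
		x[i] ^= y[i]
	}
	return strings.ToUpper(hex.EncodeToString(x)), nil
}

// Format0Block returns the 64-bit cleartext ISO format 0 PIN block as hex: PIN field
// XORed with PAN field, so the same PIN gives a different block for each account.
func Format0Block(pin, pan string) (string, error) {
	pf, err := pinField('0', pin)
	if err != nil { return "", err }
	af, err := panField(pan)
	if err != nil { return "", err }
	return xorHex(pf, af)
}

// Format2Block returns the cleartext ISO format 2 block used for offline PIN
// verification by the chip card: PIN field plus 'F' filler, no PAN binding.
func Format2Block(pin string) (string, error) {
	return pinField('2', pin)
}

// tdes applies two-key Triple DES to one 8-byte block given as hex, in ECB mode
// (a single 64-bit block, so there is nothing to chain). Go wants a 24-byte key,
// so the double-length key is expanded to K1|K2|K1.
func tdes(key []byte, blockHex string, decrypt bool) (string, error) {
	blk, err := hex.DecodeString(blockHex)
	if len(key) != 16 || err != nil || len(blk) != 8 {
		return "", errors.New("need a 16-byte key and an 8-byte block")
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	if err != nil { return "", err }
	if decrypt {
		c.Decrypt(blk, blk)
	} else {
		c.Encrypt(blk, blk)
	}
	return strings.ToUpper(hex.EncodeToString(blk)), nil
}

// EncipherBlock produces the reversibly encrypted PIN block that travels in the
// Authorization Request/0100: the cleartext block enciphered under the PEK.
func EncipherBlock(pek []byte, clearHex string) (string, error) {
	return tdes(pek, clearHex, false)
}

// DecipherBlock is the verifying host's step inside its TRSM: decipher, XOR the
// PAN field back out and read the PIN. A wrong key or PAN surfaces as a
// malformed field rather than as a plausible but wrong PIN.
func DecipherBlock(pek []byte, cipherHex, pan string) (string, error) {
	clear, err := tdes(pek, cipherHex, true)
	if err != nil { return "", err }
	af, err := panField(pan)
	if err != nil { return "", err }
	pf, err := xorHex(clear, af)
	if err != nil { return "", err }
	n := strings.IndexByte("0123456789ABCDEF", pf[1])
	if pf[0] != '0' || n < 4 || n > 12 || strings.Trim(pf[2+n:], "F") != "" ||
		strings.Trim(pf[2:2+n], "0123456789") != "" {
		return "", errors.New("not a well-formed format 0 block (wrong key or PAN?)")
	}
	return pf[2 : 2+n], nil
}
```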

DEFINITION
Tamper-Resistant Security Module (TRSM)
A hardware device that meets the requirements of a physically secure device as defined in ISO. The TRSM is used to ensure that the cardholder PIN and the PIN keys used to encrypt and decrypt the PINs are protected against external attacks.

PIN Encryption at POI Terminals

At a minimum, all merchant POI terminals must use Single DES technology with a method of key management that derives one unique key per transaction. Preferred methods of key management include the use of Triple DES encryption and certain implementations of public key cryptography. Where public key cryptography is used, MasterCard will review and approve each implementation.

The POI terminal must encrypt the PIN in:
- a tamper-responsive or physically secure device (PSD); or
- a tamper-evident or minimum acceptable PIN entry device (PED).

DEFINITION
Tamper-evident device
A type of tamper-resistant security module in which any attempt to penetrate the device will be obvious. Such a device can be used only for PIN encryption and key management schemes where penetration of the device will offer no information on previously entered PINs or secret keys. Also called a minimum acceptable PED.

Triple DES Migration Standards

Triple DES, minimum double key length (hereafter referred to as "Triple DES"), must be implemented as follows:

1. All newly installed PEDs, including replacement and refurbished PEDs that are part of POS terminals, must be Triple DES capable. This requirement applies to POS terminals owned by members and non-members.
2. All member and processor host systems must support Triple DES.
3. It is strongly recommended that all PEDs that are part of POS terminals be Triple DES compliant and chip-capable.

MasterCard recognizes that members may elect to use other public key encryption methods between their POS terminals or ATMs and their host(s). In such instances, MasterCard must approve the alternate method chosen in advance of its implementation and use. Approval will be dependent, in part, on whether MasterCard deems that other method to be as secure as or more secure than Triple DES. Approval is required before implementation can begin. All transactions routed to the MasterCard system must be Triple DES compliant.

DEFINITION
Point-of-sale (POS) terminal
An attended or unattended device located in or at a card acceptor's (merchant's) premises that permits the effecting of a transaction for the purchase of goods or services sold by the merchant. A POS terminal is connected to the acquiring financial institution's system through telecommunications lines and is designed to capture and forward transaction information by electronic means. It is capable of capturing data from a magnetic stripe, an EMV chip, or both, and it may or may not have key-entry capabilities for manual data capture.

4.6 PIN Entry Device Standards

WARNING!
Acquirers must ensure that all PEDs that are part of POS terminals meet the following requirements:

1. All PEDs must be compliant with the Payment Card Industry PIN Security Requirements manual.
2. All newly-installed, replaced, or refurbished PEDs must be compliant with the Payment Card Industry (PCI) POS PED Security Requirements and Evaluation Program.
3. Effective 1 July 2010, all PEDs must be in compliance with the PCI POS PED Security Requirements and Evaluation Program or appear on the MasterCard list of approved devices.

As a requirement for PED testing under the PCI PED Security Evaluation Program, the PED vendor must complete the forms in the Payment Card Industry POS PIN Entry Device Security Requirements manual, along with the Payment Card Industry POS PIN Entry Device Evaluation Vendor Questionnaire. The vendor must submit all forms together with the proper paperwork, including the required PED samples, to the evaluation laboratory.

If a member or MasterCard questions a PED with respect to physical security attributes (those that deter a physical attack on the device) or logical security attributes (functional capabilities that preclude, among other things, the output of a clear text PIN or a cryptographic key), MasterCard has the right to effect an independent evaluation performed at the manufacturer's expense.

MasterCard will conduct periodic security reviews with selected acquirers and merchants. These reviews will ensure compliance with MasterCard security requirements and generally accepted best practices.

The physical security of the PED depends on its penetration characteristics. Virtually any physical barrier may be defeated with sufficient effort. For secure transmission of the PIN from the PED to the issuer host system, the PED must encrypt the PIN using the approved algorithm(s) for PIN encipherment listed in ISO and the appropriate PIN block format as provided in ISO.

If the PIN pad and the secure component of the PED are not integrated into a single tamper-evident device, then for secure transmission of the PIN from the PIN pad to the secure component, the PIN pad must encrypt the PIN using the approved algorithm(s) for PIN encipherment listed in ISO.

4.7 PIN Key Management

DEFINITION
Key management is the process of creating, distributing, maintaining, storing, and destroying cryptographic keys, including the associated policies and procedures used by processing entities.

Hierarchical Structuring of Keys

Cryptographic keys may be structured hierarchically; for example, by using Master File Key, Key Exchange Keys, and PIN Encryption Keys, as described in the following examples:

1. Master File Key. The processor may use a master file key (MFK) to encrypt all other keys in the processor database. A random or pseudo-random process generates the MFK using dual control procedures (for example, a condition under which two or more individuals separately have key components, each of which alone conveys no knowledge of the resulting cryptographic key).
2. Key Exchange Key. Key exchange keys (KEKs) encrypt PIN encryption keys (PEKs) for purposes of synchronizing keys between network nodes, or between network nodes and merchant terminals. The processor uses a unique KEK for each PIN network device that sends or receives PINs and is connected directly to the processor. The processor uses the KEK to encrypt working keys, such as a PIN source or destination connection, generating the KEK using a random or pseudo-random key generator with dual control. The processor must retire the KEK after 12 months of use and replace it with a new KEK.
3. PIN Encryption Key. The processor must exchange and hold a unique PIN encryption key (PEK) with each connected entity for the purposes of secure PIN transmission. This requirement enables the processor to decrypt the PIN and re-encrypt a PIN block in the shared key of the destination. This requirement also allows issuers to receive PIN blocks encrypted in a shared key with the switch, and to decrypt and verify the PIN.

DEFINITION
Intermediate network facility (INF)
Any message processing entity positioned between the acquirer of a transaction and the issuer, including processors and the interchange system.

Key Management Standards

The following minimum security Standards regarding cryptographic keys are consistent across all brands, services, and programs.

1. Keys must exist only in the following forms:
   a. in clear form in at least two (2) separate components protected by the techniques of split knowledge and at least dual control. The resulting key must be a function of all key components. Key components must be stored in such a way that unauthorized access has a high probability of being detected;
   b. in clear form in a TRSM;
   c. encrypted under a KEK.
2. Keys must be used only for their sole intended purpose and must never be shared between production and test systems.
3. Each key and key component must be generated by a random or pseudo-random process, which prevents prediction of any key, or determination that certain keys are more probable than other keys, from the set of possible keys.
4. Key components must be handled according to the following Standards:
   a. If a component is not in humanly comprehensible form (for example, in a programmable read-only memory [PROM] module), it must be in the physical possession of only one person or group of persons, and for the minimum practical time;
   b. If a component is in humanly comprehensible form (for example, printed), it must be known at one point in time to only one person, and only for the duration of the time required for this person to enter the key component into a physically secure device or minimum acceptable PED; and
   c. If a component is stored for future retrieval, then it must be either encrypted under a KEK or stored within a device such as a minimum acceptable PED.
5. No one person must have the capability to access or ascertain any clear text secret key or key material. Access to clear text secret key or key material must be limited to a need-to-know basis.
6. Systems must prevent and detect:
   a. attempted disclosure of any secret key;
   b. attempted use of a secret key for anything other than its intended purpose;
   c. unauthorized modification, substitution, deletion or insertion of any key.
7. A key (for example, a PEK, KEK, or MFK) must be used for only one function. In a unique key-per-transaction scheme, a single key may be used for different security services in the same transaction, provided that it can be shown that no misuse is possible in a given implementation. A unique key must be used for each identifiable link between host computer systems.

8. A transformed key must be used only at the same level as the original key, or the level immediately below that of the original key.
9. A variant of a key may be used for a different function from that of the original key, but only in those devices that possess or possessed the original key. A variant key is a secret key obtained from another secret key by applying a simple (fixed) function to it (for example, by inverting every other bit or, more generally, by Exclusive-ORing (XORing) the original key with a fixed "mask").
10. Any key that exists in a PED or other transaction-originating device must be unique and therefore not exist in any other such device except by chance.
11. Any KEK or PEK must be known only in the location where the PEK or PIN is encrypted and the location where the PEK or PIN is decrypted.
12. Any key used to encrypt a PIN in a PED must be known only in that PED or in other TRSMs at the minimum number of locations consistent with effective system operation (such that a terminal may interface with more than one processor).
13. A key must be replaced with a new key within the time deemed feasible to determine the old key, or to perform a successful dictionary attack.
14. A key must cease to be used when its compromise is known or suspected.
15. A compromised key must not provide any information to enable the determination of its replacement.
16. A key must only be loaded into a device when it can be reasonably assured that the device is secure and has not been subjected to unauthorized modification or substitution. If such reasonable assurance cannot be obtained, the device must not be placed into service.
17. A device must be protected against unauthorized use of encrypted keys or key components by:
   a. dual access controls used to enable the key encryption function; or
   b. physical protection of the equipment under dual control; or
   c. both a and b above.
18. Procedures for key distribution and replacement must be adequate in terms of timeliness and level of control applied.
19. Backups of secret keys must exist only for the purpose of reinstating keys that are accidentally destroyed. The backups must exist only in one of the allowed storage forms for that key.

Procedures must exist to prevent or detect the unauthorized substitution of one key for another or the operation of any cryptographic device without legitimate keys. Encrypting the stored key as a function of the users' identities with the KEK before encrypting the PEK is a cryptographic method of PIN substitution prevention. When prevention is not feasible, an adversary must not be able to ascertain plain text from cipher text encrypted under the KEK.

MasterCard strongly recommends the use of double-length keys.

On-behalf Key Management

MasterCard offers the On-behalf Key Management (OBKM) service to Europe region members as a means to ensure the secure transfer of member cryptographic keys to the MasterCard Key Management Center. OBKM services offer members three key exchange options:

One-Level Key Hierarchy: Members deliver their cryptographic keys in three clear text components to three MasterCard Europe security officers. The security officers then load the key components into the Key Management Center.

Two-Level Key Hierarchy: The Key Management Center generates and delivers transport keys to members in three separate clear text components. Members use the transport keys to protect and send their cryptographic keys to Key Management Services in Waterloo, Belgium. Key Management Services then loads the member keys into the Key Management Center.

Three-Level Key Hierarchy: The Key Management Center uses public key techniques to deliver transport keys to members in three separate clear text components. Members use the transport keys to protect and send their cryptographic keys to Key Management Services in Waterloo, Belgium. Key Management Services then loads the member keys into the Key Management Center.

MasterCard recommends that members use the Two-Level or Three-Level key hierarchy, both of which use transport keys to establish a secure channel between the member and the Key Management Center.

MasterCard has developed a Cryptography Self Test Tool (CSTT) to assist members in meeting OBKM interface requirements. Members must use the CSTT before exchanging keys with Key Management Services using the Two-Level and Three-Level hierarchies.

Members must register to participate in the OBKM service. For more information, contact key_management@mastercard.com or refer to the On-behalf Key Management (OBKM) Document Set, available via the MasterCard OnLine Member Publications tool.

4.8 PIN Key Exchange and Replacement Standards

The Standards in the following sections apply to PIN key exchange and PIN key replacement.

Key Exchange

In a single message processing environment, dynamic exchange of PIN encryption keys (PEKs) is required:
- Between the acquirer host systems (with a direct connection to the MDS) and the MDS at least every 12 hours, and
- Between the acquirer host systems (exclusive of the connection to the MDS) every 2,500 PIN-based transactions or weekly, whichever occurs first.

In a dual message processing environment, dynamic exchange of PEKs between the processor and the interchange system is required as described in Table 4.2. Alternatively, terminals may use a method of key generation that establishes a unique PEK for each transaction based on a mutual set of parameters. This provides a predictable key between the terminal and merchant processor, but does not allow interception or prediction of the key value except between the PIN-exchanging entities.

Table 4.2 Key Exchange

Processors must exchange PEKs                            At the following frequency
at the terminal                                          Every 2,500 PIN-based transactions or six months, whichever occurs first
Acquirer/Processor to Banknet or Banknet to Issuer PEKs  Every 2,500 PIN-based transactions or 24 hours, whichever occurs first

MasterCard strongly recommends that keys be exchanged at least every 24 hours (unless a shorter time frame is required), or by using a unique key per PIN-based transaction.

Processors must establish a new communication key with the interchange system once every three years. It is strongly recommended that processors establish a new communication key with the interchange system once a year.

Refer to the following manuals for information about static and dynamic PIN Encryption Key (PEK), also known as working key, exchange methods between members and the MDS:
- Authorization System Manual, Chapter 9 Authorization Services Details, PIN Authorization Requests, PEK Exchange Methods
- MDS Online Specifications, Chapter 6 Encryption

Key Replacement

A cryptographic key must be replaced with a new key whenever the compromise of the original key is known or suspected. It must never be possible to determine any information about the replacement key from the original key, or vice versa.

4.9 PIN Generation and Verification

Issuers are responsible for generating, storing, processing, and supporting the change of PINs. As part of its function, the issuer must support and manage the PIN through its lifecycle.

Several standardized PIN generation methods compliant with ISO 9564 allow for the verification of the PIN on platforms without the need to store the PIN. These methods eliminate the need for expanded secure storage and permit the PIN verification to be based on computing a value rather than comparing the decrypted PIN against a stored value.

Acquirers must never disclose, store, print, or expose PINs, except within a TRSM. All acquirer and INF keys must be generated and stored within the TRSM.

Refer to PIN Verification in the Authorization System Manual, Chapter 9 Authorization Services Details for more information about the MasterCard PIN verification service, in which the MDS performs PIN verification on behalf of MasterCard card issuers, and the two PIN verification methods (IBM 3624 and ABA) that the PIN verification service supports.

Refer to PIN Generation Verification in MDS Online Specifications, Chapter 6 Encryption for more information about PIN verification that the MDS performs directly for Debit MasterCard card and Maestro- and Cirrus-branded card issuers.

Component Authentication

All components actively participating in the MasterCard interchange system must authenticate each other by means of cryptographic procedures, either explicitly by a specific authentication protocol or implicitly by correct execution of a cryptographic service possessing secret information (for example, the shared key or the logon ID). A component actively participates in the MasterCard interchange system if, because of its position in the system, it can evaluate, modify, or process security-related information.

4.12 Organizational Procedures

The following areas require specific, documented procedures in place to prevent fraud and minimize risk.

Documented Procedures

Appropriate documented procedures must exist to prevent unauthorized:
- personalization of security equipment;
- replacement of hardware or software;
- key generation; and
- initial key loading.

Documented procedures also must be used and audit trails must be maintained to ensure the security and integrity of all processes related to:
- key administrative operations and loading activities;
- key transmission and conveyance processing;
- the destruction of keys or key components that have been replaced or are no longer in use. This requirement applies to keys used within any cryptographic devices that have been removed from service;
- the replacement of any known or suspected compromised key and its subsidiary keys to a value not feasibly related to the original key; and
- the initialization, deployment, use and decommission of equipment that handles keys.

Security Records

Members must keep records for all activities related to the removal from storage or loading into a TRSM of the key, key components, or related materials. The parties manufacturing or installing secure cryptographic devices or loading secure cryptographic devices with the initial keys must be responsible for maintaining up-to-date records of each device's life cycle.

4.13 Hybrid Terminal Security Standards

A hybrid terminal is a POS terminal or ATM that accepts chip cards in addition to cards that use magnetic stripe technology. For interchange operations, MasterCard requires that all hybrid terminals and devices follow these Standards:
- All hybrid terminals and devices must be EMV-compliant.
- All hybrid terminals and devices must be included on the List of Approved Chip Terminals section of the M/Chip Approved Products manual as published by MasterCard from time to time.
- All hybrid terminals and devices that read and process EMV-compliant payment applications must read and process EMV-compliant MasterCard payment applications.
- All hybrid terminals and devices must be full-grade and Terminal Integration Process (TIP)-approved.
- Acquirers of hybrid terminals and devices must comply with all applicable Standards, including but not limited to the M/Chip Functional Architecture for Debit and Credit manual.

Wireless and Internet/IP POS Terminal Security Standards

MasterCard has established security requirements for the encryption of sensitive data by POS terminals. These requirements apply to POS terminals that use wide area wireless technologies, such as general packet radio service (GPRS) and code division multiple access (CDMA), to communicate to hosts and stand-alone IP-connected terminals that link via the Internet.

All wireless POS terminals and Internet/IP-enabled POS terminals must support the encryption of transaction and cardholder data between the POS terminal and the server system with which they communicate, using encryption algorithms approved by MasterCard. If the deployed Internet/IP-enabled POS terminals are susceptible to attacks from public networks, acquirers must ensure that they are approved by the MasterCard IP POS Terminal Security (PTS) Testing Program. Internet/IP-enabled POS terminals may be submitted for security evaluation at laboratories recognized by the MasterCard IP PTS Testing Program for subsequent approval.

All acquirers deploying wireless POS terminals or Internet/IP-enabled POS terminals must refer to the following required security documents:
- POS Terminal Security Program Program Manual,
- POS Terminal Security Program Security Requirements,
- POS Terminal Security Program Derived Test Requirements,
- POS Terminal Security Program Vendor Questionnaire,
- Payment Card Industry Data Security Standard (produced by the PCI Security Standards Council), and
- Any other related security documents that MasterCard may publish from time to time.

Chapter 5 Omitted

This chapter has been omitted.

Chapter 6 Fraud Loss Control Standards

This chapter may be of particular interest to personnel responsible for fraud loss control programs, counterfeit loss procedures and reimbursement, and acquirer counterfeit liability.

6.2 Fraud Loss Control Program Standards
    Acquirer Fraud Loss Control Programs
    Acquirer Authorization Monitoring Requirements
    Acquirer Merchant Deposit Monitoring Requirements
    Recommended Additional Acquirer Monitoring
6.3 Counterfeit Card Fraud Loss Control Standards
    Counterfeit Card Notification
        Notification by Acquirer
        Failure to Give Notice

6.2 Fraud Loss Control Program Standards

To be eligible for counterfeit loss reimbursement, a member must make a good-faith attempt to demonstrate to the satisfaction of MasterCard the existence and use of meaningful controls to limit total fraud losses and losses for all fraud types. This section describes minimum requirements for issuer and acquirer fraud loss control programs.

Acquirer Fraud Loss Control Programs

An acquirer's fraud loss control program must meet the following minimum requirements, and preferably will include the recommended additional parameters.

The program must automatically generate daily fraud monitoring reports or real-time alerts. Acquirer staff trained to identify potential fraud must analyze the data in these reports within 24 hours.

To comply with the fraud loss control Standards, acquirers also must transmit complete and unaltered data in all card-read authorization request messages, and also CVC 2 for all Card Not Present (formerly MO/TO), voice, and e-commerce transactions.

Additionally, acquirers with high fraud levels must:
- Install read and display terminals in areas determined to be at high risk for fraud or counterfeit activity, or
- Install EMV chip terminals.

Acquirer Authorization Monitoring Requirements

Daily reports or real-time alerts monitoring merchant authorization requests must be generated at the latest on the day following the authorization request, and must be based on the following parameters:
- Number of authorization requests above a threshold set by the acquirer for that merchant
- Ratio of non-card-read to card-read transactions that is above the threshold set by the acquirer for that merchant
- PAN key entry ratio that is above the threshold set by the acquirer for that merchant
- Repeated authorization requests for the same amount or the same cardholder account
- Increased number of authorization requests
- Out of pattern fallback transaction volume

40 Fraud Loss Control Standards 6.2 Fraud Loss Control Program Standards Acquirer Merchant Deposit Monitoring Requirements Daily reports or real-time alerts monitoring merchant deposits must be generated at the latest on the day following the deposit, and must be based on the following parameters: Increases in merchant deposit volume Increase in a merchant s average ticket size and number of transactions per deposit Change in frequency of deposits Frequency of transactions on the same cardholder account, including credit transactions Unusual number of credits, or credit dollar volume, exceeding a level of sales dollar volume appropriate to the merchant category Large credit transaction amounts, significantly greater than the average ticket size for the merchant s sales Credits issued subsequent to the receipt of a chargeback with the same account number and followed by a second presentment Credits issued to an account number not used previously at the merchant location 90-day Rule The acquirer must compare daily deposits against the average transaction count and amount for each merchant over a period of at least 90 days, to lessen the effect of normal variances in a merchant s business. For new merchants, the acquirer should compare the average transaction count and amount for other merchants within the same card acceptor business code (MCC) assigned to the merchant. In the event that suspicious credit or refund transaction activity is identified, if appropriate, the acquirer should consider the suspension of transactions pending further investigation. 150 Percent Recommendation To optimize the effectiveness of fraud analysis staff, merchants that appear in the monitoring reports should exceed the average by 150 percent or more. 
However, the amount over the average is at the acquirer's discretion.

Recommended Additional Acquirer Monitoring

MasterCard recommends that acquirers additionally monitor the following parameters:
- Fallback methods
- Credit transactions (such as refunds) and merchant authorization reversals
- Transactions conducted at high-risk merchants
- PAN key-entry transactions exceeding ratio
- Abnormal hours or seasons
- Inactive merchants
- Transactions with no approval code
- Transactions that were declined
- Inconsistent authorization and clearing data elements for the same transactions
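The 90-day rule and the 150 percent recommendation above, as a daily deposit check in Python. This is an added example and not code from the MasterCard manual; the deposit history, the same-MCC peer figures and every function name are constructed for illustration.

```python
"""Daily deposit check implementing the 90-day rule and the 150 percent
recommendation. Added example, not MasterCard's code: the deposit figures,
the MCC peer baseline and all names here are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Deposit:
    day: date
    txn_count: int      # sales transactions in the day's deposit
    amount: float       # sales dollar volume of the day's deposit


@dataclass(frozen=True)
class Baseline:
    avg_count: float
    avg_amount: float
    source: str         # "merchant" (own history) or "mcc-peers"


def merchant_baseline(history: List[Deposit], as_of: date,
                      window_days: int = 90) -> Optional[Baseline]:
    """Average daily count and amount over the window ending the day before as_of.

    Returns None when the merchant has less than window_days of history; that is
    how this example decides the merchant is "new" and needs the MCC comparison.
    """
    start = as_of - timedelta(days=window_days)
    if not history or min(d.day for d in history) > start:
        return None
    rows = [d for d in history if start <= d.day < as_of]
    if not rows:
        return None
    return Baseline(mean(d.txn_count for d in rows),
                    mean(d.amount for d in rows), "merchant")


def evaluate_deposit(history: List[Deposit], today: Deposit,
                     peer_baseline: Optional[Baseline] = None,
                     threshold_pct: float = 150.0,
                     window_days: int = 90) -> Tuple[Optional[Baseline], List[str]]:
    """Return the baseline used and the alerts raised for today's deposit.

    A deposit is reported when its count or amount exceeds the baseline average
    by threshold_pct or more (150 percent is the recommendation; the acquirer
    may choose another value, which is why it is a parameter).
    """
    base = merchant_baseline(history, today.day, window_days)
    if base is None:
        base = peer_baseline        # new merchant: same-MCC merchants instead
    if base is None:
        return None, ["no baseline available; review manually"]
    factor = 1.0 + threshold_pct / 100.0
    alerts = []
    if today.txn_count >= base.avg_count * factor:
        alerts.append(f"transaction count {today.txn_count} vs "
                      f"{base.source} average {base.avg_count:.1f}")
    if today.amount >= base.avg_amount * factor:
        alerts.append(f"deposit amount {today.amount:.2f} vs "
                      f"{base.source} average {base.avg_amount:.2f}")
    return base, alerts


def sample_history(first_day: date, days: int, count: int,
                   amount: float) -> List[Deposit]:
    """Constructed history: steady daily deposits with a small cyclic variance."""
    return [Deposit(first_day + timedelta(days=i),
                    count + (i % 3) - 1, amount + 25.0 * ((i % 3) - 1))
            for i in range(days)]


def demo() -> dict:
    """Run the check for an established and a new merchant (constructed data)."""
    # Established merchant: a full 90 days of history, about 20 sales per day.
    established = sample_history(date(2008, 1, 1), 90, 20, 1000.0)
    base_e, spike = evaluate_deposit(established, Deposit(date(2008, 3, 31), 60, 2800.0))
    _, normal = evaluate_deposit(established, Deposit(date(2008, 3, 31), 24, 1200.0))
    # New merchant: only 10 days of history, so the same-MCC figures are used.
    new = sample_history(date(2008, 3, 21), 10, 12, 700.0)
    peers = Baseline(15.0, 900.0, "mcc-peers")
    base_n, new_alerts = evaluate_deposit(new, Deposit(date(2008, 3, 31), 40, 2300.0), peers)
    return {"established_source": base_e.source, "spike_alerts": spike,
            "normal_alerts": normal, "new_source": base_n.source,
            "new_alerts": new_alerts}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```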

Web Site Monitoring Recommendation

MasterCard recommends that acquirers use a Web site monitoring solution to review their electronic commerce (e-commerce) merchants' activity to avoid processing illegal or brand-damaging transactions.

6.3 Counterfeit Card Fraud Loss Control Standards

MasterCard actively assists law enforcement in the pursuit of organized and informal criminal groups engaged in counterfeit fraud. Although MasterCard has achieved substantial success in this area, including numerous convictions of counterfeiters and seizures of their physical plants, organized criminal elements continue to expand, with new groups emerging almost daily. In addition to implementing the fraud loss controls described in section 6.2, members must also make a good-faith attempt to limit counterfeit losses. At a minimum, issuers are required to incorporate the card security features described in Chapter 3 on all MasterCard cards, and acquirers must transmit full magnetic stripe or chip data on all POI card-read transactions.

Counterfeit Card Notification

All members must notify MasterCard immediately upon suspicion or detection of counterfeit cards.

Notification by Acquirer

An acquirer detecting or suspecting a counterfeit card bearing neither a valid BIN nor a valid member ID must immediately notify its regional Security and Risk Services representative and the issuer by phone, , or telex communication. MasterCard will add the account number to the Account Management System.

Failure to Give Notice

Failure by the acquirer or issuer to give notice within 24 hours of detecting a counterfeit card relieves MasterCard of any responsibility for any resulting loss incurred by any party failing to give notice.

Chapter 7 Merchant Screening and Monitoring Standards

This chapter may be of particular interest to member personnel responsible for screening and monitoring merchants.

7.1 Screening New Merchants
  Evidence of Compliance with Screening Procedures
  Retention of Investigative Records
  Assessments for Noncompliance with Screening Procedures
  Screening Limitations
7.2 Ongoing Merchant Monitoring and Education
  Merchant Monitoring
  Additional Requirements for Certain Merchant Categories
  Merchants Alleged to Sell Products that Infringe on Intellectual Property Rights
  Noncompliance Assessments
  Merchant Education

7.1 Screening New Merchants

Before signing a merchant agreement, each member must verify that the merchant from which it intends to acquire MasterCard transactions is a valid business, as described in section 9.2 of the MasterCard Rules manual. Such verification must include at least all of the following:
- Credit check, background investigations, and reference checks of the merchant. If the credit check of the merchant raises questions, the member also should conduct a credit check of:
  a. The owner, if the merchant is a sole proprietor; or
  b. The partners, if the merchant is a partnership; or
  c. The principal shareholders, if the merchant is a corporation.
- Inspection of the premises and records to ensure the merchant has the proper facilities, equipment, inventory, agreements, and personnel required and, if necessary, license or permit and other capabilities to conduct the business. If the merchant has more than one outlet, the member must inspect at least one outlet from which it will acquire MasterCard transactions.
- Inquiry to the MasterCard Member Alert to Control High-risk Merchants (MATCH) system.
- Investigation of the merchant's previous merchant agreements.

No member financial institution is exempt from participation in the MATCH system.

A member is not required to conduct a credit check of a public or private company that has annual sales revenue in excess of USD 50 million (or the foreign currency equivalent), provided the member reviews, and finds satisfactory for purposes of the acquiring being considered, the most recent annual report of the merchant, including audited financial statements. A private company that does not have a recent audited financial statement is subject to a credit check and inspection even if its annual sales revenue exceeds USD 50 million.

Evidence of Compliance with Screening Procedures

As evidence that the member is in compliance with the screening requirements set forth in this chapter, MasterCard requires, at a minimum, the following information:
- A report from a credit bureau, or, if the credit bureau report is incomplete or unavailable, the written results of additional financial and background checks of the business, its principal owners, and officers
- A written inspection report of the merchant premises, including verification by the inspector that the merchant is conducting business in accordance with its agreement; that the merchant, if required, has a valid license or permit; and that staff and stock levels are adequate
- Proof of the member's inquiry into the MATCH system, including a copy of the inquiry record
- A statement from the merchant about previous payment card merchant agreements, including the name(s) of the entity(ies) where the merchant has or had the agreement(s) and the reason(s) for terminating the agreement(s), if applicable

Retention of Investigative Records

The acquirer must retain all records concerning the investigation of any merchant with which it has entered into a merchant agreement for a minimum of two years after the date the agreement is terminated.
MasterCard recommends that acquirers retain the following records as a best practice:
- Signed merchant agreement
- Previous merchant statements
- Corporate or personal banking statements
- Credit reports
- Site inspection report, to include photographs of premises, inventory verification, and the name and signature of the inspector of record
- Merchant certificate of incorporation, licenses, or permits
- Verification of references, including personal, business, or financial
- Verification of the authenticity of the supplier relationship for the goods or services (invoice records) that the merchant is offering the cardholder for sale
- Date-stamped MATCH inquiry records
- Date-stamped MATCH addition record
- All member correspondence with the merchant
- All correspondence relating to issuer, cardholder, or law enforcement inquiries concerning the merchant or any associated Member Service Provider (MSP)
- Signed MSP contract, including the name of agents involved in the due diligence process
- Acquirer due diligence records concerning the MSP and its agents

MasterCard recommends that acquirers retain these records to verify compliance in the event of an audit, according to section

Assessments for Noncompliance with Screening Procedures

MasterCard may audit an acquirer for compliance with merchant screening procedures, and each member must comply with and assist any such audit. MasterCard will review the applicable records retained by the acquirer to determine whether an acquirer has complied with merchant screening procedures. If MasterCard determines that an acquirer has not complied with merchant screening procedures, and if the acquirer does not correct all deficiencies that gave rise to the violation to the satisfaction of MasterCard within 30 days of knowledge or notice of such deficiencies, MasterCard may assess the acquirer up to USD 100,000 for each 30-day period following the aforementioned period, with a maximum aggregate assessment of USD 500,000 during any consecutive 12-month period. Any such assessment(s) will be in addition to any other financial responsibility that the acquirer may incur, as set forth in the Standards. Violators will also be subject to chargebacks of fraudulent transactions.

Failure to inquire to the MATCH system before signing a merchant agreement may result in an assessment of up to USD 5,000 for each instance of noncompliance.

Screening Limitations

Screening merchants, as required by the Standards, does not relieve a member from the responsibility of following good commercial banking practices. The review of an annual report or an audited statement, for example, might suggest the need for further inquiry.

7.2 Ongoing Merchant Monitoring and Education

Once a merchant agreement is established, an acquirer must institute an ongoing relationship of fraud prevention, including an education process consisting of periodic visits to merchants, distribution of related educational literature, and participation in merchant seminars.
The acquirer must regularly, as reasonably appropriate in light of all circumstances, review and monitor the merchant's Web site(s) and business activities to confirm, and to reconfirm regularly, that any merchant activity related to or using a MasterCard mark is conducted in a legal and ethical manner and in full compliance with the Standards. As a best practice, MasterCard recommends that acquirers use a Web site monitoring solution to review their electronic commerce (e-commerce) merchants' activity to avoid processing illegal or brand-damaging transactions.

Merchant Monitoring

An acquirer must monitor each of its merchants' MasterCard transaction activity (sales, credits, and chargebacks) in an effort to deter fraud. Monitoring must focus on changes in activity over time, activity inconsistent with the merchant's business, or exceptional activity relating to the number of transactions and transaction amounts outside the normal fluctuation related to seasonal sales. Specifically, ongoing monitoring includes, but is not limited to, the acquirer fraud loss controls relating to merchant deposit (including credits) and authorization activity described in section

Additional Requirements for Certain Merchant Categories

Acquirers of key-entry telecom merchants, electronic commerce adult content (videotext) merchants, Internet gambling merchants, non-face-to-face prescription drug and tobacco merchants, and merchants identified under the Excessive Chargeback Program must comply with the merchant registration and monitoring requirements of the MasterCard Registration Program (MRP) for each such merchant, as described in Chapter 9. A member that acquires for a merchant in any of the categories listed above, or for merchants alleged to sell products that infringe on intellectual property rights, must actively monitor its ongoing compliance with the financial soundness and risk requirements as described in section 2.7 of the MasterCard Rules manual and in the Global Risk Management Policies and Procedures booklet.

Merchants Alleged to Sell Products that Infringe on Intellectual Property Rights

From time to time, a person may notify MasterCard that a merchant is alleged to infringe the intellectual property rights of such person. In such event, MasterCard may notify the acquirer for such merchant of the allegation.
Within 30 days of receipt of such notice by MasterCard, the acquirer(s) must conduct an investigation of the allegation and provide a thorough and reasonably detailed response to such allegation both to MasterCard and to the person who alleged the infringement. For clarity, the term "acquiring", as used in section 7.2.2, is "acquiring business" as such term is used in Rule 1.1 of the rules portion of the MasterCard Rules manual.

Noncompliance Assessments

Failure of an acquirer to comply with section shall subject the acquirer to a noncompliance assessment of up to USD 5,000, plus up to USD 1,000 per day until compliance is achieved.

An acquirer that has acquired transactions for a merchant that has infringed on the intellectual property rights of another is subject, at MasterCard's discretion, to any one or more of the following:
- A Risk Assessment Management Program (RAMP) Level 3 review
- An audit, by a third party acceptable to MasterCard, of the acquirer's acquiring practices
- Noncompliance assessments up to USD 100,000, other disciplinary action, or both

Merchant Education

Once an acquiring relationship is established, an acquirer must institute a fraud prevention program, including an education process consisting of periodic visits to merchants, distribution of related educational literature, and participation in merchant seminars. Instructions to merchants must include card acceptance procedures, use of the Electronic Warning Bulletin file or Warning Notice, authorization procedures including Code 10 procedures, proper completion of transaction information documents (TIDs) (including primary account number [PAN] truncation), timely presentment of the transaction to the acquirer, and proper handling pursuant to card capture requests.

Members must thoroughly review with merchants the Standards against the presentment of fraudulent transactions. In addition, members must review the data security procedures to ensure that only appropriate card data is stored, magnetic stripe data is never stored, and any storage of data is done in accordance with the Standards for encryption, transaction processing, and other prescribed practices.

Chapter 8 Merchant Fraud Control Programs

This chapter may be of particular interest to member personnel responsible for identifying merchant violations.

8.1 Presenting Valid Transactions
  Notifying MasterCard: Acquirer Responsibilities
  Notifying MasterCard: Issuer Responsibilities
  MasterCard Audit
  Initiation of MasterCard Audit
  Information Required by MasterCard
  Notification to Members of Chargeback Period
8.2 Merchant Audit Program
8.3 Excessive Counterfeit Merchant Program
8.4 Global Merchant Audit Program
  Acquirer Responsibilities
  Tier 3 Special Merchant Audit
  Chargeback Responsibility
  Exclusion from the Global Merchant Audit Program
  Systematic Exclusions
  Exclusion after GMAP Identification
  Notification of Merchant Identification
  Distribution of Reports
Merchant Online Status Tracking (MOST) System
  MOST Mandate
  MOST Registration
Acquirer Fraud and Chargeback Liability Program
Excessive Chargeback Program
  Definitions
  Reporting Requirements
  Chargeback-Monitored Merchant Reporting Requirements
  CMM Report Contents
  Late CMM Report Submission Assessment
  Excessive Chargeback Merchant Reporting Requirements
  ECM Report Contents
  Late ECM Report Submission Assessment
  Assessments

  ECP Assessment Calculation
  Issuer Reimbursement
Cardholder-Merchant Collusion (CMC) Program
  Issuer Notification to MasterCard
  MasterCard Audit
  Acquirer Investigation and Response
  Merchant Termination
  MasterCard Notification to Issuers
  Issuer Obligation to Assist in MasterCard Audit
  MasterCard Evaluation
  MasterCard Post-Audit Procedures
  Issuer Post-Audit Reporting Procedures
  Issuer Recovery Claim Filing Process
  Form for Issuer Recovery Claim Filing Under the CMC Program
  Required Acknowledgement

8.1 Presenting Valid Transactions

A merchant must present to its acquirer only valid transactions between itself and a bona fide cardholder. A merchant must not present a transaction that it knows or should have known to be fraudulent or not authorized by the cardholder, or authorized by a cardholder who is in collusion with the merchant for a fraudulent purpose. Within the scope of this rule, the merchant is responsible for the actions of its employees.

Notifying MasterCard: Acquirer Responsibilities

An acquirer must immediately notify Merchant Fraud Control staff in writing when, in regard to a merchant with whom it has entered into a merchant agreement:
- The acquirer may have reason to believe that the merchant is engaging in collusive or otherwise fraudulent or inappropriate activity, or
- The acquirer determines that the merchant's ratio of chargebacks or credits to sales exceeds criteria established by MasterCard.

An acquirer must accept chargebacks for all fraudulent transactions that took place during the period when the merchant was in violation of section of the MasterCard Rules manual. Moreover, if an acquirer fails to identify and declare a merchant in violation of the Standard, MasterCard may do so after an audit of the member's merchant file and records.

Notifying MasterCard: Issuer Responsibilities

If an issuer becomes aware of any merchant in violation of section of the MasterCard Rules manual, through cardholder complaints or otherwise, the issuer must immediately notify Merchant Fraud Control staff at the address and fax number provided in Appendix D.

MasterCard Audit

MasterCard, in its sole discretion, and either itself or by use of a third party, may conduct an audit of an acquirer's merchant files and records to determine whether the merchant is a questionable merchant. Merchant Fraud Control staff will notify the acquirer of a decision to conduct such an audit.
An acquirer and its merchants must cooperate fully. During the audit, MasterCard may list the merchant on the Member Alert to Control High-risk Merchants (MATCH) system under MATCH reason code 00 (Questionable Merchant).

In the course of the audit, staff will develop allegations from any available sources, including, but not limited to, internal studies, analyses, member input and complaints, and information derived from compliance actions regarding activities by merchants that would raise serious concerns as to whether such merchants have caused to be entered into interchange transactions that the merchants knew or should have known were fraudulent or resulted in excessive costs to the industry. It is the obligation of the acquirer to monitor each merchant closely. MasterCard may assess the acquirer for costs and expenses incurred related to the audit.

Initiation of MasterCard Audit

If MasterCard suspects that a merchant may be in violation of section of the MasterCard Rules manual, MasterCard will send a letter to the Security Contact listed in the Member Information Manual. The Security Contact is responsible for distributing the letter to the person responsible for the acquirer's merchant audit programs. The letter explains why MasterCard is conducting the audit and the assessments associated with violations of section

Members must return the requested information to Merchant Fraud Control for each merchant listed in the letter within 30 calendar days of the date of the cover letter.

Information Required by MasterCard

The following is a list of some of the items that MasterCard may require acquirers to provide during the course of an audit, initiated by MasterCard to determine whether an acquirer's merchant was in violation of section of the MasterCard Rules manual:
1. A detailed statement of facts explaining whether, when, and how the member became aware of fraudulent activity or chargeback or customer service issues, the steps taken by the member to control the occurrence of fraud, and the circumstances surrounding the merchant's termination.
2. All internal documents about the opening and signing of the merchant, including its application, merchant agreement, credit report, and certified site inspection report. (The acquirer should include the merchant's opening and closing dates.)
3. All internal member documents regarding the due diligence procedures followed before signing the merchant, including background checks of the company and its principals, and the telephone logs for trade and bank references that the member verified during the due diligence procedure.
4. Internal reports, where applicable, confirming inquiry by the member into the MATCH system before signing the merchant and, if applicable, input of the merchant to the MATCH system database within five business days after its decision to close the merchant as specified in these rules.

If a Member Service Provider (MSP) of an acquirer facilitates the signing of a merchant, the MSP must include the due diligence documents. (If an MSP facilitates the signing of a merchant for an acquirer, the acquirer must distinguish between the due diligence conducted by its employees and by its MSP's employees. This rule applies only to members in the U.S. region.) Additionally, if an acquirer's MSP assisted in the signing of the merchant, the member must provide all MSP due diligence documents regarding the representative that signed the merchant.

Staff will establish an audit (review) period for which the member must provide the following supporting documentation:
1. Authorization logs for the merchant.
2. If requested to do so, the acquirer must provide a monthly breakdown of chargebacks and credits by count, amount, and issuer bank identification number (BIN) for the suspected violation period, as specified by MasterCard.
3. A complete record of the merchant sales volume, including the number of transactions at the location, for the period for which MasterCard requests the authorization logs. Members outside the U.S. region that do not report their local fraud to the System to Avoid Fraud Effectively (SAFE) may not include local sales in the merchant's sales volume.

MasterCard may require the member to provide additional information deemed relevant to the audit. In the event that a member refuses to disclose information requested by MasterCard, MasterCard may, in its sole discretion for the purpose of the audit, presume that the information would not be favorable to the acquirer and declare the merchant in violation of section of the MasterCard Rules manual.

Notification to Members of Chargeback Period

If MasterCard determines that a merchant is a questionable merchant, MasterCard will publish a Global Security Bulletin identifying the merchant and specifying the appropriate chargeback period.
The issuer has 120 calendar days from the date of the Global Security Bulletin to charge back transactions to the acquirer (using IPM message reason code 4849, Questionable Merchant Activity). In the case of transactions occurring after the date of the Global Security Bulletin, but within the dates specified, the issuer has 120 calendar days from the date of the transaction to charge back the transactions. The issuer must include the number of the Global Security Bulletin (for example, "Global Security Bulletin No. XXX") in the Data Record Text (IPM Data Element 72) when processing the chargeback.

8.2 Merchant Audit Program

MasterCard replaced this program with the Global Merchant Audit Program (GMAP). Please proceed to section 8.4 of this manual for details about the GMAP.

8.3 Excessive Counterfeit Merchant Program

MasterCard replaced this program with the Global Merchant Audit Program (GMAP). Please proceed to section 8.4 of this manual for details about the GMAP.

8.4 Global Merchant Audit Program

The Global Merchant Audit Program (GMAP) uses a rolling six months of data to identify merchant locations that, in any calendar month, meet the criteria set forth in Table 8.1.

Table 8.1 Fraud Criteria for Global Merchant Audit Program Tier Classification

A merchant location is classified in the GMAP tier shown below if, in any calendar month, the merchant location meets all of the fraud criteria listed for that tier.

Tier 1 (Informational Fraud Alert):
  - Three fraudulent transactions
  - At least USD 3,000 in fraudulent transactions
  - A fraud-to-sales dollar volume ratio minimum of 3% and not exceeding 4.99%

Tier 2 (Suggested Training Fraud Alert):
  - Four fraudulent transactions
  - At least USD 4,000 in fraudulent transactions
  - A fraud-to-sales dollar volume ratio minimum of 5% and not exceeding 7.99%

Tier 3 (High Fraud Alert):
  - Five fraudulent transactions
  - At least USD 5,000 in fraudulent transactions
  - A fraud-to-sales dollar volume ratio minimum of 8%

NOTE: If a merchant location is identified in multiple tiers during any rolling six-month period, GMAP will use the highest tier for the merchant identification. If a merchant has more than one location (or outlet), the program criteria apply to each location independently.

Acquirer Responsibilities

MasterCard will notify an acquirer of the identification of a Tier 1, Tier 2, or Tier 3 merchant via the Merchant OnLine Status Tracking (MOST) tool. GMAP merchant identifications are provided for information only and no acquirer response is necessary. If MasterCard notifies an acquirer via MOST that a Tier 3 special merchant audit has been initiated, the acquirer must respond as described in section

When a merchant is identified in Tier 1, Tier 2, or Tier 3, the acquirer should evaluate the fraud control measures and merchant training procedures in place for the merchant. MasterCard strongly recommends that the acquirer act promptly to correct any identified deficiencies. Suggested enhancements are described in the GMAP Best Practices Guide for Acquirers and Merchants to Control Fraud.

MasterCard, in its sole discretion, may conduct an audit to determine whether a merchant location is in violation of Rule , Valid and Invalid Transactions, of the MasterCard Rules (a "questionable merchant"), as described in section 8.1.3, and may assign chargeback liability.

Tier 3 Special Merchant Audit

If GMAP identifies a merchant location in Tier 3, MasterCard will determine whether to initiate an audit of the merchant location (a "Tier 3 special merchant audit"). If MasterCard decides to conduct a Tier 3 special merchant audit, the audit will proceed as follows:
1. MasterCard notifies the acquirer. The acquirer will receive notification from MasterCard, through MOST, that a Tier 3 special merchant audit has been initiated.
2. Acquirer response due within the 30-day response period. No later than 30 days after the Tier 3 special merchant audit notification date (the "30-day response period"), the acquirer must respond to the audit notification through MOST by either:
  a. Notifying MasterCard that the acquirer has terminated the merchant (if the acquirer determines that the merchant must be reported to the MATCH system, the acquirer may do so through MOST), or
  b. Completing the online questionnaire, if the acquirer did not terminate the merchant. This questionnaire is used to inform MasterCard of 1) any exceptional or extenuating circumstances pertaining to the identified merchant's fraud and 2) the fraud control measures in place at the merchant location.
  Upon review of the completed online questionnaire, MasterCard, at its sole discretion, may:
  - Grant the merchant location an exclusion for the merchant identification, or
  - Provide the acquirer with the opportunity to implement additional fraud control measures (the "fraud control action plan"), as directed by MasterCard, at the merchant location, or
  - Assign chargeback responsibility to the acquirer for the merchant location.
3. Fraud control action plan required within the 90-day action period. If MasterCard requires the acquirer to implement a fraud control action plan, MasterCard will provide the plan to the acquirer through MOST. The acquirer has 90 days from the first day of the month following the month in which the merchant was identified in GMAP (the "90-day action period") to take all required actions, including but not limited to confirmation that such fraud control action plan has taken effect. MasterCard may extend the 90-day action period at its sole discretion.

For acquirers that implement a fraud control action plan, the identified merchant is again eligible to be newly identified in GMAP commencing on the sixth month following the month in which the merchant was first identified in GMAP. Fraudulent transactions reported to SAFE will be reviewed under the program commencing on the fourth and fifth months following the month in which the merchant was first identified in GMAP, and will continue incrementally thereafter until the merchant resumes a six-month rolling review period, provided the merchant does not exceed the GMAP Tier 1, 2, or 3 thresholds.

The acquirer of a merchant subject to a Tier 3 special merchant audit must provide satisfactory documentation to substantiate that reasonable controls to combat fraud have been implemented, including implementation of a MasterCard-directed fraud control action plan. Refer to Figure 8.1 for a sample timeline of a Tier 3 special merchant audit.

[Figure 8.1 Tier 3 Special Merchant Audit Sample Timeline: figure not reproduced in this text]

Chargeback Responsibility

MasterCard will review each merchant location subject to a Tier 3 special merchant audit on a case-by-case basis and determine, at the sole discretion of MasterCard, whether a chargeback liability period is applicable. The chargeback liability period is six months and begins on the first day of the fourth month following the GMAP Tier 3 identification. MasterCard, at its sole discretion, may extend the chargeback liability period to 12 months. MasterCard reserves the right to list the merchant name, location, and chargeback liability period of any Tier 3 merchant in a Global Security Bulletin.
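The Table 8.1 tier criteria from section 8.4 and the chargeback liability period described above, as an added Python example that is not code from the MasterCard manual. The monthly fraud figures are constructed, and the way the table's wording is read (all three criteria per tier, counts read as "at least", "not exceeding 4.99%" read as below 5%) is an assumption stated in the code.

```python
"""GMAP tier classification per Table 8.1 and the Tier 3 chargeback liability
period. Added example, not MasterCard's code; the monthly figures are
constructed and the reading of the table stated in gmap_tier() is an assumption."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MonthlyFraud:
    month: str          # "YYYY-MM", constructed label
    fraud_count: int    # fraudulent transactions reported to SAFE for the month
    fraud_usd: float    # USD value of those transactions
    sales_usd: float    # total sales dollar volume for the month


def fraud_ratio_pct(fraud_usd: float, sales_usd: float) -> float:
    """Fraud-to-sales dollar volume ratio in percent (0 when there are no sales)."""
    return 0.0 if sales_usd <= 0 else 100.0 * fraud_usd / sales_usd


def gmap_tier(fraud_count: int, fraud_usd: float, sales_usd: float) -> Optional[int]:
    """Tier (1, 2 or 3) for one calendar month, or None if no tier is met.

    Assumed reading of Table 8.1: all three criteria of a tier must hold,
    "Three fraudulent transactions" means at least three, and "not exceeding
    4.99%" means a ratio below 5%. The ratio bands do not overlap, so a month
    matches at most one tier; checks run from Tier 3 downwards.
    """
    ratio = fraud_ratio_pct(fraud_usd, sales_usd)
    if fraud_count >= 5 and fraud_usd >= 5000 and ratio >= 8.0:
        return 3
    if fraud_count >= 4 and fraud_usd >= 4000 and 5.0 <= ratio < 8.0:
        return 2
    if fraud_count >= 3 and fraud_usd >= 3000 and 3.0 <= ratio < 5.0:
        return 1
    return None


def classify_location(months: List[MonthlyFraud], window: int = 6) -> Optional[int]:
    """Highest tier met in any of the last `window` months (the rolling review),
    following the note that the highest tier is used when several are met."""
    tiers = [gmap_tier(m.fraud_count, m.fraud_usd, m.sales_usd) for m in months[-window:]]
    met = [t for t in tiers if t is not None]
    return max(met) if met else None


def _add_months(year: int, month: int, n: int) -> Tuple[int, int]:
    """(year, month) that is n calendar months after (year, month)."""
    idx = year * 12 + (month - 1) + n
    return idx // 12, idx % 12 + 1


def chargeback_liability_period(year: int, month: int, months: int = 6) -> Tuple[str, str]:
    """First and last day (ISO) of the chargeback liability period for a Tier 3
    identification made in the given month: it starts on the first day of the
    fourth month following identification and runs six months (12 if extended)."""
    y, m = _add_months(year, month, 4)
    start = date(y, m, 1)
    y_end, m_end = _add_months(y, m, months)
    end = date(y_end, m_end, 1) - timedelta(days=1)
    return start.isoformat(), end.isoformat()


def sample_months() -> List[MonthlyFraud]:
    """Constructed SAFE figures for one merchant location, oldest first."""
    return [
        MonthlyFraud("2007-09", 1, 800.0, 50000.0),     # below every tier
        MonthlyFraud("2007-10", 3, 3200.0, 100000.0),   # 3.2%  -> Tier 1
        MonthlyFraud("2007-11", 2, 2500.0, 40000.0),    # only two transactions
        MonthlyFraud("2007-12", 4, 4800.0, 70000.0),    # 6.86% -> Tier 2
        MonthlyFraud("2008-01", 1, 400.0, 40000.0),
        MonthlyFraud("2008-02", 5, 5500.0, 55000.0),    # 10%   -> Tier 3
        MonthlyFraud("2008-03", 0, 0.0, 40000.0),
    ]


if __name__ == "__main__":
    months = sample_months()
    print("rolling six-month tier:", classify_location(months))
    print("tier through January:", classify_location(months[:5]))
    print("liability period after a Feb 2008 Tier 3:", chargeback_liability_period(2008, 2))
```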


France - Domestic Interchange Fees France - Domestic Interchange Fees Consumer Card Interchange Fees Valid From: 1-Mar-19 Payment Product Fee Tier General Bill Payment and Government (4) Mastercard Consumer Credit Low Value Payments (1)

More information

Secure Payment Transactions based on the Public Bankcard Ledger! Author: Sead Muftic BIX System Corporation

Secure Payment Transactions based on the Public Bankcard Ledger! Author: Sead Muftic BIX System Corporation Secure Payment Transactions based on the Public Bankcard Ledger! Author: Sead Muftic BIX System Corporation sead.muftic@bixsystem.com USPTO Patent Application No: 15/180,014 Submission date: June 11, 2016!

More information

Chargeback Guide. 20 November 2017

Chargeback Guide. 20 November 2017 Chargeback Guide 20 November 2017 TB Summary of Changes, 20 November 2017 Summary of Changes, 20 November 2017 This document reflects changes made since the last publication. Description of Change AN 1193

More information

RentWorks Version 4 Credit Card Processing (CCPRO) User Guide

RentWorks Version 4 Credit Card Processing (CCPRO) User Guide RentWorks Version 4 Credit Card Processing (CCPRO) User Guide Table of Contents Overview... 2 Retail Processing Method... 3 Auto Rental Method... 4 How to Run a Draft Capture... 5 Draft Capture Failures.....6

More information

A to Z Jargon buster. Call +44 (0) to discuss your upgrade options

A to Z Jargon buster. Call +44 (0) to discuss your upgrade options A to Z Jargon buster Call +44 (0) 844 209 4370 to discuss your upgrade options www.pxp-solutions.com sales@pxp-solutions.com twitter: @pxpsolutions Are you trying to navigate your way around what can seem

More information

Administration and Department Credit Card Policy

Administration and Department Credit Card Policy Administration and Department Credit Card Policy Updated February 29, 2016 CONTENTS Purpose PCI DSS Scope/Applicability Authority Securing Credit Card Data Policy Glossary Page 2 of 5 PURPOSE As a department

More information

OPERATING RULES AND REGULATIONS

OPERATING RULES AND REGULATIONS OPERATING RULES AND REGULATIONS related information may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording, or otherwise) without the prior written permission of

More information

Terminal Servicers. Frequently Asked Questions. 28 March 2018

Terminal Servicers. Frequently Asked Questions. 28 March 2018 Terminal Servicers Frequently Asked Questions 28 March 2018 Notices Following are policies pertaining to proprietary rights and trademarks. Proprietary Rights The information contained in this document

More information

EMV Chargeback Best Practices

EMV Chargeback Best Practices EMV Chargeback Best Practices Version 1.1 Date: April 2017 U.S. Payments Forum 2017 Page 1 About the U.S. Payments Forum The U.S. Payments Forum, formerly the EMV Migration Forum, is a cross-industry body

More information

Payment Card Acceptance Administrative Policy

Payment Card Acceptance Administrative Policy Administrative Procedure Approved By: Brandon Gilliland, AVP for Finance and Controller Effective Date: January 15, 2016 History: Approval Date: September 25, 2014 Revisions: December 15, 2015 Type: Administrative

More information

Credit Card Handling Security Standards

Credit Card Handling Security Standards Credit Card Handling Security Standards Overview This document is intended to provide guidance regarding the processing of charges and credits on credit and/or debit cards. These standards are intended

More information

UPCOMING SCHEME CHANGES

UPCOMING SCHEME CHANGES UPCOMING SCHEME CHANGES MERCHANTS/PARTNERS/ISO COPY Payvision Ref: Payvision-Upcoming Scheme Changes (v1.0)-august 2016 1 Rights of use: COMPLYING WITH ALL APPLICABLE COPYRIGHT LAWS IS THE RESPONSABILITY

More information

CASH MANAGEMENT SCHEDULE WIRE TRANSFER SERVICES ON SANTANDER TREASURY LINK

CASH MANAGEMENT SCHEDULE WIRE TRANSFER SERVICES ON SANTANDER TREASURY LINK CASH MANAGEMENT SCHEDULE WIRE TRANSFER SERVICES ON SANTANDER TREASURY LINK This Schedule is entered into by and between Santander Bank, N.A. (the Bank ) and the customer identified in the Cash Management

More information

UNL PAYMENT CARD POLICIES AND PROCEDURES. Table of Contents

UNL PAYMENT CARD POLICIES AND PROCEDURES. Table of Contents UNL PAYMENT CARD POLICIES AND PROCEDURES Table of Contents Payment Card Merchant Security Standards Policy and Procedures... 2 Introduction... 4 Payment Card Industry Data Security Standard... 4 Definitions...

More information

ECSG SEPA CARDS STANDARDISATION (SCS) VOLUME STANDARDS REQUIREMENTS

ECSG SEPA CARDS STANDARDISATION (SCS) VOLUME STANDARDS REQUIREMENTS ECSG001-17 01.03.2017 (Vol Ref. 8.6.00) SEPA CARDS STANDARDISATION (SCS) VOLUME STANDARDS REQUIREMENTS BOOK 6 IMPLEMENTATION GUIDELINES Payments and Cash Withdrawals with Cards in SEPA Applicable Standards

More information

CASH HANDLING. These procedures apply to any individual handling or processing University or Auxiliary Organization cash or cash equivalents.

CASH HANDLING. These procedures apply to any individual handling or processing University or Auxiliary Organization cash or cash equivalents. PURPOSE To provide procedures and guidance for accepting cash and cash equivalents, providing physical and electronic security of cash and cash equivalents and ensuring appropriate segregation of duties

More information

UPCOMING SCHEME CHANGES

UPCOMING SCHEME CHANGES UPCOMING SCHEME CHANGES MERCHANTS/PARTNERS/ISO COPY Payvision Ref: Payvision-Upcoming Scheme Changes (v1.0)-october 2015 Page 1 Rights of use: COMPLYING WITH ALL APPLICABLE COPYRIGHT LAWS IS THE RESPONSABILITY

More information

CREDIT CARD PROCESSING AND SECURITY

CREDIT CARD PROCESSING AND SECURITY CREDIT CARD PROCESSING AND SECURITY POLICY NUMBER: RESERVED FOR FUTURE USE RESPONSIBLE OFFICIAL TITLE: SENIOR VICE PRESIDENT FOR ADMINISTRATION AND FINANCE RESPONSIBLE OFFICE: ADMINISTRATION AND FINANCE

More information

Universal APPLICATION FOR MERCHANT CARD PROCESSING ISO/ISA

Universal APPLICATION FOR MERCHANT CARD PROCESSING ISO/ISA Universal APPLICATION FOR MERCHANT CARD PROCESSING ISO/ISA An application must be completed for each merchant that is applying for bankcard processing. If an applicant has more than one business, using

More information

Event Merchant Card Services

Event Merchant Card Services Event 317 - Merchant Card Services Statement of Work A. Overview: It is the intent of the Bexar County Tax Assessor-Collector to solicit proposals to establish a contract with a vendor to provide merchant

More information

BUSINESS POLICY. TO: All Members of the University Community 2016:07. Credit Card Processing and Security Policy (Supersedes Policy 2009:05 & 2012:12)

BUSINESS POLICY. TO: All Members of the University Community 2016:07. Credit Card Processing and Security Policy (Supersedes Policy 2009:05 & 2012:12) BUSINESS POLICY TO: All Members of the University Community 2016:07 DATE: February 2016 Credit Card Processing and Security Policy (Supersedes Policy 2009:05 & 2012:12) Contents Section 1 Scope...2 Section

More information

PREPAID CARD GLOSSARY

PREPAID CARD GLOSSARY PREPAID CARD GLOSSARY ACH Remitter: The bank that receives the electronic funds transfer via Automated Clearing House (ACH) to load funds to a prepaid card. A known remitter is one that is logged in the

More information

Credit Card Processing Best Practices

Credit Card Processing Best Practices Credit Card Processing Best Practices We are a merchant service provider dedicated to facilitating the passage of your sales tickets back to the thousands of institutions that issue the MasterCard (including

More information

PCI Training. If your department processes credit card information, it is CRITICAL that you understand the importance of protecting this data.

PCI Training. If your department processes credit card information, it is CRITICAL that you understand the importance of protecting this data. PCI Training This training is to assist you in understanding the policies at Appalachian that govern credit card transactions and to meet the PCI DSS Standards for staff training to prevent identity theft.

More information

EQUA BANK PRODUCT TERMS AND CONDITIONS FOR DEBIT PAYMENT CARDS 1. INTRODUCTORY PROVISIONS

EQUA BANK PRODUCT TERMS AND CONDITIONS FOR DEBIT PAYMENT CARDS 1. INTRODUCTORY PROVISIONS EQUA BANK PRODUCT TERMS AND CONDITIONS FOR DEBIT PAYMENT CARDS 1. INTRODUCTORY PROVISIONS 1.1. Scope and changes 1.1.1. These product terms and conditions for debit cards (hereinafter the "Conditions for

More information

Terms and Conditions of the International Merchant Agreement

Terms and Conditions of the International Merchant Agreement Terms and Conditions of the International Merchant Agreement Page 1 of 12 Version 3.0 150326 Contents 1.Definitions... 3 Acquirer... 3 Acquiring Services... 3 Banking Day... 3 Card... 3 Card Account Number...

More information

General Conditions for issuance and use of Visa Credit Cards with chip of Komercijalna Banka AD Skopje for individuals 1

General Conditions for issuance and use of Visa Credit Cards with chip of Komercijalna Banka AD Skopje for individuals 1 General Conditions for issuance and use of Visa Credit Cards with chip of Komercijalna Banka AD Skopje for individuals 1 Basic and General Rules for issuance and use of Visa Credit Cards with chip of Komercijalna

More information

NATIONAL PAYMENT AND SETTLEMENT SYSTEMS DIVISION

NATIONAL PAYMENT AND SETTLEMENT SYSTEMS DIVISION NATIONAL PAYMENT AND SETTLEMENT SYSTEMS DIVISION MINIMUM STANDARDS FOR ELECTRONIC PAYMENT SCHEMES ADOPTED SEPTEMBER 2010 Central Bank of Swaziland Minimum standards for electronic payment schemes Page

More information

Chargebacks 101. Do draft retrievals result in upfront debits? No, draft retrievals are non-monetary.

Chargebacks 101. Do draft retrievals result in upfront debits? No, draft retrievals are non-monetary. Chargebacks 101 Can a telephone recording of a conversation with the cardholder be accepted as evidence that the cardholder no longer disputes? Unfortunately, the networks are not able to accept telephone

More information

ANZ MERCHANT BUSINESS SOLUTIONS

ANZ MERCHANT BUSINESS SOLUTIONS ANZ MERCHANT BUSINESS SOLUTIONS MERCHANT OPERATING GUIDE OCTOBER 2017 CONTENTS Getting Started 1 Welcome to ANZ 1 How to Contact Us 1 Your Key Responsibilities 2 Which Cards Should You Accept? 3 Security

More information

RETAIL SPECIFIC NEWS Keeping you in the know

RETAIL SPECIFIC NEWS Keeping you in the know Autumn 2014 EDITION RETAIL SPECIFIC NEWS Keeping you in the know Important Information -- Please keep in in a safe place This Edition of Retail Specific Card Scheme Updates Tel: 0845 702 3344 Card Scheme

More information

OLD DOMINION UNIVERSITY PCI SECURITY AWARENESS TRAINING OFFICE OF FINANCE

OLD DOMINION UNIVERSITY PCI SECURITY AWARENESS TRAINING OFFICE OF FINANCE OLD DOMINION UNIVERSITY PCI SECURITY AWARENESS TRAINING OFFICE OF FINANCE August 2017 WHO NEEDS PCI TRAINING? THE FOLLOWING TRAINING MODULE SHOULD BE COMPLETED BY ALL UNIVERSITY STAFF THAT: - PROCESS PAYMENTS

More information

Payment Card Security Policy

Payment Card Security Policy Responsible University Administrator: Vice President for Finance and Administration Responsible Officer: Director of Student Financial Services Origination : 4/1/2016 Current Revision : N/A Next Review

More information

Spring Mandate Updated

Spring Mandate Updated Spring Mandate 2011 - Updated ** As a result of the Mandate Q&A Sessions held last week, this documentation has been updated to clarify any questions and to provide additional information. Changes have

More information

Indiana University Payment Card Merchant Agreement

Indiana University Payment Card Merchant Agreement Indiana University Payment Card Merchant Agreement This Merchant Agreement (the Agreement ), executed on the date stated below, which includes any schedule or addendum to this Agreement, all of which are

More information

DELHAIZE AMERICA PHARMACIES AND WELFARE BENEFIT PLAN HIPAA SECURITY POLICY (9/1/2016 VERSION)

DELHAIZE AMERICA PHARMACIES AND WELFARE BENEFIT PLAN HIPAA SECURITY POLICY (9/1/2016 VERSION) DELHAIZE AMERICA PHARMACIES AND WELFARE BENEFIT PLAN HIPAA SECURITY POLICY (9/1/2016 VERSION) Delhaize America, LLC Pharmacies and Welfare Benefit Plan 2013 Health Information Security and Procedures (As

More information

Handling Debit Card Chargebacks

Handling Debit Card Chargebacks Handling Debit Card Chargebacks Rules, Rights and Best Practices Diana Kern, AAP Senior Trainer Disclaimer: The following does not constitute legal advice. The information provided herein may not be applicable

More information

American Express Data Security Operating Policy Thailand

American Express Data Security Operating Policy Thailand American Express Data Security Operating Policy Thailand As a leader in consumer protection, American Express has a long-standing commitment to protect Cardmember Information, ensuring that it is kept

More information

UPCOMING PAYMENT SCHEMES RULES CHANGES

UPCOMING PAYMENT SCHEMES RULES CHANGES UPCOMING PAYMENT SCHEMES RULES CHANGES Sara Novakovič, Dispute Operations Department Koper, June 2017 CONTENT 1 Payment schemes groups and chargeback reason codes 2 MasterCard rules changes 3 Visa rules

More information

ON24 DATA PROCESSING ADDENDUM

ON24 DATA PROCESSING ADDENDUM ON24 DATA PROCESSING ADDENDUM This Data Processing Addendum ( Addendum ) is entered into by and between ON24 Inc., on behalf of itself and its Affiliates ( ON24 ), and Client, on behalf of itself and its

More information

VPSS Certification Frequently Asked Questions

VPSS Certification Frequently Asked Questions VPSS Certification Frequently Asked Questions What is the difference between Visa s Account Information Security (AIS) program and VPSS Certification? The AIS program ensures compliance to the Payment

More information

NETEXPRESS ONLINE BANKING AGREEMENT (BUSINESS) Five Star Bank

NETEXPRESS ONLINE BANKING AGREEMENT (BUSINESS) Five Star Bank NETEXPRESS ONLINE BANKING AGREEMENT (BUSINESS) Five Star Bank 1. Meaning of some words. In this agreement: a. We, us, our and ours mean Five Star Bank, 220 Liberty Street, P.O. Box 227, Warsaw, NY 14569;

More information

Table of Contents. Overview. What is payment processing? Who s Who. Types of Payment Solutions. Online Transactions. Interchange Process

Table of Contents. Overview. What is payment processing? Who s Who. Types of Payment Solutions. Online Transactions. Interchange Process Overview Credit Card Processing 101 is your go-to handbook for navigating the payments industry. This document provides a quick and thorough understanding on how businesses accept electronic payments,

More information

Merchant Operating Guide

Merchant Operating Guide August 2012 Table of Contents Chapter 1: About Your Card Program...1 About Transaction Processing... 2 General Operating Guidelines... 2 Additional Services... 4 Chapter 2: Processing Transactions...6

More information

Authorization Approval of a transaction by the financial institution that issued a paycard or other payment card.

Authorization Approval of a transaction by the financial institution that issued a paycard or other payment card. APA Visa Paycard Portal Glossary of Terms Account Number A unique number assigned by a financial institution to a customer s account. The account number for a paycard is embossed or imprinted on the card

More information

General Information for Cardholder s on PIN & PAY

General Information for Cardholder s on PIN & PAY General Information for Cardholder s on PIN & PAY As part of our on-going initiative to enhance security, we are pleased to introduce the 6-digit PIN (Personal Identification Number) for validation, replacing

More information

MERCHANT MEMBER PACKAGE AGREEMENT & APPLICATION

MERCHANT MEMBER PACKAGE AGREEMENT & APPLICATION MERCHANT MEMBER PACKAGE AGREEMENT & APPLICATION Vantage Card Services, Inc. 2230 Towne Lake Parkway Building 400, Suite 110 Woodstock, GA 30189 (800) 397-2380 (770) 928-5688 Fax (770) 928-9328 www.vantagecard.com

More information

Dual Interface Test Card Set Summary

Dual Interface Test Card Set Summary Dual Interface Test Card Set Summary August, 2016 Powered by Disclaimer Information provided in this document describes capabilities available at the time of developing this document and information available

More information

Amstar Brands Payment Methods Manual. First Data Locations

Amstar Brands Payment Methods Manual. First Data Locations Amstar Brands Payment Methods Manual First Data Locations Table of Contents Introduction... 3 Valid Card Types... 3 Authorization Numbers, Merchant ID Numbers and Request for Copy Fax Numbers... 4 Other

More information

PayPal Website Payments Pro and Virtual Terminal Agreement

PayPal Website Payments Pro and Virtual Terminal Agreement >> View all legal agreements PayPal Website Payments Pro and Virtual Terminal Agreement Last Update: March 29, 2017 Print Download PDF This PayPal Website Payments Pro and Virtual Terminal agreement ("Pro/VT

More information

Payment Card Industry Compliance Policy

Payment Card Industry Compliance Policy PURPOSE and BACKGROUND The purpose of this policy is to ensure that Massachusetts Maritime Academy (MMA) maintains compliance with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is

More information

Clark University's PCI Compliance Policy

Clark University's PCI Compliance Policy ï» Clark University's PCI Compliance Policy Who Should Read this Policy: All persons who have access to credit card information, including: Every employee that accesses handles or maintains credit card

More information

PCI security standards: A high-level overview

PCI security standards: A high-level overview PCI security standards: A high-level overview Prepared by: Joel Dubin, Manager, RSM US LLP joel.dubin@rsmus.com, +1 312 634 3422 Many merchants often have difficulty understanding how they must comply

More information

Visa Payment Acceptance Best Practices for Retail Petroleum Merchants. February 2010

Visa Payment Acceptance Best Practices for Retail Petroleum Merchants. February 2010 Visa Payment Acceptance Best Practices for Retail Petroleum Merchants February 2010 Table of Contents About This Guide......................................................... 1 Background.............................................................1

More information

COMING INTO EFFECT SEPTEMBER 17, 2018

COMING INTO EFFECT SEPTEMBER 17, 2018 COMING INTO EFFECT SEPTEMBER 17, 2018 Payments Canada is in the process of implementing a multi-year roadmap to modernize Canada s national payments clearing and settlement infrastructure, to better support

More information

McGILL UNIVERSITY PROCUREMENT CARD POLICIES AND PROCEDURES

McGILL UNIVERSITY PROCUREMENT CARD POLICIES AND PROCEDURES McGILL UNIVERSITY PROCUREMENT CARD POLICIES AND PROCEDURES The McGill University Procurement Card (PCard) is a University selected credit card assigned to authorized Cardholders in order to allow purchasing

More information

INVOICE POLICY AND FEE SCHEDULES. Copyright 2016 CO-OP Financial Services

INVOICE POLICY AND FEE SCHEDULES. Copyright 2016 CO-OP Financial Services SECTION 8 INVOICE POLICY AND FEE SCHEDULES Operating Rules and Regulations without the prior written permission of CO-OP Financial Services. All Rights Reserved Network transaction fees that are included

More information

Global Visa Card-Not-Present Merchant Guide to Greater Fraud Control. Protect Your Business and Your Customers with Visa s Layers of Security

Global Visa Card-Not-Present Merchant Guide to Greater Fraud Control. Protect Your Business and Your Customers with Visa s Layers of Security Global Visa Card-Not-Present Merchant Guide to Greater Fraud Control Protect Your Business and Your Customers with Visa s Layers of Security Millions of Visa cardholders worldwide make one or more purchases

More information

Payment Card Industry Training 2014

Payment Card Industry Training 2014 Payment Card Industry Training 2014 Phone Line Terminal & Hosted Order Page/Secure Acceptance Redirect Merchants Contact * Carole Fallon * 614-292-7792 * fallon.82@osu.edu Updated May 2014 AGENDA A. Payment

More information

Merchant Payment Card Processing Guidelines

Merchant Payment Card Processing Guidelines Merchant Payment Card Processing Guidelines The following is intended to provide guidance that departments or units can use to help develop specific procedures for their department or unit. If you have

More information

Retrieval & Chargeback Best Practices. Visa MasterCard Discover American Express. A Merchant User Guide to Help Manage Disputes.

Retrieval & Chargeback Best Practices. Visa MasterCard Discover American Express. A Merchant User Guide to Help Manage Disputes. Retrieval & Chargeback Best Practices A Merchant User Guide to Help Manage Disputes Visa MasterCard Discover American Express April 2018 www.firstdata.com This guide is provided as a courtesy and is to

More information

Smart Tuition Addendum

Smart Tuition Addendum Smart Tuition Addendum Appointment of Agent. You hereby appoint Smart Tuition as its limited agent for the purpose of billing and accepting payments from its Families ( Family or Families ) on Your behalf.

More information

Payment Card Industry Data Security Standards (PCI DSS) Initial Training

Payment Card Industry Data Security Standards (PCI DSS) Initial Training Payment Card Industry Data Security Standards (PCI DSS) Initial Training PCI DSS Training Content What topics will this training cover? What is PCI DSS? Objectives of PCI DSS Common Terminology Background

More information

TERMS AND CONDITIONS OF CUSTOMER PROCESSING

TERMS AND CONDITIONS OF CUSTOMER PROCESSING WORLDPAY US, INC. TERMS AND CONDITIONS OF CUSTOMER PROCESSING AGREEMENT Thank you for selecting us for your payment processing needs. These Terms and Conditions of Customer Processing Agreement (the Customer

More information

PAI Secure Program Guide

PAI Secure Program Guide PAI Secure Program Guide A complete guide to understanding the Payment Card Industry Data Security Requirements (PCI DSS) and utilizing the PAI Secure Program Welcome to PAI Secure, a unique 4-step PCI-DSS

More information

2009 North49 Business Solutions Inc. All rights reserved.

2009 North49 Business Solutions Inc. All rights reserved. 2009 North49 Business Solutions Inc. All rights reserved. Paytelligence, Paytelligence logos, North49 Business Solutions, North49 Business Solutions logos, and all North49 Business Solutions product and

More information

minimise card fraud in your business.

minimise card fraud in your business. minimise card fraud in your business. First National Bank Tanzania Limited - a subsidiary of FirstRand Limited. A Registered Commercial Bank in Tanzania (CBA00050). There is a real possibility that your

More information

Georgia Health Information Network, Inc. Georgia ConnectedCare Policies

Georgia Health Information Network, Inc. Georgia ConnectedCare Policies Georgia Health Information Network, Inc. Georgia ConnectedCare Policies Version History Effective Date: August 28, 2013 Revision Date: August 2014 Originating Work Unit: Health Information Technology Health

More information

MERCHANT CARD PROCESSING AGREEMENT 1. MERCHANT S APPLICATION AND INFORMATION.

MERCHANT CARD PROCESSING AGREEMENT 1. MERCHANT S APPLICATION AND INFORMATION. MERCHANT CARD PROCESSING AGREEMENT This Merchant Card Processing Agreement ( MPA ) is for merchant card payment processing services among the merchant ( Merchant ) that signed the Application for Merchant

More information

UniCredit Bank Hungary Zrt s Bank Card Terms and Conditions

UniCredit Bank Hungary Zrt s Bank Card Terms and Conditions UniCredit Bank Hungary Zrt s Bank Card Terms and Conditions Effective from 22 nd November 2017 TABLE OF CONTENTS 3 1. Introductory provisions 3 2. Definitions concerning bank cards 9 3. Issuance and validity

More information

SPRINT CLOUDCOMPUTE INFRASTRUCTURE SERVICES PRODUCT ANNEX

SPRINT CLOUDCOMPUTE INFRASTRUCTURE SERVICES PRODUCT ANNEX SPRINT CLOUDCOMPUTE INFRASTRUCTURE SERVICES PRODUCT ANNEX The following terms and conditions, together with the Sprint Standard Terms and Conditions for Communication Services ( Standard Terms and Conditions

More information

Rules for Visa Merchants Card Acceptance and Chargeback Management Guidelines

Rules for Visa Merchants Card Acceptance and Chargeback Management Guidelines Rules for Visa Merchants Card Acceptance and Chargeback Management Guidelines Rules for Visa Merchants Card Acceptance and Chargeback Management Guidelines Chapter X Text Table of Contents Introduction...................................................1

More information

Terms of Service UK (Non-CCA)

Terms of Service UK (Non-CCA) Terms of Service UK (Non-CCA) 1. DEFINITIONS AND RULES OF INTERPRETATION (a) Unless otherwise stated, the definitions set out in the glossary at the end of these TOS apply to the Agreement. (b) Singular

More information

Maybank Investment Bank Berhad Terms and Conditions. for. M2U Online Stocks

Maybank Investment Bank Berhad Terms and Conditions. for. M2U Online Stocks Maybank Investment Bank Berhad Terms and Conditions for M2U Online Stocks Telephone Email : 1300 22 3888 (Local) +603 7962 4338 (Overseas) : equities.helpdesk@maybank-ib.com Please take a moment to read

More information

TERMS FOR THE PARTICIPATION IN CARD SCHEMES

TERMS FOR THE PARTICIPATION IN CARD SCHEMES TERMS FOR THE PARTICIPATION IN CARD SCHEMES The following Terms for the Participation in Card Schemes govern the AGREEMENT FOR THE PARTICIPATION IN CARD SCHEMES between JCC Payment Systems Limited ( JCC

More information

Best Practices for Handling Retrievals and Chargebacks. Lodging

Best Practices for Handling Retrievals and Chargebacks. Lodging Best Practices for Handling Retrievals and Chargebacks Lodging January 30, 2018 Table of Contents Authorization Processing... 3 Transaction Processing... 3 Proper Disclosure... 4 Deterring Fraud... 4 VISA

More information

GENERAL TERMS AND CONDITIONS FOR THE USE OF VISA AND/OR MASTERCARD CARDS

GENERAL TERMS AND CONDITIONS FOR THE USE OF VISA AND/OR MASTERCARD CARDS 69, route d'esch L-2953 Luxembourg Tél. (+352) 4590-1 R.C.S. Luxembourg B-6307 BIC Code BILLLULL Name Identification Account GENERAL TERMS AND CONDITIONS FOR THE USE OF VISA AND/OR MASTERCARD CARDS DEFINITIONS

More information

REGULATIONS for the processing of card payments.

REGULATIONS for the processing of card payments. REGULATIONS for the processing of card payments. Version: 3.2.1, November 2015 TABLE OF CONTENTS CONTENTS 1 Debit cards: Maestro and V PAY 3-6 1.1 Security features 3-4 1.1.1 Maestro 3 1.1.2 V PAY 4 1.1.3

More information

Instructions for receiving security features and payment cards Valid as from

Instructions for receiving security features and payment cards Valid as from Instructions for receiving security features and payment cards Valid as from 27.03.2017 The instructions for receiving security features and payment cards is a part of the payment cards servicing contract,

More information

"Check Image Metadata" means information about the Check Image, as well as pointers to the actual image data (also known as image tags).

Check Image Metadata means information about the Check Image, as well as pointers to the actual image data (also known as image tags). MOBILE CHECK DEPOSIT TERMS AND CONDITIONS This document, called the Mobile Check Deposit Terms and Conditions (the Agreement ), outlines the rules that govern your use of Umpqua Bank s mobile deposit capture

More information

protect fraudulent against transactions your business Introduction What is a fraudulent transaction? Merchant Responsibilities Card Present
