Visa Extends Fraud-Recovery Process to PIN-Debit Transactions

Visa Inc. is extending to PIN debit cards a process for reporting and recovering fraud losses from data breaches. In effect for credit cards and the Visa check cards since October 2006, the process, dubbed Account Data Compromise Recovery, will apply to Visa's Interlink point-of-sale debit and Plus ATM networks beginning Nov. 1. The extension of ADCR's provisions is not the result of any spike in PIN-debit fraud, according to Dave Van Horn, senior business leader, global fraud risk products. Rather, it's an effort to streamline the fraud-recovery process for issuers and make it more it predictable for merchant acquirers, he says. “What we're trying to do is align and simplify the process on behalf of our members,” Van Horn tells Digital Transactions News. “The process that used to exist for signature-based transactions exists for PIN-based ones.” Recently enhanced fraud-reporting systems for the debit networks make extending ADCR to Interlink and Plus transactions feasible, a Visa release says. Both systems govern the process of issuers filing claims against acquirers whose merchants prove to be the source of data breaches resulting in fraud losses from counterfeit cards made as a result of obtaining magnetic-stripe data?something merchants are prohibited from storing under the Payment Card Industry data-security standard, or PCI. The older system is transaction-based and involves considerable research before an issuer can make a recovery from the liable acquirer. It's suitable for smaller cases, but is a chore for larger breaches, according to Van Horn. Instead, the newer system makes estimates to determine an acquirer's so-called “incremental fraud” as the basis of its financial responsibility. “The ADCR process … looks at information in an aggregate rather than transaction by transaction,” says Van Horn. ADCR's provisions apply to data compromises involving 10,000 or more U.S. accounts. The process kicks in when, upon learning of a breach at one of its merchants, the acquirer uploads the stolen Visa account numbers to Visa's Compromised Account Management System, or CAMS. Visa then informs the affected issuers, which would be expected to quickly begin monitoring or shutting the accounts down as they see fit. Visa also makes a preliminary estimate of the acquirer's potential liability. The estimate creates a baseline of mag-stripe fraud that the affected acquirer would have likely experienced on Visa transactions 12 months before and one month after the CAMS alert had there been no breach. Acquirers have 30 days to appeal Visa's estimate, which includes a percentage of fraud losses and the issuers' resulting operating expenses. After the deadline for issuers to report breach-related losses, the baseline is subtracted from the actual amount shown to have occurred during the event window. The result is what Visa calls incremental fraud resulting from the breach. “We only hold the acquirer responsible for that portion above the normal rate of fraud,” says Van Horn. Also, acquirers only are liable for up to 80% of the compromised accounts; Visa assumes the remaining 20% of accounts would have been expired, closed, or blocked before the CAMS alert. Eligible issuers?they must be enrolled in a Visa expense-reporting system and be able to receive CAMS alerts?can recoup $1 per affected account to cover card re-issuance and operating expenses, such as fielding more customer-service calls from cardholders. The advantage for acquirers is a predictable estimate of financial liability and a limitation on losses once the 13-month window closes, according to Van Horn. “It puts the future onus on the issuer,” he says. Visa would not say how many recoveries issuers have made on signature-based accounts since ADCR took effect in late 2006. In the record-breaking TJX Cos. data breach, which involved at least 45 million cards of all major payment brands and possibly more than 90 million, Visa reached a $40.9 million settlement with the retailer on behalf of its issuers (Digital Transactions News, Dec. 3, 2007). TJX publicly disclosed the breach in January 2007 after discovering it a month earlier, but the intrusions into its systems started as far back as 2005. Apart from their ADCR liabilities, Visa's acquirers also face fines for their merchants' PCI violations.