If You Take Credit Cards By Phone or Mail - You Need to Read About Visa's October Mandate

PCI Rules Aren't the Only Ones You Need to Comply With

Most organizations concerned with payment compliance are focused on the PCI Data Security Standard (DSS), but PCI is only part of the story. Every card brand and payment association has its own operating rules and regulations that also need to be followed. Many of these rules and regulations fly below the radar of most people and organizations. However, sometimes these rule changes have far-reaching impacts.

These rule changes most commonly impact card Issuers, Acquirers, and Processors. These organizations need to understand, evaluate, and implement new requirements. In many cases, the changes are nearly transparent to merchants and cardholders. This article looks at a few of the recent requirements that will impact merchants and cardholders.

October's Mandates

Visa is introducing a number of changes starting this October that will affect all merchants that take mail order and telephone (MOTO) transactions. This currently affects Canadian merchants but will also expand to other markets. Specifically, the new rules change when you need to include (or not include) the CVV2 security code while processing transactions. Failure to follow the new rules may result in declined transactions.

For many merchants this will mean changes inside call centers and mail order operations. For example:

  • For call centers, existing systems may not allow for collection of CVV2. This will require changes to support CVV2 collection and could increase your scope, compliance footprint, and costs.
  • For mail order, the collection of CVV2 will be prohibited. This may require changes to forms and systems.
  • And in both cases, your systems will need to provide more information about the type of transaction being processed. This may also require system changes.

If you are looking for more information on any of these additional requirements, we've provided some links for further reading below.

We recommend that you reach out to your acquirer or assessor for assistance in understanding how this regulation will affect you. Or you can give us a call; we’d be happy to help.

Further Reading

Visa Canada

Visa International

General PCI Guidance
