Card brand changes: December 2022

All card brands have agreed an industry-wide sunset of 3D Secure (3DS) version 1 to EMV 3D Secure 2.x. The final sunset date for 3DS 1 was 15 October 2022, after which 3DS 1 transactions are no longer supported for cardholder authentication.
 

What you need to do: 

If you’re unsure whether you are processing on EMV 3DS 2.x, contact your gateway support team immediately to make sure the changeover has been completed. 

Mastercard and Visa have updated the cash-back limit for Poland. In the case of Mastercard the limit has increased from 500 PLN to 1,000 PLN. For Visa, it has risen from 300 PLN to 1,000 PLN.

What you need to do: 

In our October updates we promised to provide further updates on the implementation of this change. Updates to all Elavon point-of-sale (POS) devices will start from mid-January 2023. If you’re using a third party for your POS, contact your provider to make sure they can support this change.

Croatia will officially join the Eurozone from 1 January 2023.

The Croatian National Bank has confirmed that the exchange rate to convert the Croatian Kuna (HRK) to Euro (EUR) has been set at 7.53450 HRK to 1 EUR.

Visa and Mastercard have also announced the contactless limit for Croatia will be denominated in the euro (EUR) and will be increased to EUR 40 for contactless transactions effective 1 January 2023.

Points to note: 

• Authorisation and settlement for Croatia’s domestic currency (HRK) will change to the Euro (EUR). 

• Authorisation requests using the Croatian Kuna submitted after 12.00am on 1 January 2023 will be rejected.

• Global and regional providers of in-flight currency conversion services such as Dynamic Currency Conversion (DCC) and Multi Currency Conversion (MCC) should make sure that Croatian cardholders are not offered or guided to pay in HRK after 31 December 2022.

What you need to do:  

If you are using an Elavon POS terminal or eCommerce gateway you have no action to take, as we look after this for you. If you are using a third party as your POS or Gateway provider, you should contact your provider to make sure they’re ready for this change.

Visa has announced the end of support for Interim Transaction Identifier issued in EEA and UK relative to Merchant Initiated Transactions (MITs). 

As you may know, to successfully process a MIT transaction it must contain the Original Transaction Identifier (OTID) of the initial cardholder-initiated transaction or previous MIT. This requires that the OTID is stored and subsequently retrieved and populated in the appropriate field of MIT transactions. To comply with the requirements of the second Payment Services Directive (PSD2), Visa had provided European acquirers with an Interim Transaction Identifier (under a waiver) that could be used where OTID was not provided by the customer or gateway. 

The Visa OTID waiver expired on 31 October 2022. 

Visa has also announced non-compliance assessment (NCA) fees starting from August 2022. Therefore, we recommend migrating to a valid OTID as soon as possible in accordance with the Visa Rules to avoid non-compliance fees. The use of the Interim Transaction Identifier will be technically disabled in the Visa authorisation system effective 31 October 2023. 

Businesses that currently use the Interim Transaction Identifier must start migrating to a valid transaction ID as soon as possible.

There are two options on how you can obtain a valid Original Transaction Identifier (OTID) to replace the Interim transaction ID: 

1.  Request a Cardholder Initiated Transaction (CIT), effectively reauthenticate, and store OTID for future use.

2. Use Transaction ID of any previous MIT within the same merchant-cardholder agreement. 
    

Below is guidance on how merchants can migrate from use of the Interim Transaction ID to a valid Transaction ID.

Mastercard has rolled out a Europe region-wide roadmap to achieve a network migration from EMV 3DS 2.1 to EMV 3DS 2.2 effective from 14 October 2022.  As part of this announcement, Mastercard not only requires support for EMV 3DS 2.2, Mastercard also requires the support of key EMV 3DS features as outlined below:

• All eCommerce businesses must be ready for EMV 3DS v2.2 as of 14 October 2022. Mastercard does not require that all transactions are sent using EMV 3DS v2.2. and EMV 3DS 2.1 must continue to be supported until Mastercard formally announces its sunset. 

• All eCommerce businesses must support and perform authentication app re-direction through the merchant app, the 3DS SDK and EMC 3DS v2.2 transactions if the cardholder authentication method is Out of Band (OOB). Example forms of OOB authentication include codes sent to a mobile device via SMS or codes sent to a mobile app via push notifications.

• All eCommerce customers must support 3RI payments. 3RI payments offer you the option to system-generate a payment transaction when the cardholder is not in session. These transactions are used for use cases where there is an initial purchase transaction while the cardholder is in session, called consumer-initiated transaction (CIT), followed by subsequent transactions that are 3RI MIT. With 3RI payments, you can provide evidence, using the DS Transaction ID field, that SCA has been performed where the customer was involved and maintain their fraud liability protection for the full amount that has been authenticated. 

What you need to do:

You should contact your gateway support team to make sure they have met the October 2022 EMV 3DS 2.2 readiness date. 

If your gateway has already been certified for EMV 3DS 2.2, additional functional testing is required to make sure the mandatory features defined in the roadmap are properly implemented. Mastercard will not require a new EMV 3DS 2.2 certification for this purpose.

Mastercard Identity Check™ is Mastercard's global authentication program that supports EMV®1 3-D Secure (3DS) protocol to provide additional security for digital transactions and facilitate higher approval rates on eCommerce transactions. Mastercard supports a data integrity check to monitor eCommerce transactions where 3DS has not been performed and no exemption flag has been set. These transactions will have an increased risk of issuer declines and may incur additional data integrity fees.
 

What you need to do:

You should contact your gateway support team to ensure they are ready to support 3DS and all available exemptions.

Under PSD2, most eCommerce transactions require Strong Customer Authentication (SCA) unless an exemption or exclusion (like merchant-initiated transactions (MITs)) is applied. To satisfy these PSD2 SCA requirements, customers are required to use the EMV 3DS or any other SCA-compliant method to avoid issuer SCA soft declines. A SCA soft decline is a declined authorisation where the issuer requests SCA to make it successful. In this case, you should re-submit the authorisation after successfully authenticating your customer with 3DS.

Mastercard launched the PSD2 optimisation programme to monitor transactions to check if EMV 3DS 2.x was used after a SCA soft decline. Under this program where a customer is identified as failing this check non-compliance penalties could apply.
 

What you need to do:

You should contact your gateway support team to make sure that when transactions are soft declined, the transaction is retried with EMV 3DS 2.x.