Visa and Mastercard have started issuing compliance fees and per-transaction charges for specific issues. Visa has indicated they will defer some of these fees until April 30, 2022 if we can supply them with an acceptable migration plan and bring our network of sites into compliance. Your contract currently requires you to keep your site(s) software up to date for security and functionality purposes. Equipping your site(s) with the most up-to-date software offers the latest virus protection and the latest functionality that is often needed to participate in brand promotions. We have laid out the two main compliance issues currently being reported and the information you need to take action.
1. Excessive fallback to mag stripe processing
Description:
When your payment terminal is unable to read the chip on payment cards, the terminal software is certified according to card brand specifications to process transactions using specific logic. It prompts the consumer to swipe the card as a magnetic stripe payment to continue the sale, which is known as fallback to mag stripe processing, or simply fallback processing. Mastercard mandates that the overall percentage of fallback transactions will not exceed 1% based on normal processing. They are now identifying sites and issuing non-compliance fees for sites with excessive fallback counts and percentage. Visa has also started assessing a fee per transaction for any site with over 10% fallback.
Resolution:
This issue is likely to be a known issue to sites and easily identifiable. It is important for your site to identify and correct any in-store PIN pad that is not accepting chip cards, and frequently (or always) asks consumers to swipe their card instead because it cannot read the chip. Sites with issues should contact their local installer/technician to make arrangement to have the affected PIN pad(s) replaced.
2. Non-compliance in supporting contactless EMV on inside transactions.
Description:
Sites that process inside contact EMV transactions (Chip read) are expected to also support contactless EMV (tap-to-pay) transactions. Some sites are still processing using only contactless magnetic stripe data (MSD) functionality at the PIN pad. Contactless EMV functionality for inside transactions was certified with each newer version of software as it was certified with the outside contact EMV functionality.
Resolution:
Upgrade to one of the minimum software versions listed on the chart below. These versions are certified for inside contactless EMV and outside contact EMV.
New software compliance fee
In addition to any fees for the above items, for each of the Customer’s sites running EPOS software older than the minimum supported version shown on the chart below will begin receiving a $500 per month fee beginning February 1, 2022. Additionally, any site with either of the above conditions could receive additional fee(s) or may be debranded for being out of compliance with bank card rules. Any non-compliance fee(s) will be passed along to a site through the non-fuel billing process. It is the responsibility of the marketer/site to ensure the software meets minimum version standards as outlined in the chart below:
The software version chart is updated as new software becomes available and can be found along with more EMV related information on Bizlink.
*Gilbarco Passport:
- All versions prior to V20.xx are running on Windows 7 on the Manager Work Station and Cashier Work Station. This is an expired Operating System and is no longer being patched by Microsoft for any vulnerabilities or security issues.
- Gilbarco is no longer producing security updates for the Passport or third-party components in these versions.
- While there are no known vulnerabilities that present exposure to Passport, without the required patching indicated above, the risk of future issues goes up considerably. The first two items could result in Merchants failing their yearly PCI DSS audits.
*Verifone
- Verifone only supports applications that are current production release or one release prior. If something goes wrong with the older applications, the helpdesk will instruct sites to upgrade before assisting them. Will soon be Base 51 and Base 53 only.
- From a PCI perspective all locations are supposed to run the latest PCI certified software. Base 44 software was certified on PA-DSS 3.1 standards. Base 51 software was certified on PA-DSS 3.2 software.
- All security updates/patches are only available on the new software.
- EZR EOL in Oct. 2021. Sites must have MNSP for PCI-DSS certification