TAGGED:
For issuers to participate in the ADCR process, they must—for each Business ID (BID)—be registered to receive CAMS alerts. Additionally to receive recovery of a portion of their operating expenses, they are required—for each BID—to enroll in the Operating Expense Recovery process.
To receive CAMS alerts issuers must submit an email to visariskmanager@visa.com and request a CAMS alert registration form.
Enrollment for participation in the Operating Expense Recovery process is done at the BID level. Issuers that license BINs must complete and submit the Account Data Compromise Recovery Process Operating Expense Recovery Enrollment Form for each of their BIDs.
There are no enrollment fees.
Each qualifying CAMS event will have separate credits. All credits issued, whether for recovery of counterfeit fraud losses or operating expenses will be distributed on a quarterly basis and each credit will be net of the appropriate administration fee.
No. Analysis of the magnetic-stripe (POS 90) counterfeit fraud will be considered in determining whether an event is eligible for operating expense recovery, however it is not a minimum requirement.
Since the ADCR process requires a significant amount of administration, Visa needed to establish a minimum number of account numbers so that the process would not be applied to small events involving relatively small amounts of fraud. Based on analysis of previous events, only 0.16 percent of account numbers in qualifying events experience magnetic-stripe (POS 90) counterfeit fraud. Therefore, an event with 10,000 account numbers would only have approximately 16 fraudulent accounts and seemed to be a reasonable minimum.
No. If the compromise event does not meet the ADCR eligibility requirements, there is no alternative process available. In those situations, the fraud is the issuers’ responsibility.
Once Visa makes a final decision that an event qualifies for ADCR, all impacted issuers will be notified. Visa is still working out the details of how that communication will be distributed. Please note that in a best case scenario, that determination will be approximately four to five months after the date of the CAMS alert. This is because Visa must first make a preliminary determination of eligibility, then provide the acquirer 30 days to appeal. At the end of the appeal timeframe, Visa then evaluates all information before making a final decision.
The following transactions qualify for recovery:
For magnetic-stripe (POS 90) counterfeit fraud transactions to qualify for recovery for a specific compromise event, their transaction dates must fall within the start and end date established for each compromise event. This timeframe is called an event window. Each compromise event that qualifies for participation in the ADCR process has its own event window. The event window is based on the date of the related CAMS alert and can be up to 12 months prior to the CAMS alert date and one month post the CAMS alert date.
An event qualifies for ADCR based on Visas’ analysis of the forensic reports, information provided by issuers, information provided by the acquirer/merchant involved in the compromise event and analysis of fraud reporting. Additionally, account numbers that were involved in a prior event within the previous 12 months are excluded. Only the remaining account numbers that incurred magnetic-stripe (POS 90) counterfeit fraud losses are eligible for recovery.
There are very few chargeback rights associated with magnetic-stripe (POS 90) counterfeit transactions. Given that liability is calculated at an aggregate basis for incremental fraud only, Visa is not accounting for chargebacks at this time. Visa will continue to monitor the activity to evaluate whether it makes sense to change this policy in the future.
The Operating Expense Recovery process provides some relief for accounts that had to be “worked” once a CAMS alert is issued. At the time of a CAMS alert, many account numbers on the alert are no longer active. They have already been closed, reissued, are expired, blocked, etc. Therefore there are no, or very little, incremental operating expenses that are incurred. An issuer survey conducted reflected that 80 percent of account numbers on CAMS alerts are actually worked.
Enrollment must occur prior to the date of a given CAMS alert.
This is an open enrollment process. Issuers can sign up at any time and once enrolled will remain eligible for recovery until such time the process is no longer supported.
Issuers vary widely on the processes they implement when a CAMS alert occurs. Some automatically reissue all or some of the account numbers listed. Some simply implement monitoring or enhance their current monitoring programs. Others do a combination of these. Still others do nothing. The current recovery amount of $1 is a reasonable starting point and may be reevaluated in the future.
Baseline percentage is the percentage of magnetic-stripe (POS 90) counterfeit fraud to total fraud in the Visa system excluding accounts in the event being evaluated.
Baseline Fraud is the amount of magnetic-stripe (POS 90) counterfeit fraud that would have been expected on the event account population if the compromise event had not occurred, in other words business as usual. It is calculated by multiplying the Baseline Percentage by the total fraud for the event.
Incremental Fraud is the total magnetic-stripe (POS 90) counterfeit fraud for an event minus Baseline Fraud. In other words, it represents the fraud amount that exceeds the Baseline Fraud amount.
Yes. The baseline and incremental calculations will be included in the reporting that is provided to all impacted issuers.
The baseline percentage is the percentage of magnetic-stripe (POS 90) counterfeit fraud to total fraud in the Visa system, excluding only those accounts in the event being evaluated.
After the close of the event window and when the fraud reporting period has elapsed, Visa will calculate each issuer’s respective liability or reimbursement amount and submit the results via email. Issuers will receive an Account Data Compromise Recovery - Issuer Recovery Statement. Acquirers will receive an Account Data Compromise Recovery – Acquirer Liability Statement. (CO-OP will receive for all shared clients)
Issuer statements will be emailed to both the Primary Center Manager and Fraud Manager(s) using the email addresses currently available in Visa’s corporate database, or to the designee provided through the Operating Expense Recovery enrollment process.
Send an email request to USMembercontacts@visa.com or contact Franchise Communications at (650) 432-7064.
CAMS alert registration and ADCR enrollment is done at the BID level. Only institutions that license their own BINs can register for CAMS.
Once the event window is closed, there will not be any adjustments made to the Baseline. One of the guiding principles of the ADCR process is to place a cap on the liability for which the acquirer is held liable. Issuers are encouraged to follow best practices and monitor and control fraud or re-issue accounts that are impacted by these events.
No. Visa will process these credits through the Global Member Billing Solution; also know as Integrated Billing.
Issuers would not receive recovery of magnetic-stripe (POS 90) counterfeit fraud losses for the following reasons:
Visa will pay (through GMBS) the member of record at the time of the calculation.
It is cost prohibitive to administer small recovery amounts.
No. Visa’s decision is final. If you believe there is an error, you may want to consider reviewing your fraud reporting practices to ensure they align with Visa U.S.A. Inc. Operating Regulations. Only issuers who have properly reported magnetic-stripe (POS 90) counterfeit fraud (Fraud Type 4) transactions within 90 days of the trans-action date, and whose transaction date falls within the event window, will be eligi-ble for recovery. You may also want to validate that none of your fraud transactions were returned (rejected) by Visa due to failed Fraud Reporting System edits.
Participation in the ADCR process does not relinquish any legal rights that may exist outside of the Visa system unless otherwise agreed upon by both the issuer and the point of compromise. Example: TJX compromise
This new process replaces the compliance right that existed prior to October 1, 2006 covering a violation for storing magnetic-stripe data that resulted in a financial loss for an issuer. Since chargeback rights exist for card-not-present transactions, they are not included in this process.
Yes. Visa does plan on monitoring issuers fraud reporting.
The event performance window does not affect the fraud reporting window at all. Regardless of when a fraud transaction occurred, the full 90-day fraud reporting window is allowed. Calculation of issuer recovery amounts does not occur until the 90-day fraud reporting window has elapsed.
Visa analyzes trends of magnetic-stripe (POS 90) counterfeit fraud for the accounts in the event and compares that to norms for the Visa system overall. The data used for all calculations is obtained from the Visa Fraud Reporting System that is reported in accordance with the Visa U.S.A. Inc. Operating Regulations.
Common points of purchase can be identified from a variety of sources including the merchant themselves, the acquirer, issuers, or Visa internal analysis. The Visa Fraud Control team will send a CAMS alert if it determines, based on all available information, that account numbers have been placed at risk. The ADCR process will only apply to a subset of CAMS alerts. See the Transaction Recovery Qualification section for more information.
If the issuer properly reported the transaction to Visa as counterfeit (Type 4) and validated that the cardholder was in possession of their card at the time of the transaction, the fraud reporting to Visa will be captured by ADCR—no additional work is required.
Click below to access the printer-friendly version.
PDF (Entire Guide) PDF (This Section)
