Security Rules And Procedures—Merchant Edition SPME Entire Manual Public

2015-01-12

: Mc Spme-Entire Manual Public SPME-Entire_Manual_public

Open the PDF directly: View PDF .
Page Count: 148 [warning: Documents this large are best viewed by clicking the View PDF Link!]

Security Rules and Procedures—Merchant Edition
Notices
Table of Contents
Chapter 1 Customer Obligations
- 1.1 Compliance with the Standards
- 1.2 Conflict with Law
- 1.3 The Security Contact
Chapter 2 Omitted
Chapter 3 Card and TID Design Standards
- 3.9 Card Validation Code (CVC)
  - 3.9.4 Acquirer Requirements for CVC 2
- 3.10 Service Codes
- 3.11 Transaction Information Documents (TIDs)
Chapter 4 POI Terminal and PIN Security Standards
- 4.1 Personal Identification Numbers (PINs)
- 4.3 PIN Verification
- 4.5 PIN Encipherment
- 4.6 PIN Key Management
  - 4.6.1 PIN Transmission Between Customer Host Systems and the Interchange System
  - 4.6.2 On-behalf Key Management
- 4.7 PIN at the POI for MasterCard Magnetic Stripe Transactions
- 4.8 POI Terminal Security Standards
- 4.9 Hybrid POI Terminal Security Standards
- 4.10 PIN Entry Device Standards
- 4.11 Wireless POS Terminals and Internet/Stand-alone IP-enabled POS Terminal Security Standards
- 4.12 POS Terminals Using Electronic Signature Capture Technology (ESCT)
- 4.13 Component Authentication
- 4.14 Triple DES Migration Standards
Chapter 5 Card Recovery and Return Standards
- 5.1 Card Recovery and Return
  - 5.1.1 Card Retention by Merchants
Chapter 6 Fraud Loss Control Standards
- 6.2 MasterCard Fraud Loss Control Program Standards
  - 6.2.2 Acquirer Fraud Loss Control Programs
- 6.3 MasterCard Counterfeit Card Fraud Loss Control Standards
Chapter 7 Merchant, Sub-merchant, and ATM Owner Screening and Monitoring Standards
- 7.1 Screening New Merchants, Sub-merchants, and ATM Owners
- 7.2 Ongoing Monitoring
- 7.3 Additional Requirements for Certain Merchant and Sub-merchant Categories
  - 7.3.1 Merchant Education
Chapter 8 MasterCard Fraud Control Programs
- 8.1 Presenting Valid Transactions
  - 8.1.1 Notifying MasterCard—Acquirer Responsibilities
  - 8.1.3 MasterCard Audit
- 8.2 Global Merchant Audit Program
- 8.3 Excessive Chargeback Program
- 8.4 Questionable Merchant Audit Program (QMAP)
Chapter 9 MasterCard Registration Program
- 9.1 MasterCard Registration Program Overview
- 9.2 General Registration Requirements
  - 9.2.1 Merchant Registration Fees and Noncompliance Assessments
- 9.3 General Monitoring Requirements
- 9.4 Additional Requirements for Specific Merchant Categories
Chapter 10 Account Data Protection Standards and Programs
- 10.1 Account Data Protection Standards
- 10.2 Account Data Compromise Events
- 10.3 MasterCard Site Data Protection (SDP) Program
- 10.4 Connecting to MasterCard—Physical and Logical Security Requirements
Chapter 11 MATCH System
- 11.1 MATCH Overview
  - 11.1.1 System Features
  - 11.1.2 How does MATCH Search when Conducting an Inquiry?
- 11.2 MATCH Standards
- 11.4 Merchant Removal from MATCH
- 11.5 MATCH Reason Codes
  - 11.5.1 Reason Codes for Merchants Listed by the Acquirer
Chapter 12 Omitted
Chapter 13 Fraud Management Program (FMP)
- 13.1 About FMP
  - 13.1.2 FMP Level 2 Non-Customer Reviews
Appendix A Omitted
Appendix B Formset Specifications
- B.1 MasterCard Formset Specifications
- B.2 Formset Printing Standards
Appendix C Omitted
Appendix D Best Practices Guides
- D.1 Acquirers’ Best Practices Guide
Appendix E Omitted
Definitions
- Access Device
- Account
- Acquirer
- Activity(ies)
- Affiliate Customer, Affiliate
- Association Customer, Association
- Automated Teller Machine (ATM)
- ATM Owner Agreement
- ATM Terminal
- ATM Transaction
- Card
- Cardholder
- Chip Card (Smart Card, Integrated Circuit Card, IC Card, or ICC)
- Chip Transaction
- Cirrus Access Device
- Cirrus Account
- Cirrus Card
- Cirrus Customer
- Cirrus Payment Application
- Contact Chip Transaction
- Contactless Chip Transaction, Contactless Transaction
- Contactless Payment Device
- Corporation
- Cross-border Transaction
- Customer
- Data Storage Entity (DSE)
- Digital Wallet Operator (DWO)
- Digital Wallet Operator Mark, DWO Mark
- Domestic Transaction
- Dual Interface Hybrid POS Terminal
- Hybrid ATM Terminal
- Hybrid MPOS Terminal
- Hybrid PIN-based In-Branch Terminal
- Hybrid POI Terminal
- Independent Sales Organization (ISO)
- Interchange System
- Interregional Transaction
- Intracountry Transaction
- Intraregional Transaction
- Issuer
- License, Licensed
- Maestro
- Maestro Access Device
- Maestro Account
- Maestro Card
- Maestro Customer
- Maestro Payment Application
- Maestro Transaction
- Manual Cash Disbursement Transaction
- Marks
- MasterCard
- MasterCard Access Device
- MasterCard Account
- MasterCard-branded Application Identifier (AID)
- MasterCard Card
- MasterCard Customer
- MasterCard Europe
- MasterCard Incorporated
- MasterCard Payment Application
- MasterCard PayPass Magnetic Stripe Profile Transaction
- MasterCard PayPass-M/Chip Transaction
- MasterCard Transaction
- Member, Membership
- Merchant
- Merchant Agreement
- Mobile Payment Device
- Mobile POS (MPOS) Terminal
- Participation
- Pass-through Digital Wallet
- Pass-through Digital Wallet Operator (DWO)
- Payment Application
- Payment Facilitator
- PIN-based In-Branch Terminal
- PIN-based In-Branch Terminal Transaction
- Point of Interaction (POI)
- POI Terminal
- Portfolio
- Point-of-Sale (POS) Terminal
- POS Transaction
- Principal Customer, Principal
- Program
- Program Services
- Region
- Rules
- Service Provider
- Service Provider Registration Facilitator
- Settlement
- Settlement Date
- Sponsor, Sponsorship
- Staged Digital Wallet
- Staged Digital Wallet Operator (DWO)
- Standards
- Stand-In Parameters
- Stand-In Processing Service
- Sub-merchant
- Terminal
- Third Party Processor (TPP)
- Transaction
- Volume

SecurityRulesand

Procedures

MerchantEdition

7February2014

Notices

Followingarepoliciespertainingtoproprietaryrights,trademarks,translations,anddetailsabout

theavailabilityofadditionalinformationonline.

ProprietaryRights

TheinformationcontainedinthisdocumentisproprietaryandconfidentialtoMasterCardInternational

Incorporated,oneormoreofitsaffiliatedentities(collectively“MasterCard”),orboth.

Thismaterialmaynotbeduplicated,published,ordisclosed,inwholeorinpart,withouttheprior

writtenpermissionofMasterCard.

Trademarks

TrademarknoticesandsymbolsusedinthisdocumentreflecttheregistrationstatusofMasterCard

trademarksintheUnitedStates.PleaseconsultwiththeCustomerOperationsServicesteamorthe

MasterCardLawDepartmentfortheregistrationstatusofparticularproduct,program,orservicenames

outsidetheUnitedStates.

Allthird-partyproductandservicenamesaretrademarksorregisteredtrademarksoftheirrespective

owners.

Disclaimer

MasterCardmakesnorepresentationsorwarrantiesofanykind,expressorimplied,withrespectto

thecontentsofthisdocument.Withoutlimitation,MasterCardspecificallydisclaimsallrepresentations

andwarrantieswithrespecttothisdocumentandanyintellectualpropertyrightssubsistingthereinor

anypartthereof,includingbutnotlimitedtoanyandallimpliedwarrantiesoftitle,non-infringement,

orsuitabilityforanypurpose(whetherornotMasterCardhasbeenadvised,hasreasontoknow,oris

otherwiseinfactawareofanyinformation)orachievementofanyparticularresult.Withoutlimitation,

MasterCardspecificallydisclaimsallrepresentationsandwarrantiesthatanypracticeorimplementationof

thisdocumentwillnotinfringeanythirdpartypatents,copyrights,tradesecretsorotherrights.

Translation

AtranslationofanyMasterCardmanual,bulletin,release,orotherMasterCarddocumentintoalanguage

otherthanEnglishisintendedsolelyasaconveniencetoMasterCardcustomers.MasterCardprovidesany

translateddocumenttoitscustomers“ASIS”andmakesnorepresentationsorwarrantiesofanykind

withrespecttothetranslateddocument,including,butnotlimitedto,itsaccuracyorreliability.Inno

eventshallMasterCardbeliableforanydamagesresultingfromrelianceonanytranslateddocument.

TheEnglishversionofanyMasterCarddocumentwilltakeprecedenceoveranytranslatedversionin

anylegalproceeding.

InformationAvailableOnline

MasterCardprovidesdetailsaboutthestandardsusedforthisdocument—includingtimesexpressed,

languageuse,andcontactinformation—onthePublicationsSupportpageavailableonMasterCard

Connect™.GotoPublicationsSupportforcentralizedinformation.

SP7February2014•SecurityRulesandProcedures

TableofContents

Chapter1CustomerObligations.........................................................1-i

1.1CompliancewiththeStandards.........................................................................................1-1

1.2ConflictwithLaw...............................................................................................................1-1

1.3TheSecurityContact..........................................................................................................1-1

Chapter2Omitted................................................................................2-i

Chapter3CardandTIDDesignStandards..........................................3-i

3.9CardValidationCode(CVC)..............................................................................................3-1

3.9.4AcquirerRequirementsforCVC2.............................................................................3-1

3.10ServiceCodes...................................................................................................................3-1

3.10.2AcquirerInformation...............................................................................................3-1

3.10.3ValidServiceCodes.................................................................................................3-2

3.10.4AdditionalServiceCodeInformation......................................................................3-3

3.11TransactionInformationDocuments(TIDs).....................................................................3-3

3.11.1FormsetContents....................................................................................................3-4

3.11.2POSTerminalReceiptContents...............................................................................3-5

3.11.3StandardWording....................................................................................................3-6

3.11.4PrimaryAccountNumberTruncationandExpirationDateOmission.....................3-7

Chapter4POITerminalandPINSecurityStandards..........................4-i

4.1PersonalIdentificationNumbers(PINs).............................................................................4-1

4.3PINVerification..................................................................................................................4-1

4.5PINEncipherment..............................................................................................................4-2

4.6PINKeyManagement........................................................................................................4-2

4.6.1PINTransmissionBetweenCustomerHostSystemsandtheInterchange

System................................................................................................................................4-2

4.6.2On-behalfKeyManagement.....................................................................................4-3

4.7PINatthePOIforMasterCardMagneticStripeTransactions.............................................4-4

4.8POITerminalSecurityStandards........................................................................................4-4

4.9HybridPOITerminalSecurityStandards............................................................................4-5

4.10PINEntryDeviceStandards.............................................................................................4-6

4.11WirelessPOSTerminalsandInternet/Stand-aloneIP-enabledPOSTerminalSecurity

Standards.................................................................................................................................4-7

4.12POSTerminalsUsingElectronicSignatureCaptureTechnology(ESCT)..........................4-8

SecurityRulesandProcedures•7February2014i

TableofContents

4.13ComponentAuthentication..............................................................................................4-8

4.14TripleDESMigrationStandards........................................................................................4-9

Chapter5CardRecoveryandReturnStandards................................5-i

5.1CardRecoveryandReturn.................................................................................................5-1

5.1.1CardRetentionbyMerchants....................................................................................5-1

Chapter6FraudLossControlStandards.............................................6-i

6.2MasterCardFraudLossControlProgramStandards...........................................................6-1

6.2.2AcquirerFraudLossControlPrograms......................................................................6-1

6.3MasterCardCounterfeitCardFraudLossControlStandards...............................................6-3

6.3.1CounterfeitCardNotification.....................................................................................6-3

6.3.2ResponsibilityforCounterfeitLoss............................................................................6-4

6.3.3AcquirerCounterfeitLiabilityProgram......................................................................6-4

Chapter7Merchant,Sub-merchant,andATMOwnerScreening

andMonitoringStandards.......................................................................7-i

7.1ScreeningNewMerchants,Sub-merchants,andATMOwners...........................................7-1

7.1.1ScreeningProcedures................................................................................................7-1

7.1.2EvidenceofCompliancewithScreeningProcedures................................................7-2

7.1.3RetentionofInvestigativeRecords............................................................................7-2

7.1.4AssessmentsforNoncompliancewithScreeningProcedures....................................7-3

7.2OngoingMonitoring..........................................................................................................7-4

7.3AdditionalRequirementsforCertainMerchantandSub-merchantCategories...................7-5

7.3.1MerchantEducation..................................................................................................7-5

Chapter8MasterCardFraudControlPrograms.................................8-i

8.1PresentingValidTransactions.............................................................................................8-1

8.1.1NotifyingMasterCard—AcquirerResponsibilities......................................................8-1

8.1.3MasterCardAudit.......................................................................................................8-1

8.2GlobalMerchantAuditProgram........................................................................................8-3

8.2.1AcquirerResponsibilities...........................................................................................8-4

8.2.2Tier3SpecialMerchantAudit...................................................................................8-5

8.2.3ChargebackResponsibility........................................................................................8-6

8.2.4ExclusionfromtheGlobalMerchantAuditProgram.................................................8-8

8.2.5NotificationofMerchantIdentification....................................................................8-10

8.2.6MerchantOnlineStatusTracking(MOST)System...................................................8-11

8.3ExcessiveChargebackProgram........................................................................................8-12

ii7February2014•SecurityRulesandProcedures

TableofContents

8.3.1ECPDefinitions.......................................................................................................8-12

8.3.2ReportingRequirements..........................................................................................8-13

8.3.3Assessments............................................................................................................8-15

8.3.5AdditionalTier2ECMRequirements......................................................................8-17

8.4QuestionableMerchantAuditProgram(QMAP)..............................................................8-18

8.4.1QMAPDefinitions...................................................................................................8-18

8.4.2MasterCardCommencementofanInvestigation.....................................................8-20

8.4.4MasterCardNotificationtoAcquirers.......................................................................8-20

8.4.5MerchantTermination.............................................................................................8-21

8.4.6MasterCardDetermination.......................................................................................8-21

8.4.7ChargebackResponsibility......................................................................................8-22

8.4.8FraudRecovery.......................................................................................................8-22

8.4.9QMAPFees.............................................................................................................8-22

Chapter9MasterCardRegistrationProgram.....................................9-i

9.1MasterCardRegistrationProgramOverview.......................................................................9-1

9.2GeneralRegistrationRequirements....................................................................................9-1

9.2.1MerchantRegistrationFeesandNoncomplianceAssessments..................................9-2

9.3GeneralMonitoringRequirements.....................................................................................9-3

9.4AdditionalRequirementsforSpecificMerchantCategories................................................9-4

9.4.1TelecomMerchantsandTransactions........................................................................9-4

9.4.2Non-face-to-faceAdultContentandServicesMerchants...........................................9-4

9.4.3Non–face-to-faceGamblingMerchants.....................................................................9-5

9.4.4PharmaceuticalandTobaccoProductMerchants......................................................9-6

9.4.5StateLotteryMerchants(U.S.RegionOnly)..............................................................9-7

9.4.6SkillGamesMerchants(U.S.RegionOnly)...............................................................9-9

Chapter10AccountDataProtectionStandardsandPrograms.........10-i

10.1AccountDataProtectionStandards................................................................................10-1

10.2AccountDataCompromiseEvents.................................................................................10-1

10.2.1PolicyConcerningAccountDataCompromiseEventsandPotentialAccount

DataCompromiseEvents.................................................................................................10-2

10.2.2ResponsibilitiesinConnectionwithADCEventsandPotentialADCEvents...........10-3

10.2.3ForensicReport.....................................................................................................10-8

10.2.4AlternativeStandardsApplicabletoCertainMerchants.........................................10-9

10.2.5MasterCardDeterminationofADCEventorPotentialADCEvent.......................10-10

10.2.6Assessmentsand/orDisqualificationforNoncompliance.....................................10-17

10.2.7FinalFinancialResponsibilityDetermination.......................................................10-17

SecurityRulesandProcedures•7February2014iii

TableofContents

10.3MasterCardSiteDataProtection(SDP)Program...........................................................10-18

10.3.1PaymentCardIndustryDataSecurityStandards...................................................10-19

10.3.2ComplianceValidationTools................................................................................10-19

10.3.3AcquirerComplianceRequirements.....................................................................10-20

10.3.4ImplementationSchedule.....................................................................................10-21

10.4ConnectingtoMasterCard—PhysicalandLogicalSecurityRequirements.....................10-28

10.4.1MinimumSecurityRequirements..........................................................................10-28

10.4.2AdditionalRecommendedSecurityRequirements................................................10-29

10.4.3OwnershipofServiceDeliveryPointEquipment.................................................10-30

Chapter11MATCHSystem..................................................................11-i

11.1MATCHOverview..........................................................................................................11-1

11.1.1SystemFeatures.....................................................................................................11-1

11.1.2HowdoesMATCHSearchwhenConductinganInquiry?.....................................11-2

11.2MATCHStandards..........................................................................................................11-4

11.2.1Certification...........................................................................................................11-5

11.2.2WhentoAddaMerchanttoMATCH.....................................................................11-5

11.2.3InquiringaboutaMerchant...................................................................................11-6

11.2.6MATCHRecordRetention......................................................................................11-6

11.4MerchantRemovalfromMATCH....................................................................................11-6

11.5MATCHReasonCodes...................................................................................................11-7

11.5.1ReasonCodesforMerchantsListedbytheAcquirer.............................................11-7

Chapter12Omitted..............................................................................12-i

Chapter13FraudManagementProgram(FMP).................................13-i

13.1AboutFMP.....................................................................................................................13-1

13.1.2FMPLevel2Non-CustomerReviews.....................................................................13-1

AppendixAOmitted...............................................................................A-i

AppendixBFormsetSpecications........................................................B-i

B.1MasterCardFormsetSpecifications....................................................................................B-1

B.1.1FormsetPhysicalDimensions...................................................................................B-1

B.1.2NumberofCopiesandRetentionRequirements.......................................................B-1

B.1.3PaperStockCharacteristics.......................................................................................B-1

B.1.4ColorofInterchangeCopy.......................................................................................B-1

B.1.5Carbon......................................................................................................................B-1

iv7February2014•SecurityRulesandProcedures

TableofContents

B.1.6RegistrationMark......................................................................................................B-2

B.1.7FormsetNumbering..................................................................................................B-2

B.1.8InformationSlipSpecifications.................................................................................B-3

B.2FormsetPrintingStandards...............................................................................................B-3

B.2.1FinancialTransactionFormsets.................................................................................B-3

B.2.2InformationSlipFormsets.........................................................................................B-4

B.2.3Imprinters.................................................................................................................B-5

AppendixCOmitted................................................................................C-i

AppendixDBestPracticesGuides..........................................................D-i

D.1Acquirers’BestPracticesGuide........................................................................................D-1

AppendixEOmitted................................................................................E-i

Denitions.........................................................................G-1

AccessDevice.........................................................................................................................G-1

Account...................................................................................................................................G-1

Acquirer..................................................................................................................................G-1

Activity(ies).............................................................................................................................G-1

AffiliateCustomer,Affiliate.....................................................................................................G-1

AssociationCustomer,Association..........................................................................................G-1

AutomatedTellerMachine(ATM)...........................................................................................G-1

ATMOwnerAgreement..........................................................................................................G-1

ATMTerminal.........................................................................................................................G-1

ATMTransaction.....................................................................................................................G-1

Card........................................................................................................................................G-2

Cardholder..............................................................................................................................G-2

ChipCard(SmartCard,IntegratedCircuitCard,ICCard,orICC)..........................................G-2

ChipTransaction.....................................................................................................................G-2

CirrusAccessDevice...............................................................................................................G-2

CirrusAccount........................................................................................................................G-2

CirrusCard..............................................................................................................................G-2

CirrusCustomer......................................................................................................................G-2

CirrusPaymentApplication....................................................................................................G-2

ContactChipTransaction........................................................................................................G-2

SecurityRulesandProcedures•7February2014v

TableofContents

ContactlessChipTransaction,ContactlessTransaction...........................................................G-2

ContactlessPaymentDevice...................................................................................................G-2

Corporation.............................................................................................................................G-3

Cross-borderTransaction........................................................................................................G-3

Customer.................................................................................................................................G-3

DataStorageEntity(DSE).......................................................................................................G-3

DigitalWalletOperator(DWO)..............................................................................................G-3

DigitalWalletOperatorMark,DWOMark..............................................................................G-3

DomesticTransaction.............................................................................................................G-3

DualInterfaceHybridPOSTerminal......................................................................................G-3

HybridATMTerminal.............................................................................................................G-4

HybridMPOSTerminal...........................................................................................................G-4

HybridPIN-basedIn-BranchTerminal....................................................................................G-4

HybridPOITerminal..............................................................................................................G-4

IndependentSalesOrganization(ISO)...................................................................................G-4

InterchangeSystem.................................................................................................................G-4

InterregionalTransaction........................................................................................................G-4

IntracountryTransaction.........................................................................................................G-5

IntraregionalTransaction........................................................................................................G-5

Issuer......................................................................................................................................G-5

License,Licensed....................................................................................................................G-5

Maestro...................................................................................................................................G-5

MaestroAccessDevice...........................................................................................................G-5

MaestroAccount.....................................................................................................................G-5

MaestroCard...........................................................................................................................G-5

MaestroCustomer...................................................................................................................G-5

MaestroPaymentApplication.................................................................................................G-5

MaestroTransaction................................................................................................................G-5

ManualCashDisbursementTransaction.................................................................................G-5

Marks......................................................................................................................................G-6

MasterCard..............................................................................................................................G-6

MasterCardAccessDevice......................................................................................................G-6

MasterCardAccount................................................................................................................G-6

MasterCard-brandedApplicationIdentifier(AID)...................................................................G-6

vi7February2014•SecurityRulesandProcedures

TableofContents

MasterCardCard.....................................................................................................................G-6

MasterCardCustomer..............................................................................................................G-6

MasterCardEurope.................................................................................................................G-6

MasterCardIncorporated........................................................................................................G-6

MasterCardPaymentApplication............................................................................................G-6

MasterCardPayPassMagneticStripeProfileTransaction........................................................G-6

MasterCardPayPass-M/ChipTransaction................................................................................G-6

MasterCardTransaction...........................................................................................................G-6

Member,Membership.............................................................................................................G-7

Merchant.................................................................................................................................G-7

MerchantAgreement...............................................................................................................G-7

MobilePaymentDevice..........................................................................................................G-7

MobilePOS(MPOS)Terminal................................................................................................G-7

Participation............................................................................................................................G-7

Pass-throughDigitalWallet.....................................................................................................G-7

Pass-throughDigitalWalletOperator(DWO).........................................................................G-7

PaymentApplication...............................................................................................................G-7

PaymentFacilitator.................................................................................................................G-8

PIN-basedIn-BranchTerminal................................................................................................G-8

PIN-basedIn-BranchTerminalTransaction............................................................................G-8

PointofInteraction(POI).......................................................................................................G-8

POITerminal..........................................................................................................................G-8

Portfolio..................................................................................................................................G-8

Point-of-Sale(POS)Terminal..................................................................................................G-8

POSTransaction......................................................................................................................G-8

PrincipalCustomer,Principal..................................................................................................G-8

Program..................................................................................................................................G-8

ProgramServices....................................................................................................................G-9

Region.....................................................................................................................................G-9

Rules.......................................................................................................................................G-9

ServiceProvider......................................................................................................................G-9

ServiceProviderRegistrationFacilitator..................................................................................G-9

Settlement...............................................................................................................................G-9

SettlementDate.......................................................................................................................G-9

SecurityRulesandProcedures•7February2014vii

TableofContents

Sponsor,Sponsorship.............................................................................................................G-9

StagedDigitalWallet...............................................................................................................G-9

StagedDigitalWalletOperator(DWO)..................................................................................G-10

Standards...............................................................................................................................G-10

Stand-InParameters...............................................................................................................G-10

Stand-InProcessingService...................................................................................................G-10

Sub-merchant.........................................................................................................................G-10

Terminal.................................................................................................................................G-10

ThirdPartyProcessor(TPP)...................................................................................................G-10

Transaction............................................................................................................................G-10

Volume...................................................................................................................................G-10

viii7February2014•SecurityRulesandProcedures

Chapter1CustomerObligations

ThischapterdescribesgeneralCustomercomplianceandProgramobligationsrelatingto

MasterCardCardissuingandMerchantacquiringProgramActivities.

1.1CompliancewiththeStandards................................................................................................1-1

1.2ConflictwithLaw.....................................................................................................................1-1

1.3TheSecurityContact................................................................................................................1-1

SecurityRulesandProcedures•7February20141-i

CustomerObligations

1.1CompliancewiththeStandards

ThismanualcontainsStandards.EachCustomermustcomplyfullywiththese

Standards.

AlloftheStandardsinthismanualareassignedtononcompliancecategoryA

underthecomplianceframeworksetforthinChapter2oftheMasterCard

Rulesmanual(“thecomplianceframework”),unlessotherwisespecifiedin

thetablebelow.Thenoncomplianceassessmentscheduleprovidedinthe

complianceframeworkpertainstoanyStandardintheSecurityRulesand

ProceduresmanualthatdoesnothaveanestablishedcomplianceProgram.The

Corporationmaydeviatefromthescheduleatanytime.

SectionNumberSectionTitleCategory

1.3TheSecurityContactC

2.3ContractingwithCard

RegistrationCompanies

3.11.3StandardWordingB

7.1.3RetentionofInvestigative

Records

1.2ConictwithLaw

ACustomerisexcusedfromcompliancewithaStandardinanycountry

orregionofacountryonlytotheextentthatcompliancewouldcausethe

Customertoviolatelocalapplicablelaworregulation,andfurtherprovidedthat

theCustomerpromptlynotifiestheCorporation,inwriting,ofthebasisforand

natureofaninabilitytocomply.TheCorporationhastheauthoritytoapprove

localalternativestotheseStandards.

1.3TheSecurityContact

EachCustomermusthaveaSecurityContactlistedforeachofitsMember

IDs/ICAnumbersintheMemberInformationtoolonMasterCardConnect™.

SecurityRulesandProcedures•7February20141-1

Chapter2Omitted

Thischapterhasbeenomitted.

SecurityRulesandProcedures•7February20142-i

Chapter3CardandTIDDesignStandards

ThischaptermaybeofparticularinteresttoIssuersandvendorscertiedbyMasterCard

responsibleforthedesign,creation,andcontrolofCards.Itprovidesspecicationsforall

MasterCard,Maestro,andCirrusCardProgramsworldwide.

3.9CardValidationCode(CVC)....................................................................................................3-1

3.9.4AcquirerRequirementsforCVC2...................................................................................3-1

3.10ServiceCodes.........................................................................................................................3-1

3.10.2AcquirerInformation.....................................................................................................3-1

3.10.3ValidServiceCodes.......................................................................................................3-2

3.10.4AdditionalServiceCodeInformation............................................................................3-3

3.11TransactionInformationDocuments(TIDs)...........................................................................3-3

3.11.1FormsetContents...........................................................................................................3-4

3.11.2POSTerminalReceiptContents.....................................................................................3-5

3.11.3StandardWording..........................................................................................................3-6

3.11.4PrimaryAccountNumberTruncationandExpirationDateOmission...........................3-7

SecurityRulesandProcedures•7February20143-i

CardandTIDDesignStandards

3.9CardValidationCode(CVC)

TheCVCisasecurityfeaturewithcomponentsidentifiedelsewhereinthis

manual.UseofCVCsmakesitmoredifficultforcounterfeiterstoalterCards

andreusethemforfraudulentpurposes.

3.9.4AcquirerRequirementsforCVC2

WhentheMerchantprovidestheindent-printedCVC2value,theAcquirer

mustincludetheCVC2valueinDE48,subelement92oftheAuthorization

Request/0100message.TheAcquirerisalsoresponsibleforensuringthatthe

MerchantreceivestheCVC2responsecodeprovidedbytheIssuerinDE48,

subelement87oftheAuthorizationRequestResponse/0110message.

Allnon-face-to-facegamblingTransactionsconductedwithaMasterCardCard>>

mustincludetheCVC2valueinDE48,subelement92oftheAuthorization

Request/0100message.

3.10ServiceCodes

Theservicecode,athree-digitnumberthatcomplieswithISO7813

(IdentificationCards—FinancialTransactionCards),isencodedonTrack1

andTrack2ofthemagneticstripeofaCardandindicatestoamagnetic

stripe-readingterminaltheTransactionacceptanceparametersoftheCard.

EachdigitoftheservicecoderepresentsadistinctelementoftheIssuer’s

Transactionacceptancepolicy.However,notallcombinationsofvaliddigits

formavalidservicecode,norareallservicecodecombinationsvalidforall

CardPrograms.IssuersmayencodeonlyoneservicecodeonCards,andthe

samevaluemustbeencodedonbothTrack1andTrack2intheirrespective,

designatedpositions.

ServicecodesprovideIssuerswithflexibilityindefiningCardacceptance

parameters,andprovideAcquirerswiththeabilitytointerpretIssuers’Card

acceptancepreferencesforallPOIconditions.

Servicecodesapplytomagneticstripe-readTransactionsonly.Inthecaseof

ChipCardsusedinHybridPOSTerminals,theHybridPOSTerminalusesthe

dataencodedinthechiptocompletetheTransaction.

NOTE

Avalueof2or6inposition1oftheservicecodeindicatesthatachipispresent

onaCardwhichcontainstheMasterCardapplicationthatispresentonthe

magneticstripe.

3.10.2AcquirerInformation

AcquirersmustensurethattheirhybridPOIterminalsdonotrejectorotherwise

declinetocompleteaTransactionsolelybecauseoftheservicecodeencoded

onthemagneticstripe.

SecurityRulesandProcedures•7February20143-1

CardandTIDDesignStandards

3.10ServiceCodes

Acquirersarenotrequiredtoactontheservicecodesatthistimeunless:

•Avalueof2or6ispresentinposition1oftheservicecodeforaMasterCard

PaymentApplication.ThehybridPOIterminalmustfirstattempttoprocess

theTransactionasachipTransaction;or

•ThePOIterminalislocatedintheEuropeRegionandhasmagnetic

stripe-readingcapability,andavalueof2ispresentinposition2ofthe

servicecodeforaMasterCardPaymentApplication.TheAcquirermust

ensurethatauthorizationisobtainedbeforetheMerchantcompletesa

magneticstripe-readTransaction.

3.10.3ValidServiceCodes

Table3.3definesservicecodevaluesforMasterCard,MasterCardElectronic,

Maestro,andCirrusPaymentApplicationsandeachpositionofthethree-digit

servicecode.

NOTE

Servicecodesarethreepositionsinlength.Toidentifyvalidservicecodevalues,

combinethevalidnumbersforeachofthethreepositionsinthistable.The

value000isnotavalidservicecodeandmustnotbeencodedonthemagnetic

stripeofMasterCard,MasterCardElectronic,Maestro,orCirruscards.

Table3.3—ServiceCodeValues

DenitionPosition1Position2Position3

InternationalCard1

InternationalCard—IntegratedCircuitCard2

NationalUseOnly5

NationalUseOnly—IntegratedCircuitCard6

PrivateLabelorProprietaryCard7

NormalAuthorization0

PositiveOnlineAuthorizationRequired2

PINRequired0

NormalCardholderVerification,NoRestrictions1

NormalCardholderVerification—Goodsandservicesonly

atPointofInteraction(nocashback)2

ATMOnly,PINRequired3

PINRequired—GoodsandservicesonlyatPointof

Interaction(nocashback)5

3-27February2014•SecurityRulesandProcedures

CardandTIDDesignStandards

3.11TransactionInformationDocuments(TIDs)

DenitionPosition1Position2Position3

PromptforPINifPINPadPresent6

PromptforPINifPINPadPresent—Goodsandservices

onlyatPointofService(nocashback)7

NOTE

InAuthorizationRelease06.2,supportofPurchaseofGoodsandServiceswith

CashBackTransactionswasmandatedforDebitMasterCard®cards.Position3,

values5and7arenotvalidvaluesapplicableforDebitMasterCardTransactions.

3.10.4AdditionalServiceCodeInformation

ThefollowinginformationexplainstheservicecodevaluesinTable3.3.

•NormalauthorizationisanauthorizedTransactionaccordingtothe

establishedrulesgoverningTransactionsatthePOI.

•PositiveOnlineAuthorizationRequiredservicecodes(valueof2in

position2)indicatethatanelectronicauthorizationmustberequestedfor

allTransactions.ThisservicecodevaluemustbeusedonMasterCard

Electronic™cards,butisoptionalforMasterCardUnembossedcards.

•NormalCardholderverificationindicatesthattheCardholderverification

method(CVM)mustbeperformedinaccordancewithestablishedrules

governingCardholderverificationatthePOI.

•ICC-relatedservicecodes(valueof2or6inposition1)arepermittedonly

onChipCardscontainingaMasterCardorCirrusPaymentApplication

type-approvedbyMasterCardoritsagent.

•ICC-relatedservicecodes(valueof2or6inposition1)maynotbeused

forstand-alonestoredvalue(purse)applicationsthatresideonMasterCard

orCirruscards.Intheseinstances,avalueof1mustbeplacedinthefirst

position.

•NationalUseOnlyservicecodes(valueof5or6inposition1)arepermitted

onlyonNationalUseOnlyCardsapprovedbyMasterCard.Thisincludes

PIN-relatedservicecodesonNationalUseOnlyCards(forexample,506)

governedbylocalPINprocessingrules.

•Privatelabelorproprietaryservicecodes(valueof7inposition1)onCards

thatcontainavalidMasterCardBINarepermittedonlyonprivatelabelor

proprietaryCardsapprovedbyMasterCard.

IssuersmaynotusePIN-relatedservicecodesforCardProgramsunless

MasterCardhasapprovedtheindicateduseofaPIN.

3.11TransactionInformationDocuments(TIDs)

TransactionInformationDocuments(TIDs)usedininterchangeTransactions

mustcomplywiththeStandardssetforthinthissection.

SecurityRulesandProcedures•7February20143-3

CardandTIDDesignStandards

3.11TransactionInformationDocuments(TIDs)

BelowisalistofthetypesofTIDsdiscussedinthissection:

•Retailsale

•Credit

•Cashdisbursement

•Information

NOTE

TheAcquirermustretainacopyoftheTIDforatleast13months.

IftheMerchantusesamanualimprinter,theTIDproducediscalledaformset

orslip.ForMasterCardformsetspecifications,refertoAppendixB.

IfaTransactionbeginsatanelectronicterminal,theMerchantmaysubstitutea

terminalreceiptforaformset.Terminalreceiptshavenoprescribedphysical

specificationsbutmustbenumberedsequentiallyforreferencepurposes.

ATIDmustnotreflectthefollowinginformation:

•ThePIN,anypartofthePIN,oranyfillcharactersrepresentingthePIN

•TheCVC2,whichispresentinawhitepaneladjacenttothesignature

paneloftheCard

MasterCardprohibitstherecordingofPINdataandCVCdatainanymanner

foranypurpose.

3.11.1FormsetContents

Eachcopyofaretailsale,credit,orcashdisbursementformsetshallsatisfy

minimumstatutoryandregulatoryrequirementsinthejurisdictioninwhichthe

sliporiginatesandanyapplicableregulations,issuedbytheU.S.Boardof

GovernorsoftheFederalReserveSystemorotherregulatoryauthorities,and

shallcontainthefollowing:

3-47February2014•SecurityRulesandProcedures

CardandTIDDesignStandards

3.11TransactionInformationDocuments(TIDs)

•Inthecaseofretailsaleandcreditslips,aspaceforthedescriptionof

goods,services,orotherthingsofvaluesoldbytheMerchanttothe

customerandthecostthereof,insufficientdetailtoidentifytheTransaction.

•Adequatespacesfor:

–Thecustomer’ssignature

–CardimprintandtheMerchantorbankidentificationplateimprint

–DateoftheTransaction

–Authorizationnumber(exceptoncreditslips)

–Salesclerk’sorteller’sinitialsordepartmentnumber

–Currencyconversionfield

–Merchant’ssignatureoncreditslips

–DescriptionofthepositiveidentificationsuppliedbytheCardholderon

cashdisbursementsandretailsaleslipsforcertainuniqueTransactions.

•Alegendclearlyidentifyingtheslipasaretailsale,credit,orcash

disbursementandidentifyingthereceivingpartyofeachcopy.

•Onthecustomercopyoftheformset,thewords(inEnglish,locallanguage,

orboth):“IMPORTANT—retainthiscopyforyourrecords,”orwordsto

similareffect.

•Suchothercontentsasarenotinconsistentwiththeserules.

MasterCardrecommendsthateachretailsale,credit,andcashdisbursement

slipbearameansofidentifyingtheCustomerthatdistributedthesliptothe

Merchant.

3.11.2POSTerminalReceiptContents

EachcopyofaPOSTerminalreceiptshallsatisfyallrequirementsofapplicable

law,andshallcontainthefollowinginformation:

SecurityRulesandProcedures•7February20143-5

CardandTIDDesignStandards

3.11TransactionInformationDocuments(TIDs)

•DoingBusinessAs(DBA)Merchantname,cityandstate,country,orthe

pointofbankinglocation

•Transactiondate

•MasterCardAccountnumber(refertosection3.11.4fordetailsondisplaying

theMasterCardAccountnumber)

•TransactionamountintheoriginalTransactioncurrency

•Adequatespaceforthecustomer’ssignature,unlesstheTransactionis

completedwithaPINastheCVMornoCVMisused(signaturespace

requiredonMerchantcopyonly)

•Authorizationapprovalcode(exceptoncreditreceipts).Optionally,

theAcquireralsomayprinttheTransactioncertificate,theapplication

cryptogram,orbothforChipCardTransactions.

•Merchant’ssignatureoncreditreceiptsonly

EachreceiptshallclearlyidentifytheTransactionasaretailsale,credit,or

cashdisbursement.

3.11.3StandardWording

MasterCardhasdevelopedthefollowingstandardwordingforuseonthe

interchangecopyoftheformset.Usethestandardwording,whichmayappear

inEnglish,thelocallanguage,orboth,unlessMasterCardhaspreviously

grantedavariancepermittinguseofotherwording.

Retailsaleslips:“TheIssueroftheCardidentifiedonthisitemis

authorizedtopaytheamountshownas‘total’upon

properpresentation.Ipromisetopaysuchtotal

(togetherwithanyotherchargesduethereon)subject

toandinaccordancewiththeagreementgoverning

theuseofsuchCard.”

Creditslips:“IrequestthattheaboveCardholderaccountbe

creditedwiththeamountshownas‘total’becauseof

thereturnof,oradjustmentson,thegoods,services,

orotheritemsofvaluedescribed,andauthorizethe

banktowhichthiscreditslipisdeliveredtocharge

myaccountinaccordancewithmyagreementwith

suchbank.”

Cashdisbursement

slips:

“IherebyrequesttheIssueroftheCardidentified

abovetopaytobearertheamountshownas‘total’

hereon.IherebyconfirmthatIwillpaysaidamount,

withanychargesduethereon,tosaidIssuerin

accordancewithtermsoftheagreementgoverning

theuseofsaidCard.”

3-67February2014•SecurityRulesandProcedures

CardandTIDDesignStandards

3.11TransactionInformationDocuments(TIDs)

Informationslips:“Informationonthissliprelatestothetypeof

Transactionindicatedabove,andtheamountshown

hereonasthetotalshouldagreewiththeamounton

thereceiptprovidedatthetimeoftheTransaction.”

3.11.4PrimaryAccountNumberTruncationandExpirationDate

Omission

Forinformationonthistopic,referto“PrimaryAccountNumber(PAN)>>

TruncationandExpirationDateOmission”(under“ProvidingaTransaction

Receipt”)inChapter3oftheTransactionProcessingRulesmanual.

SecurityRulesandProcedures•7February20143-7

Chapter4POITerminalandPINSecurityStandards

ThischaptermaybeofparticularinteresttoIssuersofCardsthatsupportPINasa

Cardholdervericationmethod(CVM)andAcquirersofPoint-of-Interaction(POI)Terminals

thatacceptPINasaCVM.Refertotheapplicabletechnicalspecicationsandthe

TransactionProcessingRulesmanualforadditionalPOITerminalandTransactionprocessing

requirementsrelatingtotheuseofaPIN.

4.1PersonalIdentificationNumbers(PINs)...................................................................................4-1

4.3PINVerification........................................................................................................................4-1

4.5PINEncipherment....................................................................................................................4-2

4.6PINKeyManagement..............................................................................................................4-2

4.6.1PINTransmissionBetweenCustomerHostSystemsandtheInterchangeSystem...........4-2

4.6.2On-behalfKeyManagement...........................................................................................4-3

4.7PINatthePOIforMasterCardMagneticStripeTransactions...................................................4-4

4.8POITerminalSecurityStandards..............................................................................................4-4

4.9HybridPOITerminalSecurityStandards..................................................................................4-5

4.10PINEntryDeviceStandards...................................................................................................4-6

4.11WirelessPOSTerminalsandInternet/Stand-aloneIP-enabledPOSTerminalSecurity

Standards.......................................................................................................................................4-7

4.12POSTerminalsUsingElectronicSignatureCaptureTechnology(ESCT)................................4-8

4.13ComponentAuthentication....................................................................................................4-8

4.14TripleDESMigrationStandards..............................................................................................4-9

SecurityRulesandProcedures•7February20144-i

POIT erminalandPINSecurityStandards

4.1PersonalIdenticationNumbers(PINs)

AnIssuermustgiveeachofitsCardholdersapersonalidentificationnumber

(PIN)inconjunctionwithMasterCardCardissuance,oroffertheCardholder

theoptionofreceivingaPIN.TheIssuermustgivetheCardholderaPIN

inconjunctionwithMaestroCardandCirrusCardissuance.ThePIN

allowsCardholderstoaccesstheMasterCardATMNetwork®acceptingthe

MasterCard®,Maestro®,andCirrus®brands,andtoconductTransactionsat

Cardholder-activatedterminal(CAT)1devices,MaestroMerchantlocations,and

HybridPoint-of-Sale(POS)Terminals.

AnIssuershouldrefertotheguidelinesforPINandkeymanagementsetforth

intheIssuerPINSecurityGuidelines.

AnAcquirermustcomplywiththelatesteditionofthefollowingdocuments,

availableatwww.pcisecuritystandards.org:

•PaymentCardIndustryPINSecurityRequirements

•PaymentCardIndustryPOSPINEntryDeviceSecurityRequirements

•PaymentCardIndustryEncryptingPINPadSecurityRequirements

4.3PINVerication

AnIssuermustbecapableofverifyingPINsbasedonamaximumofsix

characters.TheIssuermayusethePINverificationalgorithmofitschoice.

IfaCardisencodedwithaPINVerificationValue(PVV),thentheIssuermay

usetheMasterCardPINverificationserviceforauthorizationprocessing.Ifa

proprietaryalgorithmisusedforthePVVcalculationorthePVVisnotencoded

ontheCard,thenPINverificationwillnotbeperformedonaTransaction

authorizedbymeansoftheStand-InProcessingService.

ACustomerinaRegionotherthantheEuropeRegionmayreferto“PIN

ProcessingforNon-EuropeRegionCustomers”intheAuthorizationManual,

Chapter9,“AuthorizationServicesDetails”formoreinformationaboutthe

MasterCardPINverificationservice,inwhichtheMasterCardWorldwide

NetworkperformsPINverificationonbehalfofCardIssuers.EuropeRegion

CustomersshouldrefertoChapter12,"PINProcessingforEuropeRegion

Customers,"oftheAuthorizationManual.

Referto“PINGenerationVerification”inSingleMessageSystemSpecifications,

Chapter6,“Encryption”formoreinformationaboutPINverificationthatthe

MasterCardWorldwideNetworkperformsdirectlyforDebitMasterCardCard

andMaestroandCirrusCardIssuers,andthetwoPINverificationmethods(IBM

3624andABA)thatthePINverificationservicesupports.TheANSIformatof

PINblockconstructionisalsodescribedinthatchapter.

SecurityRulesandProcedures•7February20144-1

POIT erminalandPINSecurityStandards

4.5PINEncipherment

AllCustomersandtheiragentsperformingPINTransactionprocessingmust

complywiththesecurityrequirementsforPINenciphermentspecifiedinthe

PaymentCardIndustryPINSecurityRequirements.

AllIssuersandtheiragentsperformingPINprocessingshouldalsorefer

totheMasterCardIssuerPINSecurityGuidelinesdocumentregardingPIN

encipherment.

4.6PINKeyManagement

Keymanagementistheprocessofcreating,distributing,maintaining,storing,

anddestroyingcryptographickeys,includingtheassociatedpoliciesand

proceduresusedbyprocessingentities.

AllAcquirersandtheiragentsperformingPINTransactionprocessingmust

complywiththesecurityrequirementsforPINandkeymanagementspecified

inthePaymentCardIndustryPINSecurityRequirements.

Inaddition,allAcquirersandtheiragentsmustadheretothefollowing

StandardsforPINencryption:

1.PerformallPINencryption,translation,anddecryptionforthenetwork

usinghardwareencryption.

2.DonotperformPINencryption,translation,ordecryptionunderTripleData

EncryptionStandard(DES)softwareroutines.

3.UsetheTripleDESalgorithmtoperformallencryption.

AllIssuersandtheiragentsperformingPINprocessingshouldrefertothe

MasterCardIssuerPINSecurityGuidelinesregardingallaspectsofIssuerPIN

andPINkeymanagement,includingPINselection,transmission,storage,usage

guidance,andPINchange.

4.6.1PINTransmissionBetweenCustomerHostSystemsand

theInterchangeSystem

TheInterchangeSystemandCustomersexchangePINencryptionkeys(PEKs)

intwomanners:staticallyanddynamically.DirectlyconnectedCustomersthat

areprocessingMasterCardTransactionsthatcontainaPINmayuseeitherstatic

ordynamickeyencryptiontoencipherthePIN.

MasterCardstronglyrecommendsusingdynamicPEKs.StaticPEKsmustbe

replacedasindicatedinthereferencesbelow.

ForinformationaboutPINkeymanagementandrelatedservices,including

requirementsforkeychangeintervalsandemergencykeys,refertothemanuals

listedinTable4.1,whichareavailablethroughtheMasterCardConnect™

Publicationsproduct.

4-27February2014•SecurityRulesandProcedures

POIT erminalandPINSecurityStandards

4.6PINKeyManagement

Table4.1—PINKeyManagementReferences

ForTransactionauthorizationrequestmessages

routedthrough…Referto…

MasterCardWorldwideNetwork/

DualMessageSystem

AuthorizationManual

MasterCardWorldwideNetwork/

SingleMessageSystem

Specifications

MasterCardKeyManagementCenterviathe

On-behalfKeyManagement(OBKM)Interface

On-behalfKeyManagement

(OBKM)Procedures

and

On-behalfKeyManagement

(OBKM)Interface

Specifications

4.6.2On-behalfKeyManagement

MasterCardofferstheOn-behalfKeyManagement(OBKM)servicetoEurope

RegionCustomersasameanstoensurethesecuretransferofCustomer

cryptographickeystotheMasterCardKeyManagementCenter.OBKMservices

offerCustomersthreekeyexchangeoptions:

•One-LevelKeyHierarchy—Customersdelivertheircryptographickeys

inthreecleartextcomponentstothreeMasterCardEuropesecurity

officers.ThesecurityofficersthenloadthekeycomponentsintotheKey

ManagementCenter.

•Two-LevelKeyHierarchy—TheKeyManagementCentergeneratesand

deliverstransportkeystoCustomersinthreeseparatecleartextcomponents.

Customersusethetransportkeystoprotectandsendtheircryptographic

keystoKeyManagementServicesinWaterloo,Belgium.KeyManagement

ServicesthenloadstheCustomerkeysintotheKeyManagementCenter.

•Three-LevelKeyHierarchy—TheKeyManagementCenterusespublickey

techniquestodelivertransportkeystoCustomersinthreeseparateclear

textcomponents.Customersusethetransportkeystoprotectandsend

theircryptographickeystoKeyManagementServicesinWaterloo,Belgium.

KeyManagementServicesthenloadstheCustomerkeysintotheKey

ManagementCenter.

MasterCardrecommendsthatCustomersusetheTwo-LevelorThree-Level

KeyHierarchy,bothofwhichusetransportkeystoestablishasecurechannel

betweentheCustomerandtheKeyManagementCenter.

MasterCardhasdevelopedaCryptographySelfTestTool(CSTT)toassist

CustomersinmeetingOBKMinterfacerequirements.Customersmustuse

theCSTTbeforeexchangingkeyswithKeyManagementServicesusingthe

Two-LevelandThree-LevelHierarchies.

SecurityRulesandProcedures•7February20144-3

POIT erminalandPINSecurityStandards

4.7PINatthePOIforMasterCardMagneticStripeTransactions

CustomersmustregistertoparticipateintheOBKMservice.Formore

information,contactkey_management@mastercard.comorrefertothe

On-behalfKeyManagement(OBKM)ProceduresandOn-behalfKey

Management(OBKM)InterfaceSpecifications,availableviatheMasterCard

ConnectPublicationsproduct.

4.7PINatthePOIforMasterCardMagneticStripe

Transactions

MasterCardmayauthorizetheuseofaPINforMasterCardmagneticstripe

TransactionsatselectedMerchanttypes,POSTerminaltypes,orMerchant

locationsinspecificcountries.MasterCardrequirestheuseofaPINatCAT

1devices.AcquirersandMerchantsthatsupportPIN-basedMasterCard

magneticstripeTransactionsmustprovideCardholderswiththeoptionofa

signature-basedTransaction,unlesstheTransactionoccursataCAT1deviceor

ataCAT3devicewithofflinePINcapabilityforChipTransactions.

MasterCardrequiresMerchantstoprovideaPOSTerminalthatmeetsspecific

requirementsforPINprocessingwhereveranapprovedimplementationtakes

place.Whenapplicable,eachTransactionmustbeinitiatedwithaCardin

conjunctionwiththePINenteredbytheCardholderattheterminal.The

AcquirermustbeabletotransmitthePINintheAuthorizationRequest/0100

messageincompliancewithallapplicablePINsecurityStandards.

AcquirersandMerchantsmustnotrequireaCardholdertodisclosehisor

herPIN,otherthanbyprivateentryintoasecurePINentrydevice(PED)as

describedinsection4.9ofthismanual.

AcquirersmustcontrolPOIterminalsequippedwithPINpads.Ifaterminalis

capableofpromptingforthePIN,theAcquirermustincludethePINandfull

magneticstripe-readdataintheAuthorizationRequest/0100message.

MasterCardwillvalidatethePINwhenprocessingforIssuersthatprovide

thenecessarykeystoMasterCardpursuanttotheseStandards.AllotherPOI

TransactionscontainingPINdatawillbedeclinedinStand-Inprocessing.

4.8POITerminalSecurityStandards

TheAcquirermustensurethateachPOITerminal:

1.HasamagneticstripereadercapableofreadingTrack2dataand

transmittingsuchdatatotheIssuerforauthorization;

2.PermitstheCardholdertoenterPINdatainaprivatemanner;

3.PreventsanewTransactionfrombeinginitiatedbeforethepriorTransaction

iscompleted;and

4.ValidatestheauthenticityoftheCardorotherAccessDevice.

4-47February2014•SecurityRulesandProcedures

POIT erminalandPINSecurityStandards

4.9HybridPOIT erminalSecurityStandards

FormagneticstripeTransactions,thefollowingchecksmustbeperformedby

theAcquirer(eitherinthePOITerminalortheAcquirerhostsystem),before

theauthorizationrequestisforwarded:

1.LongitudinalRedundancyCheck(LRC)—Themagneticstripemustberead

withoutLRCerror.

2.TrackLayout—Thetracklayoutmustconformtothespecificationsin

AppendixA.

WithrespecttotheelectronicfunctionsperformedbyaPOITerminal,the

followingrequirementsapply:

1.ATransactionmaynotbedeclinedduetobankidentificationnumber

(BIN)/Issueridentificationnumber(IIN)validation.

2.ATransactionmaynotbedeclinedasaresultofeditsorvalidations

performedontheprimaryaccountnumber(PAN)length,expirationdate,

servicecode,discretionarydata,orcheckdigitdataoftheAccessDevice.

3.TestsoreditsonTrack1mustnotbeperformedforthepurposeof

disqualifyingaCardfromeligibilityforInterchangeSystemprocessing.

4.9HybridPOITerminalSecurityStandards

TheAcquirermustensurethataHybridPOITerminalcomplieswithallof

thefollowingStandards:

•EachHybridPOSTerminalthatreadsandprocessesEMV-compliant

paymentapplicationsmustreadandprocessEMV-compliantMasterCard

andMaestroPaymentApplications.

•EachHybridATMandHybridPIN-basedIn-BranchTerminalthatreadsand

processesEMV-compliantpaymentapplicationsmustreadandprocess

EMV-compliantMasterCard,Maestro,andCirrusPaymentApplications.

•EachHybridPOITerminalmustperformaChipTransactionwhenaChip

CardorAccessDeviceispresentedincompliancewithallapplicable

Standards,includingthoseStandardssetforthintheM/ChipRequirements

manual.

•Eachoffline-capableHybridPOSTerminalmustsupportofflineStaticData

Authentication(SDA)andofflineDynamicDataAuthentication(DDA)as

Cardauthenticationmethods(CAMs).Eachoffline-capableHybridPOS

TerminalcertifiedbyMasterCardonorafter1January2011alsomust

supportofflineCombinedDataAuthentication(CDA)asaCAM.

SecurityRulesandProcedures•7February20144-5

POIT erminalandPINSecurityStandards

4.10PINEntryDeviceStandards

•ExceptintheUnitedStatesRegion,eachoffline-capableHybridPOS

TerminalcertifiedbyMasterCardonorafter1January2011mustsupport

offlinePINprocessingasaCardholderverificationmethod(CVM).In

Taiwan,thisrequirementappliestoHybridPOSTerminalscertifiedby

MasterCardonorafter1January2013.

•IntheUnitedStatesRegion,eachHybridPOSTerminalthatsupportsPIN

mustsupportbothonlinePINandofflinePINprocessing.

•EachHybridPOSTerminalthatsupportsofflinePINprocessingmust

supportbothcleartextandencryptedPINoptions.

4.10PINEntryDeviceStandards

APEDonanATMTerminal,PIN-basedIn-BranchTerminal,orPOSTerminal

musthaveanumerickeyboardtoenabletheentryofPINs,withan‘enterkey’

functiontoindicatethecompletionofentryofavariablelengthPIN.

InallRegionsexcepttheCanadaandUnitedStatesRegions,aPEDmustaccept

PINshavingfourtosixnumericcharacters.IntheCanadaandU.S.Regions,a

PEDmustsupportPINsofupto12alphanumericcharacters.Itisrecommended

thatallPEDssupporttheinputofPINsinletter-numbercombinationsasfollows:

1Q,Z6M,N,O

2A,B,C7P,R,S

3D,E,F8T,U,V

4G,H,I9W,X,Y

5J,K,L

AnAcquirermustensurethatallPEDsthatarepartofPOSTerminalsmeetthe

followingPaymentCardIndustry(PCI)requirements:

1.AllPEDsmustbecompliantwiththePaymentCardIndustryPINSecurity

Requirementsmanual.

2.Allnewlyinstalled,replaced,orrefurbishedPEDsmustbecompliantwith

thePCIPOSPEDSecurityRequirementsandEvaluationProgram.

3.AllPEDsmustbeincompliancewiththePCIPOSPEDSecurity

RequirementsandEvaluationProgramorappearontheMasterCardlist

ofapproveddevices.

AsarequirementforPEDtestingunderthePCIPOSPEDSecurityRequirements

andEvaluationProgram,thePEDvendormustcompletetheformsinthe

PaymentCardIndustryPOSPINEntryDeviceSecurityRequirementsmanual,

alongwiththePaymentCardIndustryPOSPINEntryDeviceEvaluationVendor

Questionnaire.Thevendormustsubmitallformstogetherwiththeproper

paperwork,includingtherequiredPEDsamples,totheevaluationlaboratory.

4-67February2014•SecurityRulesandProcedures

POIT erminalandPINSecurityStandards

4.11WirelessPOSTerminalsandInternet/Stand-aloneIP-enabledPOST erminalSecurityStandards

IfaCustomerorMasterCardquestionsaPEDwithrespecttophysicalsecurity

attributes(thosethatdeteraphysicalattackonthedevice)orlogicalsecurity

attributes(functionalcapabilitiesthatpreclude,amongotherthings,theoutput

ofacleartextPINoracryptographickey),MasterCardhastherighttoeffectan

independentevaluationperformedatthemanufacturer’sexpense.

MasterCardwillconductperiodicsecurityreviewswithselectedAcquirersand

Merchants.ThesereviewswillensurecompliancewithMasterCardsecurity

requirementsandgenerallyacceptedbestpractices.

WARNING!

ThephysicalsecurityofthePEDdependsonitspenetrationcharacteristics.

Virtuallyanyphysicalbarriermaybedefeatedwithsufcienteffort.

ForsecuretransmissionofthePINfromthePEDtotheIssuerhostsystem,

thePEDmustencryptthePINusingtheapprovedalgorithm(s)forPIN

enciphermentlistedinISO9564-2andtheappropriatePINblockformatas

providedinISO9564-1.

IfthePINpadandthesecurecomponentofthePEDarenotintegratedintoa

singletamper-evidentdevice,thenforsecuretransmissionofthePINfromthe

PINpadtothesecurecomponent,thePINpadmustencryptthePINusingthe

approvedalgorithm(s)forPINenciphermentlistedinISO9564-2.

4.11WirelessPOSTerminalsandInternet/Stand-alone

IP-enabledPOSTerminalSecurityStandards

MasterCardhasestablishedsecurityrequirementsfortheencryptionofsensitive

databyPOSTerminals.TheserequirementsapplytoPOSTerminalsthatuse

wideareawirelesstechnologies,suchasgeneralpacketradioservice(GPRS)

andcodedivisionmultipleaccess(CDMA),tocommunicatetohostsand

stand-aloneIP-connectedterminalsthatlinkviatheInternet.

AllwirelessPOSTerminalsandInternet/IP-enabledPOSTerminalsmust

supporttheencryptionofTransactionandCardholderdatabetweenthePOS

Terminalandtheserversystemwithwhichtheycommunicate,usingencryption

algorithmsapprovedbyMasterCard.

IfthedeployedInternet/IP-enabledPOSTerminalsaresusceptibletoattacks

frompublicnetworks,Acquirersmustensurethattheyareapprovedbythe

MasterCardIPPOSTerminalSecurity(PTS)TestingProgram.

Internet/IP-enabledPOSTerminalsmaybesubmittedforsecurityevaluation

atlaboratoriesrecognizedbytheMasterCardIPPTSTestingProgramfor

subsequentapproval.

AllAcquirersdeployingwirelessPOSTerminalsorInternet/IP-enabledPOS

Terminalsmustrefertothefollowingrequiredsecuritydocuments:

SecurityRulesandProcedures•7February20144-7

POIT erminalandPINSecurityStandards

4.12POST erminalsUsingElectronicSignatureCaptureTechnology(ESCT)

•POSTerminalSecurityProgram—ProgramManual

•POSTerminalSecurityProgram—SecurityRequirements

•POSTerminalSecurityProgram—DerivedTestRequirements

•POSTerminalSecurityProgram—VendorQuestionnaire

•PaymentCardIndustryDataSecurityStandard(producedbythePCI

SecurityStandardsCouncil)

•AnyotherrelatedsecuritydocumentsthatMasterCardmaypublishfrom

timetotime.

4.12POSTerminalsUsingElectronicSignatureCapture

Technology(ESCT)

AnAcquirerthatdeploysPOSTerminalsusingElectronicSignatureCapture

Technology(ESCT)mustensurethefollowing:

•Properelectronicdataprocessing(EDP)controlsandsecurityareinplace,

sothatdigitizedsignaturesarerecreatedonaTransaction-specificbasis.

TheAcquirermayrecreatethesignaturecapturedforaspecificTransaction

onlyinresponsetoaretrievalrequestfortheTransaction.

•Appropriatecontrolsexistoveremployeeswithauthorizedaccessto

digitizedsignaturesmaintainedintheAcquirerorMerchanthostcomputers.

Onlyemployeesandagentswitha“needtoknow”shouldbeabletoaccess

thestored,electronicallycapturedsignatures.

•Thedigitizedsignaturesarenotaccessedorusedinamannercontrary

totheStandards.

MasterCardreservestherighttoauditCustomerstoensurecompliancewith

theserequirementsandmayprohibittheuseofESCTifitidentifiesinadequate

controls.

4.13ComponentAuthentication

AllcomponentsactivelyparticipatingintheInterchangeSystemmust

authenticateeachotherbymeansofcryptographicprocedures,eitherexplicitly

byaspecificauthenticationprotocolorimplicitlybycorrectexecutionofa

cryptographicservicepossessingsecretinformation(forexample,theshared

keyorthelogonID).

AcomponentactivelyparticipatesintheInterchangeSystemif,becauseof

itspositioninthesystem,itcanevaluate,modify,orprocesssecurity-related

information.

4-87February2014•SecurityRulesandProcedures

POIT erminalandPINSecurityStandards

4.14TripleDESMigrationStandards

TripleDataEncryptionStandard(DES),minimumdoublekeylength(hereafter

referredtoas“TripleDES”),mustbeimplementedasfollows:

•AllnewlyinstalledPEDs,includingreplacementandrefurbishedPEDsthat

arepartofPOSTerminals,mustbeTripleDEScapable.Thisrequirement

appliestoPOSTerminalsownedbyCustomersandnon-Customers.

•AllCustomerandprocessorhostsystemsmustsupportTripleDES.

•ItisstronglyrecommendedthatallPEDsthatarepartofPOSTerminalsbe

TripleDEScompliantandchip-capable.

•AllPEDsthatarepartofATMTerminalsmustbeTripleDEScompliant.

•AllPIN-basedTransactionsroutedtotheInterchangeSystemmustbeTriple

DEScompliant.

MasterCardrecognizesthatCustomersmayelecttouseotherpublickey

encryptionmethodsbetweentheirPOSTerminalsorATMsandtheirhost(s).

Insuchinstances,MasterCardmustapprovethealternatemethodchosenin

advanceofitsimplementationanduse.

Approvalwillbedependent,inpart,onwhetherMasterCarddeemsthe

alternatemethodtobeassecureasormoresecurethanTripleDES.Approval

isrequiredbeforeimplementationcanbegin.AllTransactionsroutedtothe

InterchangeSystemmustbeTripleDEScompliant.

SecurityRulesandProcedures•7February20144-9

Chapter5CardRecoveryandReturnStandards

ThischaptermaybeofparticularinteresttoCustomersthatissueMasterCard®cards.It

includesguidelinesforpersonnelresponsibleforCardretentionandreturn,reportingof

lostandstolenCards,andcriminalandcounterfeitinvestigations.

5.1CardRecoveryandReturn.......................................................................................................5-1

5.1.1CardRetentionbyMerchants..........................................................................................5-1

5.1.1.1ReturningRecoveredCards....................................................................................5-1

5.1.1.2ReturningCounterfeitCards...................................................................................5-2

5.1.1.3LiabilityforLoss,Costs,andDamages...................................................................5-2

SecurityRulesandProcedures•7February20145-i

CardRecoveryandReturnStandards

5.1CardRecoveryandReturn

ThefollowingsectionsaddressCustomerresponsibilitiesassociatedwithCard

retentionandreturn,rewardsforCardcapture,reportingoflostandstolen

Cards,andcriminalandcounterfeitinvestigations.

5.1.1CardRetentionbyMerchants

AcquirersandMerchantsshouldusetheirbesteffortstorecoveraCardby

reasonableandpeacefulmeansif:

•TheIssueradvisestheAcquirerorMerchanttorecovertheCardinresponse

toanauthorizationrequest.

•TheElectronicWarningBulletinfileoraneffectiveregionalWarningNotice

liststheaccountnumber.

AfterrecoveringaCard,therecoveringAcquirerorMerchantmustnotifyits

authorizationcenteroritsAcquirerandreceiveinstructionsforreturningthe

Card.IfmailingtheCard,therecoveringAcquirerorMerchantfirstshouldcut

theCardinhalfthroughthemagneticstripe.

MaestroCardcaptureataPoint-of-Sale(POS)Terminalisnotpermittedwith

respecttoInterregionalTransactionsorIntraregionalTransactionsthatoccur

withintheAsia/Pacific,LatinAmericaandtheCaribbean,orUnitedStates

Regions.

5.1.1.1ReturningRecoveredCards

TheAcquirermustfollowtheseprocedureswhenreturningarecoveredCard

totheIssuer:

1.IftheMerchanthasnotalreadydoneso,theAcquirermustrendertheCard

unusablebycuttingitinhalfverticallythroughthemagneticstripe.

2.TheAcquirermustforwardtherecoveredCardtotheIssuerwithinfive

calendardaysofreceivingtheCardalongwiththefirstcopy(white)ofthe

InterchangeCardRecoveryForm(ICA-6).Theadditionalcopiesarefile

copiesfortheAcquirer’srecords.Unlessotherwisenotedinthe“Other

Information”sectionoftheMemberInformationtool,arecoveredCard

mustbereturnedtotheSecurityContactoftheIssuer.

NOTE

AsampleoftheInterchangeCardRecoveryForm(ICA-6)appearsintheBusiness

FormssectionofMasterCardConnect™.

AMerchantmayreturnaCardinadvertentlyleftattheMerchantlocationif

theCardholderclaimstheCardbeforetheendofthenextbusinessdayand

presentspositiveidentification.WithrespecttounclaimedCards,aMerchant

mustfollowtheAcquirer'srequirementsassetforthintheMerchantAgreement.

SecurityRulesandProcedures•7February20145-1

CardRecoveryandReturnStandards

5.1CardRecoveryandReturn

5.1.1.2ReturningCounterfeitCards

TheAcquirerorMerchantmustreturncounterfeitCardstotheIssuerby

followingtheinstructionsprovidedbyitsauthorizationcenter.Thefollowing

informationidentifiesanIssuer:

•TheIssuer’sMasterCardbankidentificationnumber(BIN)presentinthe

AccountInformationArea.

•TheMemberIDimprintedintheCardSourceIdentificationareaonthe

backoftheCard.

IntheabsenceofaBINorMemberID,theIssuermaybeidentifiedbyany

othermeans,includingthebanknameprintedonthefrontorbackoftheCard

orthemagneticstripe.IftheIssuerisstillunidentifiable,returntheCardtothe

MasterCardvicepresidentoftheSecurityandRiskServicesDepartment.

NOTE

TheabovemethodofidentifyingtheIssuerappliesonlytothereturnof

acounterfeitCard,nottodeterminingtheCustomerresponsibleforthe

counterfeitlossesassociatedwithsuchCards.Formoreinformation,referto

Chapter6—FraudLossControlStandardsofthismanual.

5.1.1.3LiabilityforLoss,Costs,andDamages

NeitherMasterCardnoranyCustomershallbeliableforloss,costs,orother

damagesforclaimsdeclaredagainstthembyanIssuerforrequestedactionsin

thelistingofanaccountoraGrouporSerieslistingontheElectronicWarning

BulletinfileorintheapplicableregionalWarningNoticebytheIssuer.Refer

totheAccountManagementSystemUserManualforinformationaboutthe

proceduresforlistingaccounts.

IfanAcquirererroneouslyusestheseprocedureswithouttheIssuer’sguidance

andauthorizesMerchantrecoveryofaCardnotlistedontheElectronicWarning

BulletinfileorintheapplicableregionalWarningNotice,neitherMasterCard

oritsCustomersshallbeliableforloss,costs,orotherdamagesifaclaim

ismadeagainstthem.

NoCustomerisliableunderthissectionforanyclaimunlesstheCustomerhas:

•Writtennoticeoftheassertionofaclaimwithin120daysoftheassertion

oftheclaim,and

•Adequateopportunitytocontrolthedefenseorsettlementofanylitigation

concerningtheclaim.

5-27February2014•SecurityRulesandProcedures

Chapter6FraudLossControlStandards

Thischaptermaybeofparticularinteresttopersonnelresponsibleforfraudlosscontrol

programs,counterfeitlossproceduresandreimbursement,andAcquirercounterfeit

liability.

6.2MasterCardFraudLossControlProgramStandards.................................................................6-1

6.2.2AcquirerFraudLossControlPrograms............................................................................6-1

6.2.2.1AcquirerAuthorizationMonitoringRequirements..................................................6-1

6.2.2.2AcquirerMerchantDepositMonitoringRequirements...........................................6-1

6.2.2.3RecommendedAdditionalAcquirerMonitoring.....................................................6-2

6.3MasterCardCounterfeitCardFraudLossControlStandards.....................................................6-3

6.3.1CounterfeitCardNotification...........................................................................................6-3

6.3.1.2NotificationbyAcquirer.........................................................................................6-3

6.3.1.3FailuretoGiveNotice............................................................................................6-4

6.3.2ResponsibilityforCounterfeitLoss..................................................................................6-4

6.3.2.1LossfromInternalFraud........................................................................................6-4

6.3.2.3TransactionsArisingfromUnidentifiedCounterfeitCards......................................6-4

6.3.3AcquirerCounterfeitLiabilityProgram............................................................................6-4

6.3.3.1AcquirerCounterfeitLiability..................................................................................6-5

6.3.3.2AcquirerLiabilityPeriod.........................................................................................6-5

6.3.3.3RelieffromLiability................................................................................................6-5

6.3.3.4ApplicationforRelief..............................................................................................6-6

SecurityRulesandProcedures•7February20146-i

FraudLossControlStandards

6.2MasterCardFraudLossControlProgramStandards

Theexistenceanduseofmeaningfulcontrolsareaneffectivemeanstolimit

totalfraudlossesandlossesforallfraudtypes.Thissectiondescribesminimum

requirementsforIssuerandAcquirerfraudlosscontrolprograms.

6.2.2AcquirerFraudLossControlPrograms

AnAcquirer’sfraudlosscontrolprogrammustmeetthefollowingminimum

requirements,andpreferablywillincludetherecommendedadditional

parameters.Theprogrammustautomaticallygeneratedailyfraudmonitoring

reportsorreal-timealerts.Acquirerstafftrainedtoidentifypotentialfraudmust

analyzethedatainthesereportswithin24hours.

TocomplywiththefraudlosscontrolStandards,Acquirersalsomusttransmit

completeandunaltereddatainallCard-readauthorizationrequestmessages.

Additionally,Acquirerswithhighfraudlevelsmust:

•Install“readanddisplay”terminalsinareasdeterminedtobeathighrisk

forfraudorcounterfeitactivity,or

•InstallHybridPoint-of-Sale(POS)Terminals

6.2.2.1AcquirerAuthorizationMonitoringRequirements

Dailyreportsorreal-timealertsmonitoringMerchantauthorizationrequests

mustbegeneratedatthelatestonthedayfollowingtheauthorizationrequest,

andmustbebasedonthefollowingparameters:

•NumberofauthorizationrequestsaboveathresholdsetbytheAcquirer

forthatMerchant

•Ratioofnon-Card-readtoCard-readTransactionsthatisabovethethreshold

setbytheAcquirerforthatMerchant

•PANkeyentryratiothatisabovethethresholdsetbytheAcquirerforthat

Merchant

•Repeatedauthorizationrequestsforthesameamountorthesame

Cardholderaccount

•Increasednumberofauthorizationrequests

•“Outofpattern”fallbackTransactionvolume

6.2.2.2AcquirerMerchantDepositMonitoringRequirements

Dailyreportsorreal-timealertsmonitoringMerchantdepositsmustbe

generatedatthelatestonthedayfollowingthedeposit,andmustbebased

onthefollowingparameters:

SecurityRulesandProcedures•7February20146-1

FraudLossControlStandards

6.2MasterCardFraudLossControlProgramStandards

•IncreasesinMerchantdepositvolume

•IncreaseinaMerchant’saverageticketsizeandnumberofTransactions

perdeposit

•Changeinfrequencyofdeposits

•FrequencyofTransactionsonthesameCardholderaccount,including

creditTransactions

•Unusualnumberofcredits,orcreditdollarvolume,exceedingalevelof

salesdollarvolumeappropriatetotheMerchantcategory

•LargecreditTransactionamounts,significantlygreaterthantheaverage

ticketsizefortheMerchant’ssales

•Creditsissuedsubsequenttothereceiptofachargebackwiththesame

accountnumberandfollowedbyasecondpresentment

•CreditsissuedtoanaccountnumbernotusedpreviouslyattheMerchant

location

90-dayRule

TheAcquirermustcomparedailydepositsagainsttheaverageTransaction

countandamountforeachMerchantoveraperiodofatleast90days,tolessen

theeffectofnormalvariancesinaMerchant’sbusiness.FornewMerchants,

theAcquirershouldcomparetheaverageTransactioncountandamountfor

otherMerchantswithinthesameMCCassignedtotheMerchant.Intheevent

thatsuspiciouscreditorrefundTransactionactivityisidentified,ifappropriate,

theAcquirershouldconsiderthesuspensionofTransactionspendingfurther

investigation.

150PercentRecommendation

Tooptimizetheeffectivenessoffraudanalysisstaff,Merchantsthatappearin

themonitoringreportsshouldexceedtheaverageby150percentormore.

However,theamountovertheaverageisattheAcquirer’sdiscretion.

6.2.2.3RecommendedAdditionalAcquirerMonitoring

MasterCardrecommendsthatAcquirersadditionallymonitorthefollowing

parameters:

6-27February2014•SecurityRulesandProcedures

FraudLossControlStandards

6.3MasterCardCounterfeitCardFraudLossControlStandards

•Fallbackmethods

•CreditTransactions(suchasrefunds)andMerchantauthorizationreversals

•Transactionsconductedathigh-riskMerchants

•PANkey-entryTransactionsexceedingratio

•Abnormalhoursorseasons

•InactiveMerchants

•Transactionswithnoapprovalcode

•Transactionsthatweredeclined

•Inconsistentauthorizationandclearingdataelementsforthesame

Transactions

WebSiteMonitoringRecommendation

MasterCardrecommendsthatAcquirersuseaWebsitemonitoringsolutionto

reviewtheirelectroniccommerce(e-commerce)Merchants’activitytoavoid

processingillegalorbrand-damagingTransactions.

6.3MasterCardCounterfeitCardFraudLossControl

Standards

MasterCardactivelyassistslawenforcementinthepursuitoforganizedand

informalcriminalgroupsengagedincounterfeitfraud.AlthoughMasterCard

hasachievedsubstantialsuccessinthisarea,includingnumerousconvictionsof

counterfeitersandseizuresoftheirphysicalplants,organizedcriminalelements

continuetoexpand,withnewgroupsemergingalmostdaily.

Inadditiontoimplementingthefraudlosscontrolsdescribedinsection6.2,

Customersmustalsomakeagood-faithattempttolimitcounterfeitlosses.At

aminimum,anIssuerisrequiredtoincorporatetheCardsecurityfeatures

describedinChapter3onallCards,andanAcquirermusttransmitfullmagnetic

stripeorchipdataonallCard-readPOSTransactions.

6.3.1CounterfeitCardNotication

AllCustomersmustnotifyMasterCardimmediatelyuponsuspicionordetection

ofcounterfeitCards.

6.3.1.2NoticationbyAcquirer

AnAcquirerdetectingorsuspectingacounterfeitCardbearingneitheravalid

BINnoravalidMemberIDimmediatelymustnotifyitsregionalSecurity

andRiskServicesrepresentativeandtheIssuerbyphone,e-mail,ortelex

communication.MasterCardwilladdtheaccountnumbertotheAccount

ManagementSystem.

SecurityRulesandProcedures•7February20146-3

FraudLossControlStandards

6.3MasterCardCounterfeitCardFraudLossControlStandards

6.3.1.3FailuretoGiveNotice

FailurebytheAcquirerorIssuertogivenoticewithin24hoursofdetectinga

counterfeitCardrelievesMasterCardofanyresponsibilityforanyresultingloss

incurredbyanypartyfailingtogivenotice.

6.3.2ResponsibilityforCounterfeitLoss

CertainlossesresultingfromcounterfeitTransactionsaretheresponsibility

ofeithertheIssuerorAcquirerbasedonthecircumstancesdescribedinthis

section.

6.3.2.1LossfromInternalFraud

MasterCardisnotresponsibleforanylossarisingfromorrelatedtoany

fraudulent,dishonest,orotherwisewrongfulactofanyofficer,director,

oremployeeofaCustomer,orofaCustomer’sServiceProvider,agent,or

representative.

6.3.2.3TransactionsArisingfromUnidentiedCounterfeitCards

TheAcquirerisresponsibleforanycounterfeitlossresultingfromorrelatedto

theacceptancebyaMerchantofaCardthatcannotbeidentifiedbytheBIN

orMemberIDimprintedintheTransactionrecord.

6.3.3AcquirerCounterfeitLiabilityProgram

TheAcquirerCounterfeitLiabilityProgramisintendedtocombatincreases

inworldwidecounterfeitinginthecreditcardindustry.TheProgramshifts

partialcounterfeitlossliabilitytoAcquirersthatexceedworldwidecounterfeit

Standards.

FraudManagementusestheAcquirercounterfeitvolumeratio(ACVR)to

evaluateallCustomers’volumesofacquiredcounterfeit.TheACVRisa

Customer’sdollarvolumeofacquiredcounterfeitasapercentageofthetotal

dollarvolumeacquiredbythatCustomer.

FraudManagementmonitorsthe20CustomerswiththehighestACVRsona

quarterlybasis.MasterCardnotifieseachCustomerwithliabilityofitsown

ACVR,theworldwideaverage,thereportedcounterfeit,andtheamountof

Customerliabilitycalculatedonaquarterlybasis.

MasterCardusesfundsobtainedfromAcquirersthatexceedestablishedannual

thresholdstoprovidethefollowingsupport:

•RecoverthecostsassociatedwiththeadministrationofthisProgram,

•Fundthedevelopmentofnewfraudcontrolprograms,and

•SupplementtheMasterCardliabilitylimitforthereimbursementofIssuers’

counterfeitlosses.

6-47February2014•SecurityRulesandProcedures

FraudLossControlStandards

6.3MasterCardCounterfeitCardFraudLossControlStandards

6.3.3.1AcquirerCounterfeitLiability

AnAcquirerisliableforanycounterfeitvolumethatisaboveathresholdof10

timestheworldwideACVR.

FMPreviewteamswillprovideareporttoAcquirerswhoseACVRexceeds10

timestheworldwideaveragewithrecommendationsonhowtoreducethe

volumeofacquiredcounterfeitTransactions.IfanAcquirerimplementsallof

theprogramsrecommendedbyFraudManagement,ortakesnecessaryaction

tocurbcounterfeit,MasterCardwillreviewtheactionstakenandmayadjustthe

cumulativeliabilitythatwouldotherwisebeimposedbytheProgram.

Counterfeitexperienceinconsistentwiththeimplementationoftherequired

programswillresultinfurtherFMPLevel3CustomerreviewsbyMasterCard.

FormoreinformationabouttheFMP,refertoChapter13ofthismanual.

6.3.3.2AcquirerLiabilityPeriod

TheAcquirer’sACVRliabilityiscomputedfortheperiodfrom1Januarythrough

31December.ACVRliabilityisdeterminedafterfinalsubmissionofcounterfeit

reimbursementclaimsforeach12-monthcycle.

6.3.3.3RelieffromLiability

Toqualifyforrelieffromliability,anAcquirermustmeetthefollowingcriteria:

1.TheAcquirermustcomplywiththeAcquirerlosscontrolprogramStandards

describedinsection6.2.2.

2.TheAcquirermustissueinternalproceduresdesignatingresponsibilitiesfor

monitoringtheexceptionreports,explaininghowtheyshouldbeused,and

definingactionstobetakenwhenthresholdsareexceeded.Customers

willneedtomaintaininternalrecordsthatclearlydemonstratesupervisory

reviewofsuchproceduresandtheperiodicreviewofresultsbysenior

management.

3.TheAcquirermusttransmitthefull,uneditedISO:8583authorization

messagefromterminal-readTransactionstothesystem.

4.TheAcquirerthatissubjecttoliabilitymayberequiredbyMasterCardto

takeadditionalactiontoattemptfurthertoreduceitslevelofcounterfeit

losses.

MasterCardwillproviderelieffromreversalofresponsibilitytoAcquirersthat

exceedthethresholdundertheAcquirerCounterfeitLiabilityProgramandthat

fullymeettheaforementionedcriteria.

NOTE

AcquirersmustsubmitawrittenapplicationforreliefinorderforMasterCard

toproviderelieffromresponsibility.

SecurityRulesandProcedures•7February20146-5

FraudLossControlStandards

6.3MasterCardCounterfeitCardFraudLossControlStandards

6.3.3.4ApplicationforRelief

AnAcquirermustsubmitthewrittenapplicationforreliefundersignatureof

anappropriateofficer,suchastheCardcentermanagerofthatCustomer.The

followinginformationmustbeincludedintheapplication:

•Certificationthattherequisitecontrolsareinplace

•Adetaileddescriptionofthecontrols

•Thespecificparametersbeingused

•Acopyoftheproceduresdocumentdescribedinsection6.3.3.3

•Samplecopiesoftheautomatedexceptionreports

TheapplicationforreliefmustbesubmittedtothevicepresidentofFraud

ManagementattheaddressprovidedinAppendixC.

Theeffectivedateoftheprovisionsofreliefwillbenosoonerthan90days

aftertheAcquirerhasfullyimplementedtherequisitecontrols.Releasefrom

responsibilityfortheAcquirerwillnotbegranteduntilalloftherequirements

areinplaceforatleast90days.Continuedeligibilityforreliefwillbesubject

toperiodicreviewbySecurityandRiskServicesstaff,andmayberevoked

atanytime.

6-67February2014•SecurityRulesandProcedures

Chapter7Merchant,Sub-merchant,andATMOwner

ScreeningandMonitoringStandards

ThischaptermaybeofparticularinteresttoCustomerpersonnelresponsibleforscreening

andmonitoringMerchants,Sub-merchants,andATMOwners.

7.1ScreeningNewMerchants,Sub-merchants,andATMOwners.................................................7-1

7.1.1ScreeningProcedures......................................................................................................7-1

7.1.2EvidenceofCompliancewithScreeningProcedures......................................................7-2

7.1.3RetentionofInvestigativeRecords..................................................................................7-2

7.1.4AssessmentsforNoncompliancewithScreeningProcedures..........................................7-3

7.2OngoingMonitoring.................................................................................................................7-4

7.3AdditionalRequirementsforCertainMerchantandSub-merchantCategories.........................7-5

7.3.1MerchantEducation........................................................................................................7-5

SecurityRulesandProcedures•7February20147-i

Merchant,Sub-merchant,andATMOwnerScreeningandMonitoringStandards

7.1ScreeningNewMerchants,Sub-merchants,andATMOwners

7.1ScreeningNewMerchants,Sub-merchants,andATM

Owners

ACustomerisresponsibleforensuringthattheproceduressetforthinthis

sectionforthescreeningofaprospectiveMerchant,Sub-merchant,orATM

ownerareperformedbeforetheCustomerentersintoaMerchantAgreementor

ATMOwnerAgreementoraPaymentFacilitatoroftheCustomerentersinto

aSub-merchantagreement.

TheperformanceofthesescreeningproceduresdoesnotrelieveaCustomer

fromtheresponsibilityoffollowinggoodcommercialbankingpractices.The

reviewofanannualreportoranauditedstatement,forexample,mightsuggest

theneedforfurtherinquiry.

7.1.1ScreeningProcedures

EachAcquirer,beforesigningaMerchantAgreementorATMOwnerAgreement,

andeachofitsPaymentFacilitators,beforesigningaSub-merchantagreement,

mustverifythattheprospectiveMerchant,ATMowner,orSub-merchantisa

bonafidebusiness.Suchverificationmustincludeatleastallofthefollowing:

•Creditcheck,backgroundinvestigations,referencechecksoftheentity,and

acheckforvalidityofthebusinessaddressandotherinformationprovided

bytheentity.Ifthecreditcheckoftheentityraisesquestionsordoes

notprovidesufficientinformation,theAcquirerorPaymentFacilitator,as

applicable,alsoshouldconductacreditcheckof:

–Theowner,iftheentityisasoleproprietor;or

–Thepartners,iftheentityisapartnership;or

–Theprincipalshareholders,iftheentityisacorporation.

•InquirytotheMasterCardMemberAlerttoControlHigh-risk(Merchants)

(MATCH™)systemaboutaprospectiveMasterCardMerchantor

Sub-merchant.TheCustomeritselfmustperformaMATCHsysteminquiry

aboutaprospectiveMasterCardSub-merchant.

•InvestigationofthepreviousMerchantAgreementsofaprospective

Merchant.

•ConfirmationthatallATMsclaimedbyaprospectiveATMownerexistand

areoperational.

•VerificationofthelocationandconditionofallATMsdeployedbya

prospectiveATMowner.

NOTE

NoCustomerisexemptfromparticipationintheMATCHsystem.

SecurityRulesandProcedures•7February20147-1

Merchant,Sub-merchant,andATMOwnerScreeningandMonitoringStandards

7.1ScreeningNewMerchants,Sub-merchants,andATMOwners

AnAcquirerisnotrequiredtoconductacreditcheckofapublicorprivate

companythathasannualsalesrevenueinexcessofUSD50million(or

theforeigncurrencyequivalent),providedtheAcquirerreviews,andfinds

satisfactoryforpurposesoftheacquiringbeingconsidered,themostrecent

annualreportoftheMerchant,includingauditedfinancialstatements.Aprivate

companythatdoesnothavearecentauditedfinancialstatementissubjecttoa

creditcheckandinspectionevenifitsannualsalesrevenueexceedsUSD50

million.

ItisrecommendedthattheAcquirer,withrespecttoaprospectiveMerchant

orATMowner,andthePaymentFacilitator,withrespecttoaprospective

Sub-merchant,performaninspectionoftheentity’spremises(bothphysical

locationsandInternetURLs,asapplicable)andrecordstoensurethatithasthe

properfacilities,equipment,inventory,agreements,andpersonnelrequiredand

ifnecessary,licenseorpermitandothercapabilitiestoconductthebusiness.

TheAcquirerorPaymentFacilitatorshouldbesatisfiedthataprospective

MerchantorSub-merchantisabletosupportthefulfillmentofproductsor

servicestobemarketed,andensurethattheMerchantorSub-merchanthas

proceduresandresourcestohandleCardholderinquiriesandtosupport

refunds,wherenecessary.

7.1.2EvidenceofCompliancewithScreeningProcedures

AsevidencethattheAcquirerisincompliancewiththescreeningrequirements

setforthinthischapter,MasterCardrequires,ataminimum,thefollowing

information:

•Areportfromacreditbureau,or,ifthecreditbureaureportisincomplete

orunavailable,thewrittenresultsofadditionalfinancialandbackground

checksofthebusiness,itsprincipalowners,andofficers;

•WithrespecttothescreeningofaMerchantorSub-merchantforMasterCard

Transactionprocessing,proofoftheAcquirer’sinquiryintotheMATCH

system,includingacopyoftheinquiryrecord;

•WithrespecttothescreeningofaMerchant,astatementfromthe

MerchantaboutpreviousMerchantAgreements,includingthename(s)of

theentity(ies)wheretheMerchanthasorhadtheagreement(s)andthe

reason(s)forterminatingtheagreement(s),ifapplicable.

7.1.3RetentionofInvestigativeRecords

TheAcquirermustretainallrecordsconcerningtheinvestigationofaMerchant,

Sub-merchant,orATMownerforaminimumoftwoyearsafterthedatethatthe

MerchantAgreement,Sub-merchantagreement,orATMOwnerAgreement,as

applicable,isterminatedorexpires.MasterCardrecommendsthatAcquirers

retainthefollowingrecordsasabestpractice:

7-27February2014•SecurityRulesandProcedures

Merchant,Sub-merchant,andATMOwnerScreeningandMonitoringStandards

7.1ScreeningNewMerchants,Sub-merchants,andATMOwners

•SignedMerchantAgreement

•PreviousMerchantstatements

•Corporateorpersonalbankingstatements

•Creditreports

•Siteinspectionreport,toincludephotographsofpremises,inventory

verification,andthenameandsignatureoftheinspectorofrecord

•Merchantcertificateofincorporation,licenses,orpermits

•Verificationofreferences,includingpersonal,business,orfinancial

•Verificationoftheauthenticityofthesupplierrelationshipforthegoods

orservices(invoicerecords)thattheMerchantisofferingtheCardholder

forsale

•Date-stampedMATCHinquiryrecords

•Date-stampedMATCHadditionrecord

•AllCustomercorrespondencewiththeMerchantorATMowner

•AllcorrespondencerelatingtoIssuer,Cardholder,orlawenforcement

inquiriesconcerningtheMerchant,Sub-merchant,ATMowner,orany

associatedServiceProvider

•SignedServiceProvidercontract,includingthenameofagentsinvolved

intheduediligenceprocess

•AcquirerduediligencerecordsconcerningtheServiceProviderandits

agents

RefertoChapter7oftheMasterCardRulesmanualformoreinformationabout

ServiceProviders.

NOTE

MasterCardrecommendsthattheAcquirerretaintheserecordstoverify>>

compliancewiththescreeningprocedures,intheeventthatMasterCard

conductsanauditasdescribedinsection7.1.4.

7.1.4AssessmentsforNoncompliancewithScreening

Procedures

MasterCardmayauditanAcquirerforcompliancewiththescreeningprocedures

setforthinthischapter,andeachCustomermustcomplywithandassistany

suchaudit.MasterCardwillreviewtheapplicablerecordsretainedbythe

AcquirertodeterminewhetheranAcquirerhascompliedwiththesescreening

procedures.

SecurityRulesandProcedures•7February20147-3

Merchant,Sub-merchant,andATMOwnerScreeningandMonitoringStandards

7.2OngoingMonitoring

IfMasterCarddeterminesthatanAcquirerhasnotcompliedwiththese

screeningprocedures,andiftheAcquirerdoesnotcorrectalldeficienciesthat

gaverisetotheviolationtothesatisfactionofMasterCardwithin30daysof

knowledgeornoticeofsuchdeficiencies,MasterCardmayassesstheAcquirer

uptoUSD100,000foreach30-dayperiodfollowingtheaforementionedperiod,

withamaximumaggregateassessmentofUSD500,000duringanyconsecutive

12-monthperiod.Anysuchassessment(s)willbeinadditiontoanyother

financialresponsibilitythattheAcquirermayincur,assetforthintheStandards.

ViolatorswillalsobesubjecttochargebacksoffraudulentTransactions.

FailuretoinquiretotheMATCHsystembeforesigningaMerchantAgreement

forMasterCardTransactionprocessingorbeforeaPaymentFacilitatorsignsa

Sub-merchantagreementforMasterCardTransactionprocessingmayresultin

anassessmentofuptoUSD5,000foreachinstanceofnoncompliance.

7.2OngoingMonitoring

AnAcquirermustmonitortheTransactionactivityofeachofitsMerchants

(sales,credits,andchargebacks),andensurethataPaymentFacilitatorconducts

suchmonitoringwithrespecttoeachofitsSub-merchants,inaneffortto

deterfraud.Monitoringmustfocusonchangesinactivityovertime,activity

inconsistentwiththeMerchant'sorSub-merchant'sbusiness,orexceptional

activityrelatingtothenumberofTransactionsandTransactionamountsoutside

thenormalfluctuationrelatedtoseasonalsales.SpecificallyforMasterCard

Transactionprocessing,ongoingmonitoringincludes,butisnotlimitedto,

theAcquirerfraudlosscontrolsrelatingtodeposit(includingcredits)and

authorizationactivitydescribedinsection6.2.2.

Withrespecttoanelectroniccommerce(e-commerce)Merchant,theAcquirer

regularly,asreasonablyappropriateinlightofallcircumstances,mustreview

andmonitortheMerchant'sWebsite(s)andbusinessactivitiestoconfirmandto

reconfirmregularlythatanyactivityrelatedtoorusingaMarkisconducted

inalegalandethicalmannerandinfullcompliancewiththeStandards.The

AcquirermustensurethataPaymentFacilitatorconductssuchmonitoringwith

respecttoeachofitsSub-merchant'sWebsite(s).

Asabestpractice,MasterCardrecommendsthatAcquirersuseaWebsite

monitoringsolutiontoreviewtheire-commerceMerchants’andSub-merchants'

activitytoavoidprocessingillegalorbrand-damagingTransactions.

7-47February2014•SecurityRulesandProcedures

Merchant,Sub-merchant,andATMOwnerScreeningandMonitoringStandards

7.3AdditionalRequirementsforCertainMerchantandSub-merchantCategories

7.3AdditionalRequirementsforCertainMerchantand

Sub-merchantCategories

AnAcquirerofatelecomMerchantorSub-merchant(exceptakey-entry

telecomMerchantorSub-merchant),non-face-to-faceadultcontentand>>

servicesMerchantorSub-merchant,non–face-to-facegamblingMerchantor

Sub-merchant,non–face-to-facepharmaceuticalandtobaccoproductMerchant

orSub-merchant,statelotteryMerchantorSub-merchant(U.S.Regiononly),

skillgamesMerchantorSub-merchant(U.S.Regiononly),and/orMerchantor

Sub-merchantreportedundertheExcessiveChargebackProgram(ECP)must

complywiththeregistrationandmonitoringrequirementsoftheMasterCard

RegistrationProgram(MRP)foreachsuchMerchantorSub-merchant,as

describedinChapter9.

7.3.1MerchantEducation

Onceanacquiringrelationshipisestablished,anAcquirermustinstituteafraud

preventionprogram,includinganeducationprocessconsistingofperiodicvisits

toMerchants,distributionofrelatededucationalliterature,andparticipationin

Merchantseminars.InstructionstoMerchantsmustincludeCardacceptance

procedures,useoftheElectronicWarningBulletinfileorWarningNotice,

authorizationproceduresincludingCode10procedures,propercompletionof

Transactioninformationdocuments(TIDs)(includingprimaryaccountnumber

[PAN]truncation),timelypresentmentoftheTransactiontotheAcquirer,and

properhandlingpursuanttoCardcapturerequests.Customersmustthoroughly

reviewwithMerchantstheStandardsagainstthepresentmentoffraudulent

Transactions.Inaddition,Customersmustreviewthedatasecurityprocedures

toensurethatonlyappropriateCarddataisstored,magneticstripedatanever

isstored,andanystorageofdataisdoneinaccordancewiththeStandardsfor

encryption,Transactionprocessing,andotherprescribedpractices.

AnAcquirermustalsoensurethataPaymentFacilitatorconductsappropriate

educationactivitiesforeachofitsSub-merchants.

SecurityRulesandProcedures•7February20147-5

Chapter8MasterCardFraudControlPrograms

ThischaptermaybeofparticularinteresttoCustomerpersonnelresponsibleformonitoring

Merchantand/orIssueractivityforcompliancewithfraudlosscontrolStandards.

8.1PresentingValidTransactions...................................................................................................8-1

8.1.1NotifyingMasterCard—AcquirerResponsibilities............................................................8-1

8.1.3MasterCardAudit.............................................................................................................8-1

8.1.3.1InitiationofMasterCardAudit................................................................................8-2

8.1.3.2InformationRequiredbyMasterCard.....................................................................8-2

8.1.3.3NotificationtoCustomersofChargebackPeriod....................................................8-3

8.2GlobalMerchantAuditProgram..............................................................................................8-3

8.2.1AcquirerResponsibilities.................................................................................................8-4

8.2.2Tier3SpecialMerchantAudit.........................................................................................8-5

8.2.3ChargebackResponsibility..............................................................................................8-6

8.2.4ExclusionfromtheGlobalMerchantAuditProgram.......................................................8-8

8.2.4.1SystematicExclusions.............................................................................................8-8

8.2.4.2ExclusionafterGMAPIdentification.......................................................................8-9

8.2.5NotificationofMerchantIdentification..........................................................................8-10

8.2.5.1DistributionofReports.........................................................................................8-10

8.2.6MerchantOnlineStatusTracking(MOST)System.........................................................8-11

8.2.6.1MOSTMandate.....................................................................................................8-11

8.2.6.2MOSTRegistration................................................................................................8-12

8.3ExcessiveChargebackProgram..............................................................................................8-12

8.3.1ECPDefinitions.............................................................................................................8-12

8.3.2ReportingRequirements................................................................................................8-13

8.3.2.1Chargeback-MonitoredMerchantReportingRequirements..................................8-13

8.3.2.1.1CMMReportContents..................................................................................8-14

8.3.2.1.2LateCMMReportSubmissionAssessment...................................................8-14

8.3.2.2ExcessiveChargebackMerchantReportingRequirements...................................8-14

8.3.2.2.1ECMReportContents..................................................................................8-14

8.3.2.2.2LateECMReportSubmissionAssessment....................................................8-15

8.3.3Assessments..................................................................................................................8-15

8.3.3.1ECPAssessmentCalculation.................................................................................8-16

8.3.5AdditionalTier2ECMRequirements............................................................................8-17

8.4QuestionableMerchantAuditProgram(QMAP)....................................................................8-18

8.4.1QMAPDefinitions.........................................................................................................8-18

SecurityRulesandProcedures•7February20148-i

MasterCardFraudControlPrograms

8.4.2MasterCardCommencementofanInvestigation...........................................................8-20

8.4.4MasterCardNotificationtoAcquirers.............................................................................8-20

8.4.5MerchantTermination...................................................................................................8-21

8.4.6MasterCardDetermination.............................................................................................8-21

8.4.7ChargebackResponsibility............................................................................................8-22

8.4.8FraudRecovery.............................................................................................................8-22

8.4.9QMAPFees...................................................................................................................8-22

8-ii7February2014•SecurityRulesandProcedures

MasterCardFraudControlPrograms

8.1PresentingValidTransactions

AMerchantmustpresenttoitsAcquireronlyvalidTransactionsbetweenitself

andabonafideCardholder.

AMerchantmustnotpresentaTransactionthatitknowsorshouldhave

knowntobefraudulentornotauthorizedbytheCardholder,orauthorizedby

aCardholderwhoisincollusionwiththeMerchantforafraudulentpurpose.

Withinthescopeofthisrule,theMerchantisresponsiblefortheactionsof

itsemployees.

8.1.1NotifyingMasterCard—AcquirerResponsibilities

AnAcquirermustimmediatelynotifyMerchantFraudControlstaffinwriting

when,inregardtoaMerchantwithwhomithasenteredintoaMasterCard

MerchantAgreement:

•TheAcquirermayhavereasontobelievethattheMerchantisengagingin

collusiveorotherwisefraudulentorinappropriateactivity,or

•TheAcquirerdeterminesthattheMerchant’sratioofchargebacks,creditsto

salesexceedscriteriaestablishedbyMasterCard.

AnAcquirermustacceptchargebacksforallfraudulentMasterCardTransactions

thattookplaceduringtheperiodwhentheMerchantwasinviolationofRule

5.12oftheMasterCardRulesmanual(“theValidTransactionsRule”).

Moreover,ifanAcquirerfailstoidentifyanddeclareaMerchantinviolationof

theStandard,MasterCardmaydosoafteranauditoftheCustomer’sMerchant

fileandrecords.

8.1.3MasterCardAudit

MasterCard,initssolediscretion,andeitheritselforbyuseofathirdparty,

mayconductanauditofanAcquirer’sMerchantfilesandrecordstodetermine

whethertheMerchantisinviolationoftheValidTransactionsRule.Merchant

FraudControlstaffwillnotifytheAcquirerofadecisiontoconductsuchan

audit.AnAcquireranditsMerchantsmustcooperatefully.Duringtheaudit,

MasterCardmaylisttheMerchantontheMemberAlerttoControlHigh-risk

(Merchants)(MATCH™)systemunderMATCHreasoncode00(Questionable

Merchant/UnderInvestigation).

Inthecourseoftheaudit,staffwilldevelopallegationsfromanyavailable

sources,including,butnotlimitedto,internalstudies,analyses,Customer

inputandcomplaints,andfrominformationderivedfromcomplianceactions

regardingactivitiesbyMerchantswhichwouldraiseseriousconcernsas

towhethersuchMerchantshavecausedtobeenteredintointerchange

TransactionswhichtheMerchantskneworshouldhaveknownwerefraudulent

orresultedinexcessivecoststotheindustry.

ItistheobligationoftheAcquirertomonitoreachMerchantclosely.

SecurityRulesandProcedures•7February20148-1

MasterCardFraudControlPrograms

8.1PresentingValidTransactions

MasterCardmayassesstheAcquirerforcostsandexpensesincurredrelated

totheaudit.

8.1.3.1InitiationofMasterCardAudit

IfMasterCardsuspectsthataMerchantmaybeinviolationoftheValid

TransactionsRule,MasterCardwillsendalettertotheSecurityContactlistedin

theMemberInformationtool.TheSecurityContactisresponsiblefordistributing

thelettertothepersonresponsiblefortheAcquirer’sMerchantauditprograms.

TheletterexplainswhyMasterCardisconductingtheauditandassessments

associatedwithviolationsoftheValidTransactionsRule.Customersmustreturn

therequestedinformationtoMerchantFraudControlforeachMerchantlisted

intheletterwithin30calendardaysofthedateofthecoverletter.

8.1.3.2InformationRequiredbyMasterCard

ThefollowingisalistofsomeoftheitemsthatMasterCardmayrequire

Acquirerstoprovideduringthecourseofanaudit,initiatedbyMasterCard

todeterminewhetheranAcquirer’sMerchantwasinviolationoftheValid

TransactionsRule:

1.Adetailedstatementoffactsexplainingwhether,when,andhowthe

Customerbecameawareoffraudulentactivityorchargebackorcustomer

serviceissues,thestepstakenbytheCustomertocontroltheoccurrenceof

fraud,andthecircumstancessurroundingtheMerchant’stermination.

2.AllinternaldocumentsabouttheopeningandsigningoftheMerchant

includingitsapplication,MerchantAgreement,creditreport,andcertified

siteinspectionreport.(TheAcquirershouldincludetheMerchant’sopening

andclosingdates.)

3.AllinternalCustomerdocumentsregardingtheduediligenceprocedures

followedbeforesigningtheMerchant,includingbackgroundchecksofthe

companyanditsprincipals,andthetelephonelogsfortradeandbank

referencesthattheCustomerverifiedduringtheduediligenceprocedure.

4.Internalreports,whereapplicable,confirminginquirybytheCustomerinto

theMATCHsystembeforesigningtheMerchantand,ifapplicable,inputof

theMerchanttotheMATCHsystemdatabasewithinfivebusinessdaysafter

itsdecisiontoclosetheMerchantasspecifiedintheserules.

IfaServiceProviderofanAcquirerfacilitatesthesigningofaMerchant,the

ServiceProvidermustincludetheduediligencedocuments.

Additionally,ifanAcquirer’sServiceProviderassistedinthesigningofthe

Merchant,theCustomermustprovideallServiceProviderduediligence

documentsregardingtherepresentativethatsignedtheMerchant.

Staffwillestablishanaudit(review)periodforwhichtheAcquirermustprovide

thefollowingsupportingdocumentation:

1.AuthorizationlogsfortheMerchant.

8-27February2014•SecurityRulesandProcedures

MasterCardFraudControlPrograms

8.2GlobalMerchantAuditProgram

2.Ifrequestedtodoso,theAcquirermustprovideamonthlybreakdownof

chargebacksandcreditsbycount,amount,andIssuerbankidentification

number(BIN)forthesuspectedviolationperiod,asspecifiedbyMasterCard.

3.AcompleterecordoftheMerchantsalesvolume,includingthenumberof

Transactionsatthelocation,fortheperiodforwhichMasterCardrequests

theauthorizationlogs.CustomersoutsidetheU.S.Regionthatdonotreport

theirlocalfraudtotheSystemtoAvoidFraudEffectively(SAFE)maynot

includelocalsalesintheMerchant’ssalesvolume.

MasterCardmayrequiretheCustomertoprovideadditionalinformation

deemedrelevanttotheaudit.IntheeventthatanAcquirerrefusestodisclose

informationrequestedbyMasterCard,MasterCardmay,initssolediscretionfor

thepurposeoftheaudit,presumethattheinformationwouldnotbefavorable

totheAcquireranddeclaretheMerchantinviolationoftheValidTransactions

Rule.

8.1.3.3NoticationtoCustomersofChargebackPeriod

IfMasterCarddeterminesthataMerchantisinviolationoftheValidTransactions

Rule,MasterCardwillpublishaGlobalSecurityBulletinidentifyingtheMerchant

andspecifyingtheappropriatechargebackperiod.TheIssuerhas120calendar

daysfromthedateoftheGlobalSecurityBulletintochargebackTransactions

totheAcquirer(usingIPMmessagereasoncode4849—QuestionableMerchant

Activity).

InthecaseofTransactionsoccurringafterthedateoftheGlobalSecurity

Bulletin,butwithinthedatesspecified,theIssuerhas120calendardaysfrom

thedateoftheTransactiontochargebacktheTransactions.TheIssuermust

includethenumberoftheGlobalSecurityBulletin(forexample,“Global

SecurityBulletinNo.XX”)intheDataRecordText(DataElement72)when

processingthechargeback.

8.2GlobalMerchantAuditProgram

TheGlobalMerchantAuditProgram(GMAP)usesarollingsixmonthsofdata

toidentifyMasterCardMerchantlocationsthat,inanycalendarmonth,meetthe

criteriasetforthinTable8.1.

Table8.1—FraudCriteriaforGlobalMerchantAuditProgramTierClassication

AMasterCardMerchantlocationis

classiedinthefollowingGMAPtier...

Ifinanycalendarmonth,the

MasterCardMerchantlocationmeets

thefollowingfraudcriteria...

Tier1—InformationalFraudAlert•ThreefraudulentTransactions

•AtleastUSD3,000infraudulent

Transactions

SecurityRulesandProcedures•7February20148-3

MasterCardFraudControlPrograms

8.2GlobalMerchantAuditProgram

AMasterCardMerchantlocationis

classiedinthefollowingGMAPtier...

Ifinanycalendarmonth,the

MasterCardMerchantlocationmeets

thefollowingfraudcriteria...

•Afraud-to-salesdollarvolumeratio

minimumof3%andnotexceeding

4.99%

Tier2—SuggestedTrainingFraudAlert•FourfraudulentTransactions

•AtleastUSD4,000infraudulent

Transactions

•Afraud-to-salesdollarvolumeratio

minimumof5%andnotexceeding

7.99%

Tier3—HighFraudAlert•FivefraudulentTransactions

•AtleastUSD5,000infraudulent

Transactions

•Afraud-to-salesdollarvolumeratio

minimumof8%

IfaMasterCardMerchantlocationisidentifiedinmultipletiersduringanyrolling

six-monthperiod,GMAPwillusethehighesttierfortheMerchantidentification.

NOTE

IfaMasterCardMerchanthasmorethanonelocation(oroutlet),theprogram

criteriaapplytoeachlocationindependently.

8.2.1AcquirerResponsibilities

MasterCardwillnotifyanAcquireroftheidentificationofaTier1,Tier2,or

Tier3MerchantviatheMerchantOnlineStatusTracking(MOST)tool.GMAP

MerchantidentificationsareprovidedforinformationonlyandnoAcquirer

responseisnecessary.IfMasterCardnotifiesanAcquirerviaMOSTthata

Tier3specialMerchantaudithasbeeninitiated,theAcquirermustrespond

asdescribedinsection8.2.2.

WhenaMerchantisidentifiedinTier1,Tier2,orTier3,theAcquirershould

evaluatethefraudcontrolmeasuresandMerchanttrainingproceduresin

placefortheMerchant.MasterCardstronglyrecommendsthattheAcquirer

actpromptlytocorrectanyidentifieddeficiencies.Suggestedenhancements

aredescribedintheGMAPBestPracticesGuideforAcquirersandMerchants

toControlFraud.

MasterCard,initssolediscretion,mayconductanaudittodeterminewhethera

MerchantlocationisinviolationoftheValidTransactionsRule,asdescribedin

section8.1.3,andmayassignchargebackliability.

8-47February2014•SecurityRulesandProcedures

MasterCardFraudControlPrograms

8.2GlobalMerchantAuditProgram

8.2.2Tier3SpecialMerchantAudit

IfGMAPidentifiesaMerchantlocationinTier3,MasterCardwilldetermine

whethertoinitiateanauditoftheMerchantlocation(“aTier3specialMerchant

audit”).IfMasterCarddecidestoconductaTier3specialMerchantaudit,the

auditwillproceedasfollows:

1.MasterCardnotiesAcquirer.TheAcquirerwillreceivenotificationfrom

MasterCard,throughMOST,thataTier3specialMerchantaudithasbeen

initiated.

2.Acquirerresponseduewithin30-dayresponseperiod.Nolaterthan30

daysaftertheTier3specialMerchantauditnotificationdate(“the30-day

responseperiod”),theAcquirermustrespondtotheauditnotification

throughMOSTbyeither:

a.NotifyingMasterCardthattheAcquirerhasterminatedtheMerchant

(iftheAcquirerdeterminesthattheMerchantmustbereportedtothe

MATCHsystem,theAcquirermaydosothroughMOST),or;

b.Completingtheonlinequestionnaire,iftheAcquirerdidnotterminate

theMerchant.ThisquestionnaireisusedtoinformMasterCardof1)any

exceptionalorextenuatingcircumstancespertainingtotheidentified

Merchant’sfraudand2)thefraudcontrolmeasuresinplaceatthe

Merchantlocation.

Uponreviewofthecompletedonlinequestionnaire,MasterCard,atits

solediscretion,may:

•GranttheMerchantlocationanexclusionfortheMerchantidentification,

or;

•ProvidetheAcquirerwiththeopportunitytoimplementadditional

fraudcontrolmeasures(“thefraudcontrolactionplan”),asdirectedby

MasterCard,attheMerchantlocation,or;

•AssignchargebackresponsibilitytotheAcquirerfortheMerchant

location.

3.Fraudcontrolactionplanrequiredwithin90-dayactionperiod.If

MasterCardrequirestheAcquirertoimplementafraudcontrolactionplan,

MasterCardwillprovidetheplantotheAcquirerthroughMOST.The

Acquirerhas90daysfromthefirstdayofthemonthfollowingthemonthin

whichtheMerchantwasidentifiedinGMAP(“the90-dayactionperiod”)

totakeallrequiredactions,includingbutnotlimitedtoconfirmationthat

suchfraudcontrolactionplanhastakeneffect.MasterCardmayextendthe

90-dayactionperiodatitssolediscretion.ForAcquirersthatimplementa

fraudcontrolactionplan,theidentifiedMerchantisagaineligibletobe

newlyidentifiedinGMAPcommencingonthesixthmonthfollowingthe

monthinwhichtheMerchantwasfirstidentifiedinGMAP.Fraudulent

TransactionsreportedtoSAFEwillbereviewedundertheProgram

commencingonthefourthandfifthmonthsfollowingthemonthinwhich

theMerchantwasfirstidentifiedinGMAP,andwillcontinueincrementally

SecurityRulesandProcedures•7February20148-5

MasterCardFraudControlPrograms

8.2GlobalMerchantAuditProgram

thereafteruntiltheMerchantresumesasix-monthrollingreviewperiod,

providedtheMerchantdoesnotexceedtheGMAPTier1,2,or3thresholds.

TheAcquirerofaMerchantsubjecttoaTier3specialMerchantauditmust

providesatisfactorydocumentationtosubstantiatethatreasonablecontrols

tocombatfraudhavebeenimplemented,includingimplementationofa

MasterCarddirectedfraudcontrolactionplan.

RefertoFigure8.1forasampletimelineofaTier3specialMerchantaudit.

Figure8.1—Tier3SpecialMerchantAuditSampleTimeline

8.2.3ChargebackResponsibility

MasterCardwillrevieweachAcquirerofaMerchantlocationsubjecttoaTier

3specialMerchantauditonacase-by-casebasisanddetermine,atthesole

discretionofMasterCard,ifachargebackliabilityperiodisapplicable.The

chargebackliabilityperiodisforsixmonthsandbeginsonthefirstdayofthe

fourthmonthfollowingtheGMAPTier3identification.

8-67February2014•SecurityRulesandProcedures

MasterCardFraudControlPrograms

8.2GlobalMerchantAuditProgram

MasterCard,atitssolediscretion,mayextendthechargebackliabilityperiod

to12months.

MasterCardreservestherighttolisttheAcquirerID,Acquirername,Merchant

name,Merchantlocation,andchargebackliabilityperiodofanyTier3Merchant

inaGlobalSecurityBulletin.

WhenMasterCardliststheAcquirerandMerchantinformationinaGlobal

SecurityBulletin,Issuerchargebackrightswillapply.EachIssuerthenhasa

righttousemessagereasoncode4849—QuestionableMerchantActivityto

chargebacktotheAcquireranyfraudulentTransactionsfromtheMerchantthat

arereportedtoSAFEwiththefollowingfraudtypes:

•00—LostFraud,

•01—StolenFraud,

•04—CounterfeitCardFraud,

•06—CardNotPresent1Fraud,or

•07—MultipleImprintFraud.

EachTransactionchargedbackmusthaveoccurredduringthepublished

chargebackperiodandmustbereportedtoSAFEwithintheapplicabletime

frame(refertoChapter12ofthismanual).Issuersmaynotusemessage

reasoncode4849tochargebackTransactionsfromanAcquirerandMerchant

identifiedinGMAPifthefraudtypeis:

•02—NeverReceivedIssue,

•03—FraudulentApplication,

•05—AccountTakeoverFraud,or

•51—Bust-outCollusiveMerchant.

OnceMasterCardliststheAcquirerID,Acquirername,Merchantname,

Merchantlocation,andchargebackresponsibilityperiodinaGlobalSecurity

Bulletin,theIssuermaynotusemessagereasoncode4849—Questionable

MerchantActivity,inanyofthefollowingsituations:

1.RefertoIssuerrestrictionsonchargebacksformessagereasoncode4849fortheMasterCard®

SecureCode™globalliabilityshiftasdescribedlaterinthissection.

SecurityRulesandProcedures•7February20148-7

MasterCardFraudControlPrograms

8.2GlobalMerchantAuditProgram

•TheTransactionwasnotreportedproperlytoSAFEwithintheapplicable

timeframespecifiedinthismanual.

•TheTransactionwasreportedtoSAFEasafraudtypeofNeverReceived

Issue(02),FraudulentApplication(03),AccountTakeoverFraud(05),or

Bust-outCollusiveMerchant(51).

•IftheSecureCodegloballiabilityshiftfore-commerceTransactionsisin

effect,andallofthefollowingconditionsoccur:

–TheMerchantisUniversalCardholderAuthenticationField

(UCAF™)-enabled,and

–TheIssuerprovidedtheUCAFdataforthatTransaction,and

–Allothere-commerceAuthorizationRequest/0100messageandclearing

requirementsweresatisfied,and

–TheAuthorizationRequestResponse/0110messagereflectedtheIssuer’s

approvaloftheTransaction.

•IfanintracountryorintraregionalchipliabilityshiftortheinterregionalChip

LiabilityShiftProgram(Level1)isineffect,theTransactionwasprocessed

atachipcompliantPoint-of-Interaction(POI)terminal,theTransaction

wasreportedtoSAFEascounterfeitfraud,andeithertheTransactionwas

identifiedproperlyas1)anofflinechipTransactionintheclearingrecord,

or2)asanonlineTransactionintheAuthorizationRequest/0100message,

andtheAuthorizationRequestResponse/0110messagereflectedtheIssuer’s

approvaloftheTransaction.

8.2.4ExclusionfromtheGlobalMerchantAuditProgram

ThefollowingsectionsaddressexclusionsfromGMAP.

8.2.4.1SystematicExclusions

ThefollowingTransactionssystematicallyareexcludedforthepurposesof

determiningtheidentificationofaMerchantinGMAP:

•DebitFraud—ThisincludesallfraudrelatedtoCirrus(CIR)andMaestro

(MSI).

•AllNeverReceivedIssue,FraudulentApplication,AccountTakeover

(ATO),andBust-outCollusiveMerchantfraudtypes—Thisincludesall

TransactionsreportedtoSAFEasfraudtype:

–02—NeverReceivedIssue

–03—FraudulentApplication

–05—AccountTakeoverFraud

–51—Bust-outCollusiveMerchant

8-87February2014•SecurityRulesandProcedures

MasterCardFraudControlPrograms

8.2GlobalMerchantAuditProgram

8.2.4.2ExclusionafterGMAPIdentication

AfterMasterCardprovidesnotificationtoanAcquirerthataTier3special

Merchantaudithasbeeninitiated,theAcquirermayrequestthatMasterCard

excludetheMerchantforgoodcause.

Whenrequestinganexclusion,theAcquirermustsubmitthecompletedspecial

Merchantauditonlinequestionnairewithin30daysoftheTier3special

Merchantauditnotificationandprovidesuchothersupportinginformationthat

MasterCardrequires.

MasterCardstaffwilldecidewhethertoexcludeaMerchantfromGMAP.

Whenevaluatingexclusionrequests,MasterCardmayconsidersuchmattersas:

•Afraud-to-salesdollarvolumeratiobelow8percent—IftheMerchant’s

MasterCarddollarvolumeisnotsystematicallyavailableforcalculation,the

AcquirerwillhavetheopportunitytoprovidethisdatatoMasterCardfor

review.TorecalculatetheMerchantfraud-to-salesdollarvolumeratio,

theAcquirermustpresentsupportingdocumentationtoshowonlythe

MasterCardsalesfortheidentifiedlocationduringtheapplicablemonthsin

whichtheidentificationcriteriaaremet.

IfthesupportingdocumentationdemonstratesthattheMerchantlocation

didnotexceedtheTier3fraudthresholds,theAcquirerwillreceivean

exclusionfortheMerchant.

IfthesupportingdocumentationdemonstratesthattheMerchant’s

fraud-to-salesratioexceeds8percent,MasterCardwilltakeactionas

describedinsection8.2.2.

•ThefraudcontrolProgramcurrentlyinplaceattheMerchant

location—MasterCardwillreviewinformationpertainingtothefraudcontrol

ProgramcurrentlyinplaceattheMerchantlocationtoestablishifadditional

fraudcontrolmeasurescouldhavepreventedorreducedthefraud.

•AchainMerchant—AchainMerchantisdefinedintheIPMClearing

FormatsunderDataElement(DE)43(CardAcceptorName/Location)as

oneofmultipleMerchantoutletshavingcommonownershipandselling

thesamelineofgoodsorservices.MasterCardStandardsfurtherindicate

thatsubfield1(CardAcceptorName)ofthisdataelementmustcontaina

uniqueidentifierattheendofthisfieldiftheMerchanthasmorethanone

locationinthesamecity.ItistheAcquirer’sresponsibilitytoensurethatall

Merchantsofthisnatureareidentifiedproperly.Merchantswithmultiple

locationsthatareincompliancewiththisStandardareidentifieduniquely

intheauditprograms.

AcquirerswithaMerchantsubjecttoaTier3specialMerchantauditbased

onacalculationinclusiveofmorethanonelocationmayapplyforan

exclusion.Toapplyforsuchanexclusion,theAcquirermustprovide

MasterCardwithfraudandsalesdataforeachlocationwithinthechain.

IfthesameMerchantIDnumberisusedtoidentifyalloftheMerchant

locations,theAcquirermustfurtherprovideacopyofthesalesdraftfor

eachTransactionidentifiedasfraudulent.

SecurityRulesandProcedures•7February20148-9

MasterCardFraudControlPrograms

8.2GlobalMerchantAuditProgram

Exclusionsbasedonotherexceptionalorextenuatingcircumstances—An

AcquirermayrequestanexclusionforaMerchantlocationfromaTier3special

Merchantauditbasedonexceptionalorextenuatingcircumstancesbyproviding

appropriateinformation.

ThefollowingareexamplesofinformationthatMasterCardwillconsiderwith

regardtoanexclusionrequestforexceptionalorextenuatingcircumstances:

1.SAFEdataerror:

•ErroneousTransactionamountreported

•ReportedTransactionamountinflatedasaresultofcurrencyconversion

•TransactionreportedunderincorrectAcquirerIDorMerchantname

•DuplicateTransactionsreported

•Non-fraudulentTransactionreportedtoSAFEinerror(suchasadispute)

2.TheMerchantcapturedfraudulentCard(s)transactedatitslocation.

3.TheMerchantassistedwiththeapprehensionandconvictionofcriminal(s)

thattransactedfraudulentCardsatitslocation.

4.TheMerchantidentifiedfraudulentTransactionsbeforeshipping

merchandiseandissuedcreditstotheCardholderaccountinatimely

fashion,providedthecreditwasnotissuedinresponsetoaretrieval

requestorchargeback.

8.2.5NoticationofMerchantIdentication

WhenaMerchantlocationisidentifiedinGMAP ,MasterCardwillreportthe

MerchantidentificationinMOST,detailingtheidentification.

Inaddition,theAcquirerwillreceivetheGlobalMerchantAuditProgramReport.

AcquirersmustuseMOSTtorespondtoaTier3specialMerchantaudit

notification.

NOTE

Acquirersareresponsibleforensuringthattheyarecapableofreceiving

noticationofMerchantsidentiedinGMAP .IfanAcquirerdoesnotreceive

anautomatednotication,itistheAcquirer'sresponsibilitytoobtainthis

informationthroughMasterCardConnect™.

8.2.5.1DistributionofReports

RefertotheMOSTUsers’Manualforinformationaboutthedistributionof

GMAPreports.

8-107February2014•SecurityRulesandProcedures

MasterCardFraudControlPrograms

8.2GlobalMerchantAuditProgram

8.2.6MerchantOnlineStatusTracking(MOST)System

TheMOSTsystemresidesontheMasterCardConnectplatform,andisusedto

administertheprocessforMerchantsidentifiedinGMAP.TheMOSTsystem

allowsanAcquirerto:

•VieweachMerchantidentifiedinGMAP

•DeterminethereasonsthataMerchantwasidentifiedinGMAP

•RetrievefullTransactiondetailsforeachidentifiedMerchantviaFraud

Reporter

•ViewthestatusofeachMerchantsubjecttoaTier3specialMerchantaudit

•CompleteanonlinequestionnaireasrequiredbyMasterCardforaTier3

specialMerchantaudit

•DeterminethechargebackliabilityperiodforeachMerchantsubjecttoa

Tier3specialMerchantaudit

8.2.6.1MOSTMandate

AcquirersmustusetheMOSTsystemavailableonMasterCardConnectwhen

requiredbyMasterCardtorespondtoaTier3specialMerchantauditinMOST.

MasterCardwillassessaUSD100processingfeeperindividualMerchant

identificationforanAcquirerthatdoesnotsolelyuseMOSTtorespondtoa

Tier3specialMerchantaudit.

MasterCardwillassesstheUSD100processingfeeonlyonetimeforeach

requiredTier3specialMerchantauditresponse.Thefeewillbecollectedby

debitingtheAcquirer’sMasterCardConsolidatedBillingSystem(MCBS)account.

Inaddition,MasterCardmayassessanAcquireraUSD100processingfeeifthe

Tier3specialMerchantauditresponseiscompletedinMOSTandissubmitted

usinganyotheradditionalmethod.However,ifanAcquirerrespondstoaTier

3specialMerchantauditviaMOSTandthenchoosestosubmitsupporting

documentationviaanothercommunicationmethod,ortoengageindialogue

withMasterCardstaff,thenMasterCardwillnotassesstheAcquireraprocessing

fee.

MOSTandMATCHhavebeenincorporatedintoonesuiteofmandatedproducts

forwhichAcquirersgloballyareassessedacombinedannualfeeofUSD4,000.

SecurityRulesandProcedures•7February20148-11

MasterCardFraudControlPrograms

8.3ExcessiveChargebackProgram

8.2.6.2MOSTRegistration

TouseMOST,ausermustbelicensedforeachacquiringMemberID/ICA

numberatachildlevel,regardlessofaparent/childrelationship.Eachuser

accessrequesttotheMOSTsystemfirstissubmittedbytherequestervia

theMasterCardConnectStoreonMasterCardConnect.Therequestthenis

submittedtotheCustomer’sMasterCardOnlineAdministrationTool(MAT)

administratorforapproval.TheMATadministratorisresponsibleforapproving

authorizationforaCustomeruserorprocessortousetheMOSTsystemfor

thatCustomer’sspecifiedMemberIDs/ICAnumbers.Aftertheaccessrequest

isapprovedbytheMATadministrator,therequestautomaticallyissentto

MasterCardforprocessing.

MasterCardwilldeclinerequestsforaccesstotheMOSTsystemthatarenot

complete,accurate,orapprovedbytheMATadministratorforeachMember

ID/ICAnumberforwhichtheuserisrequestingMOSTaccess.MasterCard

staffreservestherighttorequestwrittenauthorizationfromaCustomer’s

SecurityContact,PrincipalContact,orMATCHContacttovalidatetheuser’s

requestforMOSTaccess.WhenMasterCarddeclinesauseraccessrequest,the

usermustresubmitasubsequentonlineMOSTproductregistrationrequest

totheCustomer’sMATadministratorforapproval.Onceapprovedbythe

MATadministrator,therequestautomaticallywillberoutedtoMasterCardfor

processing.

ToregisterforMOST,logintoMasterCardConnect(www.mastercardcon-

nect.com)byenteringyourUserIDandPassword,thenrequestaccessto

MOSTfromtheMasterCardConnectStoremenu.

ForadditionalassistancewithregisteringfortheMOSTonlinesystem,contact

theCustomerOperationsServicesteamusingthecontactinformationprovided

insectionC.6ofAppendixC.

8.3ExcessiveChargebackProgram

MasterCarddesignedtheExcessiveChargebackProgram(ECP)toencourage

eachAcquirertocloselymonitor,onanongoingbasis,itschargeback

performanceattheMerchantlevelandtodeterminepromptlywhena

MasterCardMerchanthasexceededorislikelytoexceedmonthlychargeback

thresholds.

8.3.1ECPDenitions

ThefollowingtermsusedintheECPhavethemeaningssetforthbelow.

MerchantAMerchantisdefinedasanydistinctMasterCard

Merchantlocation,whetheraMerchant’sphysical

locationoraMerchant’sInternetsiteoruniform

resourcelocator(URL)thatisidentifiedbyadistinct

billingdescriptorbytheAcquirerintheTransaction

record.

8-127February2014•SecurityRulesandProcedures

MasterCardFraudControlPrograms

8.3ExcessiveChargebackProgram

Chargeback-to-

TransactionRatio

(CTR)

TheCTRisthenumberofMasterCardchargebacks

receivedbytheAcquirerforaMerchantinacalendar

monthdividedbythenumberoftheMerchant’s

MasterCardsalesTransactionsintheprecedingmonth

acquiredbythatAcquirer.(ACTRof1%equals100

basispoints,andaCTRof1.5%equals150basis

points.)

Chargeback-

MonitoredMerchant

(CMM)

ACMMisaMerchantthathasaCTRinexcessof100

basispointsandatleast100chargebacksinacalendar

month.

Excessive

Chargeback

Merchant(ECM)

AMerchantisanECMifineachoftwoconsecutive

calendarmonths(the“triggermonths”),theMerchant

hasaminimumCTRof150basispointsandatleast

100chargebacksineachmonth.Thisdesignationis

maintaineduntiltheECM’sCTRisbelow150basis

pointsfortwoconsecutivemonths.

Tier1ECMAMerchantisaTier1ECMduringthefirstthrough

sixthmonth(whetherconsecutiveornon-consecutive)

thattheMerchantisidentifiedasanECM.

Tier2ECMAMerchantisaTier2ECMduringtheseventh

throughtwelfthmonth(whetherconsecutiveor

non-consecutive)thattheMerchantisidentifiedasan

ECM.

8.3.2ReportingRequirements

ItistheAcquirer’sresponsibilityonanongoingbasistomonitoreachof

itsMerchantsinaccordancewiththeStandards,includingbutnotlimitedto

sections6.2.2,7.2,and7.3.1ofthismanual.

TheECPrequiresanAcquirertocalculate,foreachcalendarmonth,theCTRin

basispointsforeachofitsMerchantsandreporttoMasterCardanyMerchant

thatisaCMMorECMasdefinedinsection8.3.1.

MasterCardwillassessanAcquirerofanECMthereportingfeesetforthin

section8.3.2.2.

8.3.2.1Chargeback-MonitoredMerchantReportingRequirements

Eachcalendarmonth,anAcquirermustsubmittoMasterCardaseparateCMM

reportforeachofitsMerchant(s)thatqualifiesasaCMMfortheprevious

calendarmonth.ForthepurposeofdeterminingifanAcquirerisobligatedto

submitaCMMreport,theAcquirermustcalculatetheCTRassetforthinsection

8.3.1.TheAcquirermustsubmitthisreportnolaterthan45daysfromthe

endofthecalendarmonth.

SecurityRulesandProcedures•7February20148-13

MasterCardFraudControlPrograms

8.3ExcessiveChargebackProgram

TheAcquirermustsubmittheCMMreportinaformandmannerrequiredby

MasterCard.TheAcquireralsomustprovideacopyoftheCMMreportand

theseECPStandardstothespecificCMM.

TheAcquirermustcontinuetoprovideCMMreportinguntiltheMerchantisno

longeridentifiedasaCMMfortwoconsecutivemonths.

8.3.2.1.1CMMReportContents

TheCMMreportmustincludeallofthefollowinginformation:

•ThenameandlocationoftheCMM

•ThecalendarmonthofCMMqualificationbeingreported

•TheCTRoftheCMMforthereportedcalendarmonth

•TheCardacceptorbusinesscode/Merchantcategorycode(MCC)assigned

totheCMMandadescriptionofthenatureoftheCMM’sbusiness

•Thenumberandgrossdollarvolume(GDV)oftheCMM’sMasterCardsales

Transactionsinthereportedcalendarmonthandintheprecedingmonth

•ThenumberandGDVofchargebacksoftheCMM’sMasterCardsales

Transactionsforthereportedcalendarmonth

•AnyadditionalinformationasMasterCardmayrequire

8.3.2.1.2LateCMMReportSubmissionAssessment

IfMasterCarddeterminesthataMerchantisaCMMandtheAcquirerfailsto

submitatimelyCMMreporttoMasterCardforthatMerchant,MasterCardmay

assesstheAcquireruptoUSD5,000permonthforeachmonththataspecific

monthlyCMMreportisoverdue.

8.3.2.2ExcessiveChargebackMerchantReportingRequirements

Within30daysoftheendofthesecondtriggermonth,andonamonthlybasis

thereafter,theAcquirermustsubmitaseparateECMreportforeachofitsECMs

(inlieuofaCMMreport)untilthatECM’sCTRisbelow150basispointsfor

twoconsecutivemonths.TheAcquireralsomustprovideacopyoftheECM

reportandtheseECPStandardstothespecificECM.MasterCardwillassessthe

AcquirerareportingfeeofUSD100foreachECMreportsubmitted.

TheAcquirermustcontinuetoprovidemonthlyECMreportinguntilthe

MerchantisnolongeridentifiedasanECMfortwoconsecutivemonths.If

duringthosemonthstheMerchantisidentifiedasaCMM,thentheCMM

reportingrequirementswillapply.

8.3.2.2.1ECMReportContents

TheECMreportmustincludealloftheinformationrequiredfortheCMM

report,andthefollowingadditionalinformation:

8-147February2014•SecurityRulesandProcedures

MasterCardFraudControlPrograms

8.3ExcessiveChargebackProgram

•AdescriptionoftheAcquirer’schargebackcontrolsinplacetomonitorthe

ECM’sactivities

•AnevaluationofthepracticesthatcausedtheECMtoexceedtheECP

Standard

•AnAcquireractionplantoreducetheECM’sCTR

•AnelectronicfilethatcontainschargebackTransactiondetailsforeach

chargebackreceivedbytheAcquirerfortheECMinthecalendarmonth

•AnyadditionalinformationasMasterCardmayrequirefromtimetotime

MasterCardwillassesstheAcquirerareportingfeeofUSD100foreachECM

reportsubmitted.

8.3.2.2.2LateECMReportSubmissionAssessment

IfMasterCarddeterminesthataMerchantisanECMandtheAcquirerfailsto

submitatimelyECMreporttoMasterCardforthatECM,MasterCardmayassess

theAcquireruptoUSD500perdayforeachofthefirst15daysthattheECM

reportforthatECMisoverdueanduptoUSD1,000perdaythereafteruntilthe

delinquentECMreportissubmitted.

8.3.3Assessments

InadditiontoanyapplicableassessmentsforECMreportsorlatereport

submissions,MasterCardmayassesstheAcquirerforIssuerreimbursement

feesandviolationassessmentsforexcessivechargebacksarisingfroman

ECM.MasterCardcalculatestheIssuerreimbursementfeesandassessmentsas

describedinsection8.3.3.1andtheyapplyineachcalendarmonththatthe

ECMexceedsaCTRof150basispointsafterthefirsttriggermonth.Forthe

purposesofcalculatingIssuerreimbursementfeesandassessmentsonly(and

notforthepurposeofsatisfyingthereportingrequirementscontainedherein),

anAcquirermayofferanalternativeCTRcalculationthatmoreaccurately“maps

back”orlinksthechargebackstotherelevantsalesTransactions.

Forthefirst12monthsofaMerchant’sidentificationasanECM,MasterCard

willconsidertheMerchant’sactualchargebackvolumeasafactorinits

determinationofAcquirerliability.Duringthisperiod,MasterCardwillassess

theAcquirerthelesserof:

•ThetotaloftheIssuerreimbursementplusviolationassessmentamounts,

calculatedasdescribedinsection8.3.3.1foragivenmonth,or

•TheMerchant’schargebackdollarvolumereportedbytheAcquirerfor

thatmonth.

SecurityRulesandProcedures•7February20148-15

MasterCardFraudControlPrograms

8.3ExcessiveChargebackProgram

8.3.3.1ECPAssessmentCalculation

MasterCarddeterminesanAcquirer’sliabilityforthemonthlyIssuer

reimbursementfeesandassessmentsforeachECMassetforthbelow.

MasterCardcalculatestheIssuerreimbursementfeesinthefollowingsteps1,2,

and3,andcalculatestheviolationassessmentinstep4.

1.CalculatetheCTRforeachcalendarmonththattheECMexceededaCTRof

150basispoints(whichmayalsobeexpressedas1.5%or0.015).

2.FromthetotalnumberofchargebacksintheaboveCTRcalculation,subtract

thenumberofchargebacksthataccountforthefirst150basispointsofthe

CTR.(Thisamountisequivalentto1.5percentofthenumberofmonthly

salesTransactionsusedtocalculatetheCTR.)Theresultisthenumberof

chargebacksabovethethresholdof150basispoints.

3.Multiplytheresultfromstep2byUSD25.ThisistheIssuerreimbursement.

4.Adjusttheresultinstep3toreflecttheextentthattheAcquirerhas

exceededthe150basispointsthresholdbymultiplyingthevalueinstep

3bytheCTR(expressedasbasispoints).Dividethisresultby100.This

amountistheviolationassessment.

Repeatsteps1–4foreachcalendarmonth(otherthanthefirsttriggermonth)

thattheECMexceededaCTRof150basispointsor1.5percent.

Example:TheAcquirerforMerchantABCacquiredMasterCardsales

Transactionsandchargebacksoverasix-monthperiodasfollows:

MonthJanuaryFebruaryMarchAprilMayJuneJuly

Sales

Transactions

95,66595,46095,56195,86795,25595,88995,758

Chargebacks1,0501,4671,6351,5561,4951,052985

CTRinbasis

points

—153171163156110103

FebruaryandMarcharethetriggermonths,asthesearetwoconsecutive

monthswheretheCTRexceeded150basispoints.AttheendofJuly,

MerchantABCwasnolongeranECMasitsCTRwasbelow150basispoints

fortwoconsecutivemonths.MasterCardcalculatesassessmentsandIssuer

reimbursementsforeachofthemonthsMarchthroughJuly.

Forexample,theassessmentforApril(usingMarchsalesTransactionsandApril

chargebackvolumes)iscalculatedasfollows:

8-167February2014•SecurityRulesandProcedures

MasterCardFraudControlPrograms

8.3ExcessiveChargebackProgram

•TheCTR=Aprilchargebacks/MarchsalesTransactions=1,556/95,561=

0.01628or163basispoints(rounded)

•Thenumberofchargebacksinexcessofthe150basispointsisdetermined

bysubtracting1.5percentoftheMarchsalesTransactionsfromthenumber

ofAprilchargebacks.1.5percentoftheMarchsalesTransactions(95,561x

0.015)is1,433.1,556–1,433=123chargebacks

•TheIssuerreimbursementforAprilis123xUSD25=USD3,075

•Theviolationassessmentis(USD3,075x163)/100or501,225/100=USD

5,012.25

Usingthismethodology,theIssuerreimbursementfeesandassessmentsforthe

AcquirerforMerchantABCareasfollows.

Month

Issuer

ReimbursementAssessmentTotal

February(first

triggermonth)

000

March(second

triggermonth)

USD5,075.00USD8,678.25USD13,753.25

AprilUSD3,075.00USD5,012.25USD8,087.25

MayUSD1,425.00USD2,223.00USD3,648.00

June000

July000

TotalUSD9,575.00USD15,913.50USD25,488.50

Example:ForthemonthofMarch,theAcquirerreportedMerchantABC

chargebackvolumeof1,635chargebackstotalingUSD12,145.Thisamountis

lessthanthecalculatedamountoftheIssuerreimbursementplusviolation

assessmenttotalofUSD13,753.25,asshownaboveforMarch.Therefore,

MasterCardwillassesstheAcquirerthelesserchargebackvolumeamountrather

thanthegreatercalculatedamount.

8.3.5AdditionalTier2ECMRequirements

AfteraMerchanthasbeenaTier1ECMforsixmonths(whetherconsecutive

ornon-consecutive),theMerchantwillbedeemedaTier2ECMinitsseventh

monthasanECM.

WithrespecttoaTier2ECM,MasterCardmay:

1.AdvisetheAcquirerwithregardtotheactionplanandothermeasures

thattheAcquirershouldtakeorconsidertakingtoreducetheMerchant’s

CTR;and/or

SecurityRulesandProcedures•7February20148-17

MasterCardFraudControlPrograms

8.4QuestionableMerchantAuditProgram(QMAP)

2.RequiretheAcquirertoundergoaFraudManagementProgram(FMP)Level

3Customerreview,attheAcquirer’sexpense,asdescribedinChapter13

ofthismanual.

AfteraMerchanthasbeenanECMfor12months(whetherconsecutiveor

non-consecutive),theAcquirerwillbedeemedtobeinviolationofRule5.11.7

oftheMasterCardRulesmanual(“theIllegalorBrand-damagingTransactions

Rule”),andinadditiontotheassessmentsdescribedinsection8.3.3,issubject

tononcomplianceassessmentsofuptoUSD50,000permonthafterthetwelfth

monththattheMerchantremainsanECM.

8.4QuestionableMerchantAuditProgram(QMAP)

TheQuestionableMerchantAuditProgram(QMAP)establishesminimum

standardsofacceptableMerchantbehaviorandidentifiesMerchantsthatmay

failtomeetsuchminimumstandardsbyparticipatingincollusiveorotherwise

fraudulentorinappropriateactivity.TheQMAPalsopermitsanIssuerto

obtainpartialrecoveryofuptoone-halfofactualfraudlossesresultingfrom

fraudulentTransactionsataQuestionableMerchant,basedonSAFEreporting.

ThecriteriatoidentifyaQuestionableMerchantandthefraudrecoveryprocess

aredescribedbelow.

8.4.1QMAPDenitions

ForpurposesoftheQMAP ,thefollowingtermshavethemeaningssetforth

below:

Cardholderbust-outaccountmeansanaccountforwhichallofthefollowing

conditionsaretrue:

1.TheIssuerclosedtheaccountpriortotheearlierof(i)theIssuerrequesting

thatMasterCardcommenceaninvestigationastowhetheraMerchant

isaQuestionableMerchant,or(ii)MasterCardnotifyingtheIssuerthat

MasterCardhascommencedaninvestigationastowhetheraMerchantisa

QuestionableMerchant;and

2.ATransactionarisingfromuseoftheaccounthasnotbeenchargedback

foreitheranauthorization-relatedchargeback(assetforthinsection3.2of

theChargebackGuide)orfraud-relatedchargeback(assetforthinsection

3.3oftheChargebackGuide)duringthe180dayspriortotheearlierof(i)

theIssuerrequestingthatMasterCardcommenceaninvestigationasto

whetheraMerchantisaQuestionableMerchant,or(ii)MasterCardnotifying

theIssuerthatMasterCardhascommencedaninvestigationastowhethera

MerchantisaQuestionableMerchant;and

3.Atleastoneofthefollowingistrue:

a.Theaccountinquestionis“linked”tooneormoreCardholder

bust-outaccounts.Asusedherein,tobe“linked”meansthatpersonal,

non-publicinformationpreviouslyprovidedbyanapplicantin

connectionwiththeestablishmentofoneormoreCardholderbust-out

8-187February2014•SecurityRulesandProcedures

MasterCardFraudControlPrograms

8.4QuestionableMerchantAuditProgram(QMAP)

accounts(name,address,telephonenumber,socialsecuritynumber

orothergovernment-issuedidentificationnumber,authorizeduser,

demanddepositaccountnumber,andthelike)hasbeenprovidedbyan

applicantinconnectionwiththeestablishmentofthesubjectaccount;or

b.TheaccountislinkedtooneormoreCardholderbust-outaccounts

usedinTransactionswithaMerchantthatMasterCardidentifiedasa

QuestionableMerchantinaGlobalSecurityBulletin;or

c.TheCardholderrequeststhatoneormoreadditionalpersonsbe

designatedasanadditionalCardholderoftheaccountwithinashort

periodoftime;or

d.TheCardholderrequeststhatthecreditlimitoftheaccountbeincreased

soonaftertheaccountisopened;or

e.TheCardholdermakesfrequentbalancequeriesor“open-to-buy”

queries;or

f.Nopaymenthasbeenmadeofchargestotheaccount;or

g.TheIssuerclosedtheaccountafterafailedpayment(dishonoredcheck

orthelike)ofchargestotheaccount.

CaseScopePeriodmeansthe180-calendar-dayperiodprecedingthedateon

whichMasterCardcommencesaninvestigationintotheactivitiesofasuspected

QuestionableMerchant.

QuestionableMerchantmeansaMerchantthatsatisfiesallofthefollowing

criteria:

1.TheMerchantsubmittedatleastUSD50,000inTransactionvolumeduring

theCaseScopePeriod;

2.TheMerchantsubmittedatleastfive(5)Transactionstooneormore

AcquirersduringtheCaseScopePeriod;and

3.Atleastfifty(50)percentoftheMerchant’stotalTransactionvolume

involvedtheuseofCardholderbust-outaccounts

Atleastthree(3)ofthefollowingfour(4)conditionsapplytotheMerchant’s

TransactionactivityduringtheCaseScopePeriod:

a.TheMerchant’sfraud-to-salesTransactionratiowasseventy(70)percent

orgreater.

b.Atleasttwenty(20)percentoftheMerchant’sTransactionssubmitted

forauthorizationweredeclinedbytheIssuerorreceivedaresponseof

“01—Refertoissuer”duringtheCaseScopePeriod.

c.TheMerchanthasbeensubmittingTransactionsforfewerthansix(6)

months.

d.TheMerchant’stotalnumberortotaldollaramountoffraudulent

Transactions,authorizationdeclines,andIssuerreferralswasgreater

SecurityRulesandProcedures•7February20148-19

MasterCardFraudControlPrograms

8.4QuestionableMerchantAuditProgram(QMAP)

thantheMerchant’stotalnumberortotaldollaramountofapproved

Transactions.

MasterCardhassolediscretion,basedoninformationfromanysource,to

determinewhetheraMerchantmeetingthesecriteriaisaQuestionable

Merchant.

8.4.2MasterCardCommencementofanInvestigation

MasterCard,atitssolediscretion,maycommenceaQMAPinvestigationofa

Merchant.Duringthependencyofsuchaninvestigation,MasterCardmay

identifytheMerchantbeinginvestigatedinMATCHusingMATCHreasoncode

00(QuestionableMerchant/UnderInvestigation).

IfanIssuerhasreasontobelievethataMerchantmaybeaQuestionable

Merchant,theIssuermustpromptlynotifyMasterCardviae-mailmessageat

qmap@mastercard.com.TransactionsthatoccurredduringtheCaseScope

PeriodmayqualifyaseligibleforrecoveryundertheQMAP.

Inthenotification,theIssuermustprovidethebasisfortheIssuer’sreasonto

believethattheMerchantmaybeaQuestionableMerchant,andmustprovide

allofthefollowinginformation:

1.IssuernameandMemberID;

2.AcquirernameandMemberID;

3.Merchantnameandaddress(city,stateorprovince,andcountry);

4.TotalnumberofTransactionsconductedattheQuestionableMerchant

bytheIssuer’sCardholders;

5.TotaldollarvolumeofIssuerlossesattheQuestionableMerchant;

6.PercentageofTransactionsattributedtoCardholderbust-outaccounts,if

applicable;and

7.DetailsofeachIssuer-confirmedfraudulentTransaction,including

Cardholderaccountnumber,Transactiondateandtime,andTransaction

amountinU.S.dollars.

IfanAcquirerbecomesawarethatitisacquiringforaQuestionable

Merchant,theAcquirermustnotifyMasterCardpromptlyviae-mailmessageat

qmap@mastercard.com.

8.4.4MasterCardNoticationtoAcquirers

FollowingtheMasterCardevaluationofTransactionsreportedtoSAFEby

Issuers,MasterCardmaynotifyanyAcquireroftheinvestigatedMerchantthat

suchMerchanthasinitiallymetthecriteriaofaQuestionableMerchant.Such

notificationwillbesentviae-mailmessagetotheSecurityContactthenlisted

fortheAcquirerintheMemberInformation—MasterCardapplicationavailable

onMasterCardConnect.

8-207February2014•SecurityRulesandProcedures

MasterCardFraudControlPrograms

8.4QuestionableMerchantAuditProgram(QMAP)

Within15calendardaysfromthedateoftheMasterCardnotification,the

AcquirermaycontesttheMasterCardpreliminaryfindingthataMerchantis

aQuestionableMerchant.Insuchanevent,theAcquirershallprovideto

MasterCardanysupplementalinformationnecessarytoreviewthepreliminary

finding.

MasterCardhasaright,butnotanobligation,toauditanAcquirer’srecordsfor

thepurposeofattemptingtodeterminewhetheraMerchantisaQuestionable

Merchant.AnAcquirermustprovideMasterCardsuchotheroradditional

informationasMasterCardmayrequesttoassistintheinvestigation.

TheAcquirermustsubmitalldocumentationandrecordsviae-mailmessageto

qmap@mastercard.com.

8.4.5MerchantTermination

IftheAcquirerdeterminesthattheMerchantunderinvestigation(oranyother

ofitsMerchants)isaQuestionableMerchantandterminatestheMerchant

Agreementforthatreason,theAcquirermustaddtheMerchanttoMATCHusing

MATCHreasoncode08(MasterCardQuestionableMerchantAuditProgram)

withinfive(5)calendardaysofthedecisiontoterminatetheMerchant.

8.4.6MasterCardDetermination

MasterCardwilldetermineifaMerchantisaQuestionableMerchant.

IfMasterCarddeterminesthattheMerchantisnotaQuestionableMerchant,

MasterCardwillsonotifyeachIssuerandAcquirerthatprovidedinformation

pertinenttotheinvestigation.Suchnoticewillbeprovidedviae-mail

messagetotheSecurityContactlistedfortheCustomerintheMember

Information—MasterCardapplicationavailableonMasterCardConnect.In

addition,MasterCardwilldeletetheMATCHlistingoftheMerchantforMATCH

reasoncode00.

IfMasterCarddeterminesthattheMerchantisaQuestionableMerchant,

MasterCardwill:

1.NotifytheMerchant’sAcquirer,and

2.IdentifytheMerchantasaQuestionableMerchantinaGlobalSecurity

Bulletinforeachoftwelve(12)consecutivemonths,and

3.ModifytheMerchant’sMATCHrecordtoreflectareasoncodechangefrom

00(UnderInvestigation)to20(MasterCardQuestionableMerchantAudit

Program).

IftheAcquirerterminatestheMerchantAgreementbecauseMasterCard

determinestheMerchanttobeaQuestionableMerchant,theAcquireris

requiredtoidentifytheMerchantinMATCHwithreasoncode08(MasterCard

QuestionableMerchantAuditProgram).

SecurityRulesandProcedures•7February20148-21

MasterCardFraudControlPrograms

8.4QuestionableMerchantAuditProgram(QMAP)

8.4.7ChargebackResponsibility

WhenMasterCardidentifiesaQuestionableMerchantinaGlobalSecurity

Bulletin,MasterCardwillalsospecifyachargebackperiod(“start”and“end”

dates)ofatleastoneyear.IfanAcquirercontinuestoacquirefroma

MerchantafterMasterCarddeclarestheMerchantaQuestionableMerchant,

theAcquirerisresponsibleforvalidchargebacksusingmessagereasoncode

4849—QuestionableMerchantActivityforaperiodofoneyearfollowing

publicationoftheGlobalSecurityBulletininitiallylistingtheQuestionable

Merchant;provided,MasterCardmayextendthechargebackresponsibility

period.AnIssuerhas120daysfollowingthepublicationdateofaGlobal

SecurityBulletinidentifyingaQuestionableMerchanttochargebackfraudulent

TransactionsthatoccurduringthespecifiedchargebackperiodtotheAcquirer

usingreasoncode4849—QuestionableMerchantActivity.

8.4.8FraudRecovery

FollowingtheidentificationofaQuestionableMerchantinaGlobalSecurity

Bulletin,andusingdatareportedtoSAFE,MasterCardwillnotifyanyIssuer

deemedbyMasterCardtobeeligibleforpartialrecoveryoflossdueto

fraudulentTransactionsataQuestionableMerchant.Thenoticewilldisclose

theamountoftherecovery,lessanadministrativefeedescribedinsection8.4.9,

andthedatethattheamountwillbecreditedtotheIssuer’sMCBSaccount.

AnIssuerisnoteligibletoreceivepartialrecoveryofanyTransaction:

1.ForaMerchantnotlistedintheGlobalSecurityBulletin,or

2.TakingplaceaftertheGlobalSecurityBulletin’sdateofpublication,or

3.NotreportedtoMasterCardviaSAFEasdescribedinsection8.4.3ofthis

manual,or

4.ForwhichtheIssuerreceivedrecoveryviaanyexistingremedyinthe

MasterCardsystem,includingchargeback,recoveryprocess,ortheIssuer’s

owncollectionprocess.

MasterCardreservestherighttorequestadditionalinformationasacondition

ofdeterminingwhetheraTransactionsatisfactorilymeetstheeligibility

requirementsforIssuerpartialrecovery.Inaddition,MasterCardwillnotpay

claimsinexcessoftheamountcollectedfromtheAcquirer(s)forthatpurpose.

MasterCardwilldebitthefraudrecoveryamountfromtheAcquireraccountand

credittheIssueraccount(lessanyadministrativefee).MasterCardwillprocess

IssuerfraudrecoveriesviaMCBS.

8.4.9QMAPFees

MasterCardmaychargeeachIssueranadministrativefeeequalto10percentof

theIssuerrecoveryamountfromaQuestionableMerchantdetermination.

8-227February2014•SecurityRulesandProcedures

MasterCardFraudControlPrograms

8.4QuestionableMerchantAuditProgram(QMAP)

MasterCardmaychargeanAcquireranauditfeenottoexceedUSD2,500for

eachidentificationofaMerchantasaQuestionableMerchant.

SecurityRulesandProcedures•7February20148-23

Chapter9MasterCardRegistrationProgram

ThischaptermaybeofparticularinteresttoCustomerpersonnelresponsibleforregistering

Merchants,Sub-merchants,andotherentitieswithMasterCard.TheMasterCard

RegistrationProgram(MRP)formerlywasreferredtoastheMerchantRegistrationProgram.

9.1MasterCardRegistrationProgramOverview.............................................................................9-1

9.2GeneralRegistrationRequirements..........................................................................................9-1

9.2.1MerchantRegistrationFeesandNoncomplianceAssessments........................................9-2

9.3GeneralMonitoringRequirements...........................................................................................9-3

9.4AdditionalRequirementsforSpecificMerchantCategories......................................................9-4

9.4.1TelecomMerchantsandTransactions..............................................................................9-4

9.4.2Non-face-to-faceAdultContentandServicesMerchants.................................................9-4

9.4.3Non–face-to-faceGamblingMerchants...........................................................................9-5

9.4.4PharmaceuticalandTobaccoProductMerchants............................................................9-6

9.4.5StateLotteryMerchants(U.S.RegionOnly)....................................................................9-7

9.4.6SkillGamesMerchants(U.S.RegionOnly).....................................................................9-9

SecurityRulesandProcedures•7February20149-i

MasterCardRegistrationProgram

9.1MasterCardRegistrationProgramOverview

MasterCardrequiresCustomerstoregisterthefollowingMerchanttypes,

includingSub-merchants,andotherentitiesusingtheMasterCardRegistration

Program(MRP)system,availableviaMasterCardConnect™:

•TelecomMerchants—MCCs4814,4816,and5967(refertosection9.4.1)

•Non-face-to-faceadultcontentandservicesMerchants—MCCs5967,7273,>>

and7841(refertosection9.4.2)

•Non–face-to-facegamblingMerchants—MCCs7995and9754(referto

section9.4.3)

•Non–face-to-facepharmaceuticalMerchants—MCC5122andMCC5912

(refertosection9.4.4)

•Non–face-to-facetobaccoproductMerchants—MCC5993(referto

section9.4.4)

•StatelotteryMerchants(U.S.Regiononly)—MCC9399(refertosection9.4.5)

•SkillgamesMerchants(U.S.Regiononly)—MCC7994(refertosection9.4.6)

ForaskillgamesMerchant,theCustomermustsubmittheregistrationrequest

toMasterCardbysendingane-mailtoInternet_Gambling@mastercard.com.

•MerchantsreportedundertheExcessiveChargebackProgram(referto

section8.3)

Duringregistration,theAcquirermustprovideeachWebsiteURLfromwhich

Transactionsasdescribedinthissectionmayarise,whethertheWebsiteis

thatofaMerchant,aPaymentFacilitator’sSub-merchant,orotherentity.With

respecttoTransactionssubmittedbyaStagedDigitalWalletOperator(DWO),

eachindividualWebsiteURLatwhichTransactionsasdescribedinthissection

maybeeffectedmustbeindividuallyregistered.

IfaCustomeracquiresTransactionsforanyoftheMerchanttypeslistedherein

withoutfirstregisteringtheMerchantorSub-merchantinaccordancewiththe

Standardsdescribedinthissection,MasterCardmayassesstheCustomerasset

forthinsection9.2.1ofthismanual.Inaddition,theAcquirermustensurethat

theviolationiscorrectedpromptly.

RefertotheMasterCardRegistrationProgramUserManualfordirectionsfor

completingregistrationtasksavailableintheMRPsystem.

9.2GeneralRegistrationRequirements

TheCustomermustprovidealloftheinformationrequestedforeachMerchant,

Sub-merchant,orotherentityrequiredtoberegisteredthroughtheMasterCard

RegistrationProgramsystem.Foreachsuchentity,therequestedinformation

includes:

SecurityRulesandProcedures•7February20149-1

MasterCardRegistrationProgram

9.2GeneralRegistrationRequirements

•Thename,doingbusinessas(DBA)name,andaddress

•Thecentralaccessphonenumber,customerservicephonenumber,or

e-mailaddress

•Thename(s),address(es),andtaxidentificationnumber(s)(orother

relevantnationalidentificationnumber)oftheprincipalowner(s)

•Adetaileddescriptionoftheservice(s),product(s),orboththattheentity

willoffertoCardholders

•Adescriptionofpaymentprocessingprocedures,Cardholderdisclosures,

andotherpracticesincluding,butnotlimitedto:

–DatasolicitedfromtheCardholder

–Authorizationprocess(includingfloorlimits)

–Customerservicereturnpoliciesforcardtransactions

–DisclosuremadebytheMerchantbeforesolicitingpaymentinformation

(includingcurrencyconversionatthePointofInteraction[POI])

–Datastorageandsecuritypractices

•Theidentityofanypreviousbusinessrelationship(s)involvingtheprincipal

owner(s)oftheentity

•Acertification,bytheofficeroftheCustomerwithdirectresponsibility

toensurecomplianceoftheregisteredentitywiththeStandards,stating

thatafterconductingadiligentandgoodfaithinvestigation,theCustomer

believesthattheinformationcontainedintheregistrationrequestistrue

andaccurate

OnlyMasterCardcanmodifyordeleteinformationaboutaregisteredentity.

Customersmustsubmitanymodification(s)aboutaregisteredentityinwriting

toMasterCard,withanexplanationfortherequest.MasterCardreservesthe

righttodenyamodificationrequest.

Customersshouldsendanyadditionalrequestedinformationandmodification

requeststothevicepresidentofMerchantFraudControlattheaddress

providedinAppendixC.

ForrequirementsspecifictoMerchantsthatarerequiredtoimplementthe

MasterCardSDPProgram,refertosection10.3ofthismanual.

9.2.1MerchantRegistrationFeesandNoncompliance

Assessments

MasterCardassessestheAcquireranannualUSD500registrationfeeforeach

MerchantandSub-merchantunderthecategorieslistedinsection9.1,except

telecomMerchantsandMerchantsreportedundertheExcessiveChargeback

Program.MasterCardwillcollectthefeefromtheAcquirerviatheMasterCard

ConsolidatedBillingSystem(MCBS).

9-27February2014•SecurityRulesandProcedures

MasterCardRegistrationProgram

9.3GeneralMonitoringRequirements

MasterCardmayassessaCustomerthatacquiresTransactionsforanyofthese

MerchantorSub-merchanttypeswithoutfirstregisteringtheMerchantin

accordancewiththerequirementsoftheMRP.Aviolationwillresultinan

assessmentofuptoUSD10,000.

If,afternoticebyMasterCardoftheAcquirer’sfailuretoregisteraMerchant

orSub-merchant,thatAcquirerfailstoregisteritsMerchantwithin10daysof

notice,theAcquirerwillbesubjecttoadditionalassessmentsofUSD5,000per

monthforuptothreemonths,andUSD25,000permonththereafter,until

theAcquirersatisfiestherequirement.Inaddition,theAcquirermustensure

thattheviolationiscorrectedpromptly.SuchMerchantorSub-merchantmay

alsobedeemedbyMasterCard,initssolediscretion,tobeinviolationof

Rule5.11.7oftheMasterCardRulesmanual(“theIllegalorBrand-damaging

TransactionsRule”).

9.3GeneralMonitoringRequirements

ThemonitoringrequirementsdescribedinthissectionapplytoCustomers

thatacquiretelecomTransactions,non-face-to-faceadultcontentandservices>>

Transactions,non–face-to-facegamblingTransactions,non–face-to-face

pharmaceuticalandtobaccoproductTransactions,statelotteryTransactions

(U.S.Regiononly),skillgamesTransactions(U.S.Regiononly),orTransactions

fromMerchantsreportedundertheExcessiveChargebackProgram:

•TheAcquirermustensurethateachsuchMerchantimplementsreal-time

andbatchprocedurestomonitorcontinuallyallofthefollowing:

–SimultaneousmultipleTransactionsusingthesameAccountnumber

–ConsecutiveorexcessiveattemptsusingthesameAccountnumber

Whenattemptedfraudisevident,aMerchantshouldimplementtemporary

bankidentificationnumber(BIN)blockingasafrauddeterrent.

•TheAcquirermustensurethateachsuchMerchantcomplieswiththe

fraudcontrolStandardsinChapter6ofthismanualandmaintainsa

totalchargeback-to-interchangesalesvolumeratiobelowtheExcessive

ChargebackProgramthresholds.ForinformationabouttheExcessive

ChargebackProgram,refertosection8.3ofthismanual.

•Onaquarterlybasis,theAcquirermustsubmitmonthlyTransactiondatato

MasterCard(viatheMRP)fortheAcquirer’sregisteredMerchants.Thisdata

containssales(countsandamounts),chargebacks(countsandamounts),

andcredits(countsandamounts)bycalendarmonth.Ifpreferred,the

Acquirermaysubmitthisdataonamonthlybasis.

SecurityRulesandProcedures•7February20149-3

MasterCardRegistrationProgram

9.4AdditionalRequirementsforSpecicMerchantCategories

9.4AdditionalRequirementsforSpecicMerchant

Categories

Customersshouldreviewthoroughlytheseadditionalrequirementsforspecific

Merchantcategories.

9.4.1TelecomMerchantsandTransactions

BeforeacquiringMasterCardTransactionsreflectinganyofthefollowing

telecomservices,anAcquirerfirstmustregistertheMerchantorSub-merchant

withMasterCardasdescribedinsection9.2:

•MCC4814,TCCT—T elecommunicationServices,including,butnot

limitedto,prepaidphoneservicesandrecurringphoneservices.This

typeofTransactionincludestheuseofaCardinbothCard-readingand

non–Card-readingenvironments.Itmayincludeprepaidandrecurring

phoneserviceTransactionsorothertelecommunicationsservices.

•MCC4816,TCCT—ComputerNetwork/InformationServices.ThisMCC

identifiesprovidersofcomputernetwork,informationservices,andother

onlineservicessuchase-mailorInternetaccess.

•MCC5967,TCCT—DirectMarketing—InboundTelemarketingMerchants.

ThisMCCincludesprovidersofinformationservicesofferedoverthephone

(audiotext)orInternet(videotext).Anaudiotextcallisapay-per-call

servicewherebyaMerchantprovidesaudioinformationorentertainment

toaCardholderbyphone.TheCardholderischargedeitherpercallor

pertimeinterval,inadditiontoorataratemorethanthechargepaidfor

thetransmissionofthecall.

9.4.2Non-face-to-faceAdultContentandServicesMerchants

Anon-face-to-faceadultcontentandservicesTransactionoccurswhena>>

consumerusesanAccountinaCard-not-presentenvironmenttopurchase

adultcontentorservices,whichmayincludebutisnotlimitedtosubscription

Websiteaccess;streamingvideo;videotapeandDVDrentalsandsales;and

computerandvideopersonalintroduction,dating,andmatchmakingservices.

AnAcquirermustidentifyallnon-face-to-faceadultcontentandservices

TransactionsusingoneofthefollowingMCCandTCCcombinations,as

appropriate:

•MCC5967(DirectMarketing—InboundTelemarketingMerchants)and

TCCT;

•MCC7273(DatingandEscortServices)andTCCT;or

•MCC7841(VideoEntertainmentRentalStores)andTCCT.

9-47February2014•SecurityRulesandProcedures

MasterCardRegistrationProgram

9.4AdditionalRequirementsforSpecicMerchantCategories

BeforeanAcquirermayprocessnon-face-to-faceadultcontentandservices

TransactionsfromaMerchantorSub-merchant,itmustregistertheMerchant

withMasterCardasdescribedinsection9.2ofthismanual.

9.4.3Non–face-to-faceGamblingMerchants

Anon–face-to-facegamblingTransactionoccursinaCard-not-present

environmentwhenaconsumerusesanAccounttoplaceawagerorpurchase

chipsorothervalueusableforgamblingprovidedbyawageringorbetting

establishmentasdefinedbyMCC7995(GamblingTransactions)orMCC

9754(Gambling—HorseRacing,DogRacing,Non-SportsIntrastateInternet

Gambling).

BeforeacquiringTransactionsreflectingnon–face-to-facegambling,anAcquirer

firstmustregistertheMerchantorSub-merchantwithMasterCardasdescribed

insection9.2.

AnAcquirermustidentifyallnon–face-to-facegamblingTransactionsusing

MCC7995andTCCUunlesstheAcquirerhasalsoregisteredtheMerchantor

Sub-merchantasdescribedbelow,inwhichcasetheAcquirermayuseMCC

9754insteadofMCC7995.

InadditiontotherequirementtoregistertheMerchantorSub-merchantas

describedinsection9.2,aU.S.RegionAcquirermayregisteraMerchantor

Sub-merchantunderthissectioniftheMerchantorSub-merchantislocatedin

theU.S.Regionandengagedinlegalgamblingactivityinvolvinghorseracing,

dogracing,ornon-sportsintrastateInternetgambling.Toregistersucha

MerchantorSub-merchant,theAcquirermustdemonstratethatanadequatedue

diligencereviewwasconductedbyprovidingthefollowingitemstoMasterCard

aspartoftheregistrationprocess(herein,allreferencestoaMerchantalso

applytoaSub-merchant):

1.Evidenceoflegalauthority.TheAcquirermustprovide:

•acopyoftheMerchant’slicense(orsimilardocument),ifany,issuedby

theappropriategovernmental(forexample,stateortribal)authority,

thatexpresslyauthorizestheMerchanttoengageinthegambling

activity;and

•anylawapplicabletotheMerchantthatpermitsthegamblingactivity.

2.Legalopinion.TheAcquirermustobtainareasonedlegalopinion,

addressedtotheAcquirer,fromaprivatesectorU.S.lawyerorU.S.law

firm.Thelegalopinionmust:

SecurityRulesandProcedures•7February20149-5

MasterCardRegistrationProgram

9.4AdditionalRequirementsforSpecicMerchantCategories

•identifyallrelevantgambling,gaming,andsimilarlawsapplicableto

theMerchant;

•identifyallrelevantgambling,gaming,andsimilarlawsapplicableto

CardholderspermittedbytheMerchanttotransactwiththeMerchant;

and

•demonstratethattheMerchant’sandCardholders’gamblingand

paymentactivitiescomplyatalltimeswithanylawsidentifiedabove.

TheAcquirermustprovideMasterCardwithacopyofsuchlegalopinion.

ThelegalopinionmustbeacceptabletoMasterCardinitssolediscretion.

3.Effectivecontrols.TheAcquirermustprovidecertificationfromaqualified

independentthirdpartydemonstratingthattheMerchant’ssystemsfor

operatingitsgamblingbusiness:

•includeeffectiveageandlocationverification;and

•arereasonablydesignedtoensurethattheMerchant’sInternetgambling

businesswillremainwithinlegallimits(includinginconnectionwith

interstateTransactions).

Thecertificationmustincludeallscreenshotsrelevanttothecertification

(forexample,ageverificationprocess).Certificationsfrominterested

parties(suchastheAcquirer,IndependentSalesOrganizations[ISOs],the

Merchant,andsoon)arenotacceptablesubstitutesfortheindependent

third-partycertification.

4.Noticationofchanges.TheAcquirermustcertifythatitwillnotify

MasterCardofanychangestotheinformationthatithasprovidedto

MasterCard,includingchangesinapplicablelaw,Merchantactivities,and

Merchantsystems.Suchnotificationshallincludeanyrevisionsoradditions

totheinformationprovidedtoMasterCard(forexample,legalopinion,

third-partycertification)tomaketheinformationcurrentandcomplete.

Suchnotificationisrequiredwithinten(10)daysofanysuchchange.

5.Acceptanceofresponsibilities.TheAcquirermustspecificallyaffirmthatit

willnotsubmitrestrictedTransactionsfromtheMerchantforauthorization.

TheAcquirermustalsospecificallyreaffirmitsindemnificationtoMasterCard

inconnectionwiththeAcquirer’sorMerchant’sactivities.Suchreaffirmation

shallspecificallyindicatethattheAcquireracknowledgesandagreesthat

theTransactionsconstitutetheAcquirer’sActivityandaresubjecttoRule2.3

oftheMasterCardRulesmanual,regardlessoftheAcquirer’scompliance

withtheMasterCardInternetGamblingPolicyortheserequirements.

9.4.4PharmaceuticalandT obaccoProductMerchants

Anon–face-to-facepharmaceuticalTransactionoccursinaCard-not-present

environmentwhenaconsumerusesanAccounttopurchaseprescription

medicinesfromaMerchantwhoseprimarybusinessisnon–face-to-faceselling

ofprescriptiondrugs.

9-67February2014•SecurityRulesandProcedures

MasterCardRegistrationProgram

9.4AdditionalRequirementsforSpecicMerchantCategories

Anon–face-to-facetobaccoproductTransactionoccursinaCard-not-present

environmentwhenaconsumerusesanAccounttopurchasetobaccoproducts

(including,butnotlimitedtocigarettes,cigars,orloosetobacco)froma

Merchantwhoseprimarybusinessisnon-face-to-facesellingoftobacco

products.

BeforeacquiringTransactionsasdescribedbelow,anAcquirerfirstmustregister

theMerchantwithMasterCardasdescribedinsection9.2:

•Non–face-to-facesaleofpharmaceuticals(MCC5122andMCC5912)

•Non–face-to-facesaleoftobaccoproducts(MCC5993)

AnAcquirermustidentifyallnon-face-to-facepharmaceuticalTransactions

usingMCC5122(Drugs,DrugProprietors,andDruggistsSundries)andTCCT

forwholesalepurchasesorMCC5912(DrugStores,Pharmacies)andTCCTfor

retailpurchases.AnAcquirermustidentifyallnon-face-to-facetobaccoproduct

TransactionsusingMCC5993(CigarStoresandStands)andTCCT.

Forclarity,thetermacquiring,asusedinthissection,is“acquiringActivity”as

suchtermisusedinRule2.3oftheMasterCardRulesmanual.

AtthetimeofregistrationofaMerchantorSub-merchantinaccordancewiththis

section,theAcquirerofsuchMerchantorSub-merchantmusthaveverifiedthat

theMerchant’sorSub-merchant'sactivitycompliesfullywithalllawsapplicable

toMasterCard,theMerchantorSub-merchant,theIssuer,theAcquirer,andany

prospectivecustomeroftheMerchantorSub-merchant.Suchverificationmay

include,butisnotlimitedto,awrittenopinionfromindependent,reputable,

andqualifiedlegalcounseloraccreditationbyarecognizedthirdparty.

ByregisteringaMerchantorSub-merchantasrequiredbythissection,the

AcquirerrepresentsandwarrantsthattheAcquirerhasverifiedcompliance

withapplicablelawasdescribedabove.TheAcquirermustmaintainsuch

verificationforsolongasitacquiresTransactionsfromtheMerchantor

Sub-merchantthatissubjecttotheaforedescribedregistrationrequirementand

must,nolessfrequentlythanevery12months,confirmcontinuedcompliance

withapplicablelawconcerningthebusinessoftheregisteredMerchantor

Sub-merchant.TheAcquirermustfurnishMasterCardwithacopyofsuch

documentationpromptlyuponrequest.

9.4.5StateLotteryMerchants(U.S.RegionOnly)

AU.S.RegionAcquirermayuseMCC9399(GovernmentServices—not

elsewhereclassified)toidentifyTransactionsarisingfromaU.S.Region

MerchantorSub-merchantandinvolvingthepurchaseofastatelotteryticketif

theAcquirerhasfirstregisteredtheMerchantorSub-merchantwithMasterCard

asdescribedinsection9.2andthissection9.4.5.

ToregisteraMerchantorSub-merchant,theAcquirermustdemonstratethat

anadequateduediligencereviewwasconductedbyprovidingthefollowing

itemstoMasterCardaspartoftheregistrationprocess(herein,allreferencesto

aMerchantalsoapplytoaSub-merchant):

SecurityRulesandProcedures•7February20149-7

MasterCardRegistrationProgram

9.4AdditionalRequirementsforSpecicMerchantCategories

1.Evidenceoflegalauthority.TheAcquirermustprovide:

•acopyoftheMerchant’slicense(orsimilardocument),ifany,issuedby

theappropriategovernmental(forexample,stateortribal)authority,

thatexpresslyauthorizestheMerchanttoengageinthegambling

activity;and

•anylawapplicabletotheMerchantthatpermitsstatelotteryticketsales.

2.Legalopinion.TheAcquirermustobtainareasonedlegalopinion,

addressedtotheAcquirer,fromaprivatesectorU.S.lawyerorU.S.law

firm.Thelegalopinionmust:

•identifyallrelevantstatelotteryandotherlawsapplicabletothe

Merchant;

•identifyallrelevantstatelotteryandotherlawsapplicabletoCardholders

permittedbytheMerchanttotransactwiththeMerchant;and

•demonstratethattheMerchant’sandCardholders’statelotteryand

paymentactivitiescomplyatalltimeswithanylawsidentifiedabove.

TheAcquirermustprovideMasterCardwithacopyofsuchlegalopinion.

ThelegalopinionmustbeacceptabletoMasterCardinitssolediscretion.

3.Effectivecontrols.TheAcquirermustprovidecertificationfromaqualified

independentthirdpartydemonstratingthattheMerchant’ssystemsfor

operatingitsstatelotterybusiness:

•includeeffectiveageandlocationverification;and

•arereasonablydesignedtoensurethattheMerchant’sstatelottery

businesswillremainwithinlegallimits(includinginconnectionwith

interstateTransactions).

Thecertificationmustincludeallscreenshotsrelevanttothecertification

(forexample,ageverificationprocess).Certificationsfrominterestedparties

(suchastheAcquirer,ISOs,theMerchant,andsoon)arenotacceptable

substitutesfortheindependentthird-partycertification.

4.Noticationofchanges.TheAcquirermustcertifythatitwillnotify

MasterCardofanychangestotheinformationthatithasprovidedto

MasterCard,includingchangesinapplicablelaw,Merchantactivities,and

Merchantsystems.Suchnotificationshallincludeanyrevisionsoradditions

totheinformationprovidedtoMasterCard(forexample,legalopinion,

third-partycertification)tomaketheinformationcurrentandcomplete.

Suchnotificationisrequiredwithinten(10)daysofanysuchchange.

5.Acceptanceofresponsibilities.TheAcquirermustspecificallyaffirmthatit

willnotsubmitrestrictedTransactionsfromtheMerchantforauthorization.

TheAcquirermustalsospecificallyreaffirmitsindemnificationtoMasterCard

inconnectionwiththeAcquirer’sorMerchant’sactivities.Suchreaffirmation

shallspecificallyindicatethattheAcquireracknowledgesandagreesthat

theTransactionsconstitutetheAcquirer’sActivityandaresubjecttoRule2.3

oftheMasterCardRulesmanual,regardlessoftheAcquirer’scompliance

withMasterCardrules,policies,andproceduresortheserequirements.

9-87February2014•SecurityRulesandProcedures

MasterCardRegistrationProgram

9.4AdditionalRequirementsforSpecicMerchantCategories

9.4.6SkillGamesMerchants(U.S.RegionOnly)

AU.S.RegionAcquirermayuseMCC7994(VideoGameArcades/Establishments)

toidentifyTransactionsarisingfromaU.S.RegionMerchantorSub-merchant

conductingcertaingames(herein,“skillgames”)iftheAcquirerhasfirst

registeredtheMerchantorSub-merchantwithMasterCardasdescribedin

section9.2andthissection9.4.6.Forpurposesofthissection,“skillgames”

means:

•gameparticipantspayagameentryfee;

•theoutcomeofthegameisdeterminedbytheskilloftheparticipants

ratherthanbychance;

•thewinnerofagamereceivescashand/oraprizeofmonetaryvalue;and

•nonon-participantinthegamepaysorreceivescashand/oraprizeof

monetaryvalueinrelationtothegame.

ToregisteraMerchantorSub-merchant,theAcquirermustdemonstratethat

anadequateduediligencereviewwasconductedbyprovidingthefollowing

itemstoMasterCardaspartoftheregistrationprocess(herein,allreferencesto

aMerchantalsoapplytoaSub-merchant):

1.Evidenceoflegalauthority.TheAcquirermustprovide:

•acopyoftheMerchant’slicense(orsimilardocument),ifany,issuedby

theappropriategovernmental(forexample,stateortribal)authority,

thatexpresslyauthorizestheMerchanttoconducttheparticulartype

ofskillgame(s)forwhichitwishestoacceptCardsaspaymentfor

entryfees;and

•anylawapplicabletotheMerchantthatpermitstheconductofskill

games.

2.Legalopinion.TheAcquirermustobtainareasonedlegalopinion,

addressedtotheAcquirer,fromaprivatesectorU.S.lawyerorU.S.law

firm.Thelegalopinionmust:

•identifyallrelevantlawsthataddresstheconductofskillgames(e.g.,

anti-gamblinglawsthatprovideanexemptionforskillgames)andother

lawsapplicabletotheMerchant’sskillgamesactivities;

•identifyallrelevantlawsthataddresstheparticipationinskillgames

andotherlawsapplicabletoCardholderspermittedbytheMerchantto

participateinskillgameswiththeMerchant;and

•demonstratethattheMerchant’sandCardholders’skillgamesand

paymentactivitiescomplyatalltimeswithanylawsidentifiedabove.

TheAcquirermustprovideMasterCardwithacopyofsuchlegalopinion.

ThelegalopinionmustbeacceptabletoMasterCardinitssolediscretion.

3.Effectivecontrols.TheAcquirermustprovidecertificationfromaqualified

independentthirdpartydemonstratingthattheMerchant’ssystemsfor

operatingitsskillgamesbusiness:

SecurityRulesandProcedures•7February20149-9

MasterCardRegistrationProgram

9.4AdditionalRequirementsforSpecicMerchantCategories

•includeeffectiveageandlocationverification,asapplicable;and

•arereasonablydesignedtoensurethattheMerchant’sskillgames

businesswillremainwithinlegallimits(includinginconnectionwith

interstateTransactions).

Thecertificationmustincludeallscreenshotsrelevanttothecertification

(forexample,ageverificationprocess).Certificationsfrominterestedparties

(suchastheAcquirer,ISOs,theMerchant,andsoon)arenotacceptable

substitutesfortheindependentthird-partycertification.

4.Noticationofchanges.TheAcquirermustcertifythatitwillnotify

MasterCardofanychangestotheinformationthatithasprovidedto

MasterCard,includingchangesinapplicablelaw,Merchantactivities,and

Merchantsystems.Suchnotificationshallincludeanyrevisionsoradditions

totheinformationprovidedtoMasterCard(forexample,legalopinion,

third-partycertification)tomaketheinformationcurrentandcomplete.

Suchnotificationisrequiredwithinten(10)daysofanysuchchange.

5.Acceptanceofresponsibilities.TheAcquirermustspecificallyaffirm

thatitwillnotsubmitRestrictedTransactions(asdefinedintheInternet

GamblingPolicy)fromtheMerchantforauthorization.TheAcquirermust

alsospecificallyreaffirmitsindemnificationtoMasterCardinconnection

withtheAcquirer’sorMerchant’sactivities.Suchreaffirmationshall

specificallyindicatethattheAcquireracknowledgesandagreesthatthe

TransactionsconstitutetheAcquirer’sActivityandaresubjecttoRule2.3of

theMasterCardRulesmanual,regardlessoftheAcquirer’scompliancewith

MasterCardrules,policies,andproceduresortheserequirements.

9-107February2014•SecurityRulesandProcedures

Chapter10AccountDataProtectionStandardsand

Programs

ThischaptermaybeofparticularinteresttoCustomerpersonnelresponsibleforprotecting

Account,Cardholder,andTransactiondata;andtoCustomersthathaveexperiencedor

wishtoprotectthemselvesagainstaccountdatacompromiseevents.

10.1AccountDataProtectionStandards......................................................................................10-1

10.2AccountDataCompromiseEvents.......................................................................................10-1

10.2.1PolicyConcerningAccountDataCompromiseEventsandPotentialAccountData

CompromiseEvents...............................................................................................................10-2

10.2.2ResponsibilitiesinConnectionwithADCEventsandPotentialADCEvents...............10-3

10.2.2.1Time-SpecificProceduresforADCEventsandPotentialADCEvents................10-4

10.2.2.2OngoingProceduresforADCEventsandPotentialADCEvents.......................10-7

10.2.3ForensicReport...........................................................................................................10-8

10.2.4AlternativeStandardsApplicabletoCertainMerchants...............................................10-9

10.2.5MasterCardDeterminationofADCEventorPotentialADCEvent.............................10-10

10.2.5.1AssessmentsforPCIViolationsinConnectionwithADCEvents......................10-11

10.2.5.2PotentialReductionofFinancialResponsibility.................................................10-11

10.2.5.3ADCOperationalReimbursementandADCFraudRecovery—MasterCard

Only................................................................................................................................10-12

10.2.5.4OperationalReimbursement(OR)Calculation—MasterCardOnly....................10-13

10.2.5.5FraudRecovery(FR)Calculation—MasterCardOnly.........................................10-15

10.2.5.6InvestigationandOtherCosts...........................................................................10-17

10.2.6Assessmentsand/orDisqualificationforNoncompliance...........................................10-17

10.2.7FinalFinancialResponsibilityDetermination.............................................................10-17

10.3MasterCardSiteDataProtection(SDP)Program.................................................................10-18

10.3.1PaymentCardIndustryDataSecurityStandards.........................................................10-19

10.3.2ComplianceValidationTools......................................................................................10-19

10.3.3AcquirerComplianceRequirements...........................................................................10-20

10.3.4ImplementationSchedule...........................................................................................10-21

10.3.4.1MasterCardPCIDSSRisk-basedApproach........................................................10-25

10.3.4.2MasterCardPCIDSSComplianceValidationExemptionProgram.....................10-26

10.3.4.3MandatoryComplianceRequirementsforCompromisedEntities......................10-27

10.4ConnectingtoMasterCard—PhysicalandLogicalSecurityRequirements...........................10-28

10.4.1MinimumSecurityRequirements................................................................................10-28

10.4.2AdditionalRecommendedSecurityRequirements......................................................10-29

10.4.3OwnershipofServiceDeliveryPointEquipment.......................................................10-30

SecurityRulesandProcedures•7February201410-i

AccountDataProtectionStandardsandPrograms

10.1AccountDataProtectionStandards

PCISecurityStandardsaretechnicalandoperationalrequirementsestablished

bythePaymentCardIndustrySecurityStandardsCouncil(PCISSC)toprotect

Accountdata.MasterCardrequiresthatallCustomersthatstore,process,

ortransmitCard,Cardholder,orTransactiondataandallCustomeragents

thatstore,process,ortransmitCard,Cardholder,orTransactiondataonthe

Customer’sbehalfadheretothemostcurrentPaymentCardIndustryPIN

TransmissionSecurityProgram(PCIPTS)andPaymentCardIndustryData

SecurityStandard(PCIDSS).Customersandtheiragentsalsomustensurethat:

•aPoint-of-Sale(POS)TerminalorotherdeviceatthePointofInteraction

(POI)doesnotdisplay,replicate,orstoreanyCard-readdataexcept

primaryaccountnumber(PAN),expirationdate,servicecode,orCardholder

name;and

•beforediscardinganymediacontainingCard,Cardholder,orTransaction

data,includingsuchdataasPANs,personalidentificationnumbers(PINs),

creditlimits,andaccountbalances,theCustomeroritsagentmustrender

thedataunreadable;and

•accesstoCard,Cardholder,orTransactiondatastoredincomputers,

terminals,andPCsislimitedandcontrolledbyestablishingdataprotection

proceduresthatinclude,butarenotlimitedto,apasswordsystemfor

ComputerRemoteTerminal(CRT)access,controloverdial-uplines,and

anyothermeansofaccess.

10.2AccountDataCompromiseEvents

NOTE

Thissection10.2appliestoMasterCardandMaestroTransactions,unless

otherwiseindicated.

Denitions

Asusedinthissection10.2,thefollowingtermsshallhavethemeaningset

forthbelow:

AccountData

CompromiseEvent

orADCEvent

Anoccurrencethatresults,directlyorindirectly,inthe

unauthorizedaccesstoordisclosureofAccountdata.

AgentAnyentitythatstores,processes,orhasaccessto

Accountdatabyvirtueofitscontractualorother

relationship,directorindirect,withaCustomer.For

theavoidanceofdoubt,Agentsinclude,butare

notlimitedto,Merchants,ThirdPartyProcessors

(TPPs)andDataStorageEntities(DSEs)(regardlessof

whethertheTPPorDSEisregisteredwithMasterCard).

SecurityRulesandProcedures•7February201410-1

AccountDataProtectionStandardsandPrograms

10.2AccountDataCompromiseEvents

CustomerThistermappearsintheDefinitionssectionatthe

endofthemanual.Fortheavoidanceofdoubt,

forpurposesofthissection10.2,anyentitythat

MasterCardlicensestoissueaMasterCardand/or

MaestroCard(s)and/oracquireaMasterCardand/or

MaestroTransaction(s)shallbedeemedaCustomer.

PotentialAccount

DataCompromise

EventorPotential

ADCEvent

Anoccurrencethatcouldresult,directlyorindirectly,

intheunauthorizedaccesstoordisclosureofAccount

data.

SensitiveCard

AuthenticationData

ThistermhasthemeaningsetforthinthePayment

CardIndustryDataSecurityStandard,andincludes,

bywayofexampleandnotlimitation,thefullcontents

ofaCard’smagneticstripeortheequivalentonachip,

Cardvalidationcode2(CVC2)data,andPINorPIN

blockdata.

StandardsThistermappearsintheDefinitionssectionattheend

ofthemanual.

10.2.1PolicyConcerningAccountDataCompromiseEventsand

PotentialAccountDataCompromiseEvents

MasterCardoperatesapaymentsolutionssystemforallofitsCustomers.Each

Customerbenefitsfrom,anddependsupon,theintegrityofthatsystem.ADC

EventsandPotentialADCEventsthreatentheintegrityoftheMasterCardsystem

andunderminetheconfidenceofMerchants,Customers,Cardholders,and

thepublicatlargeinthesecurityandviabilityofthesystem.EachCustomer

thereforeacknowledgesthatMasterCardhasacompellinginterestinadopting,

interpreting,andenforcingitsStandardstoprotectagainstandrespondto

ADCEventsandPotentialADCEvents.

Giventheabundanceandsophisticationofcriminals,ADCEventsandPotential

ADCEventsarerisksinherentinoperatingandparticipatinginanysystemthat

utilizespaymentcardaccountdataforfinancialornon-financialtransactions.

MasterCardStandardsaredesignedtoplaceresponsibilityforADCEventsand

PotentialADCEventsontheCustomerthatisinthebestpositiontoguard

againstandrespondtosuchrisk.ThatCustomerisgenerallytheCustomer

whosenetwork,system,orenvironmentwascompromisedorwasvulnerable

tocompromiseorthathasadirectorindirectrelationshipwithanAgentwhose

network,system,orenvironmentwascompromisedorwasvulnerableto

compromise.IntheviewofMasterCard,thatCustomerisinthebestpositionto

safeguarditssystems,torequireandmonitorthesafeguardingofitsAgents’

systems,andtoinsureagainst,andrespondto,ADCEventsandPotential

ADCEvents.

10-27February2014•SecurityRulesandProcedures

AccountDataProtectionStandardsandPrograms

10.2AccountDataCompromiseEvents

MasterCardrequiresthateachCustomerapplytheutmostdiligenceand

forthrightnessinprotectingagainstandrespondingtoanyADCEventor

PotentialADCEvent.EachCustomeracknowledgesandagreesthatMasterCard

hasboththerightandneedtoobtainfulldisclosure(asdeterminedby

MasterCard)concerningthecausesandeffectsofanADCEventorPotential

ADCEventaswellastheauthoritytoimposeassessments,recovercosts,and

administercompensation,ifappropriate,toCustomersthathaveincurredcosts,

expenses,losses,and/orotherliabilitiesinconnectionwithADCEventsand

PotentialADCEvents.

ExceptasotherwiseexpresslyprovidedforintheStandards,MasterCard

determinationswithrespecttotheoccurrenceofandresponsibilityforADC

EventsorPotentialADCEventsareconclusiveandarenotsubjecttoappeal

orreviewwithinMasterCard.

AnyCustomerthatisuncertainwithrespecttorightsandobligationsrelating

toorarisinginconnectionwiththeAccountDataProtectionStandardsand

ProgramssetforthinthisChapter10shouldrequestadvicefromMasterCard

FraudInvestigations.

Notwithstandingthegeneralityoftheforegoing,therelationshipofnetwork,

system,andenvironmentconfigurationswithothernetworks,systems,and

environmentswilloftenvary,andeachADCEventandPotentialADCEvent

tendstohaveitsownparticularsetofcircumstances.MasterCardhasthesole

authoritytointerpretandenforcetheStandards,includingthosesetforthin

thischapter.Consistentwiththeforegoingandpursuanttothedefinitionsset

forthinsection10.2above,MasterCardmaydetermine,asathresholdmatter,

whetheragivensetofcircumstancesconstitutesasingleADCEventormultiple

ADCEvents.Inthisregard,andbywayofexample,whereaCustomeror

Merchantconnectsto,utilizes,accesses,orparticipatesinacommonnetwork,

system,orenvironmentwithoneormoreotherCustomers,Merchants,Service

Providers,orthirdparties,abreachofthecommonnetwork,system,or

environmentthatresults,directlyorindirectly,inthecompromiseoflocal

networks,systems,orenvironmentsconnectedtheretomaybedeemedto

constituteasingleADCEvent.

10.2.2ResponsibilitiesinConnectionwithADCEventsand

PotentialADCEvents

TheCustomerwhosesystemorenvironment,orwhoseAgent’ssystemor

environmentwascompromisedorvulnerabletocompromise(atthetime

thattheADCEventorPotentialADCEventoccurred)isfullyresponsiblefor

resolvingalloutstandingissuesandliabilitiestothesatisfactionofMasterCard,

notwithstandinganysubsequentchangeintheCustomer’srelationshipwithany

suchAgentaftertheADCEventorPotentialADCEventoccurred.Intheevent

ofanydispute,MasterCardwilldeterminetheresponsibleCustomer(s).

SecurityRulesandProcedures•7February201410-3

AccountDataProtectionStandardsandPrograms

10.2AccountDataCompromiseEvents

ShouldaCustomer,inthejudgmentofMasterCard,failtofullycooperate

withtheMasterCardinvestigationofanADCEventorPotentialADCEvent,

MasterCard(i)mayinferthatinformationsoughtbyMasterCard,butnot

obtainedasaresultofthefailuretocooperate,wouldbeunfavorabletothat

Customerand(ii)mayactuponthatadverseinferenceintheapplicationofthe

Standards.Bywayofexampleandnotlimitation,afailuretocooperatecan

resultfromafailuretoproviderequestedinformation;afailuretocooperate

withMasterCardinvestigationguidelines,procedures,practicesandthelike;

orafailuretoensurethatMasterCardhasreasonablyunfetteredaccesstothe

forensicexaminer.

ACustomermaynot,byrefusingtocooperatewiththeMasterCardinvestigation,

avoidadeterminationthattherewasanADCEvent.ShouldaCustomerfail

withoutgoodcausetocomplywithitsobligationsunderthissection10.2or

torespondfullyandinatimelyfashiontoarequestforinformationtowhich

MasterCardisentitledunderthissection10.2,MasterCardmaydrawanadverse

inferencethatinformationtowhichMasterCardisentitled,butthatwasnot

timelyobtainedasaresultoftheCustomer’snoncompliance,wouldhave

supportedor,whereappropriate,confirmedadeterminationthattherewasan

ADCEvent.

Beforedrawingsuchanadverseinference,MasterCardwillnotifytheCustomer

ofitsnoncomplianceandgivetheCustomeranopportunitytoshowgood

cause,ifany,foritsnoncompliance.Thedrawingofanadverseinference

isnotexclusiveofotherremediesthatmaybeinvokedforaCustomer’s

noncompliance.

Thefollowingprovisionssetforthrequirementsandprocedurestowhicheach

CustomeranditsAgent(s)mustadhereuponbecomingawareofanADCEvent

orPotentialADCEvent.

10.2.2.1Time-SpecicProceduresforADCEventsandPotential

ADCEvents

ACustomerisdeemedtobeawareofanADCEventorPotentialADCEvent

whentheCustomerortheCustomer’sAgentfirstbecomesawareofanADC

EventoraPotentialADCEvent.ACustomeroritsAgentisdeemedtobeaware

ofanADCEventorPotentialADCEventundercircumstancesthatinclude,but

arenotlimitedto,anyofthefollowing:

•theCustomeroritsAgentisinformed,throughanysource,oftheinstallation

orexistenceofanymalwareinanyofitssystemsorenvironments,orany

systemorenvironmentofoneofitsAgents,nomatterwheresuchmalware

islocatedorhowitwasintroduced;

•theCustomeroritsAgentreceivesnotificationfromMasterCardorany

othersourcethattheCustomeroritsAgent(s)hasexperiencedanADC

EventoraPotentialADCEvent;or

10-47February2014•SecurityRulesandProcedures

AccountDataProtectionStandardsandPrograms

10.2AccountDataCompromiseEvents

•theCustomeroritsAgentdiscoversor,intheexerciseofreasonable

diligence,shouldhavediscoveredasecuritybreachorunauthorized

penetrationofitsownsystemorenvironmentorthesystemorenvironment

ofitsAgent(s).

ACustomermustnotifyMasterCardimmediatelywhentheCustomerbecomes

awareofanADCEventorPotentialADCEventinoraffectinganysystemor

environmentoftheCustomeroritsAgent.Inaddition,aCustomermust,by

contract,ensurethatitsAgentnotifiesMasterCardimmediatelywhentheAgent

becomesawareofanADCEventorPotentialADCEventinoraffectingany

systemorenvironmentoftheCustomerortheAgent.

WhenaCustomeroritsAgentbecomesawareofanADCEventorPotential

ADCEventeitherinanyofitsownsystemsorenvironmentsorinthesystems

orenvironmentsofitsAgent(s),theCustomermusttake(orcausetheAgentto

take)thefollowingactions,unlessotherwisedirectedinwritingbyMasterCard.

•ImmediatelycommenceathoroughinvestigationintotheADCEventor

PotentialADCEvent.

•Immediately,andnolaterthanwithintwenty-four(24)hours,identify,

contain,andmitigatetheADCEventorPotentialADCEvent,secure

Accountdataandpreserveallinformation,inallmedia,concerningthe

ADCEventorPotentialADCEvent,including:

1.preserveandsafeguardallpotentialevidencepertinenttoaforensic

examinationofanADCEventorPotentialADCEvent;

2.isolatecompromisedsystemsandmediafromthenetwork;

3.preserveallIntrusionDetectionSystems,IntrusionPreventionSystem

logs,allfirewall,Web,database,andeventslogs;

4.documentallincidentresponseactions;and

5.refrainfromrestartingorrebootinganycompromisedorpotentially

compromisedsystemortakingequivalentorotheractionthatwould

havetheeffectofeliminatingordestroyinginformationthatcould

potentiallyprovideevidenceofanADCEventorPotentialADCEvent.

•Withintwenty-four(24)hours,andonanongoingbasisthereafter,submit

toMasterCardallknownorsuspectedfactsconcerningtheADCEventor

PotentialADCEvent,including,bywayofexampleandnotlimitation,

knownorsuspectedfactsastothecauseandsourceoftheADCEventor

PotentialADCEvent.

•Withintwenty-four(24)hoursandcontinuingthroughouttheinvestigation

andthereafter,providetoMasterCard,intherequiredformat,allPANs

andexpirationdatesassociatedwithAccountdatathatwereactually

orpotentiallyaccessedordisclosedinconnectionwiththeADCEvent

orPotentialADCEventandanyadditionalinformationrequestedby

MasterCard.Asusedherein,theobligationtoobtainandprovidePANsto

MasterCardappliestoanyMasterCardorMaestroAccountnumberina

bankidentificationnumber(BIN)/Issueridentificationnumber(IIN)range

assignedbyMasterCard.Thisobligationappliesregardlessofhowor

SecurityRulesandProcedures•7February201410-5

AccountDataProtectionStandardsandPrograms

10.2AccountDataCompromiseEvents

whysuchPANswerereceived,processed,orstored,including,byway

ofexampleandnotlimitation,inconnectionwithorrelatingtoacredit,

debit(signature-orPIN-based)proprietary,oranyotherkindofpayment

Transaction,incentive,orrewardprogram.

•Withinseventy-two(72)hours,engagetheservicesofaPCISSCForensic

Investigator(PFI)toconductanindependentforensicinvestigationtoassess

thecause,scope,magnitude,duration,andeffectsoftheADCEventor

PotentialADCEvent.ThePFIengagedtoconducttheinvestigationmust

nothaveprovidedthelastPCIcompliancereportconcerningthesystem

orenvironmenttobeexamined.PriortothecommencementofsuchPFI’s

investigation,theCustomermustnotifyMasterCardoftheproposedscope

andnatureoftheinvestigationandobtainpreliminaryapprovalofsuch

proposalbyMasterCardor,ifsuchpreliminaryapprovalisnotobtained,

ofamodifiedproposalacceptabletoMasterCard.MasterCardandthe

responsibleCustomer(s)mayagreethataPFI’sinvestigationof,investigation

findings,andrecommendationsconcerningfewerthanalloftheMerchants

withinthescopeoftheADCEventorPotentialADCEventwillbedeemed

toberepresentativeofandusedforpurposesoftheapplicationofthe

StandardsastheinvestigationfindingsandrecommendationsbythePFI

withrespecttoalloftheMerchantswithinthescopeoftheADCEventor

PotentialADCEvent.

•Withintwo(2)businessdaysfromthedateonwhichthePFIwasengaged,

identifytoMasterCardtheengagedPFIandconfirmthatsuchPFIhas

commenceditsinvestigation.

•Withinthree(3)businessdaysfromthecommencementoftheforensic

investigation,ensurethatthePFIsubmitstoMasterCardapreliminary

forensicreportdetailingallinvestigativefindingstodate.

•Withintwenty(20)businessdaysfromthecommencementoftheforensic

investigation,providetoMasterCardafinalforensicreportdetailingall

findings,conclusions,andrecommendationsofthePFI,continuetoaddress

anyoutstandingexposure,andimplementallrecommendationsuntil

theADCEventorPotentialADCEventisresolvedtothesatisfactionof

MasterCard.Inconnectionwiththeindependentforensicinvestigation

andpreparationofthefinalforensicreport,noCustomermayengagein

orenterinto(orpermitanAgenttoengageinorenterinto)anyconduct,

agreement,orunderstandingthatwouldimpairthecompleteness,accuracy,

orobjectivityofanyaspectoftheforensicinvestigationorfinalforensic

report.TheCustomershallnotengageinanyconduct(orpermitanAgent

toengageinanyconduct)thatcouldorwouldinfluence,orunderminethe

independenceof,thePFIorunderminethereliabilityorintegrityofthe

forensicinvestigationorfinalforensicreport.Bywayofexample,andnot

limitation,aCustomermustnotitself,orpermitanyofitsAgentsto,take

anyactionorfailtotakeanyactionthatwouldhavetheeffectof:

1.precluding,prohibiting,orinhibitingthePFIfromcommunicating

directlywithMasterCard;

2.permittingaCustomeroritsAgenttosubstantivelyeditorotherwise

altertheforensicreport;or

10-67February2014•SecurityRulesandProcedures

AccountDataProtectionStandardsandPrograms

10.2AccountDataCompromiseEvents

3.directingthePFItowithholdinformationfromMasterCard.

Notwithstandingtheforegoing,MasterCardmayengageaPFIonbehalfof

theCustomerinordertoexpeditetheinvestigation.TheCustomeronwhose

behalfthePFIissoengagedwillberesponsibleforallcostsassociatedwith

theinvestigation.

10.2.2.2OngoingProceduresforADCEventsandPotentialADC

Events

FromthetimethattheCustomeroritsAgentbecomesawareofanADCEvent

orPotentialADCEventuntiltheinvestigationisconcludedtothesatisfactionof

MasterCard,theCustomermust:

•Provideweeklywrittenstatusreportscontainingcurrent,accurate,and

updatedinformationconcerningtheADCEventorPotentialADCEvent,

thestepsbeingtakentoinvestigateandremediatesame,andsuchother

informationasMasterCardmayrequest.

•Preserveallfiles,data,andotherinformationpertinenttotheADCEventor

PotentialADCEvent,andrefrainfromtakinganyactions(e.g.,rebooting)

thatcouldresultinthealterationorlossofanysuchfiles,forensicdata

sources,includingfirewallandeventlogfiles,orotherinformation.

•Respondfullyandpromptly,inthemannerprescribedbyMasterCard,

toanyquestionsorotherrequests(includingfollow-uprequests)from

MasterCardwithregardtotheADCEventorPotentialADCEventandthe

stepsbeingtakentoinvestigateandremediatesame.

•AuthorizeandrequirethePFItorespondfully,directly,andpromptlyto

anywrittenororalquestionsorotherrequestsfromMasterCard,andtoso

respondinthemannerprescribedbyMasterCard,withregardtotheADC

EventorPotentialADCEvent,includingthestepsbeingtakentoinvestigate

andremediatesame.

•Consentto,andcooperatewith,anyeffortbyMasterCardtoengageand

directaPFItoperformaninvestigationandprepareaforensicreport

concerningtheADCEventorPotentialADCEvent,intheeventthatthe

Customerfailstosatisfyanyoftheforegoingresponsibilities.

•Ensurethatthecompromisedentitydevelopsaremediationactionplan,

includingimplementationandmilestonedatesrelatedtofindings,corrective

measures,andrecommendationsidentifiedbythePFIandsetforthinthe

finalforensicreport.

•Monitorandvalidatethatthecompromisedentityhasfullyimplementedthe

remediationactionplan,recommendations,andcorrectivemeasures.

SecurityRulesandProcedures•7February201410-7

AccountDataProtectionStandardsandPrograms

10.2AccountDataCompromiseEvents

10.2.3ForensicReport

TheresponsibleCustomer(oritsAgent)mustensurethatthePFIretainand

safeguardalldraftforensicreport(s)pertainingtotheADCEventorPotential

ADCEventand,uponrequestofMasterCard,immediatelyprovidetoMasterCard

anysuchdraft.Thefinalforensicreportrequiredundersection10.2.2.1must

includethefollowing,unlessotherwisedirectedinwritingbyMasterCard:

•Astatementofthescopeoftheforensicinvestigation,includingsourcesof

evidenceandinformationusedbythePFI.

•Anetworkdiagram,includingallsystemsandnetworkcomponentswithin

thescopeoftheforensicinvestigation.Aspartofthisanalysis,allsystem

hardwareandsoftwareversions,includingPOSapplicationsandversionsof

applications,andhardwareusedbythecompromisedentitywithinthepast

twelve(12)months,mustbeidentified.

•ApaymentCardTransactionflowdepictingallPOIsassociatedwith

thetransmission,processing,andstorageofAccountdataandnetwork

diagrams.

•Awrittenanalysisexplainingthemethod(s)usedtobreachthesubject

entity’snetworkorenvironmentaswellasmethod(s)usedtoaccessand

exfiltrateAccountdata.

•Awrittenanalysisexplaininghowthesecuritybreachwascontainedand

thesteps(andrelevantdatesofthesteps)takentoensurethatAccountdata

arenolongeratriskofcompromise.

•Anexplanationofinvestigativemethodologyaswellasidentificationof

forensicdatasourcesusedtodeterminefinalreportfindings.

•AdeterminationandcharacterizationofAccountdataat-riskofcompromise,

includingthenumberofAccountsandat-riskdataelements(magnetic

stripedata—Track1andTrack2,Cardholdername,PAN,expirationdate,

CVC2,PIN,andPINblock).

•ThelocationandnumberofAccountswhererestrictedAccountdata

(magneticstripe,Track1andTrack2,Cardholdername,PAN,expiration

date,CVC2,PIN,orPINblock),whetherencryptedorunencrypyted,

wasormayhavebeenstoredbytheentitythatwasthesubjectofthe

forensicinvestigation.ThisincludesrestrictedAccountdatathatwasormay

havebeenstoredinunallocateddiskspace,backupmedia,andmalicious

softwareoutputfiles.

•AtimeframeforTransactionsinvolvingAccountsdeterminedtobeatrisk

ofcompromise.IfTransactiondate/timeisnotabletobedetermined,

file-creationtimestampsmustbesupplied.

•Adeterminationofwhetherasecuritybreachthatexposedpaymentcard

datatocompromiseoccurred.

10-87February2014•SecurityRulesandProcedures

AccountDataProtectionStandardsandPrograms

10.2AccountDataCompromiseEvents

•Onarequirement-by-requirementbasis,aconclusionastowhether,atthe

timethattheADCEventorPotentialADCEventoccurred,eachapplicable

PCISSCrequirementwascompliedwith.Fortheavoidanceofdoubt,asof

thedateofthepublicationoftheseStandards,thePCISecurityStandards

includethePCIDSS,PINEntryDevice(PCIPED)SecurityRequirements,

andPaymentApplicationDataSecurityStandard(PA-DSS).

MasterCardmayrequiretheCustomertocauseaPFItoconductaPCIgap

analysisandincludetheresultofthatanalysisinthefinalforensicreport.

TheCustomermustdirectthePFItosubmitacopyofthepreliminaryandfinal

forensicreportstoMasterCardviaSecureUpload.

10.2.4AlternativeStandardsApplicabletoCertainMerchants

IntheeventofanADCEventorPotentialADCEvent(forpurposesofthis

section10.2.4,an“Event”)forwhichthesubjectisaLevel2,Level3,orLevel

4Merchant,inlieuofcomplyingwiththeresponsibleCustomerobligations

setforthinsection10.2.2.1,thefirstbulletpointofsection10.2.2.2,and

section10.2.3ofthisChapter10,aresponsibleCustomermaycomplywiththe

Standardssetforthinthissection10.2.4providedallofthefollowingcriteria

aresatisfied:

CriterionAMasterCarddeterminesthatfewerthan7,500Accounts

areatriskofunauthorizeddisclosureasaresultof

theEvent;and

CriterionBMasterCarddeterminesthattheMerchanthasnotbeen

thesubjectofanADCEventorPotentialADCEvent

forthethirty-six(36)consecutivemonthsimmediately

precedingthedatethatMasterCarddetermineslikely

tobetheearliestpossibledateoftheEvent;and

CriterionCTheresponsibleCustomerdeterminesthatthe

Merchantusesacomputer-basedacceptancesystem

thatisnotusedbyanotherMerchantorMerchants

andthatisnotoperatedbyaServiceProviderofthe

responsibleCustomer.

ShouldMasterCarddeterminethatthesubjectoftheEventisaLevel2,3,or4

MerchantandthatCriteriaAandB,above,aresatisfied,MasterCardwillprovide

noticetotheresponsibleCustomerviaane-mailmessagetotheresponsible

Customer’sSecurityContactlistedintheMemberInformation—MasterCard

applicationthenavailableonMasterCardConnect™.

Uponreceiptofsuchnotice,theresponsibleCustomermayelecttocauseaPFI

toconductanexaminationoftheMerchantinaccordancewithsection10.2.2.1

ofthisChapter10.Alternatively,andprovidedtheresponsibleCustomer

determinesthatCriterionCissatisfied,theresponsibleCustomeritselfmay

electtoinvestigatetheEventinlieuofcausingaPFItoconductanexamination

oftheMerchant.

SecurityRulesandProcedures•7February201410-9

AccountDataProtectionStandardsandPrograms

10.2AccountDataCompromiseEvents

IftheresponsibleCustomeritselfelectstoconducttheinvestigation,not

laterthansixty(60)daysfollowingthedateofthenoticebyMasterCard

describedabove,theresponsibleCustomermustprovidetoMasterCarda

writtencertificationbyanofficeroftheresponsibleCustomercertifyingthat

allofthefollowingaretrue:

•TheresponsibleCustomerelectedtoinvestigatetheADCEventorPotential

ADCEventinlieuofcausingaPFItoinvestigatetheADCEventorPotential

ADCEvent;and

•TheMerchantthatisthesubjectoftheADCEventorPotentialADCEvent

doesnotuseacomputer-basedacceptancesystemthatisusedbyanother

MerchantorMerchants;and

•TheresponsibleCustomer’sinvestigationoftheADCEventorPotential

ADCEventhasbeencompletedandallsecurityvulnerabilitieshavebeen

eliminated;and

•TheMerchanthasnewlyvalidatedorrevalidatedcompliancewiththePCI

DSS.Documentationconfirmingsuchvalidationorrevalidationmustbe

providedtoMasterCardwiththeofficercertification.

Exceptasspecificallysetforthinthissection10.2.4,allotherMasterCardand

CustomerrightsandobligationswithrespecttoanADCEventorPotentialADC

EventshallcontinuewithrespecttoanyADCEventorPotentialADCEventthat

aresponsibleCustomeritselfelectstoinvestigateinaccordancewiththissection

10.2.4.Further,andfortheavoidanceofdoubt,MasterCardhasarightatany

timetorequirearesponsibleCustomertocauseaPFItoconductaforensic

examinationofaMerchantnotwithstandingtheprovisionsofthissection10.2.4.

10.2.5MasterCardDeterminationofADCEventorPotential

ADCEvent

MasterCardwillevaluatethetotalityofknowncircumstances,includingbutnot

limitedtothefollowing,todeterminewhetherornotanoccurrenceconstitutes

anADCEventorPotentialADCEvent:

•aCustomeroritsAgentacknowledgesorconfirmstheoccurrenceofan

ADCEventorPotentialADCEvent;

•anyPFIreport;or

•anyinformationdeterminedbyMasterCardtobesufficientlyreliableatthe

timeofreceipt.

10-107February2014•SecurityRulesandProcedures

AccountDataProtectionStandardsandPrograms

10.2AccountDataCompromiseEvents

10.2.5.1AssessmentsforPCIViolationsinConnectionwithADC

Events

BasedonthetotalityofknowncircumstancessurroundinganADCEventor

PotentialADCEvent,includingtheknowledgeandintentoftheresponsible

Customer,MasterCard(inadditiontoanyassessmentsprovidedforelsewhere

intheStandards)mayassessaresponsibleCustomeruptoUSD100,000for

eachviolationofarequirementofthePCISSC.

10.2.5.2PotentialReductionofFinancialResponsibility

NotwithstandingaMasterCarddeterminationthatanADCEventoccurred,

MasterCardmayconsideranyactionstakenbythecompromisedentityto

establish,implement,andmaintainproceduresandsupportbestpractices

tosafeguardAccountdatapriorto,during,andaftertheADCEventor

PotentialADCEvent,inordertorelieve,partiallyorfully,anotherwise

responsibleCustomerofresponsibilityforanyassessments,ADCoperational

reimbursement,ADCfraudrecovery,and/orinvestigativecosts.Indetermining

whethertorelievearesponsibleCustomerofanyorallfinancialresponsibility,

MasterCardmayconsiderwhethertheCustomerhascompliedwithallofthe

followingrequirements:

•SubstantiationtoMasterCardfromaPCISSC-approvedQualifiedSecurity

Assessor(QSA)ofthecompromisedentity’scompliancewiththePCIDSSat

thetimeoftheADCEventorPotentialADCEvent.

•ReportingthatcertifiesanyMerchant(s)associatedwiththeADCEvent

orPotentialADCEventascompliantwiththePCIDSSandallapplicable

MasterCardSiteDataProtection(SDP)Programrequirementsatthetime

oftheADCEventorPotentialADCEventinaccordancewithsection

10.3.3ofthismanual.Suchreportingmustalsoaffirmthatallthird

party-providedpaymentapplicationsusedbytheMerchant(s)associated

withtheADCEventorPotentialADCEventarecompliantwiththe

PaymentCardIndustryPaymentApplicationDataSecurityStandard,as

applicable.TheapplicabilityofthePCIPA-DSStothirdparty-provided

paymentapplicationsisdefinedinthePCIPA-DSSProgramGuide,found

atpcisecuritystandards.org.

•IfthecompromisedentityisaEuropeRegionMerchant,aPFIhasvalidated

thattheMerchantwascompliantwithmilestonesonethroughfourofthe

PCIDSSPrioritizedApproachatthetimeoftheADCEventorPotential

ADCEvent.

•RegistrationofanyTPP(s)orDSE(s)associatedwiththeADCEventthrough

MasterCardConnect,inaccordancewithChapter7oftheMasterCardRules.

SecurityRulesandProcedures•7February201410-11

AccountDataProtectionStandardsandPrograms

10.2AccountDataCompromiseEvents

•NotificationofanADCEventorPotentialADCEventtoandcooperation

withMasterCardand,asappropriate,lawenforcementauthorities.

•Verificationthattheforensicinvestigationwasinitiatedwithinseventy-two

(72)hoursoftheADCEventorPotentialADCEventandcompletedas

soonaspractical.

•TimelyreceiptbyMasterCardoftheunedited(byotherthantheforensic

examiner)forensicexaminationfindings.

•EvidencethattheADCEventorPotentialADCEventwasnotforeseeableor

preventablebycommerciallyreasonablemeansandthat,onacontinuing

basis,bestsecuritypracticeswereapplied.

InconnectionwithitsevaluationoftheCustomer’soritsAgent’sactions,

MasterCardwillconsider,andmaydrawadverseinferencesfrom,evidencethat

aCustomeroritsAgent(s)deletedoraltereddata.

Assoonaspracticable,MasterCardwillcontacttheCustomer’sSecurity

Contact,PrincipalContact,orMerchantAcquirerContactastheyarelistedin

theMemberInformationtool,notifyingallimpactedpartiesoftheimpending

financialobligationorcompensation,asapplicable.

ItisthesoleresponsibilityofeachCustomer,notMasterCard,toincludecurrent

andcompleteinformationintheMemberInformationtool.

10.2.5.3ADCOperationalReimbursementandADCFraud

Recovery—MasterCardOnly

NOTE

ThissectionappliestoMasterCardTransactionsonly.

ADCoperationalreimbursementenablesanIssuertopartiallyrecovercosts

incurredinreissuingCardsandforenhancedmonitoringofcompromised

and/orpotentiallycompromisedMasterCardAccountsassociatedwithanADC

Event.ADCfraudrecoveryenablesanIssuertorecoverpartialincremental

magnetic-stripe(POS90)and/orHybridPOSTerminalunabletoprocess

(POS80)counterfeitfraudlossesassociatedwithanADCEvent.MasterCard

determinesADCoperationalreimbursementandADCfraudrecovery.

ADCoperationalreimbursementandADCfraudrecoveryareavailabletoan

IssuerthatislicensedtoaccessMasterCardAlertsatthetimeoftheADCEvent.

MasterCardreservestherighttodeterminewhichADCEventswillbeeligible

forADCoperationalreimbursementand/orADCfraudrecoveryandtolimitor

“clawback”ADCoperationalreimbursementand/orADCfraudrecoverybased

ontheamountcollectedfromtheresponsibleCustomer,excludingassessments,

orforthepurposeofcompromisinganyclaimassertedthatarisesfromor

isrelatedtoanADCEvent.

10-127February2014•SecurityRulesandProcedures

AccountDataProtectionStandardsandPrograms

10.2AccountDataCompromiseEvents

WithregardtoanyparticularADCEvent,MasterCardhasnoobligationto

disburseanamountinexcessoftheamountthatMasterCardactuallyand

finallycollectsfromtheresponsibleCustomer.Inthatregard,(i)anysuch

amountactuallyandfinallychargedtoaresponsibleCustomerwithrespectto

aparticularADCEventisdeterminedbyMasterCardfollowingthefulland

finalresolutionofanyclaimassertedagainstMasterCardthatarisesfromor

isrelatedtothatADCEvent;and(ii)anyfundsdisbursedbyMasterCardto

aCustomerasADCoperationalreimbursementand/orADCfraudrecovery

isdisbursedconditionallyandsubjectto“clawback”untilanyclaimandall

claimsassertedagainstMasterCardthatarisefromorarerelatedtotheADC

Eventarefullyandfinallyresolved.

MasterCardwillchargetheIssueranadministrativefeeasestablishedfrom

timetotimeforadministeringtheADCoperationalreimbursementandADC

fraudrecoveryprocesses.

IntheadministrationoftheADCoperationalreimbursement(OR)andADC

fraudrecovery(FR)programs,MasterCardmaydeterminetheresponsible

Customer’sfinancialresponsibilitywithrespecttoanADCEvent.When

determiningfinancialresponsibility,MasterCardmaytakeintoconsideration

thecompromisedentity’sPCIlevel(assetforthinsection10.3.4),annualsales

volume,andthefactorssetforthinsection10.2.5.2.

TheannualsalesvolumeisderivedfromtheMerchant’sclearingTransactions

processedduringthepreviousyearviatheGlobalClearingManagement

System(GCMS).TransactionsthatarenotprocessedbyMasterCardwillbe

includedintheannualsalesvolumeifsuchdataisavailable.Intheeventthat

theMerchant’sannualsalesvolumeisnotknown,MasterCardwillusethe

Merchant’sexistingsalesvolumetoprojecttheannualsalesvolume.

10.2.5.4OperationalReimbursement(OR)Calculation—MasterCard

Only

NOTE

ThissectionappliestoMasterCardTransactionsonly.

Subjecttosection10.2.5.3,MasterCardgenerallycalculatesORasfollows:

1.Establishthetotalnumberofat-riskAccountsperIssuerICAnumberby

typeofCard,assumingoneandone-half(11/2)CardsperAccount.

2.Subtractafixeddeductible(tobeperiodicallypublishedinaGlobalSecurity

BulletinorotherMasterCardpublication),toaccountforCardexpirations,

Cardre-issuancecycles,AccountsincludedinpreviousMasterCardAlerts

andthere-issuanceofAccountsusingthesamePANbutadifferent

expirationdate.

3.MultiplythenumberofAccountsbyanamountfixedbyMasterCardfrom

timetotime.

4.UnitedStatesRegiononly—ForADCEventinvestigationcasesopenedby

MasterCardonorafter1October2013,subtractanadditional50percent

SecurityRulesandProcedures•7February201410-13

AccountDataProtectionStandardsandPrograms

10.2AccountDataCompromiseEvents

deductiblefromtheproductresultingfromStep3ifthecompromised

entityisaU.S.RegionAcquirer’sMerchantlocatedintheU.S.Regionand

MasterCarddeterminesthatallofthefollowingaretrue:

a.Atleast75percentoftheMerchant’sannualtotalTransactioncount

originatingfromPOSTerminalsandtheTransactionprocessing

environmentdeemedbyMasterCardtobewithinthescopeoftheADC

EventwereprocessedthroughDualInterfaceHybridPOSTerminalsat

thetimeofthesubjectADCEvent.

TheMerchant’sannualtotalTransactioncountisdeterminedbasedon

theMerchant’sclearingTransactionsprocessedduringthetwelve(12)

monthspriortothedateofpublicationoftheMasterCardAlert,via

theGCMS.TransactionsthatwerenotprocessedbyMasterCardare

includedintheannualTransactioncountifdataisreadilyavailable

toMasterCard.IntheeventthatMasterCardisunabletoreadily

determinetheMerchant’sannualtotalTransactioncount,MasterCard

maysubstituteanyknownTransactioncountasabasistoprojectan

annualtotalTransactioncount;and

b.TheMerchanthasnotbeenidentifiedbyMasterCardashaving

experiencedadifferentADCEventduringthetwelve(12)monthsprior

tothedateofpublicationoftheearliestMasterCardAlertforthesubject

ADCEvent;and

c.TheMerchantwasnotstoringSensitiveCardAuthenticationData.

5.UnitedStatesRegiononly—Effective1October2015,MasterCardwill

notassessforORifthecompromisedentityisaU.S.RegionAcquirer’s

MerchantlocatedintheU.S.RegionandMasterCardhasdeterminedthat:

a.Atleast95percentoftheMerchant’sannualtotalTransactioncount

originatingfromPOSTerminalsandtheTransactionprocessing

environmentdeemedbyMasterCardtobewithinthescopeoftheADC

EventwereprocessedthroughDualInterfaceHybridPOSTerminalsat

thetimeofthesubjectADCEvent.

TheMerchant’sannualtotalTransactioncountisdeterminedbasedon

theMerchant’sclearingTransactionsprocessedduringthetwelve(12)

monthspriortothedateofpublicationoftheMasterCardAlert,via

theGCMS.TransactionsthatwerenotprocessedbyMasterCardare

includedintheannualTransactioncountifdataisreadilyavailable

toMasterCard.IntheeventthatMasterCardisunabletoreadily

determinetheMerchant’sannualtotalTransactioncount,MasterCard

maysubstituteanyknownTransactioncountasabasistoprojectan

annualtotalTransactioncount;and

b.TheMerchanthasnotbeenidentifiedbyMasterCardashaving

experiencedadifferentADCEventduringthetwelve(12)monthsprior

tothedateofpublicationoftheearliestMasterCardAlertforthesubject

ADCEvent;and

c.TheMerchantwasnotstoringSensitiveCardAuthenticationData.

10-147February2014•SecurityRulesandProcedures

AccountDataProtectionStandardsandPrograms

10.2AccountDataCompromiseEvents

10.2.5.5FraudRecovery(FR)Calculation—MasterCardOnly

NOTE

ThissectionappliestoMasterCardTransactionsonly.

MasterCarddeterminesFRinthemannersetforthinthissection.

Subjecttosection10.2.5.3,MasterCarddeterminesanamountofincremental

counterfeitfraudattributabletoanADCEventbasedonthefrauddatareported

totheSystemtoAvoidFraudEffectively(SAFE).Asusedintheimmediately

precedingsentence,theword“incrementalcounterfeitfraud”meanscounterfeit

fraudincrementaltothecounterfeitfraudthatMasterCarddetermineswould

havebeenexpectedtooccurhadtheADCEventnotoccurred.

NOTE

IfthefraudtypereportedtoSAFEforoneormorefraudtransactionsischanged

afterMasterCardhascalculatedtheADCfraudrecoveryamount,MasterCard

doesnotrecalculatetheADCfraudrecoveryamount.

ThecalculationofFRusesan“at-risktimeframe.”Theat-risktimeframemay

beknownorunknown.

Theat-risktimeframeis“known”ifMasterCardisabletodetermineaperiodof

timeduringwhichAccountswereplacedatriskofuseinfraudulenttransactions

duetoorinconnectionwithanADCEvent.Insuchcase,theat-risktimeframe

foranAccountnumbercommencesasofthedatethatMasterCarddetermines

thatAccountbecameatrisk,andends,asthecasemaybe,30,45,or60days

afterthedateofpublicationoftheearliestMasterCardAlertpertainingto

thatADCEventdisclosingthatAccountnumber(seetheADCUser’sGuide

foradditionalinformation).

Theat-risktimeframeis“unknown”ifMasterCardisunabletodeterminea

knownat-risktimeframe.Insuchevent,anat-risktimeframeforanAccount

numbercommencestwelve(12)monthspriortothedateofpublicationofthe

earliestMasterCardAlertfortheADCEventthatdisclosesthatAccountnumber,

andends,asthecasemaybe,30,45,or60daysafterthedateofpublicationof

thatMasterCardAlert(seetheADCUser’sGuideforadditionalinformation).

AnAccountnumberdisclosedinaMasterCardAlertinconnectionwitha

differentADCEventduringthesix(6)monthspriortotheearliestdisclosure

ofthatAccountnumberinaMasterCardAlertpublishedinconnectionwith

thesubjectADCEventisnoteligibleforADCfraudrecoveryforthesubject

ADCEvent.Inaddition,astandarddeductible,publishedfromtimetotime,

isappliedtocompensateforchargebackrecoveriesonTransactionsusing

at-riskAccountnumbersandpriorreissuanceofat-riskAccountnumberswith

differentexpirationdates.

UnitedStatesRegiononly—MasterCardwill:

1.ForanADCEventinvestigationcaseopenedbyMasterCardonorafter

1October2013,applyanadditional50percentdeductibleagainstthe

calculationofFRifthecompromisedentityisaU.S.RegionAcquirer’s

SecurityRulesandProcedures•7February201410-15

AccountDataProtectionStandardsandPrograms

10.2AccountDataCompromiseEvents

MerchantlocatedintheU.S.RegionandMasterCarddeterminesthatallof

thefollowingaretrue:

a.Atleast75percentoftheMerchant’sannualtotalU.S.-acquired

TransactioncountoriginatingfromPOSTerminalsandtheTransaction

processingenvironmentdeemedbyMasterCardtobewithinthescope

oftheADCEventwereprocessedthroughDualInterfaceHybridPOS

TerminalsatthetimeofthesubjectADCEvent.

TheMerchant’sannualtotalU.S.-acquiredTransactioncountis

determinedbasedontheMerchant’sclearingTransactionsprocessed

duringthetwelve(12)monthspriortothedateofpublicationofthe

MasterCardAlert,viatheGCMS.Transactionsthatwerenotprocessed

byMasterCardareincludedintheannualU.S.-acquiredTransaction

countifthedataisreadilyavailabletoMasterCard.Intheeventthat

MasterCardisunabletoreadilydeterminetheMerchant’sannualtotal

U.S.-acquiredTransactioncount,MasterCardmaysubstituteanyknown

U.S.-acquiredTransactioncountasabasistoprojectanannualtotal

Transactioncount;and

b.TheMerchanthasnotbeenidentifiedbyMasterCardashaving

experiencedadifferentADCEventduringthetwelve(12)monthsprior

tothedateofpublicationoftheearliestMasterCardAlertforthesubject

ADCEvent;and

c.TheMerchantwasnotstoringSensitiveCardAuthenticationData.

2.ForanADCEventinvestigationcaseopenedbyMasterCardonorafter1

October2015,applya100percentdeductibleagainstthecalculationofFRif

thecompromisedentityisaU.S.RegionAcquirer’sMerchantlocatedinthe

U.S.RegionandMasterCarddeterminesthatallofthefollowingaretrue:

a.Atleast95percentoftheMerchant’sannualtotalU.S.-acquired

TransactioncountoriginatingfromPOSTerminalsandtheTransaction

processingenvironmentdeemedbyMasterCardtobewithinthescope

oftheADCEventwereprocessedthroughDualInterfaceHybridPOS

TerminalsatthetimeofthesubjectADCEvent.

TheMerchant’sannualtotalU.S.-acquiredTransactioncountis

determinedbasedontheMerchant’sclearingTransactionsprocessed

duringthetwelve(12)monthspriortothedateofpublicationofthe

MasterCardAlert,viatheGCMS.Transactionsthatwerenotprocessed

byMasterCardareincludedintheannualU.S.-acquiredTransaction

countifthedataisreadilyavailabletoMasterCard.Intheeventthat

MasterCardisunabletoreadilydeterminetheMerchant’sannualtotal

U.S.-acquiredTransactioncount,MasterCardmaysubstituteanyknown

U.S.-acquiredTransactioncountasabasistoprojectanannualtotal

Transactioncount;and

b.TheMerchanthasnotbeenidentifiedbyMasterCardashaving

experiencedadifferentADCEventduringthetwelve(12)monthsprior

tothedateofpublicationoftheearliestMasterCardAlertforthesubject

ADCEvent;and

10-167February2014•SecurityRulesandProcedures

AccountDataProtectionStandardsandPrograms

10.2AccountDataCompromiseEvents

c.TheMerchantwasnotstoringSensitiveCardAuthenticationData.

10.2.5.6InvestigationandOtherCosts

MasterCardmayassesstheresponsibleCustomerforallinvestigationandother

costsincurredbyMasterCardinconnectionwithanADCEventandmayassess

aCustomerforallinvestigativeandothercostsincurredbyMasterCardin

connectionwithaPotentialADCEvent.

10.2.6Assessmentsand/orDisqualicationforNoncompliance

IftheCustomerfailstocomplywiththeproceduressetforthinthissection

10.2,MasterCardmayimposeanassessmentofuptoUSD25,000perdayfor

eachdaythattheCustomerisnoncompliantand/ordisqualifytheCustomer

fromparticipatingasarecipientofADCoperationalreimbursementandfraud

recoverydisbursements,whethersuchdisbursementsaremadeinconnection

withthesubjectADCEventoranyotherADCEvent,fromthedatethat

MasterCardprovidestheCustomerwithwrittennoticeofsuchdisqualification

untilMasterCarddeterminesthattheCustomerhasresolvedallcompliance

issuesunderthissection10.2.

10.2.7FinalFinancialResponsibilityDetermination

Uponcompletionofitsinvestigation,ifMasterCarddeterminesthataCustomer

bearsfinancialresponsibilityforanADCEventorPotentialADCEvent,

MasterCardwillnotifytheresponsibleCustomerofsuchdeterminationand,

eithercontemporaneouswithsuchnotificationorthereafter,specifytheamount

oftheCustomer’sfinancialresponsibilityfortheADCEventorPotentialADC

Event.

TheresponsibleCustomerhasthirty(30)calendardaysfromthedateofsuch

notificationoftheamountoftheCustomer’sfinancialresponsibilitytosubmita

writtenappealtoMasterCard,togetherwithanydocumentationand/orother

informationthattheCustomerwishesMasterCardtoconsiderinconnection

withtheappeal.OnlyanappealthatbothcontendsthattheMasterCard

financialresponsibilitydeterminationwasnotinaccordancewiththeStandards

andspecifieswithparticularitythebasisforsuchcontentionwillbeconsidered.

Iftheappealistimelyandmeetsthesecriteria,MasterCardwillconsiderthe

appealandthedocumentationand/orotherinformationsubmittedtherewith

indeterminingwhetherornottheMasterCardfinalfinancialresponsibility

determinationwasmadeinaccordancewiththeStandards.Anappealthat

isnottimelyordoesnotmeetthesecriteriawillnotbeconsidered.The

MasterCarddecisionwithrespecttoanappealisfinalandthereareno

additionalinternalappealrights.

SecurityRulesandProcedures•7February201410-17

AccountDataProtectionStandardsandPrograms

10.3MasterCardSiteDataProtection(SDP)Program

ThissectiondoesnotrelieveaCustomerofanyresponsibilitysetforthin

sections10.2.2and10.2.3,includingtheresponsibilitytosubmittoMasterCard

onacontinuingbasisthroughoutthependencyoftheMasterCardinvestigation

theinformationrequiredbythosesections.IfMasterCarddeterminesthata

Customerkneworshouldhaveknownwithreasonablediligenceofdocuments

orotherinformationthattheCustomerwasrequiredtosubmittoMasterCard

duringthependencyoftheMasterCardinvestigationinaccordancewithsections

10.2.2or10.2.3,butfailedtodoso,suchdocumentsorotherinformationwill

notbeconsideredbyMasterCardindecidingtheappeal.

10.3MasterCardSiteDataProtection(SDP)Program

NOTE

ThissectionappliestoMasterCardandMaestroTransactions.

TheMasterCardSiteDataProtection(SDP)Programisdesignedtoencourage

Customers,Merchants,ThirdPartyProcessors(TPPs),andDataStorage

Entities(DSEs)toprotectagainstAccountdatacompromises.TheSDP

Programfacilitatestheidentificationandcorrectionofvulnerabilitiesinsecurity

processes,procedures,andWebsiteconfigurations.Forthepurposesofthe

SDPProgram,TPPsandDSEsarecollectivelyreferredtoas“ServiceProviders”

inthischapter.

AnAcquirermustimplementtheMasterCardSDPProgrambyensuringthatits

MerchantsandServiceProvidersarecompliantwiththePaymentCardIndustry

DataSecurityStandard(PCIDSS)andthatallapplicablethirdparty-provided

paymentapplicationsusedbyitsMerchantsandServiceProvidersarecompliant

withthePaymentCardIndustryPaymentApplicationDataSecurityStandard

(PCIPA-DSS),inaccordancewiththeimplementationscheduledefinedin

section10.3.1ofthismanual.Goingforward,thePaymentCardIndustryData

SecurityStandardandthePaymentCardIndustryPaymentApplicationData

SecurityStandardwillbecomponentsoftheSDPProgram;thesedocuments

setforthsecurityStandardsthatMasterCardhopeswillbeadoptedasindustry

standardsacrossthepaymentbrands.

ACustomerthatcomplieswiththeSDPProgramrequirementsmayqualifyfor

areduction,partialortotal,ofcertaincostsorassessmentsiftheCustomer,a

Merchant,oraServiceProvideristhesourceofanAccountdatacompromise.

MasterCardhassolediscretiontointerpretandenforcetheSDPProgram

Standards.

10-187February2014•SecurityRulesandProcedures

AccountDataProtectionStandardsandPrograms

10.3MasterCardSiteDataProtection(SDP)Program

10.3.1PaymentCardIndustryDataSecurityStandards

ThePaymentCardIndustryDataSecurityStandardandthePaymentCard

IndustryPaymentApplicationDataSecurityStandardestablishdatasecurity

requirements.CompliancewiththePaymentCardIndustryDataSecurity

StandardisrequiredforallIssuers,Acquirers,Merchants,ServiceProviders,

andanyotherpersonorentitythataCustomerpermits,directlyorindirectly,

tostore,transmit,orprocessAccountdata.MasterCardrequiresvalidationof

complianceonlyforthoseentitiesspecifiedintheSDPProgramimplementation

scheduleinsection10.3.4.AllMerchantsandServiceProvidersthatusethird

party-providedpaymentapplicationsmustonlyusepaymentapplicationsthat

arecompliantwiththePaymentCardIndustryPaymentApplicationData

SecurityStandard,asapplicable.TheapplicabilityofthePCIPA-DSStothird

party-providedpaymentapplicationsisdefinedinthePCIPA-DSSProgram

Guide.

ThePaymentCardIndustryDataSecurityStandard,thePaymentCardIndustry

PaymentApplicationDataSecurityStandard,thePCIPA-DSSProgramGuide,

andotherPCISecurityStandardsmanualsareavailableonthePCISecurity

StandardsCouncil(SSC)Websiteatwww.pcisecuritystandards.org.

10.3.2ComplianceValidationTools

Asdefinedintheimplementationscheduleinsection10.3.4,Merchantsand

ServiceProvidersmustvalidatetheircompliancewiththePaymentCard

IndustryDataSecurityStandardbyusingthefollowingtools:

OnsiteReviewsTheonsitereviewevaluatesMerchantorService

ProvidercompliancewiththePaymentCardIndustry

DataSecurityStandard.Onsitereviewsarean

annualrequirementforLevel1Merchantsandfor

Level1ServiceProviders.Merchantsmayusean

internalauditororindependentassessorrecognized

byMasterCardasacceptable.ServiceProvidersmust

useanacceptablethird-partyassessorasdefinedon

theSDPProgramWebsite.Onsitereviewsmustbe

conductedinaccordancewiththePaymentCard

IndustrySecurityAuditProceduresmanual.

ThePayment

CardIndustry

Self-assessment

Questionnaire

ThePaymentCardIndustrySelf-assessment

QuestionnaireisavailableatnochargeonthePCI

SSCWebsite.Tobecompliant,eachLevel2,3,and

4Merchant,andeachLevel2ServiceProvidermust

generateacceptableratingsonanannualbasis.

SecurityRulesandProcedures•7February201410-19

AccountDataProtectionStandardsandPrograms

10.3MasterCardSiteDataProtection(SDP)Program

NetworkSecurity

Scan

Thenetworksecurityscanevaluatesthesecurity

measuresinplaceataWebsite.Tofulfillthenetwork

scanningrequirement,allLevel1to3Merchantsand

allServiceProvidersasrequiredbytheimplementation

schedulemustconductscansonaquarterlybasis

usingavendorlistedonthePCISSCWebsite.Tobe

compliant,scanningmustbeconductedinaccordance

withtheguidelinescontainedinthePaymentCard

IndustryDSSSecurityScanningProceduresmanual.

10.3.3AcquirerComplianceRequirements

ToensurecompliancewiththeMasterCardSDPProgram,anAcquirermust:

•ForeachLevel1,Level2,andLevel3Merchant,submitaquarterlystatus

reportviaane-mailmessagetosdp@mastercard.comusingtheform

providedontheSDPProgramWebsite.Thissubmissionformmustbe

completedinitsentiretyandmayincludeinformationon:

–ThenameandprimarycontactinformationoftheAcquirer

–ThenameoftheMerchant

–TheMerchantidentificationnumberoftheMerchant

–ThenumberofTransactionsthattheAcquirerprocessedforthe

Merchantduringtheprevious12-monthperiod

–TheMerchant’slevelundertheimplementationscheduleprovidedin

section10.3.4ofthismanual

–TheMerchant'scompliancestatuswithitsapplicablecompliance

validationrequirements

–TheMerchant'santicipatedcompliancevalidationdateorthedate

onwhichtheMerchantlastvalidateditscompliance(the“Merchant

ValidationAnniversaryDate”)

•CommunicatetheSDPProgramrequirementstoeachLevel1,Level2,and

Level3Merchant,andvalidatetheMerchant’scompliancewiththePayment

CardIndustryDataSecurityStandardbyreviewingitsPaymentCard

IndustrySelf-assessmentQuestionnaireandtheReportsonCompliance

(ROC)thatresultedfromnetworksecurityscansandonsitereviewsofthe

Merchant,ifapplicable.

•CommunicatetheSDPProgramrequirementstoeachLevel1andLevel2

ServiceProvider,andensurethatMerchantsuseonlycompliantService

Providers.

InsubmittingaquarterlySDPstatusreportindicatingthattheMerchanthas

validatedcompliancewithin12monthsofthereportsubmissiondate,the

Acquirercertifiesthat:

10-207February2014•SecurityRulesandProcedures

AccountDataProtectionStandardsandPrograms

10.3MasterCardSiteDataProtection(SDP)Program

1.TheMerchanthas,whenappropriate,engagedandusedtheservicesof

adatasecurityfirm(s)consideredacceptablebyMasterCardforonsite

reviews,securityscanning,orboth.

2.UponreviewingtheMerchant’sonsitereviewresults,PaymentCard

IndustrySelf-assessmentQuestionnaire,ornetworkscanreports,the

AcquirerhasdeterminedthattheMerchantisincompliancewiththe

PaymentCardIndustryDataSecurityStandardrequirements.

3.Onanongoingbasis,theAcquirerwillmonitortheMerchant’scompliance.

IfatanytimetheAcquirerfindstheMerchanttobenoncompliant,

theAcquirermustnotifytheMasterCardSDPDepartmentinwritingat

sdp@mastercard.com.

Atitsdiscretionandfromtimetotime,MasterCardmayalsorequestthe

followinginformation:

•Merchantprincipaldata

•ThenameofanyTPPorDSEthatperformsTransactionprocessingservices

fortheMerchant’sTransactions

•WhethertheMerchantstoresAccountdata

WhenconsideringwhetheraMerchantstoresAccountdata,Acquirerscarefully

shouldsurveyeachMerchant’sdataprocessingenvironment.Merchantsthat

donotstoreAccountinformationinadatabasefilestillmayacceptpayment

CardinformationviaaWebpageandthereforestoreAccountdatatemporarily

inmemoryfiles.PertheMasterCarddatastoragedefinition,anytemporaryor

permanentretentionofAccountdataisconsideredtobestorage.AMerchant

thatdoesnotstoreAccountdataneverprocessesthedatainanyform,such

asinthecaseofaMerchantthatoutsourcesitsenvironmenttoaWebhosting

company,oraMerchantthatredirectscustomerstoapaymentpagehostedby

athird-partyServiceProvider.

10.3.4ImplementationSchedule

Allonsitereviews,networksecurityscans,andself-assessmentsmustbe

conductedaccordingtotheguidelinesinsection10.3.2.Forpurposesofthe

SDPProgram,ServiceProvidersinthissectionrefertoTPPsandDSEs.

TheAcquirermustensure,withrespecttoeachofitsMerchants,that“transition”

fromonePCIleveltoanother(forexample,theMerchanttransitionsfromLevel

4toLevel3duetoTransactionvolumeincreases),thatsuchMerchantachieves

compliancewiththerequirementsoftheapplicablePCIlevelassoonas

practical,butinanyeventnotlaterthanoneyearafterthedateoftheeventthat

resultsinorcausestheMerchanttotransitionfromonePCIleveltoanother.

SecurityRulesandProcedures•7February201410-21

AccountDataProtectionStandardsandPrograms

10.3MasterCardSiteDataProtection(SDP)Program

AllLevel1,2,and3MerchantsandallServiceProvidersthatuse

anythirdparty-providedpaymentapplicationsmustvalidatethat

eachpaymentapplicationusedislistedonthePCISSCWebsiteat

www.pcisecuritystandards.orgascompliantwiththePaymentCardIndustry

PaymentApplicationDataSecurityStandard,asapplicable.Theapplicability

ofthePCIPA-DSStothirdparty-providedpaymentapplicationsisdefinedin

thePCIPA-DSSProgramGuide.

Level1Merchants

AMerchantthatmeetsanyoneormoreofthefollowingcriteriaisdeemedto

beaLevel1MerchantandmustvalidatecompliancewiththePaymentCard

IndustryDataSecurityStandard:

•AnyMerchantthathassufferedahackoranattackthatresultedinan

Accountdatacompromise,

•AnyMerchanthavinggreaterthansixmilliontotalcombinedMasterCard

andMaestrotransactionsannually,

•AnyMerchantmeetingtheLevel1criteriaofVisa,and

•AnyMerchantthatMasterCard,initssolediscretion,determinesshould

meettheLevel1Merchantrequirementstominimizerisktothesystem.

Tovalidatecompliance,eachLevel1Merchantmustsuccessfullycomplete:

•AnannualonsiteassessmentconductedbyaPCISSCapprovedQualified

SecurityAssessor(QSA)orinternalauditor,and

•QuarterlynetworkscansconductedbyaPCISSCApprovedScanning

Vendor(ASV).

Level1Merchantsthatuseinternalauditorsforcompliancevalidationmust

ensurethatprimaryinternalauditorstaffengagedinvalidatingcompliancewith

thePaymentCardIndustryDataSecurityStandardattendthePCISSC-offered

InternalSecurityAssessor(ISA)ProgramandpassthePCISSCassociated

accreditationexaminationannuallyinordertocontinuetouseinternalauditors.

Level2Merchants

UnlessdeemedtobeaLevel1Merchant,thefollowingaredeemedtobe

aLevel2MerchantandmustvalidatecompliancewiththePaymentCard

IndustryDataSecurityStandard:

•AnyMerchantwithgreaterthanonemillionbutlessthanorequaltosix

milliontotalcombinedMasterCardandMaestrotransactionsannually,and

•AnyMerchantmeetingtheLevel2criteriaofVisa.

Tovalidatecompliance,eachLevel2Merchantmustsuccessfullycomplete:

•Anannualself-assessment,and

•QuarterlynetworkscansconductedbyaPCISSCASV.

10-227February2014•SecurityRulesandProcedures

AccountDataProtectionStandardsandPrograms

10.3MasterCardSiteDataProtection(SDP)Program

EachLevel2Merchantmustensurethatstaffengagedinself-assessing

theMerchant’scompliancewiththePaymentCardIndustryDataSecurity

StandardattendthePCISSC-offeredISAProgramandpasstheassociatedPCI

SSCaccreditationexaminationannuallyinordertocontinuetheoptionof

self-assessmentforcompliancevalidation.Level2Merchantsmayalternatively,

attheirowndiscretion,engageaPCISSC-approvedQSAforanonsite

assessmentinsteadofperformingaself-assessment.

Level3Merchants

UnlessdeemedtobeaLevel1orLevel2Merchant,thefollowingaredeemed

tobeaLevel3MerchantandmustvalidatecompliancewiththePayment

CardIndustryDataSecurityStandard:

•AnyMerchantwithgreaterthan20,000butlessthanorequaltoonemillion

totalcombinedMasterCardandMaestroelectroniccommerce(e-commerce)

transactionsannually,and

•AnyMerchantmeetingtheLevel3criteriaofVisa.

Tovalidatecompliance,eachLevel3Merchantmustsuccessfullycomplete:

•Anannualself-assessment,and

•QuarterlynetworkscansconductedbyaPCISSCASV.

Level4Merchants

AnyMerchantnotdeemedtobeaLevel1,Level2,orLevel3Merchantis

deemedtobeaLevel4Merchant.CompliancewiththePaymentCardIndustry

DataSecurityStandardisrequiredforaLevel4Merchant,althoughvalidation

ofcompliance(andallotherMasterCardSDPProgramAcquirerrequirements

setforthinsection10.3.3)isoptionalforaLevel4Merchant.However,a

validationofcomplianceisstronglyrecommendedforAcquirerswithrespectto

eachLevel4MerchantinordertoreducetheriskofAccountdatacompromise

andforanAcquirerpotentiallytogainapartialwaiverofrelatedassessments.

ALevel4MerchantmayvalidatecompliancewiththePaymentCardIndustry

DataSecurityStandardbysuccessfullycompleting:

•Anannualself-assessment,and

•QuarterlynetworkscansconductedbyaPCISSCASV.

IfaLevel4MerchanthasvalidateditscompliancewiththePaymentCard

IndustryDataSecurityStandardandthePaymentCardIndustryPayment

ApplicationDataSecurityStandardasdescribedinthissection,theAcquirer

may,atitsdiscretion,fulfillthereportingrequirementsdescribedinsection

10.3.3.

SecurityRulesandProcedures•7February201410-23

AccountDataProtectionStandardsandPrograms

10.3MasterCardSiteDataProtection(SDP)Program

Level1ServiceProviders

ALevel1ServiceProviderisanyTPP(regardlessofvolume)andanyDSEthat

stores,transmits,orprocessesmorethan300,000totalcombinedMasterCard

andMaestrotransactionsannually.

EachLevel1ServiceProvidermustvalidatecompliancewiththePaymentCard

IndustryDataSecurityStandardbysuccessfullycompleting:

•AnannualonsiteassessmentbyaPCISSCapprovedQSA,and

•QuarterlynetworkscansconductedbyaPCISSCASV.

Level2ServiceProviders

ALevel2ServiceProviderisanyDSEthatisnotdeemedaLevel1Service

Providerandthatstores,transmits,orprocesses300,000orlesstotalcombined

MasterCardandMaestrotransactionsannually.

EachLevel2ServiceProvidermustvalidatecompliancewiththePaymentCard

IndustryDataSecurityStandardbysuccessfullycompleting:

•Anannualself-assessment,and

•QuarterlynetworkscansconductedbyaPCISSCASV.

MasterCardhastherighttoauditCustomercompliancewiththeSDPProgram

requirements.Noncomplianceonoraftertherequiredimplementationdate

mayresultinassessmentsdescribedinTable10.1.

Table10.1—AssessmentsforNoncompliancewiththeSDPProgram

Failureofthefollowingto

complywiththeSDPProgram

mandate…Mayresultinanassessmentof…

ClassicationViolationspercalendaryear

Level1andLevel2MerchantsUptoUSD25,000forthefirstviolation

UptoUSD50,000forthesecondviolation

UptoUSD100,000forthethirdviolation

UptoUSD200,000forthefourthviolation

Level3MerchantsUptoUSD10,000forthefirstviolation

UptoUSD20,000forthesecondviolation

UptoUSD40,000forthethirdviolation

UptoUSD80,000forthefourthviolation

Level1andLevel2Service

Providers

UptoUSD25,000forthefirstviolation

UptoUSD50,000forthesecondviolation

UptoUSD100,000forthethirdviolation

UptoUSD200,000forthefourthviolation

10-247February2014•SecurityRulesandProcedures

AccountDataProtectionStandardsandPrograms

10.3MasterCardSiteDataProtection(SDP)Program

NoncompliancealsomayresultinMerchanttermination,deregistrationofaTPP

orDSEasaServiceProvider,orterminationoftheAcquirerasaCustomeras

providedinRule2.1.2oftheMasterCardRulesmanual.

TheAcquirermustprovidecomplianceactionplansandquarterlycompliance

statusreportsforeachLevel1,Level2,andLevel3Merchantusing

theSDPAcquirerSubmissionandComplianceStatusForm,availableat

http://www.mastercard.com/us/sdp/index.htmlorbycontactingtheMasterCard

SDPDepartmentatsdp@mastercard.com.

Acquirersmustcompletetheform(s)intheirentiretyandsubmittheform(s)

viae-mailmessagetosdp@mastercard.comonorbeforethelastdayofthe

quarter,asindicatedbelow.

Forthisquarter…Submittheform(s)nolaterthan…

1Januaryto31March31March

1Aprilto30June30June

1Julyto30September30September

1Octoberto31December31December

Latesubmissionorfailuretosubmittherequiredform(s)mayresultinan

additionalassessmenttotheAcquirerasdescribedforCategoryAviolationsin

Rule2.1.4oftheMasterCardRulesmanual.

10.3.4.1MasterCardPCIDSSRisk-basedApproach

AqualifyingLevel1orLevel2MerchantlocatedoutsideoftheU.S.Region

mayusetheMasterCardPCIDSSRisk-basedApproach,pursuanttowhich

theMerchant:

•Validatescompliancewiththefirstfourofthesixtotalmilestonessetforth

inthePCIDSSPrioritizedApproach,asfollows:

–ALevel1Merchantmustvalidatecompliancethroughanonsite

assessmentconductedbyaPCISSC-approvedQSA,orbyconductingan

onsiteassessmentusinginternalresourcesthathavebeentrainedand

certifiedthroughthePCISSC-offeredISAProgram.

–ALevel2MerchantmustvalidatecomplianceusingaSelf-Assessment

Questionnaire(SAQ)completedbyinternalresourcesthathave

beentrainedandcertifiedthroughthePCISSC-offeredISAProgram.

Alternatively,theLevel2MerchantmayvalidatePCIDSScompliance

viaanonsiteassessment.

•Annuallyrevalidatescompliancewithmilestonesonethroughfourusingan

SAQ.TheSAQmustbecompletedbyinternalstafftrainedandcurrently

certifiedthroughthePCISSC-offeredISAProgram.

SecurityRulesandProcedures•7February201410-25

AccountDataProtectionStandardsandPrograms

10.3MasterCardSiteDataProtection(SDP)Program

ToqualifyascompliantwiththeMasterCardPCIDSSRisk-basedApproach,a

Merchantmustsatisfyallofthefollowing:

•TheMerchantmustcertifythatitisnotstoringSensitiveCardAuthentication

Data.

•Onacontinuousbasis,theMerchantmustkeepfullysegregatedthe

“Card-not-present”Transactionenvironmentfromthe“face-to-face”

Transactionenvironment.Aface-to-faceTransactionrequirestheCard,

theCardholder,andtheMerchanttoallbepresenttogetheratthetime

andplaceoftheTransaction.

•ForaMerchantlocatedintheEuropeRegion,atleast95percentofthe

Merchant’sannualtotalcountofCard-presentMasterCardandMaestro

transactionsmustoccuratHybridPOSTerminals.

•ForaMerchantlocatedintheAsia/PacificRegion,CanadaRegion,Latin

AmericaandtheCaribbeanRegion,orSouthAsia/MiddleEast/AfricaRegion,

atleast75percentoftheMerchant’sannualtotalcountofCard-present

MasterCardandMaestrotransactionsmustoccuratHybridPOSTerminals.

•TheMerchantmustnothaveexperiencedanADCEventwithinthelast12

months.AtthediscretionofMasterCard,thisandothercriteriamaybe

waivediftheMerchantvalidatedfullPCIDSScomplianceatthetimeofthe

ADCEventorPotentialADCEvent.

•TheMerchantmustestablishandannuallytestanADCEventincident

responseplan.

InformationaboutthePCIDSSPrioritizedApproachisavailableat:

www.pcisecuritystandards.org/education/prioritized.shtml

10.3.4.2MasterCardPCIDSSComplianceValidationExemption

Program

AqualifyingLevel1orLevel2MerchantmayparticipateintheMasterCardPCI

DSSComplianceValidationExemptionProgram(the“ExemptionProgram”),

whichexemptstheMerchantfromtherequirementtoannuallyvalidateits

compliancewiththePCIDSS.

ToqualifyorremainqualifiedtoparticipateintheExemptionProgram,

adulyauthorizedandempoweredofficeroftheMerchantmustcertifyto

theMerchant’sAcquirerinwritingthattheMerchanthassatisfiedallofthe

following:

1.TheMerchantvalidateditscompliancewiththePCIDSSwithintheprevious

twelve(12)monthsor,alternatively,hassubmittedtoitsAcquirer,and

theAcquirerhassubmittedtoMasterCard,adefinedremediationplan

satisfactorytoMasterCarddesignedtoensurethattheMerchantachieves

PCIDSScompliancebasedonaPCIDSSgapanalysis;

2.TheMerchantdoesnotstoreSensitiveCardAuthenticationData.The

AcquirermustnotifyMasterCardthroughcompliancevalidationreportingof

thestatusofMerchantstorageofSensitiveCardAuthenticationData;

10-267February2014•SecurityRulesandProcedures

AccountDataProtectionStandardsandPrograms

10.3MasterCardSiteDataProtection(SDP)Program

3.TheMerchanthasnotbeenidentifiedbyMasterCardashavingexperienced

anADCEventduringthepriortwelve(12)months;

4.TheMerchanthasestablishedandannuallytestsanADCEventincident

responseplaninaccordancewithPCIDSSrequirements;and

5.Atleast75percentoftheMerchant’sannualtotalacquiredMasterCardand

MaestroTransactioncountisprocessedthroughDualInterfaceHybridPOS

Terminals,asdeterminedbasedontheMerchant’stransactionsprocessed

duringtheprevioustwelve(12)monthsviatheGCMSand/orSingle

MessageSystem.TransactionsthatwerenotprocessedbyMasterCardmay

beincludedintheannualacquiredTransactioncountifthedataisreadily

availabletoMasterCard.

AnAcquirermustretainallMerchantcertificationsofeligibilityforthe

ExemptionProgramforaminimumoffive(5)years.Uponrequestby

MasterCard,theAcquirermustprovideaMerchant’scertificationofeligibility

fortheExemptionProgramandanydocumentationand/orotherinformation

applicabletosuchcertification.AnAcquirerisresponsibleforensuringthat

eachExemptionProgramcertificationistruthfulandaccurate.

AMerchantthatdoesnotsatisfytheExemptionProgram’seligibilitycriteria,

includinganyMerchantwhoseTransactionvolumeisprimarilyfrom

e-commerceandMailOrder/TelephoneOrder(MO/TO)acceptancechannels,

mustcontinuetovalidateitsPCIDSScomplianceinaccordancewiththe

MasterCardSDPimplementationschedule.

AllMerchantsmustmaintainongoingcompliancewiththePCIDSSregardless

ofwhetherannualcompliancevalidationisarequirement.

10.3.4.3MandatoryComplianceRequirementsforCompromised

Entities

Undertheauditrequirementsetforthinsection10.2.2.1,theAcquirermust

ensurethatadetailedforensicsevaluationisconducted.

Attheconclusionoftheforensicsevaluation,MasterCardwillprovidea

MasterCardSiteDataProtection(SDP)AccountDataCompromiseInformation

Formforcompletionbythecompromisedentityitself,ifthecompromised

entityisaTPPorDSE,orbyitsAcquirer,ifthecompromisedentityisa

Merchant.Theformmustbereturnedviae-mailtopci-adc@mastercard.com

within30calendardaysofitsreceipt,andmustinclude:

•ThenamesoftheQSAandtheASVthatconductedtheforensicsevaluation,

and

•Theentity’scurrentlevelofcompliancewiththePaymentCardIndustry

DataSecurityStandard,and

•Agapanalysisprovidingdetailedstepsrequiredfortheentitytoachieve

fullcompliancewiththePaymentCardIndustryDataSecurityStandard.

SecurityRulesandProcedures•7February201410-27

AccountDataProtectionStandardsandPrograms

10.4ConnectingtoMasterCard—PhysicalandLogicalSecurityRequirements

Assoonaspractical,butnolaterthan60calendardaysfromtheconclusionof

theforensicsevaluation,thecompromisedentityoritsAcquirermustprovide

evidencefromaQSAandanASVthatthecompromisedentityhasachievedfull

compliancewiththePaymentCardIndustryDataSecurityStandard.

Suchevidence(forexample,aletterattestingtotheentity’scompliance,a

compliancecertificate,oracompliancestatusreport)mustbesubmittedto

MasterCardviae-mailtopci-adc@mastercard.com.

FailuretocomplywiththeserequirementsmayresultinSDPnoncompliance

assessmentsasdescribedinsection10.3.4.AnyMerchantorLevel1orLevel

2ServiceProviderthathassufferedaconfirmedAccountdatacompromise

willbeautomaticallyreclassifiedtobecomeaLevel1MerchantoraLevel1

ServiceProvider,respectively.Allcompliancevalidationrequirementsforsuch

Level1entitieswillapply.

10.4ConnectingtoMasterCard—PhysicalandLogical

SecurityRequirements

EachCustomerandanyagentthereofmustbeabletodemonstratetothe

satisfactionofMasterCardtheexistenceanduseofmeaningfulphysical

andlogicalsecuritycontrolsforanycommunicationsprocessororother

deviceusedtoconnecttheCustomer’sprocessingsystemstotheMasterCard

WorldwideNetwork(herein,“aMasterCardNetworkDevice”)andallassociated

components,includingallhardware,software,systems,anddocumentation

(hereincollectivelyreferredtoas“ServiceDeliveryPointEquipment”)located

on-siteattheCustomeroragentfacility.Front-endcommunicationsprocessors

includeMasterCardinterfaceprocessors(MIPs),networkinterfaceunits(NIUs),

anddebitinterfaceunits(DIUs).

Thecontrolsmustmeettheminimumrequirementsdescribedinthissection,

andpreferablywillincludetherecommendedadditionalparameters.

10.4.1MinimumSecurityRequirements

Ataminimum,theCustomeroritsagentmustputinplacethefollowing

controlsateachfacilityhousingServiceDeliveryPointEquipment:

1.EachnetworksegmentconnectingaMasterCardNetworkDevicetothe

Customer’sprocessingsystemsmustbecontrolledtightly,asappropriate

ornecessarytopreventunauthorizedaccesstoorfromotherpublicor

privatenetworksegments.

2.Theconnectivityprovidedbyeachsuchnetworksegmentmustbe

dedicatedwhollyandrestrictedsolelytothesupportofcommunications

betweenMasterCardandtheCustomer’sprocessingsystems.

3.TheCustomeroritsagentmustreplaceeachvendor-suppliedordefault

passwordpresentontheCustomer’sprocessingsystems,eachMasterCard

NetworkDevice,andanydeviceprovidingconnectivitybetweenthemwith

10-287February2014•SecurityRulesandProcedures

AccountDataProtectionStandardsandPrograms

10.4ConnectingtoMasterCard—PhysicalandLogicalSecurityRequirements

a“strongpassword.”Astrongpasswordcontainsatleasteightcharacters,

usesacombinationofletters,numbers,symbols,punctuation,orall,and

doesnotincludeanameorcommonword(s).

4.TheCustomeroritsagentmustconductregularperiodicreviewsofall

systemsanddevicesthatstoreAccountinformationtoensurethataccess

isstrictlylimitedtoappropriateCustomerpersonnelona“needtoknow”

basis.

5.TheCustomeroritsagentmustnotifyMasterCardwithin30businessdays

ofanychangeinthepersonneldesignatedtoadministertheMasterCard

NetworkDevice.RefertoAppendixCofthismanualforcontactinformation.

6.TheCustomeroritsagentmustmaintainanddocumentappropriateaudit

proceduresforeachMasterCardNetworkDevice.Auditreportsmustbe

maintainedandaccessibletotheCustomerforatleastoneyear,includinga

minimumof90daysinaneasilyretrievedelectronicformat.

7.TheCustomermustensurethatthesoftwareemployedinanysystemor

deviceusedtoprovideconnectivitytotheMasterCardWorldwideNetwork

isupdatedwithallappropriatesecuritypatches,revisions,andother

updatesassoonafterareleaseasispracticable.

8.ThephysicallocationoftheServiceDeliveryPointEquipmentmustbe

accessibleonlybyauthorizedpersonneloftheCustomeroritsagent.Visitor

accessmustbecontrolledbyatleastoneofthefollowingmeasures:

a.Requireeachvisitortoprovidegovernment-issuedphotoidentification

beforeenteringthephysicallocation;and/or

b.Requireeachvisitortobeescortedtothephysicallocationbyauthorized

personneloftheCustomeroritsagent.

9.IfthephysicallocationoftheServiceDeliveryPointEquipmentprovides

commonaccesstootherdevicesorequipment,thentheMasterCard

NetworkDevicemustbestoredinacabinetthatislockedbothinfrontand

therearatalltimes.Keystothecabinetmustbestoredinasecuredlocation.

10.TheCustomeroritsagentmusthavedocumentedproceduresforthe

removalofServiceDeliveryPointEquipmentfromthephysicallocation.

10.4.2AdditionalRecommendedSecurityRequirements

Customersandtheiragentsarestronglyencouragedtoputinplacethefollowing

additionalcontrolsateachfacilityhousingaMasterCardNetworkDevice:

1.PlacementoftheMasterCardNetworkDeviceinaphysicallocationthatis

enclosedbyfloor-to-ceilingwalls.

2.ContinualmonitoringoftheMasterCardNetworkDevicebycamerasor

othertypeofelectronicsurveillancesystem.Videorecordsshouldbe

maintainedforaminimumof90days.

SecurityRulesandProcedures•7February201410-29

AccountDataProtectionStandardsandPrograms

10.4ConnectingtoMasterCard—PhysicalandLogicalSecurityRequirements

10.4.3OwnershipofServiceDeliveryPointEquipment

MasterCardisthesoleandexclusiveownerofallServiceDeliveryPoint

EquipmentplacedbyMasterCardattheServiceDeliveryPoint.

Effectiveasofdateofplacement,theCustomerisgrantedanonexclusive,

non-assignableLicensetousetheServiceDeliveryPointEquipment.The

CustomermaynottakeanyactionadversetoMasterCardwithrespecttoits

ownershipoftheServiceDeliveryPointEquipment.

TheCustomeratalltimesremainsresponsibleforthesafetyandproperuse

ofallServiceDeliveryPointEquipmentplacedatalocationbyrequestofthe

Customer,andmustemployatthatlocationtheminimumsecurityrequirements

setforthinthissection10.4.Atitsownexpense,theCustomermustpromptly

returnallServiceDeliveryPointEquipmenttoMasterCarduponrequestof

MasterCardandwithoutsuchrequest,intheeventofbankruptcyorinsolvency.

10-307February2014•SecurityRulesandProcedures

Chapter11MATCHSystem

ThischapterisforAcquirerpersonnelresponsibleforinvestigatingandsigningpotential

newMerchantsandforaddingMerchantstotheMemberAlerttoControlHigh-risk

(Merchants)(MATCH™)system.

11.1MATCHOverview................................................................................................................11-1

11.1.1SystemFeatures...........................................................................................................11-1

11.1.2HowdoesMATCHSearchwhenConductinganInquiry?...........................................11-2

11.1.2.1RetroactivePossibleMatches..............................................................................11-2

11.1.2.2ExactPossibleMatches.......................................................................................11-3

11.1.2.3PhoneticPossibleMatches..................................................................................11-4

11.2MATCHStandards................................................................................................................11-4

11.2.1Certification.................................................................................................................11-5

11.2.2WhentoAddaMerchanttoMATCH...........................................................................11-5

11.2.3InquiringaboutaMerchant.........................................................................................11-6

11.2.6MATCHRecordRetention............................................................................................11-6

11.4MerchantRemovalfromMATCH..........................................................................................11-6

11.5MATCHReasonCodes.........................................................................................................11-7

11.5.1ReasonCodesforMerchantsListedbytheAcquirer...................................................11-7

SecurityRulesandProcedures•7February201411-i

MATCHSystem

11.1MATCHOverview

MasterCarddesignedMATCH™,theMemberAlerttoControlHigh-risk

(Merchants)system,toprovideAcquirerswiththeopportunitytodevelop

andreviewenhancedorincrementalriskinformationbeforeenteringintoa

MerchantAgreement.MATCHisamandatorysystemforMasterCardAcquirers.

TheMATCHdatabaseincludesinformationaboutcertainMerchants(andtheir

owners)thatanAcquirerhasterminated.

WhenanAcquirerconsiderssigningaMerchant,MATCHcanhelptheAcquirer

assesswhethertheMerchantwasterminatedbyanotherAcquirerdueto

circumstancesthatcouldaffectthedecisionwhethertoacquireforthisMerchant

and,ifadecisionismadetoacquire,whethertoimplementspecificactionor

conditionswithrespecttoacquiring.

WARNING!

MasterCarddoesnotverify,otherwiseconrm,oraskforconrmationof

eitherthebasisfororaccuracyofanyinformationthatisreportedtoorlisted

inMATCH.Itispossiblethatinformationhasbeenwrongfullyreportedor

inaccuratelyreported.Itisalsopossiblethatfactsandcircumstancesgivingrise

toaMATCHreportmaybesubjecttointerpretationanddispute.

11.1.1SystemFeatures

MATCHusesCustomer-reportedinformationregardingMerchantsandtheir

ownerstoofferAcquirersthefollowingfrauddetectionfeaturesandoptions

forassessingrisk:

•Acquirersmayaddandsearchforinformationregardinguptofiveprincipal

andassociatebusinessownersperMerchant.

•Acquirersmaydesignateregionsandcountriesfordatabasesearches.

•MATCHusesmultiplefieldstodeterminepossiblematches.

•MATCHeditsspecificfieldsofdataandreducesprocessingdelaysby

notifyinginquiringCustomersoferrorsasrecordsareprocessed.

•MATCHsupportsretroactivealertprocessingofdataresidingonthe

databaseforupto360days.

•Acquirersdeterminewhethertheywanttoreceiveinquirymatches,andif

so,thetypeofinformationthatthesystemreturns.

•MATCHprocessesdatasubmittedbyAcquirersonceperdayandprovides

dailydetailresponsefiles.

•AcquirersmayaccessMATCHdataonlineinrealtimeusingaPCatthe

Acquirer’ssite.

SecurityRulesandProcedures•7February201411-1

MATCHSystem

11.1MATCHOverview

ThroughdirectcommunicationwiththelistingAcquirer,aninquiringAcquirer

maydeterminewhethertheMerchantinquiredofisthesameMerchant

previouslyreportedtoMATCH,terminated,orinquiredaboutwithinthepast

360days.TheinquiringAcquirermustthendeterminewhetheradditional

investigationisappropriate,orifitshouldtakeothermeasurestoaddressrisk

issues.

11.1.2HowdoesMATCHSearchwhenConductinganInquiry?

MATCHsearchesthedatabaseforpossiblematchesbetweentheinformation

providedintheinquiryandthefollowing:

•Informationreportedandstoredduringthepastfiveyears

•Otherinquiriesduringthepast360days

MATCHsearchesforexactpossiblematchesandphoneticpossiblematches.

NOTE

AllMATCHresponsesreectingthatinquiryinformationisresidentonMATCH

aredeemed“possiblematches”becauseofthenatureofthesearchmechanisms

employedandtheinabilitytoreportatrueandexactmatchwithabsolute

certainty.

NOTE

Therearetwotypesofpossiblematches,includingadatamatch(forexample,

nametoname,addresstoaddress)andaphonetic(sound-alike)matchmade

usingspecialsoftware.

NOTE

Forconvenienceonly,theremainderofthismanualmaysometimesomitthe

word“possible”whenreferringto“possiblematches”or“apossiblematch.”

TheAcquirerdeterminesthenumberofphoneticmatches—onetonine—that

willcauseapossiblematchtobetrustworthy.

MATCHreturnsthefirst100responsesforeachinquirysubmittedbyan

Acquirer.MATCHreturnsallterminatedMerchantMATCHresponsesregardless

ofthenumberofpossiblematches.

11.1.2.1RetroactivePossibleMatches

Iftheinformationintheoriginalinquiryfindsnewpossiblematchesofa

MerchantorinquiryrecordintheMATCHdatabaseaddedsincetheoriginal

inquirywassubmittedandthisinformationhasnotbeenpreviouslyreported

totheAcquireratleastoncewithinthepast360days,thesystemreturnsa

retroactivepossiblematchresponse.

11-27February2014•SecurityRulesandProcedures

MATCHSystem

11.1MATCHOverview

11.1.2.2ExactPossibleMatches

MATCHfindsanexactpossiblematchwhendatainaninquiryrecordmatches

dataontheMATCHsystemletter-for-letter,number-for-number,orboth.An

exactmatchtoanyofthefollowingdataresultsinapossiblematchresponse

fromMasterCard:

Table11.1—ExactPossibleMatchCriteria

Field+Field+Field=Match

BusinessName=Ö

BusinessPhoneNumber=Ö

BusinessNationalTaxID+Country=Ö

BusinessStateTaxID+State=Ö

BusinessStreetAddress+City+State1=Ö

BusinessStreetAddress+City+Country2=Ö

PrincipalOwner’s(PO)FirstInitial+LastName=Ö

POFirstName+LastName=Ö

POPhoneNumber=Ö

POSocialSecurityNumber1=Ö

PONationalID2=Ö

POStreetAddress(lines1and2)+POCity+POState1=Ö

POStreetAddress(lines1and2)+POCity+POCountry2=Ö

PODriver’sLicense(DL)Number+DLState1=Ö

PODriver’sLicenseNumber+DLCountry2=Ö

NOTE

MATCHusesStreet,City,andStateiftheMerchant’scountryisUSA;otherwise,

Street,City,andCountryareused.

1.IfcountryisUSA.

2.IfcountryisnotUSA.

SecurityRulesandProcedures•7February201411-3

MATCHSystem

11.2MATCHStandards

11.1.2.3PhoneticPossibleMatches

TheMATCHsystemconvertscertainalphabeticdata,suchasBusinessNameand

PrincipalOwnerLastNametoaphoneticcode.Thephoneticcodegenerates

matchesonwordsthatsoundalike,suchas“Easy”and“EZ.”Thephonetic

matchingfeatureofthesystemalsomatchesnamesthatarenotnecessarily

aphoneticmatchbutmightdifferbecauseofatypographicalerror,suchas

“Rogers”and“Rokers,”oraspellingvariation,suchas“Lee,”“Li,”and“Leigh.”

MATCHevaluatesthefollowingdatatodetermineaphoneticpossiblematch.

Table11.2—PhoneticPossibleMatchCriteria

Field+Field+Field=Match

BusinessName=Ö

DoingBusinessAs(DBA)Name=Ö

BusinessStreetAddress+City+State3=Ö

BusinessStreetAddress+City+Country4=Ö

PrincipalOwner’s(PO)FirstInitial+LastName=Ö

POStreetAddress(lines1and2)+POCity+POState3=Ö

POStreetAddress(lines1and2)+POCity+POCountry4=Ö

NOTE

MATCHusesStreet,City,andStateiftheMerchant’scountryisUSA;otherwise,

Street,City,andCountryareused.

11.2MATCHStandards

MasterCardmandatesthatallAcquirerswithMerchantactivityuseMATCH.5

Tousemeansbothto:

•AddinformationaboutaMerchantthatisterminatedwhileorbecausea

circumstanceexists(Seesection11.2.2),and

•InquireagainsttheMATCHdatabase

Customersmustactdiligently,reasonably,andingoodfaithtocomplywith

MATCHStandards.

3.IfcountryisUSA

4.IfcountryisnotUSA

5.AcquirersgloballyareassessedanannualMATCHusagefeeofUSD4,000.Inaddition,Acquirersare

assessedaMATCHinquiryfee(perMemberID/ICAnumber)foreachMATCHinquiry.

11-47February2014•SecurityRulesandProcedures

MATCHSystem

11.2MATCHStandards

11.2.1Certication

EachAcquirerthatconductsMerchantacquiringActivitymustbecertifiedby

MasterCardtouseMATCHbecauseitisamandatorysystem.AnAcquirerthat

doesnotcomplywiththeserequirementsmaybeassessedfornoncompliance,

asdescribedinthischapter.

CertificationistheprocessbywhichMasterCardconnectsanAcquirertothe

MATCHsystem,sothattheAcquirermaysendandreceiveMATCHrecords

toandfromMasterCard.TobecertifiedforMATCHusage,Acquirersmust

requestaccessforeachMemberID/ICAnumberunderwhichacquiringActivity

isconducted.

NOTE

AnAcquirerthatconductsMerchantacquiringActivityunderaMemberID/ICA

numberthatdoesnothaveaccesstotheMATCHsystemisnotconsidered

certied.

AnAcquirerthatisnotMATCH-certifiedissubjecttononcompliance

assessmentsasdescribedinTable11.3.

11.2.2WhentoAddaMerchanttoMATCH

IfeithertheAcquirerortheMerchantactstoterminatetheacquiringrelationship

(suchasbygivingnoticeoftermination)and,atthetimeofthatact,the

AcquirerhasreasontobelievethataconditiondescribedinTable11.4exists,

thentheAcquirermustaddtherequiredinformationtoMATCHwithinfive

calendardaysoftheearlierofeither:

1.AdecisionbytheAcquirertoterminatetheacquiringrelationship,regardless

oftheeffectivedateofthetermination,or

2.ReceiptbytheAcquirerofnoticebyoronbehalfoftheMerchantofa

decisiontoterminatetheacquiringrelationship,regardlessoftheeffective

dateofthetermination.

Acquirersmustactdiligently,reasonably,andingoodfaithtocomplywith

MATCHsystemrequirements.

AcquirersmaynotuseorthreatentouseMATCHasacollectiontoolforminor

Merchantdiscretionaryactivity.OneofthedefinedreasoncodesinTable11.4

mustbemetorsuspected(atdecisiontoterminate)tojustifyaMerchant

addition.AcquirersthatuseorthreatentouseMATCHasacollectiontoolfor

minorMerchantdiscretionaryactivityaresubjecttononcomplianceassessments

asdescribedinTable11.3.

AnAcquirerthatfailstoenteraMerchantintoMATCHissubjecttoa

noncomplianceassessment,andmaybesubjecttoanunfavorablerulingina

compliancecasefiledbyasubsequentAcquirerofthatMerchant.

SecurityRulesandProcedures•7February201411-5

MATCHSystem

11.4MerchantRemovalfromMATCH

11.2.3InquiringaboutaMerchant

AnAcquirermustcheckMATCHbeforesigninganagreementwithaMerchant

inaccordancewithsection7.1ofthismanual.

AnAcquirerthatentersintoaMerchantAgreementwithoutfirstsubmittingan

inquirytoMATCHabouttheMerchantmaybesubjecttoanunfavorableruling

inacompliancecasefiledbyasubsequentAcquirerofthatMerchant.

AcquirersmustconductinquiriesundertheproperMemberIDforreporting

compliancereasons.IfanAcquirerdoesnotconducttheinquiryunderthe

properMemberID(thatis,theMemberIDthatisactuallyprocessingforthe

Merchant),MasterCardmayfindtheAcquirerinnoncomplianceandmay

imposeanassessment.

FailuretocomplywitheithertherequirementofaddingaterminatedMerchant

orinquiringaboutaMerchantmayresultinnoncomplianceassessmentsas

describedinTable11.3.

11.2.6MATCHRecordRetention

AnAcquirershouldretainallMATCHrecordsreturnedbyMasterCard

tosubstantiatethattheAcquirercompliedwiththerequiredprocedures.

MasterCardrecommendsthattheAcquirerretaintheserecordsinamanner

thatallowsforeasyretrieval.

MerchantrecordsremainontheMATCHsystemforfiveyears.Eachmonth,

MATCHautomaticallypurgesanyMerchantinformationthathasbeeninthe

databaseforfiveyears.

NOTE

TheMATCHsystemdatabasestoresinquiryrecordsfor360days.

11.4MerchantRemovalfromMATCH

MasterCardmayremoveaMerchantlistingfromMATCHforthefollowing

reasons:

•TheAcquirerreportstoMasterCardthattheAcquireraddedtheMerchantto

MATCHinerror.

•TheMerchantlistingisforreasoncode12(PaymentCardIndustryData

SecurityStandardNoncompliance)andtheAcquirerhasconfirmedthatthe

MerchanthasbecomecompliantwiththePaymentCardIndustryData

SecurityStandard.TheAcquirermustsubmittherequesttoremovea

MATCHreasoncode12MerchantlistingfromMATCHinwritingonthe

Acquirer’sletterheadtoMerchantFraudControl.Suchrequestmustinclude

thefollowinginformation:

1.AcquirerIDNumber

11-67February2014•SecurityRulesandProcedures

MATCHSystem

11.5MATCHReasonCodes

2.MerchantIDNumber

3.MerchantName

4.DoingBusinessAs(DBA)Name

5.BusinessAddress

a.StreetAddress

b.City

c.State

d.Country

e.PostalCode

6.PrincipalOwner(PO)Data

a.PO’sFirstNameandLastName

b.PO’sCountryofResidence

RefertosectionC.2ofAppendixCofthismanualforthecontact

informationofMerchantFraudControl.

AnyrequestrelatingtoaMerchantlistedforreasoncode12must

contain:

–TheAcquirer’sattestationthattheMerchantisincompliance

withthePaymentCardIndustryDataSecurityStandard,and

–AletterorcertificateofvalidationfromaMasterCardcertified

forensicexaminer,certifyingthattheMerchanthasbecome

compliantwiththePaymentCardIndustryDataSecurity

Standard.

IfanAcquirerisunwillingorunabletosubmitarequestto

MasterCardwithrespecttoaMerchantremovalfromaMATCH

listingasaresultoftheMerchantobtainingcompliancewiththe

PaymentCardIndustryDataSecurityStandard,theMerchantitself

maysubmitarequesttoMasterCardforthisreason.TheMerchant

mustfollowthesameprocessasdescribedaboveforAcquirersto

submittheMATCHremovalrequest.

11.5MATCHReasonCodes

MATCHreasoncodesidentifywhetheraMerchantwasaddedtotheMATCH

systembytheAcquirerorbyMasterCard,andthereasonforthelisting.

11.5.1ReasonCodesforMerchantsListedbytheAcquirer

ThefollowingreasoncodesindicatewhyanAcquirerreportedaterminated

MerchanttoMATCH.

SecurityRulesandProcedures•7February201411-7

MATCHSystem

11.5MATCHReasonCodes

Table11.4—MATCHListingReasonCodesUsedbyAcquirers

MATCH

Reason

CodeDescription

01AccountDataCompromise

TheMerchantunknowinglyorunintentionallyfacilitated,byanymeans,theunauthorized

disclosureoruseofAccountinformation.

02CommonPointofPurchase(CPP)

TheMerchantknowinglycausedorfacilitated,byanymeans,theunauthorizeddisclosure

oruseofAccountinformation.

03Laundering

TheMerchantwasengagedinlaunderingactivity.LaunderingmeansthataMerchant

presentedtoitsAcquirerTransactionrecordsthatwerenotvalidTransactionsforsalesof

goodsorservicesbetweenthatMerchantandabonafideCardholder.

04ExcessiveChargebacks

WithrespecttoaMerchantreportedbyaMasterCardAcquirer,theMerchant’schargebacks

inanysinglemonthexceeded1%ofitsMasterCardsalesTransactionsinthatmonth,and

thosechargebackstotaledUSD5,000ormore.

WithrespecttoamerchantreportedbyanAmericanExpressacquirer(ICAnumbers102

through125),themerchantexceededthechargebackthresholdsofAmericanExpress,as

determinedbyAmericanExpress.

05ExcessiveFraud

TheMerchanteffectedfraudulentTransactionsofanytype(counterfeitorotherwise)

meetingorexceedingthefollowingminimumreportingStandard:theMerchant’s

fraud-to-salesdollarvolumeratiowas8%orgreaterinacalendarmonth,andtheMerchant

effected10ormorefraudulentTransactionstotalingUSD5,000ormoreinthatcalendar

month.

06ReservedforFutureUse

(RefertoTable11.5)

07FraudConviction

TherewasacriminalfraudconvictionofaprincipalownerorpartneroftheMerchant.

08MasterCardQuestionableMerchantAuditProgram

TheMerchantwasdeterminedtobeaQuestionableMerchantasperthecriteriasetforthin

theMasterCardQuestionableMerchantAuditProgram(refertosection8.4ofthismanual).

09Bankruptcy/Liquidation/Insolvency

TheMerchantwasunableorislikelytobecomeunabletodischargeitsfinancialobligations.

11-87February2014•SecurityRulesandProcedures

MATCHSystem

11.5MATCHReasonCodes

MATCH

Reason

CodeDescription

10ViolationofStandards

WithrespecttoaMerchantreportedbyaMasterCardAcquirer,theMerchantwasinviolation

ofoneormoreStandardsthatdescribeprocedurestobeemployedbytheMerchantin

TransactionsinwhichCardsareused,including,bywayofexampleandnotlimitation,

theStandardsforhonoringallCards,displayingtheMarks,chargestoCardholders,

minimum/maximumTransactionamountrestrictions,andprohibitedTransactionssetforth

inChapter5oftheMasterCardRulesmanual.

WithrespecttoamerchantreportedbyanAmericanExpressacquirer(ICAnumbers102

through125),themerchantwasinviolationofoneormoreAmericanExpressbylaws,

rules,operatingregulations,andpoliciesthatsetforthprocedurestobeemployedbythe

merchantintransactionsinwhichAmericanExpresscardsareused.

11MerchantCollusion

TheMerchantparticipatedinfraudulentcollusiveactivity.

12PCIDataSecurityStandardNoncompliance

TheMerchantfailedtocomplywithPaymentCardIndustry(PCI)DataSecurityStandard

requirements.

13IllegalTransactions

TheMerchantwasengagedinillegalTransactions.

14IdentityTheft

TheAcquirerhasdeterminedthattheidentityofthelistedMerchantoritsprincipalowner(s)

wasunlawfullyassumedforthepurposeofunlawfullyenteringintoaMerchantAgreement.

OneadditionalreasoncodemayapplytoMerchantslistedinMATCH.Acquirers

nolongermayaddMerchantstoMATCHusingthereasoncodeinTable11.5;

however,thiscodestillmayappearinlegacyMATCHreports.

Table11.5—MATCHReasonCodesNoLongerAvailableforListingPurposes

MATCH

Reason

CodeDescription

06ViolationofMerchantAgreement

TheMerchantwasinviolationofasignificanttermorconditionoftheMerchantAgreement.

Asusedherein,asignificanttermorconditionmeansonethatconcernsthetruthfulness

oftheMerchantorthecommercialreasonablenessoftheMerchant'smannerofdoing

businessanddoesnotmeanatechnicalviolationoftheMerchantAgreement,suchas

oneresultinginaminorfinancialdispute.

SecurityRulesandProcedures•7February201411-9

Chapter12Omitted

Thischapterhasbeenomitted.

SecurityRulesandProcedures•7February201412-i

Chapter13FraudManagementProgram(FMP)

ThischapterdescribestheFraudManagementProgram(FMP)Standardsandappliestoall

MasterCardCustomers,ServiceProviders,andPaymentFacilitators.

13.1AboutFMP...........................................................................................................................13-1

13.1.2FMPLevel2Non-CustomerReviews...........................................................................13-1

SecurityRulesandProcedures•7February201413-i

FraudManagementProgram(FMP)

13.1AboutFMP

TheMasterCardFraudManagementProgram(FMP)isatoolforassessinga

MasterCardCustomer’scurrentcapabilitytomanage,anticipate,andprotect

againstinternalandexternalrisksintheissuingandacquiringportfolio.

FMPalsodeterminestheeffectivenessofexistingfraudlosscontrolsandother

riskreductionmeasuresandassistsMasterCardCustomersinidentifyingspecific

areaswheresuchmeasuresmaybeinadequate.

Inaddition,FMPprovidesindustrybestpracticestosupportbusinessgrowthby

enhancingtheoveralloperationalefficiencyandprofitabilityoftheissuingand

acquiringportfoliowhilemaintaininglossesatanacceptablelevel.

FMPconsistsofthreemandatorylevelsandoneoptionallevel.Thethree

mandatorylevelsareLevel1reviewsforprospectiveMasterCardPrincipal

CustomersandMasterCardAffiliateCustomers,Level2Non-Customerreviews,

andLevel3Customerreviews.AMaestroCustomeridentifiedbyMasterCard>>

asaGroup3IssuerpursuanttotheMaestroIssuerLossControlProgrammay

alsoberequiredtoundergoaLevel3Customerreview.ACustomermayalso

choosetoparticipateinLevel4CustomerConsultativereviews.Thischapter

describestheStandardsforeachreviewlevel.

13.1.2FMPLevel2Non-CustomerReviews

TheFMPLevel2Non-Customerreviewisanannualreviewconductedfor

selectedServiceProvidersandPaymentFacilitators,atthesolediscretionof

SecurityandRiskServicesstaff.

MasterCardwillexaminetheServiceProvider’sorPaymentFacilitator'sabilityto

supportMasterCardCustomerssothattheycanadheretotheminimumfraud

losscontrolProgramrequirementsdescribedinChapter6ofthismanual.

AServiceProviderorPaymentFacilitatorthatfailsanFMPLevel2Non-Customer

reviewissubjecttoderegistration.

SecurityRulesandProcedures•7February201413-1

AppendixAOmitted

Thischapterhasbeenomitted.

SecurityRulesandProcedures•7February2014A-i

AppendixBFormsetSpecications

ThisappendixcontainsspecicationsfortheinterchangecopyofMasterCard®Card

Transactionformsets.

B.1MasterCardFormsetSpecifications..........................................................................................B-1

B.1.1FormsetPhysicalDimensions.........................................................................................B-1

B.1.2NumberofCopiesandRetentionRequirements.............................................................B-1

B.1.3PaperStockCharacteristics.............................................................................................B-1

B.1.4ColorofInterchangeCopy.............................................................................................B-1

B.1.5Carbon............................................................................................................................B-1

B.1.6RegistrationMark............................................................................................................B-2

B.1.6.1RegistrationMarkLocation.....................................................................................B-2

B.1.7FormsetNumbering........................................................................................................B-2

B.1.7.1FormsetNumberLocation......................................................................................B-2

B.1.8InformationSlipSpecifications.......................................................................................B-3

B.2FormsetPrintingStandards.....................................................................................................B-3

B.2.1FinancialTransactionFormsets.......................................................................................B-3

B.2.2InformationSlipFormsets...............................................................................................B-4

B.2.3Imprinters.......................................................................................................................B-5

SecurityRulesandProcedures•7February2014B-i

FormsetSpecications

B.1MasterCardFormsetSpecications

AformsetisaTransactioninformationdocument(TID)producedwithamanual

imprinter.ThisappendixdescribestheStandardsfortheinterchangecopyof

Point-of-Sale(POS)Transaction,refundTransaction,ManualCashDisbursement>>

Transaction,andinformationformsets,includingphysicaldimensions,weight,

color,carbonpaper,registrationmarks,numbering,andprinting.

B.1.1FormsetPhysicalDimensions

Formsetsmustbethesizeofastandard80-columnCard(3.250inchesx7.375

inches,or8.260cmx18.744cm)orastandard51-columnCard(3.250inchesx

4.852inches,or8.260cmx12.332cm),withanupperright-handcornercut.

B.1.2NumberofCopiesandRetentionRequirements

Eachformsetmustconsistofatleasttwocopies,onecompletecopyforthe

Merchant/Acquirer,andonecompletecopyforthecustomer.MasterCard

recommendsthattheMerchantortheAcquirerprocessthecopysignedbythe

Cardholder.Ifthisistheonlycopyretained,theMerchantmustholdthecopy

(microfilmorotherwisereproducedcopy)foratleast13monthstosatisfy>>

theMasterCardretentionrequirement.

B.1.3PaperStockCharacteristics

Formsetsmustbenolessthan28-poundstockandnomorethan103-pound

stock,U.S.RegionStandards.

B.1.4ColorofInterchangeCopy

Thecoloroftheinterchangecopyofaformsetmustbemanilaorwhiteif

Cardstock(forexample,95-poundstock,U.S.Regionstandardsorheavier),

andmustbewhiteifpaperstock(forexample,28-poundstock,U.S.Region

standardsorheavierbutlessthan95-poundstock).

B.1.5Carbon

Thecarbonpaperusedtoimprinttheinterchangecopyofaformsetmustbe

blackandofopticalcharacterrecognition(OCR)quality.Allformsetsordered

byCustomerssupplyingformsetstoMerchantsmustbemanufacturedsothat

theAccountnumbercannotbeidentifiedonanycarbonsthatmaybediscarded

afterasalesTransactioniscompleted.Thefollowingtypesofformsetsare

examplesthatcomplywiththisrule:

SecurityRulesandProcedures•7February2014B-1

FormsetSpecications

B.1.6RegistrationMark

•Carbonlessformsets

•Carbononthebackformsets

•Formsetswithcarbonsthatareperforatedinsuchamannerthatno

completeAccountnumberremainsonthecarbontobediscarded

B.1.6RegistrationMark

Iftheinterchangecopyofan80-columnformsethasaregistrationmark,

thentheregistrationmarkmustbepreprintedandofuniformdensityof

non-reflective(preferablyblack)ink.Thestrokewidthofthemarkmustbe

0.030inches±0.010inches(0.0762cm±0.0254cm),andthelengthofeach

legofthemark,measuredonitsinneredge,mustbeatleast0.400inches

(1.017cm).Themarkmustbealignedwiththealigningedgewithnovisible

skew(±2degrees).

B.1.6.1RegistrationMarkLocation

Iftheinterchangecopyofan80-columnformsethasaregistrationmark,then

thelocationoftheregistrationmarkinrelationtotheleadingandaligning

edgescannotvaryfromdocumenttodocumentmorethan±0.050inches(±

127cm).Theleadingedgeoftheverticallegoftheregistrationmarkshallbe

2.40625inches(6.116cm)fromtheleftedgeoftheinterchangecopy(withthe

stubremoved)andthebottomedgeofthehorizontallegshallbe0.625inches

(1.589cm)fromthebottomedge.

B.1.7FormsetNumbering

EachAcquirermustsupplyitsMerchantswithconsecutivelypre-numbered

formsetswithsequentialreferencenumbers.Eachreferencenumbermust

consistofsevendigits,withtheseventhdigitfromtherightbeingaTransaction

code(thenumber“5”onPOSTransactionslips,thenumber“6”onrefund>>

Transactionslips,andthenumber“7”onManualCashDisbursement

Transactionslips),andmustbein7Bfontwithnominalhorizontalspacingof

sevencharacterstotheinch.

B.1.7.1FormsetNumberLocation

Onan80-columnCardsizeformset,thesequentialreferencenumbermustbe

locatedinthe0.500inches(1.271cm)clearbandareaatthetopfrontofeach

copyoftheform.Thefirst(orloworder)digitofthereferencenumbermustbe

aminimumof1.4375inches(3.653cm)fromtheright-mostedgeoftheformset

tothebeginningofthatcharacter;theseventh(orhighorder)digitmustbea

maximumof2.625inches(6.672cm)fromtheright-mostedgeoftheformset

totheendofthatcharacter;andthecenterlineofthenumbersmustbe0.219

inches±0.040inches(0.557cm±0.102cm)fromthetopoftheformset.

B-27February2014•SecurityRulesandProcedures

FormsetSpecications

B.1.8InformationSlipSpecications

InformationslipsprovidetheCardholderwithadditionaldetailsrelatedtoa

POSTransaction,refundTransaction,orManualCashDisbursementTransaction>>

(herein,"financialTransactions").Theinformationslipmustbethesamesize,

weight,andcolorasallotherMasterCardformsets.

B.2FormsetPrintingStandards

TheStandardslistedbelowapplytotheprintingofformsets.

B.2.1FinancialTransactionFormsets

ThissectionappliestotheprintingoftheinterchangecopyoftheMasterCard

CardformsetsforfinancialTransactions.RefertosectionB.1.8forprinting>>

requirementsspecifictoinformationslips.

1.Thereversesideofanyinterchangecopyshallbeblank.

2.Thespacereservedforimprintingontheinterchangecopymustremain

clearofanyprinting.Thisspaceshallbenotlessthan3.125inches(7.943

cm)longby2.125inches(5.401cm)highlyinghorizontallyacrossthetop

andcommencingattheupperleft-handcorner(withthestubsremoved).

3.Theinterchangecopiesofformsetsmusthaveanareanotlessthan4.250

inches(10.802cm)longand0.500inches(1.271cm)highlyinghorizontally

acrossthebottomandcommencingatthelowerright-handcorner,left

clearofanyprinting.

4.Thisareashallbenotlessthan4.500inches(11.437cm)longand0.625

inches(1.589cm)high,andthebalanceoftheareawithin0.625inches

(1.589cm)ofthebottomshallbeleftclearofanymagneticinkcharacter

recognition(MICR)andOCRactiveprintingormarkingswiththeexception

ofMICRencoding.

5.Theinterchangecopiesofformsetsmusthaveanareanotlessthanthe

lengthoftheslipby0.500inches(1.271cm)highlyinghorizontallyacross

thetopoftheslip,leftclearofanypreprintingexceptforthesequential

referencenumberonan80-columnslipandalsodiscretionarydata(located

between0.375inchesand1.3125inches[0.953cmand3.3359cm]fromthe

right-handedgein7Bfont).

6.Iftheformsethasaregistrationmark,asquare,formedbyaclearband1/8

inches(0.318cm)fromtheexternaledgesandtipsofaminimumlength

registrationmarkandnotlessthan11/16inchesby11/16inches(1.747cmx

1.747cm),shallbeleftclearofanyprintingexceptfortheregistrationmark.

7.TheprintingonthefaceofthecopiesofrefundTransactionslipsshall>>

beinredink.TheprintingonthefaceofthecopiesofPOSTransaction

andManualCashDisbursementTransactionslipsmustnotbeinredink.

MasterCardrecommendsthattheprintingonPOSTransactionslipsbein

SecurityRulesandProcedures•7February2014B-3

FormsetSpecications

B.2.2InformationSlipFormsets

eitherblueorblackinkandonManualCashDisbursementslipsineither

greenorblackink.

B.2.2InformationSlipFormsets

Followingisalistofrequirementsforprintinginformationslips:

1.Thefollowingareasshallbeleftclearofprinting:

•0.500inches(1.271cm)highlyinghorizontallyacrosstheentirelength

ofthetopoftheslip.

•4.500inches(11.437cm)longby0.625inches(1.589cm)highlying

horizontallyacrossthebottomoftheslipcommencingatthelower

right-handcorner.

•1.344inches(3.415cm)longby0.375inches(0.953cm)highlying

horizontallystarting4.875inches(12.390cm)fromtheleftedgeand

0.970inches(2.468cm)fromthetopedgeoftheslip.

•0.875inches(2.224cm)longby0.375inches(0.953cm)highlying

horizontallystarting6.219inches(15.805cm)fromtheleftedgeand

0.970inches(2.468cm)fromthetopedgeoftheslip.

•6.156inches(15.647cm)longby0.375inches(0.953cm)highlying

horizontallystarting0.375inches(0.953cm)fromtheleftedgeand

2.281inches(5.798cm)fromthetopedge.

•1.250inches(3.177cm)longby0.375inches(0.953cm)highlying

horizontallystarting6inches(15.250cm)fromtheleftedgeand2.281

inches(5.798cm)fromthetopedge.

2.MasterCardrecommendsusingblackinkforallprinting.

3.ForTransactiondateidentification,theinformationslipmustcontaina

computer-printeddatearea.Entertheelementsofthedateinthisareaby

indicatingthesequence(forexample,month-day-year)inEnglishand,at

theAcquirer’soption,alsointhelocallanguage.

4.ForsituationswhentheTransactiondateisnotavailable,eachinformation

slipwillbepreprintedwiththeexpression,“Transactiondatenotavailable”

inEnglishand,attheAcquirer’soption,alsointhelocallanguage.

5.Thereversesideshallbeblank.

B-47February2014•SecurityRulesandProcedures

FormsetSpecications

B.2.3Imprinters

EachCustomerisresponsibleforsupplyingtoitsMerchantsconducting

face-to-facePOSTransactions,onsuchtermsasmaybeagreeduponbetween>>

them,andformaintainingateachCustomerlocationthatdisbursescashto

Cardholders,imprinterscapableofproducingasatisfactoryimprintfroma

Cardupontheinterchangecopyofaformset.Theimprintermustcontaina

platethatwillimprintontheinterchangecopyoftheformsetthenameand

numberoftheMerchant,orthenameoftheCustomerdisbursingthecash

disbursement,andthecityandstate(orcountry,ifthelocationisoutsidethe

UnitedStates)wheretheTransactionoccurred.

SecurityRulesandProcedures•7February2014B-5

AppendixCOmitted

Thischapterhasbeenomitted.

SecurityRulesandProcedures•7February2014C-i

AppendixDBestPracticesGuides

ThisappendixcontainsadescriptionofthepublicationsintheMasterCard“BestPractices”

seriesandaccessinstructionsviaMasterCardConnect™.

D.1Acquirers’BestPracticesGuide..............................................................................................D-1

SecurityRulesandProcedures•7February2014D-i

BestPracticesGuides

D.1Acquirers’BestPracticesGuide

TheAcquirers’BestPracticesGuidecoverscriticalissuesofwhichAcquirers

andtheirMerchantsshouldbeawareinordertorecognizeandtocombat

fraud.Itreviewstheentireprocess,fromsigningMerchants,totrainingthem,

toongoingmonitoring.Theguidealsodescribescommonfraudulentschemes

tohelpAcquirersrecognizeillegalactivityintheirbusinesses.

SecurityRulesandProcedures•7February2014D-1

AppendixEOmitted

Thischapterhasbeenomitted.

SecurityRulesandProcedures•7February2014E-i

Denitions

AccessDevice

Denitions

Thefollowingtermsusedinthismanualhavethemeaningssetforthbelow.

AccessDevice

AdeviceotherthanaCardthatusesatleastonePaymentApplicationtoprovideaccesstoan

AccountincompliancewiththeStandards.AContactlessPaymentDeviceisatypeofAccess

Device.ACirrusAccessDevice,MaestroAccessDevice,andMasterCardAccessDeviceiseachan

AccessDevice.AlsoseeMobilePaymentDevice.

Account

AnaccountmaintainedbyoronbehalfofaCardholderbyanIssuerfortheprocessingof

Transactions,andwhichisidentifiedwithanIIN/BINdesignatedbytheCorporationinitsrouting

tablesforroutingtotheInterchangeSystem.SeeCirrusAccount,MaestroAccount,MasterCard

Account.

Acquirer

ACustomerinitscapacityasanacquirerofaTransaction.

Activity(ies)

TheundertakingofanyactthatcanbelawfullyundertakenonlypursuanttoLicensebythe

Corporation.

AfliateCustomer,Afliate

ACustomerthatparticipatesindirectlyinActivitythroughtheSponsorshipofaPrincipalor,solely

withrespecttoMasterCardActivity,throughtheSponsorshipofanAssociation.AnAffiliate

maynotSponsoranyotherCustomer.

AssociationCustomer,Association

AMasterCardCustomerthatparticipatesdirectlyinMasterCardActivityusingitsassignedBINsand

whichmaySponsoroneormoreMasterCardAffiliatesbutmaynotdirectlyissueMasterCardCards

oracquireMasterCardTransactionswithouttheexpresspriorwrittenconsentoftheCorporation.

AutomatedT ellerMachine(ATM)

Anunattendedself-servicePOIdevicethatperformsbasicbankingfunctionssuchasaccepting

deposits,cashwithdrawals,orderingtransfersamongaccounts,loanpaymentsandaccount

balanceinquiries.

ATMOwnerAgreement

AnagreementbetweenanATMownerandaCustomerthatsetsforththetermspursuantto

whichtheATMacceptsCards.

ATMTerminal

AnATMthatenablesaCardholdertoeffectaTransactionwithaCardinaccordancewiththe

Standards.

ATMTransaction

AcashwithdrawaleffectedatanATMTerminalwithaCardandprocessedthroughthe

MasterCardATMNetwork.AnATMTransactionisidentifiedwithMCC6011(AutomatedCash

Disbursements—CustomerFinancialInstitution).

SecurityRulesandProcedures•7February2014G-1

Denitions

Card

AcardissuedbyaCustomerpursuanttoLicenseandinaccordancewiththeStandardsandthat

providesaccesstoanAccount.Unlessotherwisestatedherein,Standardsapplicabletotheuse

andacceptanceofaCardarealsoapplicabletoanAccessDeviceand,inaCard-not-present

environment,anAccount.ACirrusCard,MaestroCard,andMasterCardCardiseachaCard.

Cardholder

TheauthorizeduserofaCardorAccessDeviceissuedbyaCustomer.

ChipCard(SmartCard,IntegratedCircuitCard,ICCard,orICC)

ACardwithanembeddedEMV-compliantchipcontainingmemoryandinteractivecapabilities

usedtoidentifyandstoreadditionaldataaboutaCardholder,anAccount,orboth.

ChipTransaction

AContactChipTransactionoraContactlessChipTransaction.

CirrusAccessDevice

AnAccessDevicethatusesatleastoneCirrusPaymentApplicationtoprovideaccesstoaCirrus

AccountwhenusedatanATMTerminalorPIN-basedIn-BranchTerminal.

CirrusAccount

AnaccounteligibletobeaCirrusAccount,assetforthinRule6.1.3.2oftheMasterCardRules

manual,andidentifiedwithaBIN/IINassociatedwithaPortfoliodesignatedbytheCorporationas

aCirrusPortfolioinitsroutingtables.

CirrusCard

ACardthatprovidesaccesstoaCirrusAccount.

CirrusCustomer

ACustomerthathasbeengrantedaCirrusLicenseinaccordancewiththeStandards.

CirrusPaymentApplication

APaymentApplicationthatstoresCirrusAccountdata.

ContactChipTransaction

ATransactioninwhichdataisexchangedbetweentheChipCardandthePOITerminalthrough

thereadingofthechipusingthecontactinterface,inconformancewithEMVspecifications.

ContactlessChipTransaction,ContactlessTransaction

ATransactioninwhichdataisexchangedbetweentheChipCardorAccessDeviceandthe

POITerminalthroughthereadingofthechipusingthecontactlessinterface,bymeansofradio

frequencycommunications.MasterCardPayPassMagneticStripeProfileTransactions,MasterCard

PayPass-M/ChipTransactionsandMaestroPayPassTransactionsareContactlessChipTransactions.

“ContactlessTransaction”isanalternativetermforContactlessChipTransaction.

ContactlessPaymentDevice

AmeansotherthanaCardbywhichaCardholdermayaccessanAccountataPOITerminalin

accordancewiththeStandards.AContactlessPaymentDeviceisatypeofAccessDevicethat

exchangesdatawiththePOITerminalbymeansofradiofrequencycommunications.

G-27February2014•SecurityRulesandProcedures

Denitions

Corporation

MasterCardInternationalIncorporated,MaestroInternationalInc.,andtheirsubsidiariesand

affiliates.Asusedherein,CorporationalsomeansthePresidentandChiefExecutiveOfficerof

MasterCardInternationalIncorporated,orhisorherdesignee,orsuchofficersorotheremployees

responsiblefortheadministrationand/ormanagementofaprogram,service,product,systemor

otherfunction.UnlessotherwisesetforthintheStandards,andsubjecttoanyrestrictionimposed

bylaworregulation,orbytheBoardofDirectorsofMasterCardInternationalIncorporated,

orbytheMasterCardInternationalIncorporatedCertificateofIncorporationortheMasterCard

IncorporatedCertificateofIncorporation(aseachsuchCertificateofIncorporationmaybe

amendedfromtimetotime),eachsuchpersonisauthorizedtoactonbehalfoftheCorporation

andtosoactinhisorhersolediscretion.

Cross-borderTransaction

ATransactionthatoriginatesviaaPoint-of-Interaction(POI)Terminallocatedinadifferentcountry

fromthecountryinwhichtheCardwasissued.

Customer

AfinancialinstitutionorotherentitythathasbeenapprovedforParticipation.ACustomermay

beaPrincipal,Association,orAffiliate.AlsoseeCirrusCustomer,MaestroCustomer,MasterCard

Customer,Member.

DataStorageEntity(DSE)

AServiceProviderthatperformsanyoneormoreoftheservicesdescribedinRule7.1ofthe

MasterCardRulesmanualasDSEProgramService.

DigitalWalletOperator(DWO)

AServiceProviderthatperformsanyoneormoreoftheservicesdescribedinRule7.1ofthe

MasterCardRulesmanualasDWOProgramService.AlsoseeStagedDigitalWalletOperatorand

Pass-throughDigitalWalletOperator.

DigitalWalletOperatorMark,DWOMark

AmarkidentifyingaparticularPass-throughDigitalWalletand/orStagedDigitalWallet,andwhich

maybedisplayedatthePOItodenotethataretailer,oranyotherperson,firm,orcorporation,

acceptspaymentseffectedbymeansofthatPass-throughDigitalWalletand/orStagedDigital

Wallet.A“StagedDWOMark”anda“Pass-throughDWOMark”arebothtypesofDWOMarks.

DomesticTransaction

SeeIntracountryTransaction.

DualInterfaceHybridPOSTerminal

AHybridPOSTerminalthatiscapableofprocessingContactlessChipTransactionsbymeansof

itscontactlessinterfaceandContactChipTransactionsbymeansofitscontactinterface.Dual

InterfaceHybridPOSTerminalsinclude,butarenotlimitedto,thosewhichsupportmobile

contactlesschipTransactionsbymeansofnearfieldcommunications(NFC)technology.

SecurityRulesandProcedures•7February2014G-3

Denitions

HybridATMT erminal

AnATMTerminalthat:

1.IscapableofprocessingbothchipTransactionsandmagneticstripeTransactions;

2.Hastheequivalenthardware,software,andconfigurationasaTerminalwithfullEMVLevel1

andLevel2typeapprovalstatuswithregardtothechiptechnicalspecifications;and

3.HassatisfactorilycompletedtheCorporation’sTerminalIntegrationProcess(TIP)inthe

appropriateenvironmentofuse.

HybridMPOST erminal

AnMPOSTerminalthatmeetsallofthecriteriaofaHybridPOSTerminal.

HybridPIN-basedIn-BranchTerminal

APIN-basedIn-BranchTerminalthat:

1.IscapableofprocessingbothchipTransactionsandmagneticstripeTransactions;

2.Hastheequivalenthardware,software,andconfigurationasaTerminalwithfullEMVLevel1

andLevel2typeapprovalstatuswithregardtothechiptechnicalspecifications;and

3.HassatisfactorilycompletedtheCorporation’sTerminalIntegrationProcess(TIP)inthe

appropriateenvironmentofuse.

HybridPOITerminal

APOITerminal,includinganyPOSorMPOSTerminal(“HybridPOSTerminal”,“HybridMPOS

Terminal”),ATMTerminal(“HybridATMTerminal”),orPIN-basedIn-BranchTerminal(“Hybrid

PIN-basedIn-BranchTerminal”),that:

1.IscapableofprocessingbothchipTransactionsandmagneticstripeTransactions;

2.Hastheequivalenthardware,software,andconfigurationasaTerminalwithfullEMVLevel1

andLevel2typeapprovalstatuswithregardtothechiptechnicalspecifications;and

3.HassatisfactorilycompletedtheCorporation’sTerminalIntegrationProcess(TIP)inthe

appropriateenvironmentofuse.

IndependentSalesOrganization(ISO)

AServiceProviderthatperformsanyoneormoreoftheservicesdescribedinRule7.1ofthe

MasterCardRulesmanualasISOProgramService.

InterchangeSystem

ThecomputerhardwareandsoftwareoperatedbyandonbehalfoftheCorporationforthe

routing,processing,andsettlementofTransactionsincluding,withoutlimitation,theMasterCard

WorldwideNetwork,theMasterCardATMNetwork,theDualMessageSystem,theSingle

MessageSystem,theGlobalClearingManagementSystem(GCMS),andtheSettlementAccount

Management(SAM)system.

InterregionalTransaction

ATransactionthatoriginatesviaaPOITerminallocatedinadifferentRegionfromtheRegionin

whichtheCardwasissued.

G-47February2014•SecurityRulesandProcedures

Denitions

IntracountryTransaction

ATransactionthatoriginatesviaaPOITerminallocatedinthesamecountryasthecountryin

whichtheCardwasissued.ATransactionconductedwithaCardbearingoneormoreofthe

BrandMarks,eitheraloneorincombinationwiththemarksofanotherpaymentscheme,and

processedasaTransaction,asshownbytheCardtypeidentificationintheTransactionrecord,

viaeithertheInterchangeSystemoradifferentnetwork,qualifiesasanIntracountryTransaction.

“DomesticTransaction”isanalternativetermforIntracountryTransaction.

IntraregionalTransaction

ATransactionthatoccursataPOITerminallocatedinadifferentcountryfromthecountryin

whichtheCardwasissued,withinthesameRegion.

Issuer

ACustomerinitscapacityasanissuerofaCardorAccount.

License,Licensed

ThecontractbetweentheCorporationandaCustomergrantingtheCustomertherighttouseone

ormoreoftheMarksinaccordancewiththeStandards.Tobe“Licensed”meanstohavesucha

rightpursuanttoaLicense.

Maestro

MaestroInternationalIncorporated,aDelawareU.S.A.corporationoranysuccessorthereto.

MaestroAccessDevice

AnAccessDevicethatusesatleastoneMaestroPaymentApplicationtoprovideaccesstoa

MaestroAccountwhenusedataPOITerminal.

MaestroAccount

AnaccounteligibletobeaMaestroAccount,assetforthinRule6.1.2.1oftheMasterCardRules

manual,andidentifiedwithaBIN/IINassociatedwithaPortfoliodesignatedbytheCorporationas

aMaestroPortfolioinitsroutingtables.

MaestroCard

ACardthatprovidesaccesstoaMaestroAccount.

MaestroCustomer

ACustomerthathasbeengrantedaMaestroLicenseinaccordancewiththeStandards.

MaestroPaymentApplication

APaymentApplicationthatstoresMaestroAccountdata.

MaestroTransaction

ATransactioneffectedwithaMaestroAccessDeviceorAccount.

ManualCashDisbursementTransaction

AdisbursementofcashperformedupontheacceptanceofaMasterCardCardor,ata

PIN-basedIn-BranchTerminal,aMaestroorCirrusCardbyaCustomerfinancialinstitution

teller.AManualCashDisbursementTransactionisidentifiedwithMCC6010(ManualCash

Disbursements—CustomerFinancialInstitution).

SecurityRulesandProcedures•7February2014G-5

Denitions

Marks

Thenames,logos,tradenames,logotypes,trademarks,servicemarks,tradedesignations,and

otherdesignations,symbols,andmarksthattheCorporationowns,manages,licenses,orotherwise

ControlsandmakesavailableforusebyCustomersandotherauthorizedentitiesinaccordance

withaLicense.A“Mark”meansanyoneoftheMarks.

MasterCard

MasterCardInternationalIncorporated,aDelawareU.S.A.corporation.

MasterCardAccessDevice

AnAccessDevicethatusesatleastoneMasterCardPaymentApplicationtoprovideaccesstoa

MasterCardAccountwhenusedataPOITerminal.

MasterCardAccount

Anytypeofaccount(credit,debit,prepaid,commercial,etc.)identifiedasaMasterCardAccount

withaprimaryaccountnumber(PAN)thatbeginswithaBINintherangeof510000to559999.

MasterCard-brandedApplicationIdentier(AID)

AnyoftheCorporation’sEMVchipapplicationidentifiersforMasterCard,Maestro,andCirrus

PaymentApplicationsasdefinedintheM/ChipRequirementsmanual.

MasterCardCard

ACardthatprovidesaccesstoaMasterCardAccount.

MasterCardCustomer

ACustomerthathasbeengrantedaMasterCardLicenseinaccordancewiththeStandards.Also

seeMember.

MasterCardEurope

MasterCardEuropesprl,aBelgianprivatelimitedliability(company).

MasterCardIncorporated

MasterCardIncorporated,aDelawareU.S.A.corporation.

MasterCardPaymentApplication

APaymentApplicationthatstoresMasterCardAccountdata.

MasterCardPayPassMagneticStripeProleTransaction

AContactlessChipTransactioninwhichthePOSTerminalreceivesstaticanddynamicdatafrom

thechipandconstructsmessagesthatcanbetransportedinastandardmagneticstripemessage

format,incompliancewiththeStandards.

MasterCardPayPass-M/ChipTransaction

AContactlessChipTransactioninwhichthePOSTerminalandthechipexchangedata,enabling

thechiptoapprovetheTransactionofflineontheIssuer’sbehalfortorequestonlineauthorization

fromtheIssuer,incompliancewiththeStandards.

MasterCardTransaction

ATransactioneffectedwithaMasterCardAccessDeviceorAccount.

G-67February2014•SecurityRulesandProcedures

Denitions

Member,Membership

AfinancialinstitutionorotherentitythatisapprovedtobeaMasterCardCustomerinaccordance

withtheStandardsandwhich,asaMasterCardCustomer,hasbeengrantedmembership

(“Membership”)inandhasbecomeamember(“Member”)oftheCorporation.“Membership”

alsomeans“Participation”.

Merchant

Aretailer,oranyotherperson,firmorcorporationthat,pursuanttoaMerchantAgreement,

agreestoacceptCardswhenproperlypresented.

MerchantAgreement

AnagreementbetweenaMerchantandaCustomerthatsetsforththetermspursuanttowhich

theMerchantisauthorizedtoacceptCards.

MobilePaymentDevice

ACardholder-controlledmobilephonecontainingaPaymentApplicationcompliantwiththe

Standards,andwhichusesanintegratedkeyboardandscreentoaccessanAccount.AMobile

PaymentDeviceisatypeofContactlessPaymentDevice.

MobilePOS(MPOS)Terminal

AnMPOSTerminalenablesamobiledevicetobeusedasaPOSTerminal.Card“reading”and

softwarefunctionalitythatmeetstheCorporation’srequirementsmayresidewithinthemobile

device,onaserveraccessedbythemobiledevice,orinaseparateaccessoryconnected(suchas

viaBluetoothoraUSBport)tothemobiledevice.Themobiledevicemaybeanymulti-purpose

mobilecomputingplatform,including,bywayofexampleandnotlimitation,afeaturephone,

smartphone,tablet,orPersonalDigitalAssistant(PDA).

Participation

TherighttoparticipateinActivitygrantedtoaCustomerbytheCorporation.ForaMasterCard

Customer,ParticipationisanalternativetermforMembership.

Pass-throughDigitalWallet

FunctionalitybywhichthePass-throughDigitalWalletOperatorstoresMasterCardorMaestro

AccountdataprovidedbytheCardholdertotheDWOforpurposesofeffectingapayment

initiatedbytheCardholdertoaMerchantorSub-merchant,andupontheperformanceofa

Transaction,transferstheAccountdatatotheMerchantorSub-merchantortoitsAcquirerorthe

Acquirer’sServiceProvider.

Pass-throughDigitalWalletOperator(DWO)

TheoperatorofaPass-throughDigitalWallet.

PaymentApplication

ThemagneticstripeorM/ChipfunctionalitythatstoresAccountdataonorinaCardorContactless

PaymentDeviceandenablesthereadingand/ortransmissionofsuchdatatoaPOITerminalvia

acontactorcontactlessinterfacetoeffectaTransaction,inaccordancewiththeStandards.A

MasterCardPaymentApplication,MaestroPaymentApplication,andCirrusPaymentApplicationis

eachaPaymentApplication.

SecurityRulesandProcedures•7February2014G-7

Denitions

PaymentFacilitator

AMerchantregisteredbyanAcquirertofacilitateTransactionsonbehalfofSub-merchants.Unless

otherwisestatedherein,anyreferencetoMerchantsencompassesPaymentFacilitatorsand

Sub-merchants.TheStandardsapplicabletoaMerchantareapplicabletoaPaymentFacilitator

andaSub-merchant.

PIN-basedIn-BranchT erminal

AnattendedPOIdevice,locatedonthepremisesofaCustomerorotherfinancialinstitution

designatedasitsauthorizedagentbytheCorporation,thatfacilitatesacashwithdrawalTransaction

byaCardholder.

PIN-basedIn-BranchT erminalTransaction

AcashwithdrawalTransactioneffectedbyafinancialinstitutiontellerataPIN-basedIn-Branch

TerminalandidentifiedwithMCC6010(ManualCashDisbursements—CustomerFinancial

Institution).

PointofInteraction(POI)

ThelocationatwhichaTransactionoccurs,asdeterminedbytheCorporation.

POITerminal

AnyattendedorunattendedPOIdevicethatmeetstheCorporationrequirementsandthatpermits

aCardholdertoeffectaTransactioninaccordancewiththeStandards.SeeATMTerminal,

PIN-basedIn-BranchTerminal,POSTerminal.

Portfolio

AllCardsissuedbearingthesamemajorindustryidentifier,BIN/IIN,andanyadditionaldigitsthat

uniquelyidentifyCardsforroutingpurposes.

Point-of-Sale(POS)T erminal

AnattendedorunattendedPOIdevicelocatedinorataMerchant’spremisesthatenablesa

CardholdertoeffectaTransactionforthepurchaseofproductsorservicessoldbysuchMerchant

withanAccessDevice,inaccordancewiththePOSTerminalsecurityandotherapplicable

Standards.

POSTransaction

ThesaleofproductsorservicesbyaMerchanttoaCardholderpursuanttoacceptanceofa

CardbytheMerchant.APOSTransactionmaybeaCard-presentTransactiontakingplaceina

face-to-faceenvironmentoratanunattendedPOSTerminal,oraCard-not-presentTransaction

takingplaceinanon-face-to-faceenvironment(forexample,ane-commerce,mailorder,phone

order,orrecurringpaymentTransaction).

PrincipalCustomer,Principal

ACustomerthatparticipatesdirectlyinActivityusingitsassignedBINs/IINsandwhichmay

SponsoroneormoreAffiliates.

Program

ACustomer’sCardissuingprogram,Merchantacquiringprogram,ATMTerminalacquiring

program,orall.

G-87February2014•SecurityRulesandProcedures

Denitions

ProgramServices

AnyservicedescribedinRule7.1oftheMasterCardRulesmanualorelsewhereintheStandards

thatdirectlyorindirectlysupportsaProgramandregardlessofwhethertheentityprovidingthe

serviceisregisteredasaServiceProviderofoneormoreCustomers.TheCorporationhasthe

solerighttodeterminewhetheraserviceisaProgramService.

Region

AgeographicregionasdefinedbytheCorporationfromtimetotime.SeeAppendixAofthe

MasterCardRulesmanual.

Rules

TheStandardssetforthinthismanual.

ServiceProvider

ApersonthatperformsProgramService.TheCorporationhasthesolerighttodeterminewhether

apersonisormaybeaServiceProviderandifso,thecategoryofServiceProvider.AService

ProviderisanagentoftheCustomerthatreceivesorotherwisebenefitsfromProgramService,

whetherdirectlyorindirectly,performedbysuchServiceProvider.

ServiceProviderRegistrationFacilitator

AServiceProviderthatperformsServiceProvideridentificationandregistrationservices.

Settlement

TheprocessbywhichCustomersexchangefinancialdataandvalueresultingfromTransactions.

SettlementDate

DatethatfundsarecommittedforsettlementbetweenanAcquirerandanIssuer.

Sponsor,Sponsorship

TherelationshipdescribedintheStandardsbetweenaPrincipalorAssociationandanAffiliatethat

engagesinActivityindirectlythroughthePrincipalorAssociation.Insuchevent,thePrincipal

orAssociationistheSponsoroftheAffiliateandtheAffiliateisSponsoredbythePrincipalor

Association.“Sponsorship”meanstheSponsoringofaCustomer.

StagedDigitalWallet

FunctionalitybywhichtheStagedDigitalWalletOperatoreffectsatwo-stagepaymenttoaretailer

tocompleteapurchaseinitiatedbyaconsumer,asfollows:

•Paymentstage—Inthepaymentstage,theStagedDWOpaystheretailerbymeansof:

–AtransactionconductedusingMasterCardorMaestroAccountorotheraccountdata

assignedtotheconsumerbytheDWOorbyanissuer,actingfororonbehalfoftheDWO

(herein,a“consumer-assignedpaymentaccount”);or

–AfundstransfertoanaccountheldbytheStagedDWOfororonbehalfoftheretailer.

•Fundingstage—Inthefundingstage,theStagedDWOusesMasterCardorMaestroAccount

orotheraccountdataprovidedtotheStagedDWObytheconsumer(herein,the“funding

account”)toperformatransactionthatfundsorreimbursestheStagedDigitalWallet.

Neithertheretailernor,iftheretailerisaMerchant,itsAcquirerortheAcquirer’sServiceProvider

receivesMasterCardorMaestroAccountdataandotherinformationidentifyingthenetworkbrand

andpaymentcardissuerforthefundingaccount.

SecurityRulesandProcedures•7February2014G-9

Denitions

StagedDigitalWalletOperator(DWO)

TheoperatorofaStagedDigitalWallet.

Standards

TheAmendedandRestatedCertificateofIncorporationandthebylaws,operatingrules,

regulations,policies,andproceduresoftheCorporation,includingbutnotlimitedtoanymanuals,

guidesorbulletins,asmaybeamendedfromtimetotime.

Stand-InParameters

AsetofauthorizationrequirementsestablishedbytheCorporationortheIssuerthatareaccessed

bytheInterchangeSystemusingtheStand-InProcessingServicetodeterminetheappropriate

responsestoauthorizationrequests.

Stand-InProcessingService

AserviceofferedbytheCorporationinwhichtheInterchangeSystemauthorizesordeclines

TransactionsonbehalfofandusesStand-InParametersprovidedbytheIssuer(orinsome

cases,bytheCorporation).TheStand-InProcessingServicerespondsonlywhentheIssueris

unavailable,theTransactioncannotbedeliveredtotheIssuer,ortheIssuerexceedstheresponse

timeparameterssetbytheCorporation.

Sub-merchant

Amerchantthat,pursuanttoanagreementwithaPaymentFacilitator,isauthorizedtoaccept

Cardswhenproperlypresented.

Terminal

AnATMTerminalorPIN-basedIn-BranchTerminal.

ThirdPartyProcessor(TPP)

AServiceProviderthatperformsanyoneormoreoftheservicesdescribedinRule7.1ofthe

MasterCardRulesmanualasTPPProgramService.

Transaction

AfinancialtransactionarisingfromtheproperacceptanceofanAccessDeviceorAccountata

CardacceptancelocationandidentifiedinmessageswithaCardProgramidentifier.SeeATM

Transaction,ManualCashDisbursementTransaction,MerchandiseTransaction,POSTransaction,

SharedDepositTransaction.

Volume

TheaggregatefinancialvalueofagroupofTransactions.“Volume”doesnotmeanthenumber

ofTransactions.

G-107February2014•SecurityRulesandProcedures

Security Rules And Procedures—Merchant Edition SPME Entire Manual Public

Navigation menu

Versions of this User Manual:

Views

Navigation