MRC Advocacy: Voice of the Merchant
Member advocacy is of the utmost importance to us here at the MRC and the work we have been doing on behalf of our merchant members has proven to benefit the payments industry across the board.
The retail payments industry is ever-evolving, it is complex and varied and new payments regulations, standards and policies continue to keep us all busy.
New technologies and fraud trends affect payments in unprecedented ways. MRC advocacy on behalf of our merchant members continues to grow as a major benefit both for members and for the wider payment ecosystem.
MRC is focused on several key areas:
- Providing MRC members with the most up to date information on new payments regulations, rules, mandates, standards, and policies
- Providing a strong, collective merchant voice when engaging financial regulators and policy makers globally
- Building and maintaining strong relationships with the card networks
- Redefining industry issues to enable merchants to better resolve problems, e.g., working with eCommerce super-brands to redefine Friendly Fraud to First Party Misuse and effecting change at industry level
- Addressing Data privacy, security, and consumer protection matters
- MRC Letter to the European Commission: Regarding the Continued Impact of PSD2:
In response to the European Commission request for input to the review of the impact and application of the Payments Services Directive (PSD2), the MRC submitted a letter on behalf of members impacted by the Regulations in the EU before the deadline of July 5, 2022.
The letter focused on two main points raised by MRC members; specifically how the Commission could better ensure consistency in interpretation of the regulation across the National Conduct Authorities to help make the reporting requirements more efficient for merchants operating across the region, and how certain aspects of the Directive inadvertently facilitated the proliferation of first-party misuse (formerly friendly fraud).
The MRC welcomes the PSD2 review and will continue, over the coming months, to work together with the European Commission and bring the Voice of Merchant members directly to the regulator’s table.
- Visa Takes an Important Step in the Fight Against First-Party Misuse/Friendly Fraud:
After years of collaboration with the MRC and MRC members, Visa recently announced historic changes to the scheme rules around Friendly Fraud/First-Party Misuse.
Visa is modifying their dispute process with the goal of empowering merchants to leverage data and reduce illegitimate chargebacks. It can’t be overstated what a significant impact these changes will have for merchants and their fraud mitigation strategies.
These policy modifications will be detailed by Visa representatives in an MRC-hosted webinar on 23 June 2022.
Read more about these changes directly from Visa, and learn more about the partnership between Visa and the MRC for additional context.
- Relationship Building with the Card Networks:
The MRC has established strong relations with each of the major card networks, Visa, Mastercard, American Express, and Discover. MRC works together especially with Visa and Mastercard to advocate on behalf of merchants, to ensure the merchant voice is heard as scheme rules are being considered, raising visibility on the impact of rule changes on merchants.
MRC has encouraged the card networks to provide a webinar in advance of each scheduled bulletin announcing rule changes that impact merchants. These are scheduled to take place in February and August annually, in advance of the usual April and October bulletin releases.
In the member-only webinars, the networks provide an overview of the upcoming rule changes as well as the expected impact on merchants. This goes a long way to preparing our members for the changes coming down the line and helps open a line of communication between the card schemes and MRC merchant members. This is solving a decades-long issue where merchants find out details, long after rule changes have been implemented.
- First Party Misuse (formerly known as Friendly Fraud or chargeback fraud):
The MRC gathered a group of the largest eCommerce merchants amongst the membership, as well as some of the biggest card issuers globally, to form the Merchant-Issuer Executive Committee. This grouped discussed and redefined friendly fraud. The new definition, under the revised term ‘first party misuse’ is already being used across the industry and is being considered by the card networks.
The problem of first party misuse represents up to 80% of all fraud related chargebacks for many of our merchant members. It was recognized as one of the biggest areas of concern, with considerable growth in the issue over the lock-down period in recent years. MRC gathered relevant information from merchant members on the extent of the issue, with the purpose of discussing it with, and educating, regulators globally and to talk about the need to change payment regulations to allow issuers to question their cardholders as disputes are raised as fraud claims, where the card issuer knows the claims are false. Issuers are currently under regulatory pressure to dispute any fraud claims on behalf of their customers and this is leading to a rise in consumers being aware of the ability to charge back purchases, and for OCGs (organized crime gangs) to use mules to purchase high value goods on their personal cards and claim back the cost via this regulatory ‘loophole’.
MRC has already contributed to the latest PSD2 review noting the need, to the European Commission, to review article 71 of the payment services directive. Discussions are also ongoing in the U.S. with the CFPB, FTC and other merchant organizations, raising awareness of the industry challenge and how payments regulators can help resolve the problem.
In our 2022 Global Payments & Fraud Survey Report, first party misuse Is one of the highest-ranking fraud challenges our members report.
- SCA Requirements:
Regulation calls for SCA requirements to be in place. Implementation was enforced beginning December 31, 2020. The MRC has advocated EU Regulators (18) to move the enforcement date, by country, based on reports of industry readiness, or lack thereof. Our merchant community, lead by Microsoft and Amazon, have published SCA readiness dashboards by country. Through this initiative, we created a deadline dashboard by country and a Slack channel for merchants and issuers to discuss challenges. Find out more.
The MRC applied for a portion of the EU Commission Internal Security Fund and was awarded €500K for a public-private partnership project so that MRC merchant members and Law Enforcement agencies would have a platform to work together against cybercrime. MRC also partners with the IC3 (Internet Crime Complaint Center) and has a Memorandum of understanding in place with Europol.
MRC Advocacy Efforts in India
India’s Financial Regulator, the Reserve Bank of India (RBI) introduced new payments regulations including an e-mandate on recurring transactions, effective 30 September 2021, and guidelines relating to Card on File set to be implemented by 31 December 2021. While the regulations were designed to provide consumer protection, eCommerce merchants operating in India have raised concerns about the deadlines, and the lack of time to make the necessary changes and enable compliance. Additional concerns were raised around the merchants’ challenge to manage basic functions such as dispute resolution (chargebacks). If card details can no longer be held, transactions will be more difficult to identify.
The MRC has prioritized advocating for merchants on this topic, and to further that goal, has written to the RBI in September 2021 to ask for the timeline changes in order to prepare the payments ecosystem for those regulations and ensure compliance. This was followed by a meeting between merchants, card issuers, PSPs, retail associations, as well as four representatives from the Indian Financial Regulator (RBI) in November 2021. It was clear all participants want to collaborate, to facilitate enablement across the ecosystem, but they also recognized that all stakeholders need to cooperate to reach compliance. The MRC followed up with the RBI again after the meeting to highlight concerns raised during the session.
This meeting was an excellent example of how advocacy can increase communication and transparency for all stakeholders by facilitating a constructive multi-lateral conversation.
*UPDATE January 2022*
The Reserve Bank of India (RBI) has extended the upcoming card payment regulation compliance deadline by six months, from 31 December 2021 to 30 June 2022.
The MRC has been engaging the RBI, merchant members, regulating bodies and other industry organizations in the country throughout 2021, advocating for an extension to the compliance deadline regarding the storing of card on file (CoF) data and tokenization requirements.
In addition to these discussions, the MRC facilitated a Merchant Round Table meeting with leading retail brands operating in India, also attended by RBI representatives. These efforts, along with a follow-up MRC webinar on the topic delivered by Microsoft and Google, helped inform the Regulator and pave the way for this decision.
Click here for more detail regarding these updates and the continued efforts of the MRC to act as the voice of the merchant in APAC.
*UPDATE May 2022*
On 19 May 2022, the MRC held a closed-door discussion on India’s payments regulation on card on file tokenization. With the regulatory deadline of 30 June 2022 looming, the purpose of the meeting was to learn from the group of stakeholders the current state of ecosystem readiness, and to determine appropriate next steps for the Reserve Bank of India (RBI) - India’s financial regulator - to consider.
This productive discussion between the regulator and industry leaders covered a great deal of ground, and ended with two important requests for the RBI to consider:
- Just as acquirers processing offline payments can store card numbers, please permit acquiring banks to save cards for online transactions as well, to prevent customers across use cases from being marginalized/ unsatisfactorily serviced.
- Empower merchants to continue serving customers using card data on file until there are token and non-token solutions that are demonstrably ready and tested at scale for all use cases.
*UPDATE June 2022*
The Reserve Bank of India’s (RBI) policies regarding e-mandates on recurring transactions and guidelines relating to Card on File transactions continue to evolve as conversations between local stakeholders and the regulator proceed.
In the latest development, on 16 June, the RBI issued an industry update on the e-mandate framework for Card on File. This update increases the limit for the transaction value that requires an additional factor of authentication, which is a significant boon for merchants operating in India, particularly subscription-based merchants.
Though there are still additional issues that need to be resolved to optimize the balance between security and efficiency in this market, the MRC is excited by this step in the right direction and looks forward to continued cooperation with the regulator and merchants in India.
*ADDITIONAL UPDATE June 2022*
Per an announcement from the Reserve Bank of India (RBI), issued on 24 June 2022, the regulator has “decided to extend the timeline for storing of CoF data by three months, i.e., till September 30, 2022, after which such data shall be purged.”
The MRC applauds this extension, as it indicates the regulator is listening to and working with local stakeholders to reach the desired balance of security and efficiency in the region.
From section 3 and 4 of the recent announcement:
3. On a review of the issues involved and after detailed discussions with all stakeholders, it is observed that considerable progress has been made in terms of token creation. Transaction processing based on these tokens has also commenced, though it is yet to gain traction across all categories of merchants. Further, an alternate system in respect of transactions where cardholders decide to enter the card details manually at the time of undertaking the transaction (commonly referred to as “guest checkout transactions”) has not been implemented by the industry stakeholders, so far.
4. Given the above, it has been decided to extend the timeline for storing of CoF data by three months, i.e., till September 30, 2022, after which such data shall be purged.
The MRC is working with merchants and issuers to ensure upcoming regulation enforcement does not have a negative impact on the industry. On September 14, 2019, new requirements for authenticating online retail payments were introduced in Europe as part of the Payments Services Directive update (PSD2). The industry was proven not to be ready at that time, so the European Banking Authority (EBA) facilitated an extension to the implementation deadline of the regulation, to December 31, 2020. The MRC shares the goal of a robust implementation of Strong Customer Authentication (SCA); however, our merchant members have shown us in recent months that the ecosystem is not yet ready for the regulation to be implemented.
Microsoft's SCA Scorecard for August 2021 is available on LinkedIn (click here for details).
For more information on how Microsoft built their scorecard, see the following articles on LinkedIn Pulse:
The MRC has called on the EBA and the European Commission to use their influence to encourage all NCAs (National Conduct Authorities) to adopt a flexible approach to the implementation of SCA and give industry scope beyond the December 31 deadline. The MRC also wrote to 18 NCAs directly to suggest the deadline for the operational application of SCA should be pushed out by at least 6 months.
Click here to view the MRC's correspondence with the European Commission, European Banking Authority, the Commission's responses, and a joint letter from the European Payment Institutions Federation signed by MRC, Visa, Mastercard, the European Hotel Forum, and many more.
The MRC has also engaged consumer associations in Europe to ensure they are fully informed on the impact on consumers from January 1 when card issuers are forced to decline transactions that do not appear to be SCA compliant. In some countries, the reports are showing this figure could be up to 50% of transactions.
The MRC has produced a Country SCA deadline dashboard to note the enforcement deadlines for European countries. See it here.
Other merchant scorecards are available to Regulators and Card Issuers. Contact us for access to these.
The MRC heard from card issuers and merchants that it is extremely hard to test for and debug problems highlighted when processing SCA-ready transactions, so we established a Slack channel where the community is working together to solve issues. If you wish to join the Slack channel (open to merchants and card issuers), contact firstname.lastname@example.org.
To sign up for testing with Visa, email Visa at email@example.com. To sign up for the Mastercard test platform, visit https://3dss.netcetera.com/mastercard-psd2-testing/.
Who makes the regulation in Europe and who implements it?
The European Commission produced the regulation (PSD2). The regulation specifically relating to SCA has been enforceable since September 14, 2019. In effect, all regulated bodies (banks, credit institutions, etc.) should be compliant since that date. However, on that date, nothing really changed.
The EBA -- European Banking Authority -- are the enforcers of the regulation in the EU (European Union). They enforce the NCAs -- the national competent / conduct authorities, normally the Central Banks of each nation -- to ensure compliance in each nation. It was the EBA, in September 2019, that allowed the NCAs time before which they had to enforce the regulation in each nation. This flexibility ended at the close of 2020.
The Commission and the EBA have noted all parties have been aware of the regulation since 2017. They are currently not willing to extend the deadline for enforcement for that reason. The FCA was able to make an early decision most likely because of Brexit, i.e. they have left the EU and as such are not required to comply with EU regulation, in theory. That said, the UK will wish to remain competitive, so they aim to comply but have allowed another 9 months for their regulated bodies (issuers and acquirers) to comply with the regulation.
While each NCA can make its own decision on delaying the date, they are required to enforce the regulation under the EBA. To date, some NCAs have decided to move their dates (see the MRC SCA deadline chart for more information).
Global Customer Verification Methods
The MRC is collecting data from members to collate the various authentication/ verification methods for consumers in different countries. This has proven useful for businesses wishing to comply with payments regulations in this space and those wishing to expand to other countries.
The data is ever-changing and the spreadsheet is available here.