Updates for the Business Risk Assessment and Mitigation Program

Topic(s): E-Commerce, Fraud/Risk, MCC, Merchant, Rules/Standards, Security

May Apply To: Acquirers, Processors

Summary: MasterCard requires compliance with its Standards that prohibit the use of MasterCard® cards and systems for illegal or brand-damaging activities and adherence to Standards that support the Business Risk Assessment and Mitigation (BRAM) compliance program. This article:

• Reminds acquirers of their obligations under the Standards and the MasterCard BRAM program;
• Identifies certain illegal or brand-damaging products and services that are being added to the BRAM program, and others that are not being added at this time but have the potential to create brand risk or fraud in the payments system;
• Provides a reminder of acquirers’ responsibilities for coding card-not-present (CNP) transactions, as well as information on recent regulatory actions regarding Internet gambling transactions in Norway and Germany;
• Contains information on recent regulatory actions regarding financial merchants, such as foreign exchange traders, in Japan;
• Reminds acquirers of the recent changes to the BRAM program:
  – The elimination of the BRAM Monitoring Program (BMP),
  – The expiration of the letters of understanding (LOUs), and
  – The launch of the Merchant Monitoring Program (MMP) with Merchant Monitoring Service Provider (MMSP) registration requirements; and
• Provides tips for responding to BRAM noncompliance notifications.

Action Indicator: A (Attention warranted)

Effective Date: Immediately

Background

The MasterCard Standards require each customer to comply with all applicable laws and the Standards, and not to engage in or facilitate any action that is illegal or that, in the opinion of MasterCard, damages or may damage the goodwill or reputation of MasterCard.

Global Security Bulletin No. 4, 15 April 2016. ©2016 MasterCard. Proprietary. All rights reserved.

The BRAM program is intended to help ensure that MasterCard systems and marks are not used in any action that is illegal or that damages or may damage the goodwill or reputation of MasterCard.

In the spirit of keeping the industry informed of new trends in the marketplace, MasterCard has identified certain additional products that are either illegal or brand-damaging, and other products, services, and merchant models that may pose risk to our collective brands.

The products, services, and merchant models mentioned in this article do not represent an exhaustive list of illegal or brand-damaging activities. Each acquirer is reminded to review each of its merchants and their services on an ongoing basis to determine the legality and legitimacy of the goods or services being offered for sale.

Regulatory Information Regarding Internet Gambling

MasterCard is providing the following updated regulatory information from the Norwegian and German governments as it relates to Internet gambling transactions. Internet gambling in jurisdictions where it is illegal is deemed by MasterCard to be a BRAM violation.

Norwegian Gaming Authority (Gambling Act in Norway)

The state-owned company, Norsk Tipping (betting and ), and the state-controlled foundation, Norsk Rikstoto (horse betting), are the only two gambling operators that may legally operate in Norway.

In 2010, the Norwegian government implemented a payment ban to block transactions of gambling merchants that do not hold a permit in Norway. Financial institutions in Norway are prohibited from acquiring stakes and prizes for gambling merchants that do not hold a Norwegian license. Therefore, any gambling merchant operating within Norway must be licensed by the Norwegian government.

German Gambling Authority (Gambling Regulation in Germany)

The German Gambling Interstate Treaty from 2012 bans most online gambling activities, such as real money slot machines, and games. In particular, offering such games on the Internet under a German domain or path (e.g., “xyz.com/DE”) or in the German language may be deemed a violation of the Internet ban. Only , horserace betting and commercial brokers are allowed to conduct online gambling activity, provided that the operator holds a valid license.

A certain number of licenses for remote gambling and betting were issued by the Ministry of Internal Affairs and Federal Matters of Schleswig-Holstein between 2012 and 2013. These will remain valid until their expiration, but only for the territory of the German Federal State of Schleswig-Holstein. Any other offering of online gambling without a license is prohibited.

Regulatory Information Regarding Financial Organizations Offering or Advertising Services in Japan

MasterCard is providing the following updated regulatory information from the Japanese government as it relates to financial organizations, such as foreign exchange traders, that are offering or advertising services to consumers in Japan.

Financial Services Agency of Japan

The Financial Services Agency of Japan (“FSA”) has identified an increase in the number of financial merchants that are not licensed by the FSA. These include foreign exchange traders that are offering or advertising excessively high-leverage deals to consumers in Japan, mainly over the Internet. The Financial Instruments and Exchange Act, which became effective in June 2006 and was reformed in 2007, requires financial merchants that transact with, or advertise to, consumers in Japan to obtain a license from the FSA.

For example, merchants that facilitate the selling or buying of financial securities or insurance policies to consumers in Japan without permission from the FSA will be in violation of the Act.

To help ensure compliance, acquirers can check the merchant’s licensed status by accessing the FSA’s list of licensed (registered) financial organizations at: http://www.fsa.go.jp/en/regulated/licensed/

Illegal/Brand-Damaging Products (Added to BRAM Program)

In addition to previously published products/services, MasterCard is alerting acquirers that the following products/services are illegal or brand-damaging and are prohibited products as outlined in the BRAM program.

Medical and Dental Devices

Effective immediately, medical and dental devices that are counterfeit, not approved by regulatory entities, or expired are added to the BRAM program.

Medical devices include, but are not limited to, the following:

• Condoms;
• Prescription and colored contact lenses;
• Diagnostic testing kits for HIV, diabetes, pregnancy, etc.;
• Intravascular catheters;
• Implants for breast and other parts of the body; and
• Instruments and machines for hospitals, doctors, and dentists.

NOTE: Medical/dental devices cover a large spectrum of products.

The United States regulates medical devices to ensure that they meet safety standards. The U.S. Food, Drug and Cosmetic Act (“FDC Act”) requires approval of diagnostic testing kits before they are imported or marketed in the United States and prohibits the promotion of devices for unapproved uses. Specifically, introducing unapproved (adulterated or misbranded) medical devices into interstate commerce is a violation of the FDC Act, and importing and/or facilitating the sale or distribution of imported merchandise contrary to law is a criminal violation.

Contact lenses (including decorative/theatrical/color and corrective lenses) are also regulated as medical devices pursuant to the FDC Act. The sale of contact lenses to consumers without a valid prescription is also unlawful.

The European Union (E.U.) and the United Kingdom (U.K.) also regulate medical devices to ensure that they meet E.U. and U.K. safety standards. Medical devices sold in the E.U. must meet the requirements of the E.U. Medical Devices Directives. Medical devices sold in the U.K. must meet the requirements of the U.K. Medical Devices Regulations 2002. Further, unauthorized use of a trademark in the U.K. would be considered counterfeiting and an offense under the Trade Marks Act 1994.

Mobile Repeaters (United Kingdom Only)

Effective immediately, mobile (cellular phone) repeaters that are sold without the proper license in the United Kingdom are added to the BRAM program as part of the Illegal Electronic Devices category.

The U.K. Office of Communications (Ofcom) has a duty to manage and protect the radio spectrum. Ofcom investigates companies that illegally sell and distribute mobile repeaters.

Mobile repeaters increase the cellular signal of a mobile network operator (MNO) in areas that suffer from poor coverage. However, although the repeater may increase the signal for the owner, the use of such a device can increase the number of dropped calls within the rest of the mobile signal area, which is detrimental to the majority of users within that area.

These devices are in high demand by consumers. However, the use of these devices is illegal in the U.K., absent a license to operate. Only MNOs are licensed in the U.K. to use equipment that transmits in the cellular frequency bands.

For additional information, refer to:

http://consumers.ofcom.org.uk/phone/mobile-phones/coverage/mobile-repeaters/

http://licensing.ofcom.org.uk/radiocommunication-licences/mobile-wireless-broadband/cellular-wireless-broadband/policy-and-background/repeaters-boosters/

http://stakeholders.ofcom.org.uk/spectrum/technical/rtte/rtte_faq/

http://stakeholders.ofcom.org.uk/enforcement/spectrum-enforcement/jammers/

Products/Services to Watch or Monitor

MasterCard recommends that its customers monitor the following products, services, and merchant models. Although these products, services, and merchant models are not currently included in the BRAM program, customers acquiring transactions for them should monitor them closely for deceptive practices as well as for compliance with any laws and regulations.

e-Voucher Merchant Models

e-Voucher models may be used to circumvent MasterCard Standards on Internet gambling if the e-Voucher load (deposit) is not coded with MCC 7995 (Gambling Transactions). Further, if the e-Voucher loads are transferred onto a prepaid card, the card may also be used to circumvent MasterCard Standards.

e-Voucher merchant models operate as MasterCard’s Digital Wallet Operator (DWO) model where the cardholder loads funds and those funds can be used to purchase goods or services from an online retailer that accepts that e-Voucher. So instead of purchasing a coupon/voucher for a specific retailer, the cardholder is loading funds (to a wallet) to be used.

Acquirers must ensure that they accurately identify these models and code them accordingly. If the merchant loads a “voucher” (i.e., deposits to a wallet), then it may be considered a DWO, and therefore the MasterCard Rules related to DWO operation and registration must be followed, including the use of the most appropriate MCC, which would be based, in part, on the product for which the e-Voucher is used.

Fantasy Sports Merchants

These models have been in the news recently, and rules and regulations governing these models are evolving. Many United States Attorneys General and United States state legislatures are examining the legality of daily fantasy sports (DFS) merchants, with some states banning DFS, some imposing licensing requirements, and some legalizing DFS subject to certain consumer protections being put in place. Since the landscape continues to change, acquirers should monitor state regulations to ensure that DFS transactions only occur in jurisdictions where they are lawful.

MasterCard reminds its customers that this merchant type requires the following: 1) registration in the MasterCard Registration Program (MRP) (U.S. Region merchants only); and 2) proper MCC coding of 7994 (Video Game Arcades/Establishments) for all merchants of this type. In addition, if this merchant type is regulated as gambling in any non-U.S. jurisdiction, then it must be coded with MCC 7995.

MasterCard suggests that acquirers regularly review their merchant’s registration status and ensure that they are complying with applicable laws. In the meantime, MasterCard will continue to monitor the situation.

Lottery Courier Service Merchants

These models purport to be courier services where the merchants purchase lottery tickets on behalf of a cardholder. The cardholder provides payment to the merchant, then the merchant purchases and holds the lottery tickets. If a ticket wins, the merchant pays the cardholder the winnings minus commissions. MasterCard does not consider this model a courier service. If the transaction is for the purchase of a lottery ticket on behalf of a cardholder, then it must be coded as a lottery merchant with MCC 7800 (Government-owned Lottery - U.S. Region only), MCC 9406 (Government-owned Lottery [Specific Countries]), or MCC 7995 where MCC 7800 and MCC 9406 are not applicable.

UseNet Merchants/Internet Forums/Bulletin Board Systems

These forums allow users to read and post messages as well as post images and links to videos. However, these images and links may be illegal or brand-damaging if they are related to child exploitation or offensive adult content, or if they infringe intellectual property rights.

Another model type is where a merchant downloads content from forum-type sites to build their database of content. Unlike a typical forum or bulletin board site where an individual must download each image/video manually and search hundreds of content links, this new model performs those functions for individuals, organizes the content into categories, and filters the content for ease of identification and downloading so that individuals can obtain the exact content desired. This model offers free subscriptions that provide for limited access and downloads. To obtain more downloads per day, a cardholder can upgrade by purchasing a subscription. The cardholder then has access to all of the content and is allowed to download the content desired.

Either model that takes payment via a MasterCard card and offers illegal or brand-damaging content may be considered a BRAM violation. MasterCard suggests that acquirers review their merchant’s model and content to ensure that they are complying with all laws and MasterCard Standards.

Proxy Avoidance/Anonymizer Sites

These websites provide customers with the ability to use the Internet anonymously. They facilitate the connection from any location in the world to any other location using domain name system (DNS) or virtual private network (VPN) technology. For example, these websites allow access to Internet sites in one country but reflect the Internet protocol (IP) address of another country, thereby masking the true geographic location of the customer.

In some situations, this service is used to access sites that have an IP address block, such as streaming services and gambling sites. Therefore, if the sole purpose of the service is to circumvent rules or regulations related to IP address blocking, then it may be considered a BRAM violation.

Mobile Phone Applications

MasterCard has been alerted that there are applications (apps) for mobile devices that may circumvent MasterCard Rules and Standards. These apps may be used for activities such as circumventing gambling rules, the purchase and downloading of intellectual property infringing content, the purchase of pharmaceuticals or illegal drugs, or other illegal or brand-damaging activity.

MasterCard recommends that acquirers understand and monitor not only the merchant’s web presence and mobile presence, but also any merchant apps to ensure compliance.

Updates on BRAM-related Products/Services

Synthetic Drugs

As announced in Global Security Bulletin No. 2, 15 February 2012 and Global Security Bulletin No. 7, 15 July 2013, synthetic drugs are illegal to process, possess, distribute, or sell in certain countries and jurisdictions. Synthetic drugs are products with psychoactive and/or stimulant characteristics.

Sales of these synthetic drugs (cannabinoids, cathinones, and other compounds) are on the rise, and an increasing number of products are being created and sold. They are often marketed as incense, potpourri, bath salts, or plant food. The producers and sellers of these products target their marketing to youths. These products may or may not be illegal in all jurisdictions and will continue to be subject to further regulation worldwide.

For instance, China has recently released further advisement on prohibited drugs/chemicals/psychotropic substances. Therefore, MasterCard recommends that acquirers perform their due diligence to ensure compliance with all rules and regulations worldwide.

Electronic Cigarettes (e-cigarettes)

MasterCard announced electronic cigarettes as a “product to watch” in Global Security Bulletin No. 2, 15 February 2012.

MasterCard requests that merchants in the business of selling electronic cigarettes be coded with MCC 5993.

MCC 5993—Cigar Stores and Stands

MCC Description: Retailers that sell tobacco, cigarettes, cigars, pipes, and smokers’ supplies.

At this time, a merchant solely selling e-cigarettes does not need to be registered in the MRP. However, if the merchant sells other tobacco products in addition to e-cigarettes, then the merchant must be coded with the MCC 5993 and must be registered in the MRP.

Expiration of the LOUs from the Discontinued BMP—Reminder

As announced in Global Security Bulletin No. 7, 15 July 2015, the BRAM Monitoring Program (BMP) was replaced with the Merchant Monitoring Program (MMP). With the replacement of the BMP with the MMP, the LOUs signed by acquirers for participation in the BMP expired as of 31 December 2015.

As a reminder, the MMP is a voluntary program where acquirers may register their service provider(s) with MasterCard to participate. Acquirers that register to participate in the MMP may be afforded a level of assessment mitigation if the acquirer performs all program and reporting requirements.

The MMP is open for registration. To register, please complete the registration form found using the following link in the Library within MasterCard Connect and follow the directions for submission.

https://w201.mastercardconnect.com/hsm3ca267/homememb/library/shared/Forms_Library/Forms.htm

Tips for Properly Responding to a BRAM Suspected Noncompliance with MasterCard Standards Notification

To assist customers in responding to a BRAM-related suspected noncompliance with MasterCard Standards notification, MasterCard has developed a BRAM Response Form. This form can be used to assist customers with their responses to MasterCard and to help ensure that all required data, reports, figures, and documents are delivered to MasterCard. The BRAM Response Form is not required to be completed and submitted to MasterCard along with a formal response to an investigation; it is provided as a helpful guide. However, should a customer choose to use the form, it may be included in the formal response along with all required data and documents.

When responding to a suspected noncompliance with MasterCard Standards notification, customers must provide a formal response to MasterCard by the response due date and include:

• All documentation requested in the investigation letter
• All data requested in the investigation letter
• MMSP report (rescan and historical monitoring reports)
• Legal opinion (if applicable)
• Final formal response on acquirer letterhead.

Failure to respond by the due date may result in an additional assessment for non-response.

To further help customers provide MasterCard with a complete formal response, MasterCard is providing the following helpful tips.

Investigation Process – Acquirer

• Review initial underwriting/due diligence
• Review historical processing volumes and transaction sizes (along with credits, reported fraud, and chargebacks)
• Review past risk management actions related to the merchant
• Review approved and violating URLs
• Perform test transactions (if applicable)
• Contact the merchant and perform an investigation with the merchant
• Determine whether a Merchant Monitoring Service Provider (MMSP) was used for BRAM content monitoring and/or merchant transaction laundering detection; if so, rescan the URL and provide the rescan report and the historical monitoring report in the response
• Cease the merchant’s illegal or brand-damaging activity.

Investigation Tips

• Proactively investigate all incidents of suspected noncompliance
• Conduct a full investigation, gather all of the known facts available at the time, and ensure that ongoing developments are also recorded
• Maintain a comprehensive investigation report
• Work ahead of deadlines to help ensure investigation reports and updates are delivered in a timely manner
• Develop clear and obtainable action plans and timelines to resolve issues and deliver requirements on time
• Develop a set of procedures and supporting process flows for noncompliance investigations
• In cases of noncompliance, submit a comprehensive investigation response to MasterCard providing answers to all questions and all required documentation.

Formal Responses to MasterCard

• Provide a strong and detailed remediation plan that details the incident, all investigative information and steps, and all corrective action
• Provide copies of all applications, agreements, MasterCard Alert to Control High-risk (Merchants) (MATCH) inquiries, and all due diligence documents from onboarding and all risk-related actions
• Provide a summary of all actions taken when underwriting/onboarding the merchant and all ongoing monitoring conducted after onboarding
• Provide sales volumes and transaction counts in USD by month and then the grand total of all months
• Provide screen prints of volumes that can be verified (merchant-supplied figures will not be accepted) for the approved and violating sites
• Provide a review of the approved and violating URLs, URL registrants, and relationships to other merchant accounts and URLs
• Provide a list of all Service Providers used and their functions
• Provide screen prints and reports from the acquirer’s registered MMSP reflecting the monitoring of the merchant and all URLs.

Questions?

Customers with questions about the information in this article should contact:

Jeffrey D. De Petro
Business Leader, Franchise Integrity, Customer Performance Integrity

Phone: 1-914-249-2907

Email: [email protected]
