Navigating Card Association Rules for Open Payments

Smart Card Alliance Payments Summit February 6, 2014

Copyright February 2014 by CH2M HILL

Background

• Card Association Rules describe the responsibilities of merchants that accept association-branded (e.g., Visa®, MasterCard®, ®, Discover®) bank cards for payment
• Each card association has its own set of rules, which include all requirements for payment acceptance
• Visa and MasterCard both make their rules (and interchange rates) publicly available online:

  http://usa.visa.com/merchants/operations/op_regulations.html
  http://www.mastercard.com/us/company/en/whatwedo/merchant_rules.html
• Until recently, association rules were geared almost entirely toward payment acceptance in retail environments

Transit agencies are different than retail merchants when it comes to accepting payments

• The speed of payment acceptance is critical
  – Transit is an ideal use case for
  – A response time of 500ms is the benchmark set by the industry
• Agencies are looking to reduce costs with open payments
  – Processing fees need to be lower than the current cost of collection
  – Agencies need to avoid costs associated with fraudulent use
• Agencies need to support transit-specific payment rules
  – Agencies want to reduce and replace agency-issued media
  – Traditional fare rules (e.g., passes, transfers) still need to be supported

Association Rules Governing Transit-Specific Needs

Transit Need                     Applicable Rules
Payment Speed                    • Contactless payment at unattended terminals (non-signature)
                                 • Offline acceptance
Cost Reduction                   • Payment aggregation
                                 • Chargeback protection
Transit-Specific Payment Rules   • Use of cards as a transit (non-banking) account identifier

The need for fast transaction speeds means that a full online authorization is not possible

• Card associations allow contactless payments to be accepted “offline” and without signature within certain transaction limits
  – Transit agencies must ensure that transaction values (i.e., fares) fall below these thresholds
• Solutions such as the Transit MasterCard Interface Processor (T-MIP) can provide local authentication to help reduce declines
  – Agencies must determine whether the risk associated with declines outweighs the cost of integrating this type of solution
• The introduction of the EMV standard in the U.S. may provide additional protections when accepting offline transactions
  – Agencies should specify support for the offline card authentication methods in the standard (i.e., DDA and CDA, EMV's dynamic and combined data authentication)

Association Rules Governing Transit-Specific Needs


Transaction aggregation can be used to reduce payment processing costs

• Aggregation allows agencies to combine payments accepted from a card and process them as a single transaction
  – Agencies must determine whether cost savings outweigh the risk of a decline when combined payments are processed
    – Example interchange for one $2 fare: $0.138 (6.9%)
    – Example interchange for two $2 fares: $0.176 (4.4%)
• Card associations each have rules for pre-authorization amounts, and the time and value limits over which aggregation can occur
  – Agencies must ensure that aggregation rules are met for each card type that will be accepted
    – Visa: 3 days, up to $15
    – MasterCard: 14 days, up to $15 (includes chargeback protection)
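The aggregation decision described on this slide, as an added Python example that is not part of the deck: it applies the Visa and MasterCard windows and the $15 cap quoted above to a stream of taps on one card, and reproduces the slide's interchange comparison. The $0.10 + 1.9% fee schedule (fitted to the two example figures), the token names and the tap times are assumptions.

```python
from dataclasses import dataclass, field

# Aggregation limits quoted on the slide, as (window in days, value cap in $).
# Both brands cap the aggregated amount at $15.
AGGREGATION_RULES = {"visa": (3, 15.00), "mastercard": (14, 15.00)}


def interchange(amount: float) -> float:
    """Assumed fee model, not stated on the slide: its two example figures
    ($0.138 on $2.00, $0.176 on $4.00) are consistent with $0.10 + 1.9%."""
    return round(0.10 + 0.019 * amount, 3)


def aggregation_saving(fares: list) -> float:
    """Fee for processing each fare alone minus the fee for one combined
    transaction (the comparison the slide makes for two $2 fares)."""
    return round(sum(interchange(f) for f in fares) - interchange(sum(fares)), 3)


@dataclass
class Batch:
    token: str        # card token; the PAN itself is not kept with the batch
    brand: str
    opened: float     # time of the first tap, in days
    fares: list = field(default_factory=list)

    def total(self) -> float:
        return round(sum(self.fares), 2)


class Aggregator:
    def __init__(self):
        self.open = {}       # token -> Batch still accumulating fares
        self.submitted = []  # (token, total, fare count) sent for processing

    def _submit(self, batch: Batch) -> None:
        self.submitted.append((batch.token, batch.total(), len(batch.fares)))
        del self.open[batch.token]

    def tap(self, token: str, brand: str, fare: float, day: float) -> float:
        """Record one fare at time `day`; returns the open batch's running total."""
        window, cap = AGGREGATION_RULES[brand]
        batch = self.open.get(token)
        # Close the batch once the brand's time window has elapsed or when this
        # fare would push the aggregated value over the cap.
        if batch and (day - batch.opened > window or batch.total() + fare > cap):
            self._submit(batch)
            batch = None
        if batch is None:
            batch = self.open[token] = Batch(token, brand, day)
        batch.fares.append(fare)
        return batch.total()
```

A batch that has neither expired nor hit the cap stays open, so a real deployment would also submit open batches on a schedule rather than only on the next tap.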


Association Rules Governing Transit-Specific Needs


Maintaining local records of card usage can allow continued support for existing fare rules

• Processing using local transit accounts can support transfers, pass products, fare capping, and other fare rules using bank cards
  – Agencies must ensure they comply with the rules governing the use of cards as identifiers for transit (i.e., closed-loop) accounts
• Many contactless cards maintain offline transaction counters that card issuers use as a means of fraud protection
  – Agencies must send periodic transactions to update counters for payments processed within a closed-loop account
• Some contactless cards transmit a different (i.e., pseudo) account number than the one printed on the card
  – Issuer look-up services can support transit account identification based on the Primary Account Number (PAN)

What are some key strategies for navigating association rules?

• Work with your payment processor to understand the rules that apply and can be leveraged
  – A payment processor should be selected and involved in the early phases of system design
  – The processor needs to fully understand how the system will function and what the agency is trying to achieve
  – The processor can help identify and reduce costs, and represent the agency if association rules require clarification
• Look for ways to avoid handling cards differently based on type
  – Look for commonalities in rules where they exist
  – Where rules vary, adopt the more stringent version for all transactions

Security is central to all open payment acceptance

• The Payment Card Industry Data Security Standard (PCI DSS) provides a universal set of security requirements for the acceptance of open payments and the handling of card data
• There are strategies agencies can adopt to reduce the challenge of achieving PCI compliance:
  – Purchase equipment that has already been PCI certified
  – Avoid the storage of card data whenever possible, using methods such as tokenization
  – For a hosted solution, specify that the system supplier is responsible for PCI compliance (certified by a qualified third party)

Thank you

Trevor Findley
Senior Solutions Architect