Security Rules and Procedures 30 July 2015

Security Rules and
Procedures
30 July 2015
Summary of Changes, 30 July 2015

This manual reflects changes associated with announcements in MasterCard bulletins from 15
September 2014 to 15 July 2015, and additional terminology changes.
To locate the changes listed below online, on the Adobe toolbar, click Find. In the Find box,
type >> and then press ENTER. To move to the next change, press ENTER again.
Description of Change Where to Look
Removed definitions of the following terms: Dual Interface Hybrid POS Appendix F
Terminal.
Updated definitions of the following terms: Interregional Transaction; Appendix F

Intraregional Tranaction.
Added definitions of the following terms: Digital Goods; Dual Interface; Appendix F
Identification & Verification (ID&V); Multi-Account Chip Card.
NOTE: The changes to Appendix F (Definitions) cannot be located

online using the Find box. Please scroll to Appendix F at the end of
the manual to locate these changes.
Added access instructions for the Card Production Physical Security 2.4
Requirements and the Card Production Logical Security Requirements.
Clarified the CVC 2 value verification requirements for Issuers. 3.9.2
Clarified the CVC 2 value provision requirements for Acquirers. 3.9.4
Added section 6.2.1.4—Product Portfolio Management. 6.2.1.4
Updated the recommended additional monitoring parameters for Issuers. 6.2.1.5 (renumbered)
Added section 6.2.1.6—Additional Prepaid Monitoring Requirements. 6.2.1.6
Added section 6.2.1.7—Fraud Detection Tool Implementation. 6.2.1.7
Added section 6.2.1.8—Cardholder Communication Strategy. 6.2.1.8
Clarified the Merchant deposit monitoring parameters for Acquirers. 6.2.2.2
Moved the 150 percent threshold recommendation for Acquirer fraud loss 6.2.2.3
control monitoring reports from section 6.2.2.2—Acquirer Merchant
Deposit Monitoring Requirements to section 6.2.2.3.
Updated the recommended additional monitoring parameters for 6.2.2.3

Acquirers.
©1991–2015 MasterCard. Proprietary. All rights reserved.

Security Rules and Procedures • 30 July 2015 2
Updated references from website monitoring to Merchant monitoring. 6.2.2.3

7.2
13.2.2
Added MATCH compliance requirements for Acquirers. 7.1.2
NOTE: The MATCH compliance requirements added to section 7.1.2

were inadvertently omitted from the article, "Revised Standards
for the Payment Facilitator and Service Provider Programs,"
published in Global Security Bulletin No. 10, 15 October 2014.
Removed MCC 9754 from the types of non-face-to-face gambling 9.1

Merchants required to be registered using the MRP.
9.4.2
Added MCCs 7801 and 7802 to the types of non-face-to-face gambling 9.1
Merchants required to be registered using the MRP.
9.4.2
Removed MCC 9399 from the types of state lottery Merchants required to 9.1
be registered using the MRP.
9.4.4
Added MCC 7800 to the types of state lottery Merchants required to be 9.1
registered using the MRP.
9.4.4
Added website URL to the information requested for each Merchant, 9.2
Submerchant, or other entity required to be registered through the MRP
system.
Updated applicable references from MasterCard POS Transaction to Chapter 10

MasterCard Transaction.
Updated applicable references from Maestro POS Transaction to Maestro Chapter 10

Transaction.
Removed the definition of Point-of-Sale (POS) Transaction from the list of 10.2
Account Data Compromise Event terminology.
Updated the ADC FR determination process. 10.2.5.5
Added references of fraudulent inter-European Maestro POS Transactions 12.2

to references of fraudulent intra-European Maestro POS Transactions.
12.6
Added section 12.8—Digital Goods Transactions. 12.8

Removed section 13.1.1.1—Merchant Risk Review Offering. 13.1.1.1 (deleted)

Contents
Contents
Summary of Changes, 30 July 2015....................................................................2
Chapter 1: Customer Obligations...................................................................... 13

1.1 Compliance with the Standards..................................................................................14
1.2 Conflict with Law.......................................................................................................14
1.3 The Security Contact.................................................................................................. 14
Chapter 2: Card Production Standards............................................................15

2.1 Compliance with Card Production Standards..............................................................16
2.2 Monitoring of Personnel.............................................................................................16
2.3 Contracting with Card Registration Companies.......................................................... 17
2.4 Working with Vendors............................................................................................... 18
2.4.1 Order Request Required to Produce Cards...........................................................19
2.4.2 Stockpiling Plastics..............................................................................................19
2.5 Cards Without Personalization................................................................................... 19
2.6 Card Count Discrepancies.......................................................................................... 19
2.7 Reporting Card Loss or Theft...................................................................................... 19
2.8 Disposition of Unissued Cards and Account Information.............................................20
Chapter 3: Card and TID Design Standards.................................................. 21

3.1 Principles of Standardization...................................................................................... 22
3.2 MasterCard Account Number.....................................................................................22
3.3 Maestro and Cirrus Account Numbers........................................................................ 23
3.4 Signature Panel.......................................................................................................... 24
3.5 Magnetic Stripe or MasterCard HoloMag Encoding.................................................... 24
3.5.1 Card Validation Code 1 (CVC 1)......................................................................... 24
3.5.2 Service Code...................................................................................................... 24
3.5.3 Cardholder Name............................................................................................... 24
3.5.4 Expiration Date...................................................................................................26
3.6 Chip Cards................................................................................................................. 26
3.6.1 Chip Card Applications....................................................................................... 28
3.6.2 Multiple Application Chip Cards......................................................................... 28
3.6.3 Use of M/Chip Card Application Specifications....................................................29
3.7 Contactless Cards and Payment Devices..................................................................... 29
3.8 Mobile Payment Devices.............................................................................................30
3.9 Card Validation Code (CVC)....................................................................................... 30
3.9.1 Issuer Requirements for CVC 1........................................................................... 31

Contents

3.9.4 Acquirer Requirements for CVC 2....................................................................... 32
3.9.5 CVC Calculation Methods.................................................................................. 33
3.10 Service Codes...........................................................................................................34
3.10.1 Issuer Information.............................................................................................35
3.10.2 Acquirer Information........................................................................................ 35
3.10.3 Valid Service Codes...........................................................................................36
3.10.4 Additional Service Code Information.................................................................37
3.11 Transaction Information Documents (TIDs)................................................................37
3.11.1 Formset Contents............................................................................................. 38
3.11.2 POS Terminal Receipt Contents......................................................................... 38
3.11.3 Primary Account Number Truncation and Expiration Date Omission.................. 39
Chapter 4: Terminal and PIN Security Standards....................................... 40

4.1 Personal Identification Numbers (PINs)........................................................................41
4.2 PIN Selection and Usage.............................................................................................41
4.3 PIN Verification...........................................................................................................42
4.4 PIN Authorization Requests........................................................................................ 42
4.5 PIN Encipherment.......................................................................................................42
4.6 PIN Key Management.................................................................................................43
4.6.1 PIN Transmission Between Customer Host Systems and the Interchange
System........................................................................................................................ 43
4.6.2 On-behalf Key Management...............................................................................44
4.7 PIN at the POI for MasterCard Magnetic Stripe Transactions....................................... 45
4.8 Terminal Security Standards........................................................................................ 45
4.9 Hybrid Terminal Security Standards............................................................................. 46
4.10 PIN Entry Device Standards....................................................................................... 46
4.11 Wireless POS Terminals and Internet/Stand-alone IP-enabled POS Terminal
Security Standards............................................................................................................48
4.12 POS Terminals Using Electronic Signature Capture Technology (ESCT)....................... 48
4.13 Component Authentication......................................................................................49
4.14 Triple DES Migration Standards.................................................................................49
Chapter 5: Card Recovery and Return Standards...................................... 50

5.1 Card Recovery and Return..........................................................................................51
5.1.1 Card Retention by Merchants............................................................................. 51
5.1.2 ATM Card Retention........................................................................................... 52
5.1.3 Payment of Rewards........................................................................................... 54
5.1.4 Reporting Fraudulent Use of Cards..................................................................... 55
5.1.5 Reporting Lost and Stolen Cards......................................................................... 56
5.2 Criminal and Counterfeit Investigations......................................................................57
5.2.1 Initiating an Investigation....................................................................................57

Contents
5.2.2 Providing a Progress Report................................................................................ 57

5.2.3 Requesting an Arrest and Criminal Prosecution................................................... 57
5.2.4 Fees and Reimbursement of Expenses.................................................................57
5.2.5 Investigation of Counterfeits and Major Criminal Cases...................................... 58
Chapter 6: Fraud Loss Control Standards...................................................... 59

6.1 Customer Responsibility for Fraud Loss Control.......................................................... 61
6.2 MasterCard Fraud Loss Control Program Standards.................................................... 61
6.2.1 Issuer Fraud Loss Control Programs.....................................................................61
6.2.2 Acquirer Fraud Loss Control Programs................................................................ 65
6.2.3 Noncompliance with Fraud Loss Control Program Standards............................... 67
6.3 MasterCard Counterfeit Card Fraud Loss Control Standards....................................... 67
6.3.1 Counterfeit Card Notification..............................................................................67
6.3.2 Responsibility for Counterfeit Loss...................................................................... 68
6.3.3 Acquirer Counterfeit Liability Program................................................................ 69
6.4 Maestro Issuer Loss Control Program (LCP)................................................................. 71
6.4.1 Group 1 Issuers—Issuers with Dynamic Geo-Controls......................................... 71
6.4.2 Group 2 Issuers—Issuers without Dynamic Geo-Controls.................................... 72
6.4.3 Group 3 Issuers—Issuers Experiencing Fraud in Excess of Established Levels
(“High Fraud”)............................................................................................................ 73
6.4.4 Fraud Detection Tool Implementation................................................................. 73
6.4.5 Cardholder Communication Strategy.................................................................. 74
Chapter 7: Merchant, Submerchant, and ATM Owner Screening

and Monitoring Standards....................................................................................75
7.1 Screening New Merchants, Submerchants, and ATM Owners..................................... 76
7.1.1 Merchant Screening Procedures.......................................................................... 76
7.1.2 Submerchant Screening Procedures.................................................................... 77
7.1.3 ATM Owner Screening Procedures...................................................................... 78
7.1.4 Evidence of Compliance with Screening Procedures............................................ 78
7.1.5 Retention of Investigative Records.......................................................................79
7.1.6 Assessments for Noncompliance with Screening Procedures............................... 80
7.2 Ongoing Monitoring.................................................................................................. 80
7.3 Merchant Education................................................................................................... 81
7.4 Additional Requirements for Certain Merchant and Submerchant Categories............. 81
Chapter 8: MasterCard Fraud Control Programs........................................ 82

8.1 Presenting Valid Transactions......................................................................................84
8.1.1 Notifying MasterCard—Acquirer Responsibilities.................................................84
8.1.2 Notifying MasterCard—Issuer Responsibilities..................................................... 84
8.1.3 MasterCard Audit............................................................................................... 84

Contents
8.2 Global Merchant Audit Program.................................................................................86

8.2.1 Acquirer Responsibilities..................................................................................... 87
8.2.2 Tier 3 Special Merchant Audit.............................................................................87
8.2.3 Chargeback Responsibility.................................................................................. 89
8.2.4 Exclusion from the Global Merchant Audit Program............................................ 90
8.2.5 Notification of Merchant Identification................................................................92
8.2.6 Merchant Online Status Tracking (MOST) System................................................ 93
8.3 Excessive Chargeback Program...................................................................................94
8.3.1 ECP Definitions...................................................................................................94
8.3.2 Reporting Requirements..................................................................................... 95
8.3.3 Assessments....................................................................................................... 96
8.3.4 Issuer Reimbursement.........................................................................................98
8.3.5 Additional Tier 2 ECM Requirements.................................................................. 98
8.4 Questionable Merchant Audit Program (QMAP)..........................................................99
8.4.1 QMAP Definitions...............................................................................................99
8.4.2 MasterCard Commencement of an Investigation.............................................. 101
8.4.3 MasterCard Notification to Issuers.................................................................... 101
8.4.4 MasterCard Notification to Acquirers................................................................ 102
8.4.5 Merchant Termination.......................................................................................102
8.4.6 MasterCard Determination............................................................................... 102
8.4.7 Chargeback Responsibility................................................................................ 103
8.4.8 Fraud Recovery................................................................................................. 103
8.4.9 QMAP Fees.......................................................................................................103
8.5 Issuer Monitoring Program (IMP).............................................................................. 104
8.5.1 Identification Criteria........................................................................................ 104
8.5.2 MasterCard Audit and Questionnaire................................................................104
8.5.3 Subsequent Issuer Identifications in the IMP......................................................105
Chapter 9: MasterCard Registration Program........................................... 106

9.1 MasterCard Registration Program Overview..............................................................107
9.2 General Registration Requirements...........................................................................107
9.2.1 Merchant Registration Fees and Noncompliance Assessments........................... 108
9.3 General Monitoring Requirements............................................................................109
9.4 Additional Requirements for Specific Merchant Categories....................................... 109
9.4.1 Non-face-to-face Adult Content and Services Merchants.................................. 109
9.4.2 Non–face-to-face Gambling Merchants.............................................................109
9.4.3 Pharmaceutical and Tobacco Product Merchants............................................... 111
9.4.4 State Lottery Merchants (U.S. Region Only)....................................................... 112
9.4.5 Skill Games Merchants (U.S. Region Only).........................................................113

Contents
Chapter 10: Account Data Protection Standards and Programs...... 115

10.1 Account Data Protection Standards........................................................................ 116
10.2 Account Data Compromise Events......................................................................... 116
10.2.1 Policy Concerning Account Data Compromise Events and Potential Account
Data Compromise Events...........................................................................................117
10.2.2 Responsibilities in Connection with ADC Events and Potential ADC Events......118
10.2.3 Forensic Report...............................................................................................122
10.2.4 Alternative Standards Applicable to Certain Merchants................................... 123
10.2.5 MasterCard Determination of ADC Event or Potential ADC Event................... 124
10.2.6 Assessments and/or Disqualification for Noncompliance................................. 131
10.2.7 Final Financial Responsibility Determination.................................................... 131
10.3 MasterCard Site Data Protection (SDP) Program......................................................132
10.3.1 Payment Card Industry Data Security Standards.............................................. 132
10.3.2 Compliance Validation Tools........................................................................... 133
10.3.3 Acquirer Compliance Requirements................................................................ 133
10.3.4 Implementation Schedule............................................................................... 135
10.4 Connecting to MasterCard—Physical and Logical Security Requirements................ 141
10.4.1 Minimum Security Requirements.....................................................................141
10.4.2 Additional Recommended Security Requirements............................................142
10.4.3 Ownership of Service Delivery Point Equipment.............................................. 142
Chapter 11: MATCH System................................................................................144

11.1 MATCH Overview...................................................................................................145
11.1.1 System Features..............................................................................................145
11.1.2 How does MATCH Search when Conducting an Inquiry?................................ 145
11.2 MATCH Standards..................................................................................................148
11.2.1 Certification................................................................................................... 149
11.2.2 When to Add a Merchant to MATCH..............................................................149
11.2.3 Inquiring about a Merchant............................................................................ 149
11.2.4 MATCH Noncompliance Assessments............................................................. 150
11.2.5 Exceptions to MATCH Standards.....................................................................150
11.2.6 MATCH Record Retention............................................................................... 151
11.3 Merchants Listed by MasterCard............................................................................ 151
11.3.1 Questionable Merchants................................................................................. 151
11.4 Merchant Removal from MATCH............................................................................151
11.5 MATCH Reason Codes........................................................................................... 152
11.5.1 Reason Codes for Merchants Listed by the Acquirer........................................152
11.5.2 Reason Codes for Merchants Listed by MasterCard.........................................154
11.6 Requesting Access to and Using MATCH................................................................ 155
11.7 Legal Notice........................................................................................................... 156

Contents
Chapter 12: System to Avoid Fraud Effectively (SAFE) Reporting

Standards.....................................................................................................................157
12.1 SAFE Overview....................................................................................................... 158
12.2 SAFE Fraud Reporting Standards............................................................................ 158
12.2.1 Digital Secure Remote Payment Transactions and Tokenized Account Data......158
12.3 SAFE Reason Codes................................................................................................159
12.4 Data Accuracy and Integrity................................................................................... 160
12.5 Timely Reporting of MasterCard and Debit MasterCard Transactions...................... 160
12.5.1 Tier I Reporting Requirement.......................................................................... 161
12.5.2 Tier II Reporting Requirement ........................................................................ 161
12.5.3 Tier III Reporting Requirement.........................................................................161
12.6 Timely Reporting of Maestro Transactions...............................................................161
12.7 Timely Reporting of Cirrus Transactions.................................................................. 161
12.8 Digital Goods Transactions..................................................................................... 161
12.9 Fraud-related Chargebacks.....................................................................................162
12.10 High Clearing Transaction Volume........................................................................ 162
12.11 Transaction Amount............................................................................................. 162
12.12 Resubmitting Rejected Transactions...................................................................... 162
12.13 Noncompliance Assessments................................................................................163
12.14 Variances ............................................................................................................ 163
Chapter 13: Global Risk Management Program....................................... 164

13.1 About the Global Risk Management Program.........................................................165
13.1.1 Customer Onboarding Reviews.......................................................................165
13.1.2 Third Party Risk Reviews..................................................................................166
13.1.3 Customer Risk Reviews................................................................................... 166
13.1.4 Customer Consultative Reviews...................................................................... 166
13.2 Global Risk Management Program Review Topics................................................... 167
13.2.1 Issuer Global Risk Management Program Review Topics.................................. 167
13.2.2 Acquirer Global Risk Management Program Review Topics..............................167
13.3 Global Risk Management Program Reports.............................................................168
13.4 Customer Risk Review Conditions.......................................................................... 169
13.4.1 Customer Risk Review Issuer Criteria ..............................................................169
13.4.2 Customer Risk Review Acquirer Criteria.......................................................... 169
13.4.3 Basis Points Calculation.................................................................................. 170
13.5 Global Risk Management Program Fees..................................................................170
13.6 Noncompliance with Fraud Loss Control Standards.................................................170
Appendix A: Track Data Content and Format........................................... 171

A.1 Track 1 Data Content and Format............................................................................ 172

Contents
A.2 Track 2 Data Content and Format............................................................................ 174
Appendix B: Formset Specifications...............................................................178

B.1 MasterCard Formset Specifications........................................................................... 179
B.1.1 Formset Physical Dimensions.............................................................................179
B.1.2 Standard Wording............................................................................................ 179
B.1.3 Number of Copies and Retention Requirements................................................179
B.1.4 Paper Stock Characteristics............................................................................... 180
B.1.5 Color of Interchange Copy............................................................................... 180
B.1.6 Carbon.............................................................................................................180
B.1.7 Registration Mark............................................................................................. 180
B.1.8 Formset Numbering..........................................................................................180
B.1.9 Information Slip Specifications.......................................................................... 181
B.2 Formset Printing Standards ......................................................................................181
B.2.1 Financial Transaction Formsets.......................................................................... 181
B.2.2 Information Slip Formsets................................................................................. 182
B.2.3 Imprinters.........................................................................................................183
Appendix C: Contact Information................................................................... 184

C.1 Security and Risk Services.........................................................................................185
C.2 Merchant Fraud Control...........................................................................................185
C.3 Account Data Compromise Events........................................................................... 186
C.4 Card Design Management....................................................................................... 186
™
C.5 MasterCard Connect Applications......................................................................... 187
C.6 Customer Operations Services..................................................................................187
C.7 Questionable Merchant Activity............................................................................... 188
Appendix D: Best Practices Guides................................................................. 190

D.1 Acquirers’ Best Practices Guide................................................................................ 191
D.2 MasterCard Debit Card and ATM Debit/Credit Card Fraud Guide............................. 191
D.3 Issuers’ Best Practices Guide.....................................................................................191
D.4 Prepaid Card Fraud and Risk Management Best Practices Guide............................... 191
D.5 Security Guidelines for Merchants’ Terminals............................................................192
D.6 How to Access the “Best Practices” Guides..............................................................192
Appendix E: Card Production Services.......................................................... 193

E.1 Card Production Services.......................................................................................... 194

Contents
Appendix F: Definitions........................................................................................196
Notices...........................................................................................................................227

Customer Obligations
Chapter 1 Customer Obligations

This chapter describes general Customer compliance and Program obligations relating to
MasterCard Card issuing and Merchant acquiring Program Activities.
1.1 Compliance with the Standards.............................................................................................. 14

1.2 Conflict with Law....................................................................................................................14
1.3 The Security Contact...............................................................................................................14

Customer Obligations
1.1 Compliance with the Standards
1.1 Compliance with the Standards

This manual contains Standards. Each Customer must comply fully with these Standards.
All of the Standards in this manual are assigned to noncompliance category A under the
compliance framework set forth in Chapter 2 of the MasterCard Rules manual (“the
compliance framework”), unless otherwise specified in the table below. The noncompliance
assessment schedule provided in the compliance framework pertains to any Standard in the
Security Rules and Procedures manual that does not have an established compliance Program.
The Corporation may deviate from the schedule at any time.
Section Number Section Title Category
1.3 The Security Contact C
2.3 Contracting with Card C

Registration Companies
7.1.5 Retention of Investigative C

Records
B.1.2 Standard Wording B
1.2 Conflict with Law

A Customer is excused from compliance with a Standard in any country or region of a country
only to the extent that compliance would cause the Customer to violate local applicable law
or regulation, and further provided that the Customer promptly notifies the Corporation, in
writing, of the basis for and nature of an inability to comply. The Corporation has the
authority to approve local alternatives to these Standards.
1.3 The Security Contact

Each Customer must have a Security Contact listed for each of its Member IDs/ICA numbers in
the Member Information tool on MasterCard Connect™.

Card Production Standards
Chapter 2 Card Production Standards

This chapter may be of particular interest to Customers that issue Cards, and includes requirements
for personnel responsible for the tasks associated with producing Cards.
2.1 Compliance with Card Production Standards...........................................................................16

2.2 Monitoring of Personnel......................................................................................................... 16
2.3 Contracting with Card Registration Companies.......................................................................17
2.4 Working with Vendors............................................................................................................ 18
2.4.1 Order Request Required to Produce Cards....................................................................... 19
2.4.2 Stockpiling Plastics.......................................................................................................... 19
2.5 Cards Without Personalization................................................................................................ 19
2.6 Card Count Discrepancies....................................................................................................... 19
2.7 Reporting Card Loss or Theft...................................................................................................19
2.8 Disposition of Unissued Cards and Account Information......................................................... 20

2.1 Compliance with Card Production Standards
2.1 Compliance with Card Production Standards

As used in this section, and unless otherwise specified, the term “Card production” is
applicable with respect to Cards and other types of Access Devices, including Contactless
Payment Devices and Mobile Payment Devices.
An Issuer engaged in Card production must comply with all applicable Standards, including
but not limited to those set forth in this chapter and in the following documents:
• Card Design Standards
• Card Production Physical Security Requirements
• Card Production Logical Security Requirements
• Security Requirements for Mobile Payment Provisioning
The Card Production Physical Security Requirements and the Card Production Logical Security
Requirements documents are available on the Payment Card Industry Security Standards
Council (PCI SSC) website under the Card Production tab at www.pcisecuritystandards.org/
security_standards/documents.php.
An Issuer that uses a Card production vendor to produce Cards on its behalf must also comply
with the Standards set forth in section 2.4 of this manual.
It is recommended that an Issuer that issues and/or personalizes Cards onsite at a bank
branch, retail store, or other location outside of a Card production vendor facility refer to the
Security Guidelines for Instant Card Issuance and Instant Card Personalization manual for
information relating to the secure issuance of Cards and protection of Cardholder data at such
locations.
Card production activities subject to compliance with these Standards include, by way of
example and not limitation, the treatment and safeguarding of Cards, Card manufacture,
printing, embossing, encoding, and mailing, as well as to any phase of the production and
distribution of Cards or Card account information.
Refer to Appendix E of this manual for detailed descriptions of Card production activities.
2.2 Monitoring of Personnel

Where permissible by law, Issuers must conduct credit and criminal record checks for all
personnel handling embossed or unembossed Cards, including part-time and temporary
personnel.
In addition, where permissible by law, Issuers may not employ such personnel with one or
more known criminal convictions, high credit risk backgrounds, or both, in Card storage and
processing areas.
Issuers also may not allow such personnel access to account numbers, embossed or
unembossed Cards, embossing or encoding equipment, nor may they engage such personnel
in security or waste processing work.

2.3 Contracting with Card Registration Companies
2.3 Contracting with Card Registration Companies

A card registration company (“Company”) is any entity that stores Card account numbers
and, upon notification by the Cardholder, reports the loss or theft of the Card(s) to the
Issuer(s).
Any Issuer having a contractual agreement with a Company pursuant to which the Company
registers that Issuer’s Cardholder account numbers must ensure that the contract includes the
following obligations on the part of the Company:
• The Company shall maintain any Cardholder information, including, without limitation,
names, addresses, phone numbers, and account numbers in strictest confidence and
disclose them only to the Issuer. The Company shall keep any media containing this type of
information in an area limited to selected personnel having access on a need-to-know
basis. Before discarding such media, the Company shall destroy it in a manner that will
render the data unreadable.
• The Company shall control and limit access to account numbers stored in a computer
environment by establishing procedures that must include, but are not limited to, a
password system for computer remote terminal (CRT) access and control over dial-up lines
or any other means of access.
• The Company may not use the name of MasterCard in any promotion or advertising,
except as provided by a contractual agreement with the Issuer for purposes of soliciting
and providing services to the Issuer’s Cardholders. MasterCard reserves the right to approve
any such materials.
• The Company must maintain a 24-hours-per-day, seven-days-per-week service to receive
Cardholder reports on lost or stolen Cards. The Company shall transmit each report
immediately and in any event no later than two hours after receiving the report, by the
most expeditious means, for example, phone or fax, to the appropriate Issuer.
At a minimum, the notification must include:
– Account number
– Issuer’s name
– Cardholder’s name, address, and phone number
– Phone number where the Cardholder can be reached
– Whether the Card was lost or stolen
– Time and location of the reported loss or theft
• The Company shall report any loss or theft of Cardholder information whether due to act
or omission, to MasterCard and to the Issuer with which it has a contract within 24 hours
of discovery of the loss or theft.
• The Company must convey a Cardholder request for a replacement Card to the Issuer.
• The contract must include an indemnification clause holding MasterCard, its officers, its
directors and employees, its Customers, and the Issuer having the contract with the
Company not liable for any loss or damage claimed by or on behalf of the Cardholder,
Issuer, or other person or entity alleged to be attributable to the Company’s failure to

2.4 Working with Vendors
properly provide the services described in the contract or failure to safeguard account
information.
• The Company must be covered by liability, fidelity, fire, and theft insurance and must have
a disaster recovery plan to ensure continuity of services in the event of natural or other
events that disrupt or threaten to disrupt service unless otherwise agreed to in writing by
MasterCard. Coverage must be reasonable and adequate in consideration of the nature
and volume of work performed, the plant location, physical condition, and security of the
plant, and the number and duties of employees.
• The Company must comply with all applicable laws, rules, and regulations, including,
without limitation, consumer protection laws, applicable to the services offered and
performed by the Company.
2.4 Working with Vendors

Before employing the services of a vendor to perform any of the Card production services
described in Appendix E of this manual, a Customer must ensure that the vendor has been
certified by MasterCard under the Global Vendor Certification Program (GVCP).
Prior to certification and annual recertification of a vendor facility under the GVCP,
MasterCard conducts an on-site audit of the facility to evaluate its compliance with the
applicable physical, logical, and mobile payment provisioning security Standards set forth in
the following documents:
• Card Production Physical Security Requirements
• Card Production Logical Security Requirements
• Security Requirements for Mobile Payment Provisioning
>>>The Card Production Physical Security Requirements and the Card Production Logical
Security Requirements documents are available on the PCI SSC website under the Card
Production tab at www.pcisecuritystandards.org/security_standards/documents.php.<<<
A certified vendor facility is issued a compliance certification, which is subject to annual
renewal provided the vendor facility remains in good standing. The “List of Certified
Vendors,” as published monthly in the Global Security Bulletin, contains the name of each
vendor facility then certified and a description of the specific services that the facility is
authorized to perform.
Any agreement between an Issuer and a vendor for Card production services should contain
terms stating that the vendor agrees to safeguard and control usage of account data and to
comply with all applicable Standards then in effect, including but not limited to those set forth
in section 2.4 and in the Card Design Standards manual.
For more information about the GVCP, contact MasterCard by sending an email to gvcp-
helpdesk@mastercard.com.

2.5 Cards Without Personalization
2.4.1 Order Request Required to Produce Cards

No vendor may print or manufacture any Card, sample, or facsimile, on plastic or any other
material, except in response to a specific order from a Customer or from MasterCard. A
Customer may order Cards by using the Card Order Request (Form 488), available in the
Library section of MasterCard Connect™, or an equivalent document that provides the same
information.
Form 488 (or an equivalent document) must be completed and retained by the vendor and
Customer, and must be made available to MasterCard upon request.
MasterCard reserves the right to request, from time to time, Card samples for review, and will
communicate any such request via the Submit a Card Design Request (Manufacturer)
process on MasterCard Connect™.
2.4.2 Stockpiling Plastics

An Issuer may not encourage a vendor to stockpile plastics or Cards or use a vendor known to
engage in the practice of stockpiling plastics or Cards. Stockpiling is the practice of
manufacturing excess plastics or Cards in anticipation of future orders from Customers.
2.5 Cards Without Personalization

A Customer must not send “unfinished” Cards (as used herein, “unfinished” means a Card
that has not yet been personalized with a primary account number [PAN] or expiration date)
via the mail. Unfinished Cards must be shipped via secure shipping methods as described in
the Card Production Physical Security Requirements. In the rare event that rapid delivery is
required and secure shipping methods are infeasible, the Issuer may use an express courier
service that provides shipment tracking, recipient authentication, and receipt confirmation for
the shipment of no more than 500 unfinished Cards per day.
2.6 Card Count Discrepancies

Upon receiving a shipment of Cards, the Issuer must verify that the correct Card quantity was
delivered and take immediate action to resolve any Card count discrepancy and recover any
missing Cards. The Issuer may use the Card count noted on each sealed carton in the Card
count verification. Sealed cartons may also be opened at random, audited, and resealed. All
open cartons and all sealed cartons with no Card count noted on the carton must have the
contents counted.
2.7 Reporting Card Loss or Theft

Within 24 hours of discovery, a Customer must report to MasterCard the suspected or
confirmed loss or theft of any Cards while in transit from a vendor or in the Customer’s

2.8 Disposition of Unissued Cards and Account Information
possession. The report must be sent via email to gvcp-helpdesk@mastercard.com and contain
the following information:
• Issuer name and Member ID/ICA number
• Card type and quantity
• With respect to the loss or theft of Cards while in transit from a vendor:
– The vendor name
– The location from which the Cards were shipped
– The date and method of shipment
– The address to which the Cards were shipped
• Pertinent details about the loss and the investigation
• Name and phone number of contact for additional information
• Name and phone number of person reporting the loss or theft
2.8 Disposition of Unissued Cards and Account Information

A Customer that ceases to issue Cards must promptly destroy or otherwise properly dispose of
all unissued Cards and all media containing Card Account information.

Card and TID Design Standards
Chapter 3 Card and TID Design Standards

This chapter may be of particular interest to Issuers and vendors certified by MasterCard responsible
for the design, creation, and control of Cards. It provides specifications for all MasterCard, Maestro,
and Cirrus Card Programs worldwide.
3.1 Principles of Standardization................................................................................................... 22

3.2 MasterCard Account Number................................................................................................. 22
3.3 Maestro and Cirrus Account Numbers.....................................................................................23
3.4 Signature Panel.......................................................................................................................24
3.5 Magnetic Stripe or MasterCard HoloMag Encoding.................................................................24
3.5.1 Card Validation Code 1 (CVC 1)...................................................................................... 24
3.5.2 Service Code................................................................................................................... 24
3.5.3 Cardholder Name............................................................................................................24
3.5.4 Expiration Date................................................................................................................26
3.6 Chip Cards..............................................................................................................................26
3.6.1 Chip Card Applications....................................................................................................28
3.6.1.1 Compliance Assessment and Security Testing........................................................... 28
3.6.1.2 Integrated Circuit Chip Providers..............................................................................28
3.6.2 Multiple Application Chip Cards...................................................................................... 28
3.6.3 Use of M/Chip Card Application Specifications................................................................ 29
3.7 Contactless Cards and Payment Devices..................................................................................29
3.8 Mobile Payment Devices......................................................................................................... 30
3.9 Card Validation Code (CVC)....................................................................................................30
3.9.1 Issuer Requirements for CVC 1........................................................................................ 31
3.9.4 Acquirer Requirements for CVC 2....................................................................................32
3.9.5 CVC Calculation Methods............................................................................................... 33
3.10 Service Codes....................................................................................................................... 34
3.10.1 Issuer Information......................................................................................................... 35
3.10.2 Acquirer Information..................................................................................................... 35
3.10.3 Valid Service Codes....................................................................................................... 36
3.10.4 Additional Service Code Information............................................................................. 37
3.11 Transaction Information Documents (TIDs).............................................................................37
3.11.1 Formset Contents..........................................................................................................38
3.11.2 POS Terminal Receipt Contents......................................................................................38
3.11.3 Primary Account Number Truncation and Expiration Date Omission............................... 39

3.1 Principles of Standardization
3.1 Principles of Standardization

All Cards must be usable in all standard magnetic stripe Card-reading devices, and if a chip is
present, in all hybrid terminals and devices, so that the electronic interchange of Transaction
data is possible.
All embossed Cards must be usable in all standard imprinters—the embossed information
must produce a clear imprint and comply with all positioning and type font Standards.
All Cards containing a chip must be EMV-compliant. Such Cards are called Chip Cards.
All Chip Cards must have a single primary application defined by MasterCard that resides on
the chip and on the magnetic stripe; the Account information appearing on the Card front
must be for the primary application resident on the magnetic stripe. No Payment Application
resident on the chip of a Card issued in the United States Region may have a higher
application priority than the Card’s primary application.
All Payment Applications on a Chip Card must have a valid date (if applicable) and expiration
date within or the same as the dates present on the Card front. The valid dates appearing on
the Card front must be those of the primary application on the Card.
NOTE: A Hybrid Point-of-Sale (POS) Terminal can read both magnetic-stripe and chip
Transactions and must be EMV-compliant, as set forth in section 4.8 of this manual.
NOTE: In 1996, Europay (now a wholly owned subsidiary of MasterCard and renamed
MasterCard Europe SPRL), MasterCard, and Visa developed Standards for integrated circuit
Cards (ICCs), terminals, and applications. EMVCo, LLC, established in 1999, is the organization
that oversees and maintains the EMV specifications.
All Issuers must comply with the Card Design Standards, available on MasterCard Connect™,
including but not limited to requirements relating to the following:
• Physical Card materials, dimensions, and measurements for the Card's embossing,
magnetic stripe, chip, Marks, and other Card features
• Card design
• Use of Card activation and selective authorization disclosure stickers.
3.2 MasterCard Account Number

The account number identifies the Issuer’s bank identification number (BIN), Issuer-assigned
portion of the account number, and check digit, as shown in Table 3.1.

3.3 Maestro and Cirrus Account Numbers
Table 3.1—MasterCard Account Number Sample Configuration
MasterCard Account number = 5412 75XX XXXX 9999

Configuration is as follows:
5412 75 XX XXXX 999 9

Issuer BIN assigned by Issuer-assigned portion of the Check digit
MasterCard Account number
MasterCard assigns BINs from a block of numbers reserved by the International Organization
for Standardization (ISO) for the exclusive use of MasterCard. MasterCard BINs range from
510000–559999.
The check digit is calculated using the Luehn Formula for Computing Modulus 10 (“Double-
Add-Double”) Check Digit.
3.3 Maestro and Cirrus Account Numbers

The primary account number (PAN) of a Maestro Account or Cirrus Account must be no less
than 12 numeric digits and no more than 19 numeric digits in length. The PAN includes the
Issuer identification number (IIN, or BIN), the Issuer-assigned portion of the individual Account
number, and a check digit calculated using the Luehn Formula for Computing Modulus 10
(“Double-Add-Double”) Check Digit.
The IIN typically appears in the first six digits of the PAN, and must be assigned by the ISO
Registration Authority, or a delegated authority such as MasterCard. In the event that an
Issuer is found to be using an IIN that has been assigned by ISO to another entity, then within
three months from the date on which ISO makes its final determination of the proper
assignment of the IIN, the Issuer must replace all Cards using such IIN and MasterCard will
reassign the IIN to the appropriate entity in its routing tables.
A Customer may request MasterCard to assign an IIN(s) for Maestro and Cirrus Cards. In the
Europe Region, MasterCard assigns IINs from the 639000 to 639099 and 670000 to 679999
ranges, with IINs in the ranges 675900 to 675999 and 676770 to 676774 assigned only for
Maestro Card issuance in the United Kingdom. These ranges are reserved by ISO for exclusive
use by MasterCard. IINs from these ranges are assigned to Customers for the issuance of
Cards and may not be used for any other purpose without the prior written agreement of
MasterCard. These ranges must not be used to issue cards bearing competing global or
regional brands.

3.4 Signature Panel
3.4 Signature Panel

Upon issuance or reissuance, an Issuer must include written notice to all Cardholders to sign
all Cards immediately when received and before initial use. Only the authorized Cardholder
(the person whose name appears on the Card front) may sign the Card back. The name
signed by the authorized Cardholder must match the name that appears on the Card front,
regardless of the language used by the Cardholder to sign his or her name. The Issuer must
state this as a condition of Card use. (The vehicle-assigned MasterCard Corporate Fleet Card is
exempt from this requirement.)
3.5 Magnetic Stripe or MasterCard HoloMag Encoding

The specifications for the physical and magnetic characteristics of the magnetic stripe on
Cards must comply with ISO 7813 Credit Cards—Magnetic Stripe Encoding for Tracks 1 and 2.
Production of Card plastics with low coercivity magnetic tape is prohibited. Alternatively, the
Issuer may use MasterCard HoloMag™ in place of the magnetic stripe.
The Issuer of a MasterCard Card must ensure that the encoded magnetic stripe contains Track
1 and Track 2 data, and also includes the information specified in this chapter.
For a Maestro Card or Cirrus Card, only the encoding of Track 2 data is required; the encoding
of Track 1 data is optional. If Track 3 is encoded, the encoding must comply with ISO 4909
Bank Cards—Magnetic Stripe Content for Track 3.
An Acquirer must transmit the full unedited magnetic stripe data with each magnetic stripe-
based electronically authorized Transaction.
NOTE: The transmission of the entire contents of Track 1 or Track 2 data must be unaltered
and unedited, and cannot be truncated.
3.5.1 Card Validation Code 1 (CVC 1)

Track 1 and Track 2 of the magnetic stripe must be encoded with a CVC 1 value. Refer to
section 3.9.5 of this manual for Card validation code requirements, calculation methods, and
verification data.
3.5.2 Service Code

Track 1 and Track 2 of the magnetic stripe must contain an encoded three-digit service code
value. Refer to section 3.10 of this manual for service code usage requirements.
3.5.3 Cardholder Name
NOTE: The Cardholder’s name must be present in the Account Information Area and encoded
on the magnetic stripe.

3.5 Magnetic Stripe or MasterCard HoloMag Encoding
The encoded Cardholder Name field in Track 1 is a variable length, alphanumeric field, with a
maximum length of 26 characters within (up to) three subfields. Due to the variable length of
the field, the starting position of each remaining field depends on the ending position of the
Cardholder name. The Cardholder Name and Content Format table shown in Appendix A
defines the specifications for encoding the Cardholder name on the magnetic stripe.
NOTE: Characters “%”, “^”, and “?” cannot be used in the Cardholder Name field, because
they are used only for specified encoding purposes.
Use the following specifications to encode the Cardholder name on the magnetic stripe of all
Cards:
• If the Card is a MasterCard Corporate Card product, the Cardholder name encoded on
Track 1 and the name present in the Account Information Area should be the same,
although the formats are different.
For example:
BROWN/ROBERT S
• Issuers engaged in the instant issuance and/or instant personalization of Cards under the
MasterCard Unembossed or MasterCard Electronic Programs or the issuance of non-
personalized prepaid Cards must ensure that when a Program name appears on the Card
front in place of the Cardholder name, the same Program name is also encoded in the
Cardholder Name field in Track 1.
• The magnetic stripe may encode a Cardholder’s title, such as Dr., Sir, or Mrs. A separator
period (.) must precede the title.
For example:
BROWN/ROBERT S.DR
• If two Cardholder names are present in the Account Information Area on the same Card,
encode in any of the following four formats:
BROWN/ROBERT S or
BROWN/AGNES T or
BROWN/ROBERT AGNES or
BROWN/ROBERT S.MR MRS
• If a Card has a company name present in the Account Information Area, in addition to a
Cardholder name, encode the Cardholder name.
For example:
Present in the Account Information Area: ROBERT S. BROWN

ALPHA COMPANY

3.6 Chip Cards
Encoded on the magnetic stripe: BROWN/ROBERT S
NOTE:
The subfields surname, initials or first name, and title may contain spaces. For example:
Present in the Account Information Area: RT REV ROBERT J SMITH
Encoded on the magnetic stripe: SMITH/ROBERT J.RT REV
3.5.4 Expiration Date

The following requirements apply for the encoded expiration date:
• The Card-read stripe must include the encoded Account’s expiration date. Acceptable
expiration date values are the following:
Year 00–99
Month 01–12
• The format for the encoded expiration date is YYMM to comply with ISO specifications.
• The encoded expiration date on Track 1 must be the same as the expiration date encoded
on Track 2 and present in the Account Information Area.
• Do not encode the start date for dual dating, except as part of the Discretionary Data field
on Track 1 and Track 2 of the magnetic stripe.
A Maestro or Cirrus Card must not use a maximum validity period of more than 20 years from
the date of issuance or, for non-expiring Cards, the designated default value of 4912
(December 2049) must be used. For a Maestro or Cirrus Card issued in the Europe Region and
using the Europay Security Platform (ESP) PIN Verification Value (PVV), the maximum validity
period is the current year plus four (effectively a five-year validity period).
The expiration date of a Chip Card must not exceed the expiration date of any of the
certificates contained within the chip. In the case of a non-expiring Chip Card:
1. The settings within the chip must force every Transaction online for authorization or
decline the Transaction if online authorization is not possible;
2. The Chip Card must not contain an offline Card Authentication Method (CAM) certificate;
and
3. The Issuer must utilize full EMV processing.
3.6 Chip Cards

Chip Cards, also known as integrated circuit or smart Cards, are credit or debit Cards
containing computer chips with memory and interactive capabilities and can be used to
identify and store additional data about the Cardholder, Cardholder account, or both. Chip
Cards may have contact functionality or both contact and contactless functionality.

3.6 Chip Cards
Issuers of Chip Cards must comply with all applicable Standards, including but not limited to
the Standards set forth in the M/Chip Requirements manual and other M/Chip
documentation, and with the EMV specifications.
The Issuer of a Chip Card must implement M/Chip as the EMV payment application on the
Card, in accordance with a current M/Chip Card application specification.
A contact Chip Card may be issued or re-issued under an online-only Card Program (herein,
an “online-only contact chip Card”). An online-only contact chip Card is configured to always
require a POS Terminal to obtain online authorization from the Issuer for a contact chip
Transaction.
Effective as of the dates described below, the Issuer of a contact Chip Card must perform an
online Card authentication method (online CAM) for each online-authorized contact Chip
Transaction by validating the Authorization Request Cryptogram (ARQC) contained in the
Authorization Request/0100 or Financial Transaction Request/0200 message and populating
DE 55, including an Authorization Response Cryptogram (ARPC), in the Authorization Request
Response/0110 or Financial Transaction Request Response/0210 message. Alternatively, if the
Issuer’s host system does not support ARQC validation, the Issuer must be enrolled in the
MasterCard M/Chip Cryptogram Pre-Validation Service.
• Any Issuer located in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, or
Middle East/Africa Region that is not in compliance must establish a compliance action plan
by 1 January 2015.
• All Issuers located in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, or
Middle East/Africa Region must be in compliance by 17 April 2015.
• All Issuers located in the United States Region must be in compliance by 1 October 2015.
All Chip Cards, except Cards issued under an online-only Card Program, must support Static
Data Authentication (SDA) (unless prohibited within a Region) or Dynamic Data
Authentication (DDA) as the offline CAM, to reduce the risk of counterfeit fraud. (Support of
both DDA and Combined Data Authentication [CDA] is highly recommended.) Online-only
contact chip Cards are not required to support offline CAM for contact chip Transactions.
Any Chip Card issued or reissued in the Europe Region on or after 1 January 2011 and any
Chip Card issued or re-issued in the Asia/Pacific Region, Canada Region, Latin America and
the Caribbean Region, or Middle East/Africa Region on or after 16 October 2015:
• Must, at a minimum, support DDA as the offline CAM for contact chip Transactions, except
Cards issued under an online-only Card Program; and
• Must not support SDA.
Any Chip Card issued or reissued in the United States Region, if configured to support offline
authorization, must support DDA or both DDA and CDA as the offline CAM(s) for contact
chip Transactions and must not support SDA.
NOTE: Issuers must define their priority of PIN verification methods within the chip. Offline
PIN verification is recommended as the first priority.
Support of CDA on Chip Cards is optional.

3.6 Chip Cards
3.6.1 Chip Card Applications

All Payment Applications must be type-approved by MasterCard, prior to Chip Card
production. Furthermore, the composition of the chip, operating system (if present), and the
EMV application must have successfully passed a Compliance Assessment and Security Testing
(CAST) security evaluation.
Issuers must define within the chip the preferred verification method for Point-of-Interaction
(POI) Transactions. A non-Customer that personalizes Payment Applications acts on behalf of
the Card Issuer and must conform to MasterCard security Standards.
Issuers using M/Chip 4 should refer to the M/Chip Personalization Data Specifications and
Profiles and the M/Chip 4 Version 1.1 Issuer Guide to Debit and Credit Parameter
Management for more information.
Issuers using M/Chip Advance should refer to the M/Chip Advance Personalization Data
Specifications and the M/Chip Advance—Issuer Guide for more information.
3.6.1.1 Compliance Assessment and Security Testing

MasterCard has established the CAST process to assist its Issuers in promoting the continuous
improvement of security Standards for the implementation of all Chip Cards by MasterCard.
Issuers may only issue Chip Cards that have been certified under the CAST process and appear
on the CAST Approved Products list (Chip Cards that have undergone a successful evaluation
against the CAST Security Guidelines using a recognized evaluation laboratory). Cards will
typically remain on the CAST Approved Products list for three years from the evaluation date.
Prior to Chip Card production, purchase, and distribution, Issuers must confirm with their
vendor(s) that the Chip Card will be on the CAST Approved Products list over the intended
period of issuance and adjust their procurement quantities accordingly.
For information regarding CAST, refer to the Compliance Assessment and Security Testing
Program manual or contact the Chip Help Desk at chip_help@mastercard.com.
3.6.1.2 Integrated Circuit Chip Providers

An Issuer must obtain all EMV chips for embedding on a Card from an EMV chip
manufacturer that has been approved in advance by MasterCard.
MasterCard publishes a list of approved EMV chip manufacturers periodically in a Global
Security Bulletin. Or for more information, contact the Chip Help Desk at
chip_help@mastercard.com.
3.6.2 Multiple Application Chip Cards

Any Card Program may reside on a chip, and any combination of Card Programs may reside
together on a single Chip Card. All credit, debit, charge, and stored-value applications residing
on a single Chip Card must be offered by, and are the responsibility of the Card Issuer.
Additionally, all other applications stored on a Chip Card by any Issuer, or any other party at
an Issuer’s request, must conform to all relevant technical specifications of MasterCard or its
agent.

3.7 Contactless Cards and Payment Devices
3.6.3 Use of M/Chip Card Application Specifications

Chip Card products that incorporate any implementation of the MasterCard M/Chip Card
application specifications may only be used on MasterCard, Maestro, and Cirrus Cards and
Access Devices, unless otherwise agreed in writing by MasterCard.
The M/Chip Card application specifications are available on MasterCard Connect™ in the Chip
Information Center.
3.7 Contactless Cards and Payment Devices

MasterCard prohibits the encoding of the Cardholder name in the contactless chip of a
contactless-enabled Card ("Contactless Card") or Contactless Payment Device that allows
such information to be transmitted via the radio frequency (RF) contactless interface. This
restriction applies to all newly issued and re-issued contactless-enabled Cards and Contactless
Payment Devices.
Effective as of the dates described below, the Issuer of a Contactless Card or Contactless
Payment Device must perform an online CAM for each online-authorized EMV Mode
Contactless Transaction by validating the Authorization Request Cryptogram (ARQC)
contained in the Authorization Request/0100 or Financial Transaction Request/0200 message.
Alternatively, if the Issuer's host system does not support ARQC validation, the Issuer must be
enrolled in the MasterCard M/Chip Cryptogram Pre-Validation Service.
• Any Issuer located in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, or
Middle East/Africa Region that is not in compliance must establish a compliance action plan
by 1 January 2015.
• All Issuers located in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, or
Middle East/Africa Region must be in compliance by 17 April 2015.
• All Issuers located in the United States Region must be in compliance by 1 October 2015.
A Contactless Card or Contactless Payment Device with M/Chip functionality that is issued or
re-issued in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, or Middle
East/Africa Region:
• Must support CDA as the offline CAM, unless it supports online-only authorization of
Contactless Transactions; and
• Must not support SDA as the offline CAM.
A Contactless Card or Contactless Payment Device with M/Chip functionality that is issued or
re-issued in the United States Region:
• Must be configured to support both online and offline authorization of Contactless
Transactions; and
• Must support CDA as the offline CAM and must not support SDA.
Refer to the M/Chip Requirements for additional details.

3.8 Mobile Payment Devices
3.8 Mobile Payment Devices

There is no limitation on the type of account that may co-reside on the same Mobile Payment
Device user interface, so long as such accounts are not linked, but rather exist independently
and are accessed by a separate and distinct Payment Application hosted on the same or
different user interfaces.
Mobile Payment Devices may support MasterCard contactless payment and/or Digital Secure
Remote Payment (DSRP) functionality. If an Issuer chooses to add this functionality to a Secure
Element (SE)-based Mobile Payment Device, the application software, personalization data,
and all other aspects of the functionality must comply with the requirements set forth in the
Standards, including but not limited to the following as may be published by MasterCard from
time to time:
• Mobile MasterCard PayPass User Interface Application Requirements,
• M/Chip Mobile Issuer Implementation Guide v1.1,
• the contactless branding Standards, and
• any other applicable technical specifications.
For Mobile Payment Devices supporting MasterCard contactless payment or DSRP functionality
that do not use an SE, Issuers should refer to the MasterCard Cloud-Based Payment (MCBP)
documentation.
Issuers should also refer to the mobile payment security guidelines set forth in the Security
Guidelines for Mobile Payment Solutions.
The SE must be CAST-approved and have received a mobile payment certificate number
(MPCN). Issuers may choose a CAST-approved SE (with corresponding MPCN) from the list
published on MasterCard Connect. The Mobile Payment Device itself does not undergo a
CAST approval. Prior to issuance of the SE-based Mobile Payment Device, the Payment
Application must also pass the functional and security testing program, for which a letter of
approval will be issued by MasterCard.
For information regarding CAST, refer to the Compliance Assessment and Security Testing
Program manual. For information regarding a letter of approval, refer to the M/Chip Mobile
Issuer Implementation Guide v1.1.
3.9 Card Validation Code (CVC)

The CVC is a security feature with components identified elsewhere in this manual. Use of
CVCs makes it more difficult for counterfeiters to alter Cards and reuse them for fraudulent
purposes.
NOTE: CVC 1 and CVC 2 are mandatory security features for all MasterCard Cards.
CVC 1 must be encoded on Track 1 and Track 2 in three contiguous positions in the
Discretionary Data field of the magnetic stripe on all MasterCard Cards.

Maestro Cards and Cirrus Cards issued or reissued on or after 11 January 2013 and with a
PAN of 16 digits or less must support CVC 1 on the magnetic stripe and Chip CVC in the
Track 2 Equivalent Data field.
Chip CVC must be encoded in the Track 2 Equivalent Data field in three contiguous positions
within the Discretionary Data field of the chip on all Chip Cards and must be different than
the CVC 1 value encoded on the magnetic stripe.
All Chip Card Issuers, including those using the Chip-to-Magnetic Stripe Conversion Service,
must use different values for CVC 1 and Chip CVC for all new and reissued Cards.
The following applies to contactless-enabled Cards (“Contactless Cards”) and Contactless
Payment Devices:
• All magnetic stripe profile Contactless Cards and Contactless Payment Devices must
generate a dynamic CVC 3.
• All M/Chip Contactless Cards and Contactless Payment Devices issued before 1 January
2010 that are capable of performing a Magnetic Stripe Mode Contactless Transaction must
either be encoded with a static CVC 3 or be able to generate a dynamic CVC 3.
• All M/Chip Contactless Cards and Contactless Payment Devices issued on or after 1 January
2010 that are capable of performing a Magnetic Stripe Mode Contactless Transaction must
generate a dynamic CVC 3.
Refer to the M/Chip Requirements for additional details.
Refer to Appendix A for track data layout, format, and content requirements. Refer to section
3.9.5 for CVC calculation methods.
Refer to the M/Chip Requirements for information about Chip CVC.
Refer to the M/Chip Processing Services—Service Description manual for information about
the Chip-to-Magnetic Stripe Conversion Service.
3.9.1 Issuer Requirements for CVC 1

MasterCard Issuers must:
• Encode the CVC 1 on Tracks 1 and 2
• Verify the encoded CVC 1 when processing a Card-read authorization request
The Issuer verifies the CVC 1 value from the Card-read data as transmitted in the
authorization request during the online authorization process. The Issuer’s host can perform
the verification.
NOTE: Certification is required for Issuers to validate the CVC 1 value during the authorization
process and to signal CVC 1 validation errors. Refer to Chapter 4 of the Authorization Manual
for more information.
When an Issuer is “timed out” or unavailable, the Stand-In Processing Service provides an
authorization request response. If an Issuer is signed up for CVC 1 verification, the Stand-In
Processing Service performs an additional test to verify that the CVC 1 value is valid.

MasterCard may mandate participation in the CVC 1 verification in the Stand-In Processing
Service for an Issuer with both 35 basis points of Transactions authorized by means of Stand-
In processing and significant counterfeit activity within a calendar quarter. Refer to Chapter 6
of the Authorization Manual for more information.

An Issuer must verify the CVC 2 value when provided by the Merchant and transmitted by the
Acquirer in Data Element (DE) 48 (Additional Data—Private Use), subelement 92 (CVC 2) of
the Authorization Request/0100 message >>>or Financial Transaction Request/0200
message<<<. Issuers must verify the CVC 2 value by providing a valid CVC 2 response code of
M (valid CVC 2 [match]), N (invalid CVC 2 [non-match]), or P (CVC 2 not processed—Issuer
temporarily unavailable) in DE 48, subelement 87 (Card Validation Code Result) of the
Authorization Request Response/0110 message >>>or Financial Transaction Request
Response/0210 message<<<.
For Intracountry Maestro POS Transactions occurring within the U.K., Ireland, and France only,
the following applies:
• If an Issuer receives CVC 2 data in an authorization request and it is invalid (for example,
DE 48, subelement 92 [CVC 2] is not blank and the data does not match the data held in
the Issuer's records), the authorization request must be declined.
• If an authorization request with invalid CVC 2 data is approved, the Issuer cannot use a
fraud-related message reason code to charge back the Transaction.

An Issuer must enable a dynamic CVC 3 on the contactless chip for all magnetic stripe profile
Contactless Transactions performed by magnetic stripe profile Contactless Chip Cards and
Contactless Payment Devices.
All new contactless-enabled Chip Cards and Contactless Payment Devices issued on or after 1
January 2010 that are capable of performing magnetic stripe profile Contactless Transactions
must generate a dynamic CVC 3.
An Issuer must verify the CVC 3 value and provide the result in the response when processing
the authorization received from a Contactless Transaction.
3.9.4 Acquirer Requirements for CVC 2

When the Merchant provides the CVC 2 value, the Acquirer must include the CVC 2 value in
DE 48, subelement 92 of the Authorization Request/0100 message >>>or Financial
Transaction Request/0200 message<<<. The Acquirer is also responsible for ensuring that the
Merchant receives the CVC 2 response code provided by the Issuer in DE 48, subelement 87
of the Authorization Request Response/0110 message >>>or Financial Transaction Request
Response/0210 message<<<.
All non-face-to-face gambling Transactions conducted with a MasterCard Card must include
the CVC 2 value in DE 48, subelement 92 of the Authorization Request/0100 message.

3.9.5 CVC Calculation Methods

The Issuer may calculate the CVC 1, CVC 2, and Chip CVC by one of two methods:
• Issuer proprietary calculation—which gives the Issuer the option to derive the CVC
algorithmically.
• Data Encryption Standard (DES) software—where the Issuer can perform the
calculation through a DES software application within a host system or through use of a
tamper-resistant security module (TRSM).
Issuers that choose the DES software method must use the DES algorithm procedure to
generate the CVC 1, CVC 2, and Chip CVC.
The DES algorithm procedure is described below and is also published in the following
documents:
• ANSI X3.92-1981 American National Standard, Data Encryption Algorithm
• ISO/IEC 18033-3:2010, Information technology—Security techniques—Encryption
algorithms—Part 3: Block ciphers (see Annex A)
The DES method algorithm generates the three-digit CVC 1 for the Discretionary Data field of
Track 1 and Track 2. The Issuer also uses this method to develop the three-digit CVC 2 and
Chip CVC. This algorithm procedure applies only to Issuers that implement the CVC
generation process in their host systems.
MasterCard requires two 64-bit cryptographic DES keys for use in the generation process. An
Issuer may use the same two 64-bit DES keys for generating the CVC 1, CVC 2, and Chip
CVC (but not the CVC 3) provided that separate service codes are used. The same keys should
not be shared among multiple Issuers, such as when Issuers use a common Service Provider
for CVC 1, CVC 2, and Chip CVC processing.
MasterCard strongly discourages Issuers from using a CVC 2 value of “000.”
The DES algorithm procedure is performed by following the eight steps below:
1. If the primary account number (PAN) is longer than 16 digits, extract the last 16 digits of
the PAN.
2. Construct a string of bits by concatenating (left to right) the sequence of 4-bit values (or
nibbles), each of which is the binary representation of a numeric digit in the CVC Data
Elements, in the order indicated in Table 3.2:
NOTE: The Issuer must perform independent calculations to produce each CVC value.
Table 3.2—CVC Data Elements
For CVC 1 For CVC 2 For Chip CVC Length (all)
Output from Step 1 Output from Step 1 Output from Step 1 16

3.10 Service Codes
For CVC 1 For CVC 2 For Chip CVC Length (all)
Card expiration date (as Card expiration date (as Card expiration date (as 41
presented in Track 2 encoding) presented in the Account presented in Track 2
Information Area of the Card Equivalent Data encoding)
front)
Service code value must NOT Service code value must be Service code value must be 3
be “000” “000” “999”
Total 232
3. Apply ISO/IEC 9797-1 “MAC Algorithm 3”, “Padding Method 1” to the string created in
Step 2, using two independent DES keys, to produce an 8-byte result.
4. From the result of Step 3, going from left to right, a nibble at a time, extract all nibbles
that correspond to numeric digits (0-9); left-justify these digits in a 16–position field.
5. From the result of Step 3, going from left to right, a nibble at a time, extract all nibbles
that correspond to hexadecimal characters (A–F). To compensate for hexadecimal, subtract
10 from each extracted hexadecimal digit.
6. Concatenate the resulting digits from Step 5 to the right of the digits extracted in Step 4.
7. Set the CVC to the first three left-most digits of the decimal string created in Step 6.
8. Run the program three times, once for each CVC, using the CVC data elements indicated
in Table 3.2.
3.10 Service Codes

The service code, a three-digit number that complies with ISO 7813 (Identification Cards—
Financial Transaction Cards), is encoded on Track 1 and Track 2 of the magnetic stripe of a
Card and indicates to a magnetic stripe-reading terminal the Transaction acceptance
parameters of the Card. Each digit of the service code represents a distinct element of the
Issuer’s Transaction acceptance policy. However, not all combinations of valid digits form a
valid service code, nor are all service code combinations valid for all Card Programs. Issuers
may encode only one service code on Cards, and the same value must be encoded on both
Track 1 and Track 2 in their respective, designated positions.
Service codes provide Issuers with flexibility in defining Card acceptance parameters, and
provide Acquirers with the ability to interpret Issuers’ Card acceptance preferences for all POI
conditions.
Service codes apply to magnetic stripe-read Transactions only. In the case of Chip Cards used
in Hybrid POS Terminals, the Hybrid POS Terminal uses the data encoded in the chip to
complete the Transaction.
1 For OBKM, the format of the Card expiration date may be as presented as either YYMM or MMYY. See On-Behalf
Key Management (OBKM) Interface Specifications.
2 The output from Step 1 is 16 digits long. The resulting string reflects 23 digits (16+4+3) and is 92 bits long.

3.10 Service Codes
NOTE:
A value of 2 or 6 in position 1 of the service code indicates that a chip is present on a Card
which contains the MasterCard application that is present on the magnetic stripe.
3.10.1 Issuer Information

Currently, MasterCard recommends using service code value 101 (international Card, normal
authorization, normal Cardholder verification, no restrictions) for most Card applications. For
more information, refer to Table 3.3 in this chapter.
For a Maestro Card, the Issuer must use the following values in the service code:
• A value of 1 or 2 in position 1;
• A value of 0 or 2 (recommended) in position 2; and
• A value of 0, 1, or 6 in position 3. If a value of 1 or 6 is used, the Issuer must accept
Transactions that do not contain PIN data.
For a Cirrus (ATM-only) Card, the Issuer must use the following values in the service code:
• A value of 1 or 2 in position 1;
• A value of 0 or 2 in position 2; and
• A value of 0, 1, or 3 (recommended) in position 3.
A Debit MasterCard Card Issuer must not encode a value of 5 or 7 in position 3 of the service
code.
A MasterCard Electronic Card Issuer must encode a value of 2 (positive online authorization
required) in position 2 of the service code.
Issuers may use service codes to support the issuance of ICC applications and PIN
requirements.
For purposes of fraud prevention, Issuers are strongly recommended to set authorization
parameters that decline any Transaction containing the invalid service code values of 000 or
999.
3.10.2 Acquirer Information

Acquirers must ensure that their Hybrid Terminals do not reject or otherwise decline to
complete a Transaction solely because of the service code encoded on the magnetic stripe.
Acquirers are not required to act on the service codes at this time unless:
• A value of 2 or 6 is present in position 1 of the service code for a MasterCard, Maestro, or
Cirrus Payment Application. The Hybrid Terminal must first attempt to process the
Transaction as a chip Transaction; or
• The Terminal is located in the Europe Region and has magnetic stripe-reading capability,
and a value of 2 is present in position 2 of the service code for a MasterCard Payment
Application. The Acquirer must ensure that authorization is obtained before the Merchant
completes a magnetic stripe-read Transaction.

3.10 Service Codes
3.10.3 Valid Service Codes

Table 3.3 defines service code values for MasterCard, MasterCard Electronic, Maestro, and
Cirrus Payment Applications and each position of the three-digit service code.
NOTE: Service codes are three positions in length. To identify valid service code values,
combine the valid numbers for each of the three positions in this table. The value 000 is not a
valid service code and must not be encoded on the magnetic stripe of MasterCard,
MasterCard Electronic, Maestro, or Cirrus cards.
Table 3.3—Service Code Values
Definition Position 1 Position 2 Position 3
International Card 1
International Card—Integrated Circuit Card 2
National Use Only 5
National Use Only—Integrated Circuit Card 6
Private Label or Proprietary Card 7
Normal Authorization 0
Positive Online Authorization Required 2
PIN Required 0
Normal Cardholder Verification, No Restrictions 1
Normal Cardholder Verification—Goods and services only

2
at Point of Sale (no cash back)
ATM Only, PIN Required 3
PIN Required—Goods and services only at Point of Sale (no

5
cash back)
Prompt for PIN if PIN Pad Present 6
Prompt for PIN if PIN Pad Present—Goods and services only

7
at Point of Sale (no cash back)

3.11 Transaction Information Documents (TIDs)
3.10.4 Additional Service Code Information

The following information explains the service code values in Table 3.3.
• Normal authorization is an authorized Transaction according to the established rules
governing Transactions at the POI.
• Positive Online Authorization Required service codes (value of 2 in position 2) indicate that
an electronic authorization must be requested for all Transactions. This service code value
must be used on MasterCard Electronic™ cards, but is optional for MasterCard
Unembossed cards.
• Normal Cardholder verification indicates that the Cardholder verification method (CVM)
must be performed in accordance with established rules governing Cardholder verification
at the POI.
• ICC-related service codes (value of 2 or 6 in position 1) are permitted only on Chip Cards
containing a MasterCard, Maestro, or Cirrus Payment Application type-approved by
MasterCard or its agent.
• ICC-related service codes (value of 2 or 6 in position 1) may not be used for stand-alone
stored value (purse) applications that reside on MasterCard, Maestro, or Cirrus cards. In
these instances, a value of 1 must be placed in the first position.
• National Use Only service codes (value of 5 or 6 in position 1) are permitted only on
National Use Only Cards approved by MasterCard. This includes PIN-related service codes
on National Use Only Cards (for example, 506) governed by local PIN processing rules.
• Private label or proprietary service codes (value of 7 in position 1) on Cards that contain a
valid MasterCard BIN are permitted only on private label or proprietary Cards approved by
MasterCard.
Issuers may not use PIN-related service codes for Card Programs unless MasterCard has
approved the indicated use of a PIN.

Transaction Information Documents (TIDs) used in interchange Transactions must comply with
the Standards set forth in this section.
Below is a list of the types of TIDs discussed in this section:
• Retail sale
• Credit
• Cash disbursement
• Information
NOTE: The Acquirer must retain a copy of the TID for at least 13 months.
If the Merchant uses a manual imprinter, the TID produced is called a formset or slip. For
MasterCard formset specifications, refer to Appendix B.

If a Transaction begins at an electronic terminal, the Merchant may substitute a terminal

receipt for a formset. Terminal receipts have no prescribed physical specifications, but must be
numbered sequentially for reference purposes.
A TID must not reflect the following information:
• The PIN, any part of the PIN, or any fill characters representing the PIN
• The CVC 2, which is present in a white panel adjacent to the signature panel of the Card
MasterCard prohibits the recording of PIN data and CVC data in any manner for any purpose.
3.11.1 Formset Contents

Each copy of a retail sale, credit, or cash disbursement formset shall satisfy minimum statutory
and regulatory requirements in the jurisdiction in which the slip originates and any applicable
regulations, issued by the U.S. Board of Governors of the Federal Reserve System or other
regulatory authorities, and shall contain the following:
• In the case of retail sale and credit slips, a space for the description of goods, services, or
other things of value sold by the Merchant to the customer and the cost thereof, in
sufficient detail to identify the Transaction.
• Adequate spaces for:
– The customer’s signature
– Card imprint and the Merchant or bank identification plate imprint
– Date of the Transaction
– Authorization number (except on credit slips)
– Currency conversion field
– Description of the positive identification supplied by the Cardholder on cash
disbursements and retail sale slips for certain unique Transactions.
• A legend clearly identifying the slip as a retail sale, credit, or cash disbursement and
identifying the receiving party of each copy.
• On the customer copy of the formset, the words (in English, local language, or both):
“IMPORTANT—retain this copy for your records,” or words to similar effect.
• Such other contents as are not inconsistent with these rules.
MasterCard recommends that each retail sale, credit, and cash disbursement slip bear a means
of identifying the Customer that distributed the slip to the Merchant.
3.11.2 POS Terminal Receipt Contents

Each copy of a POS Terminal receipt shall satisfy all requirements of applicable law, and shall
contain the following information:
• Doing Business As (DBA) Merchant name, city and state, country, or the point of banking
location
• Transaction date
• PAN of the Card or Contactless Payment Device presented by the Cardholder (refer to
"Primary Account Number (PAN) Truncation and Expiration Date Omission" in Chapter 3 of
the Transaction Processing Rules for PAN truncation requirements). When a Contactless

Payment Device is presented, the POS Terminal receipt will display the PAN associated with
that Contactless Payment Device, which may differ from the PAN on a Card linked to the
same Account.
• Transaction amount in the original Transaction currency
• Adequate space for the customer’s signature, unless the Transaction is completed with a
PIN as the CVM or no CVM is used (signature space required on Merchant copy only)
• Authorization approval code (except on credit receipts). Optionally, the Acquirer also may
print the Transaction certificate, the application cryptogram, or both for Chip Card
Transactions.
Each receipt shall clearly identify the Transaction as a retail sale, credit, or cash disbursement.
3.11.3 Primary Account Number Truncation and Expiration Date Omission

For information on this topic, refer to “Primary Account Number (PAN) Truncation and
Expiration Date Omission” (under “Providing a Transaction Receipt”) in Chapter 3 of the
Transaction Processing Rules manual.

Terminal and PIN Security Standards
Chapter 4 Terminal and PIN Security Standards

This chapter may be of particular interest to Issuers of Cards that support PIN as a Cardholder
verification method (CVM) and Acquirers of Terminals that accept PIN as a CVM. Refer to the
applicable technical specifications and the Transaction Processing Rules manual for additional
Terminal and Transaction processing requirements relating to the use of a PIN.
4.1 Personal Identification Numbers (PINs).....................................................................................41

4.2 PIN Selection and Usage..........................................................................................................41
4.3 PIN Verification....................................................................................................................... 42
4.4 PIN Authorization Requests..................................................................................................... 42
4.5 PIN Encipherment................................................................................................................... 42
4.6 PIN Key Management............................................................................................................. 43
4.6.1 PIN Transmission Between Customer Host Systems and the Interchange System.............. 43
4.6.2 On-behalf Key Management........................................................................................... 44
4.7 PIN at the POI for MasterCard Magnetic Stripe Transactions.................................................... 45
4.8 Terminal Security Standards.....................................................................................................45
4.9 Hybrid Terminal Security Standards..........................................................................................46
4.10 PIN Entry Device Standards....................................................................................................46
4.11 Wireless POS Terminals and Internet/Stand-alone IP-enabled POS Terminal Security
Standards..................................................................................................................................... 48
4.12 POS Terminals Using Electronic Signature Capture Technology (ESCT).................................... 48
4.13 Component Authentication.................................................................................................. 49
4.14 Triple DES Migration Standards............................................................................................. 49

4.1 Personal Identification Numbers (PINs)
4.1 Personal Identification Numbers (PINs)

An Issuer must give each of its Cardholders a personal identification number (PIN) in
conjunction with MasterCard Card issuance, or offer the Cardholder the option of receiving a
PIN. The Issuer must give the Cardholder a PIN in conjunction with Maestro Card and Cirrus
Card issuance. The PIN allows Cardholders to access the MasterCard ATM Network® accepting
the MasterCard®, Maestro®, and Cirrus® brands, and to conduct Transactions at Cardholder-
activated terminal (CAT) 1 devices, Maestro Merchant locations, and Hybrid Point-of-Sale
(POS) Terminals.
An Issuer should refer to the guidelines for PIN and key management set forth in the Issuer
PIN Security Guidelines.
An Acquirer must comply with the latest edition of the following documents, available at
www.pcisecuritystandards.org:
• Payment Card Industry PIN Security Requirements
• Payment Card Industry POS PIN Entry Device Security Requirements
• Payment Card Industry Encrypting PIN Pad Security Requirements
4.2 PIN Selection and Usage

An Issuer is responsible for generating, storing, processing, and supporting the change of
PINs. As part of its function, the Issuer must support and manage the PIN through its life cycle.
Several standardized PIN generation methods compliant with International Organization for
Standardization (ISO) 9564 allow for the verification of the PIN on platforms without the need
to store the PIN. These methods eliminate the need for expanded secure storage and permit
the PIN verification to be based on computing a value rather than comparing the decrypted
PIN against a stored value.
The PIN may be generated by the Issuer, or selected by the Cardholder. MasterCard strongly
recommends that Issuers provide an opportunity to Cardholders to replace the assigned PIN
with a self-selected PIN.
PINs must be numeric, alphabetic, or alphanumeric. The PIN must be at least four and no
more than six characters in length, except that for Cards issued in the Canada and United
States Regions, the PIN may be up to 12 characters in length. If an alphabetic or alphanumeric
PIN is generated, the Issuer should advise the Cardholder that many PIN entry devices only
contain numeric characters and must provide the numeric equivalent of the first six alpha
characters of the PIN.
An Issuer must not generate or allow its Cardholders to select PINs that contain the letters Q
or Z.
Issuers should refer to the Issuer PIN Security Guidelines for further information about
Cardholder and Issuer PIN selection.

4.3 PIN Verification
4.3 PIN Verification

An Issuer must be capable of verifying PINs based on a maximum of six characters. The Issuer
may use the PIN verification algorithm of its choice.
If a Card is encoded with a PIN Verification Value (PVV), then the Issuer may use the
MasterCard PIN verification service for authorization processing. If a proprietary algorithm is
used for the PVV calculation or the PVV is not encoded on the Card, then PIN verification will
not be performed on a Transaction authorized by means of the Stand-In Processing Service.
A Customer in a Region other than the Europe Region may refer to “PIN Processing for Non-
Europe Region Customers” in the Authorization Manual, Chapter 9, “Authorization Services
Details” for more information about the MasterCard PIN verification service, in which the
MasterCard Network performs PIN verification on behalf of Card Issuers. Europe Region
Customers should refer to Chapter 12, "PIN Processing for Europe Region Customers," of the
Authorization Manual.
Refer to “PIN Generation Verification” in Single Message System Specifications, Chapter 6,
“Encryption” for more information about PIN verification that the MasterCard Network
performs directly for Debit MasterCard Card and Maestro and Cirrus Card Issuers, and the two
PIN verification methods (IBM 3624 and ABA) that the PIN verification service supports. The
ANSI format of PIN block construction is also described in that chapter.
4.4 PIN Authorization Requests

Refer to the following manuals for additional support of Transactions that contain a PIN in the
Authorization Request/0100 message:
• Authorization Manual, Chapter 9—Authorization Services Details
• Customer Interface Specification, Chapter 5—Program and Service Format Requirements
4.5 PIN Encipherment

All Customers and their agents performing PIN Transaction processing must comply with the
security requirements for PIN encipherment specified in the Payment Card Industry PIN
Security Requirements.
All Issuers and their agents performing PIN processing should also refer to the MasterCard
Issuer PIN Security Guidelines document regarding PIN encipherment.

4.6 PIN Key Management

Key management is the process of creating, distributing, maintaining, storing, and destroying
cryptographic keys, including the associated policies and procedures used by processing
entities.
All Acquirers and their agents performing PIN Transaction processing must comply with the
security requirements for PIN and key management specified in the Payment Card Industry PIN
Security Requirements.
In addition, all Acquirers and their agents must adhere to the following Standards for PIN
encryption:
1. Perform all PIN encryption, translation, and decryption for the network using hardware
encryption.
2. Do not perform PIN encryption, translation, or decryption under Triple Data Encryption
Standard (DES) software routines.
3. Use the Triple DES algorithm to perform all encryption.
All Issuers and their agents performing PIN processing should refer to the Issuer PIN Security
Guidelines regarding all aspects of Issuer PIN and PIN key management, including PIN
selection, transmission, storage, usage guidance, and PIN change.
4.6.1 PIN Transmission Between Customer Host Systems and the Interchange
System
The Interchange System and Customers exchange PIN encryption keys (PEKs) in two manners:
statically and dynamically. Directly connected Customers that are processing Transactions
that contain a PIN may use either static or dynamic key encryption to encipher the PIN.
MasterCard strongly recommends using dynamic PEKs. Static PEKs must be replaced as
indicated in the references below.
For information about PIN key management and related services, including requirements for
key change intervals and emergency keys, refer to the manuals listed in Table 4.1, which are
available through the MasterCard Connect™ Publications product.
Table 4.1—PIN Key Management References
For Transaction authorization request messages routed

through… Refer to…
MasterCard Network/Dual Message System Authorization Manual
MasterCard Network/Single Message System Single Message System

Specifications

For Transaction authorization request messages routed

through… Refer to…
MasterCard Key Management Center via the On-behalf Key On-behalf Key Management
Management (OBKM) Interface (OBKM) Procedures
and
On-behalf Key Management
(OBKM) Interface Specifications
4.6.2 On-behalf Key Management

MasterCard offers the On-behalf Key Management (OBKM) service to Europe Region
Customers as a means to ensure the secure transfer of Customer cryptographic keys to the
MasterCard Key Management Center. OBKM services offer Customers three key exchange
options:
• One-Level Key Hierarchy—Customers deliver their cryptographic keys in three clear text
components to three MasterCard Europe security officers. The security officers then load
the key components into the Key Management Center.
• Two-Level Key Hierarchy—The Key Management Center generates and delivers
transport keys to Customers in three separate clear text components. Customers use the
transport keys to protect and send their cryptographic keys to Key Management Services in
Waterloo, Belgium. Key Management Services then loads the Customer keys into the Key
Management Center.
• Three-Level Key Hierarchy—The Key Management Center uses public key techniques to
deliver transport keys to Customers in three separate clear text components. Customers
use the transport keys to protect and send their cryptographic keys to Key Management
Services in Waterloo, Belgium. Key Management Services then loads the Customer keys
into the Key Management Center.
MasterCard recommends that Customers use the Two-Level or Three-Level Key Hierarchy, both
of which use transport keys to establish a secure channel between the Customer and the Key
Management Center.
MasterCard has developed a Cryptography Self Test Tool (CSTT) to assist Customers in
meeting OBKM interface requirements. Customers must use the CSTT before exchanging keys
with Key Management Services using the Two-Level and Three-Level Hierarchies.
Customers must register to participate in the OBKM service. For more information, contact
key_management@mastercard.com or refer to the On-behalf Key Management (OBKM)
Procedures and On-behalf Key Management (OBKM) Interface Specifications, available via the
MasterCard Connect™ Publications product.

4.7 PIN at the POI for MasterCard Magnetic Stripe Transactions
4.7 PIN at the POI for MasterCard Magnetic Stripe Transactions

MasterCard may authorize the use of a PIN for MasterCard magnetic stripe Transactions at
selected Merchant types, POS Terminal types, or Merchant locations in specific countries.
MasterCard requires the use of a PIN at CAT 1 devices. Acquirers and Merchants that support
PIN-based MasterCard magnetic stripe Transactions must provide Cardholders with the option
of a signature-based Transaction, unless the Transaction occurs at a CAT 1 device or at a CAT
3 device with offline PIN capability for Chip Transactions.
MasterCard requires Merchants to provide a POS Terminal that meets specific requirements for
PIN processing wherever an approved implementation takes place. When applicable, each
Transaction must be initiated with a Card in conjunction with the PIN entered by the
Cardholder at the terminal. The Acquirer must be able to transmit the PIN in the Authorization
Request/0100 message in compliance with all applicable PIN security Standards.
Acquirers and Merchants must not require a Cardholder to disclose his or her PIN, other than
by private entry into a secure PIN entry device (PED) as described in section 4.9 of this manual.
Acquirers must control Terminals equipped with PIN pads. If a terminal is capable of
prompting for the PIN, the Acquirer must include the PIN and full magnetic stripe-read data in
the Authorization Request/0100 message.
MasterCard will validate the PIN when processing for Issuers that provide the necessary keys
to MasterCard pursuant to these Standards. All other POI Transactions containing PIN data will
be declined in Stand-In processing.
4.8 Terminal Security Standards

The Acquirer must ensure that each Terminal:
1. Has a magnetic stripe reader capable of reading Track 2 data and transmitting such data
to the Issuer for authorization;
2. Permits the Cardholder to enter PIN data in a private manner;
3. Prevents a new Transaction from being initiated before the prior Transaction is completed;
and
4. Validates the authenticity of the Card or other Access Device.
For magnetic stripe Transactions, the following checks must be performed by the Acquirer
(either in the Terminal or the Acquirer host system), before the authorization request is
forwarded:
1. Longitudinal Redundancy Check (LRC)—The magnetic stripe must be read without LRC
error.
2. Track Layout—The track layout must conform to the specifications in Appendix A.
With respect to the electronic functions performed by a Terminal, the following requirements
apply:

4.9 Hybrid Terminal Security Standards
1. A Transaction may not be declined due to bank identification number (BIN)/Issuer

identification number (IIN) validation.
2. A Transaction may not be declined as a result of edits or validations performed on the
primary account number (PAN) length, expiration date, service code, discretionary data, or
check digit data of the Access Device.
3. Tests or edits on Track 1 must not be performed for the purpose of disqualifying a Card
from eligibility for Interchange System processing.
4.9 Hybrid Terminal Security Standards

The Acquirer must ensure that a Hybrid Terminal complies with all of the following Standards:
• Each Hybrid POS Terminal that reads and processes EMV-compliant payment applications
must read and process EMV-compliant MasterCard and Maestro Payment Applications.
• Each Hybrid ATM and Hybrid PIN-based In-Branch Terminal that reads and processes EMV-
compliant payment applications must read and process EMV-compliant MasterCard,
Maestro, and Cirrus Payment Applications.
• Each Hybrid Terminal must perform a Chip Transaction when a Chip Card or Access Device
is presented in compliance with all applicable Standards, including those Standards set
forth in the M/Chip Requirements manual.
• Each offline-capable Hybrid POS Terminal must support offline Static Data Authentication
(SDA) and offline Dynamic Data Authentication (DDA) as Card authentication methods
(CAMs). Each offline-capable Hybrid POS Terminal certified by MasterCard on or after 1
January 2011 also must support offline Combined Data Authentication (CDA) as a CAM.
• Except in the United States Region, each offline-capable Hybrid POS Terminal certified by
MasterCard on or after 1 January 2011 must support offline PIN processing as a
Cardholder verification method (CVM). In Taiwan, this requirement applies to Hybrid POS
Terminals certified by MasterCard on or after 1 January 2013.
• In the United States Region, each Hybrid POS Terminal that supports PIN must support both
online PIN and offline PIN processing.
• Each Hybrid POS Terminal that supports offline PIN processing must support both clear text
and encrypted PIN options.
4.10 PIN Entry Device Standards

A PED on an ATM Terminal, PIN-based In-Branch Terminal, or POS Terminal must have a
numeric keyboard to enable the entry of PINs, with an ‘enter key’ function to indicate the
completion of entry of a variable length PIN.
In all Regions except the Canada and United States Regions, a PED must accept PINs having
four to six numeric characters. In the Canada and U.S. Regions, a PED must support PINs of up
to 12 alphanumeric characters. It is recommended that all PEDs support the input of PINs in
letter-number combinations as follows:

4.10 PIN Entry Device Standards
1 Q, Z 6 M, N, O
2 A, B, C 7 P, R, S
3 D, E, F 8 T, U, V
4 G, H, I 9 W, X, Y
5 J, K, L
An Acquirer must ensure that all PEDs that are part of POS Terminals meet the following
Payment Card Industry (PCI) requirements:
1. All PEDs must be compliant with the Payment Card Industry PIN Security Requirements
manual.
2. All newly installed, replaced, or refurbished PEDs must be compliant with the PCI POS PED
Security Requirements and Evaluation Program.
3. All PEDs must be in compliance with the PCI POS PED Security Requirements and
Evaluation Program or appear on the MasterCard list of approved devices.
As a requirement for PED testing under the PCI POS PED Security Requirements and Evaluation
Program, the PED vendor must complete the forms in the Payment Card Industry POS PIN
Entry Device Security Requirements manual, along with the Payment Card Industry POS PIN
Entry Device Evaluation Vendor Questionnaire. The vendor must submit all forms together
with the proper paperwork, including the required PED samples, to the evaluation laboratory.
If a Customer or MasterCard questions a PED with respect to physical security attributes (those
that deter a physical attack on the device) or logical security attributes (functional capabilities
that preclude, among other things, the output of a clear text PIN or a cryptographic key),
MasterCard has the right to effect an independent evaluation performed at the
manufacturer’s expense.
MasterCard will conduct periodic security reviews with selected Acquirers and Merchants.
These reviews will ensure compliance with MasterCard security requirements and generally
accepted best practices.
WARNING:
The physical security of the PED depends on its penetration characteristics. Virtually any
physical barrier may be defeated with sufficient effort.
For secure transmission of the PIN from the PED to the Issuer host system, the PED must
encrypt the PIN using the approved algorithm(s) for PIN encipherment listed in ISO 9564-2 and
the appropriate PIN block format as provided in ISO 9564-1.

4.11 Wireless POS Terminals and Internet/Stand-alone IP-enabled POS Terminal Security Standards
If the PIN pad and the secure component of the PED are not integrated into a single tamper-
evident device, then for secure transmission of the PIN from the PIN pad to the secure
component, the PIN pad must encrypt the PIN using the approved algorithm(s) for PIN
encipherment listed in ISO 9564-2.
4.11 Wireless POS Terminals and Internet/Stand-alone IP-enabled POS

Terminal Security Standards
MasterCard has established security requirements for the encryption of sensitive data by POS
Terminals. These requirements apply to POS Terminals that use wide area wireless
technologies, such as general packet radio service (GPRS) and code division multiple access
(CDMA), to communicate to hosts and stand-alone IP-connected terminals that link via the
Internet.
All wireless POS Terminals and Internet/IP-enabled POS Terminals must support the encryption
of Transaction and Cardholder data between the POS Terminal and the server system with
which they communicate, using encryption algorithms approved by MasterCard.
If the deployed Internet/IP-enabled POS Terminals are susceptible to attacks from public
networks, Acquirers must ensure that they are approved by the MasterCard IP POS Terminal
Security (PTS) Testing Program.
Internet/IP-enabled POS Terminals may be submitted for security evaluation at laboratories
recognized by the MasterCard IP PTS Testing Program for subsequent approval.
All Acquirers deploying wireless POS Terminals or Internet/IP-enabled POS Terminals must refer
to the following required security documents:
• POS Terminal Security Program—Program Manual
• POS Terminal Security Program—Security Requirements
• POS Terminal Security Program—Derived Test Requirements
• POS Terminal Security Program—Vendor Questionnaire
• Payment Card Industry Data Security Standard (produced by the PCI Security Standards
Council)
• Any other related security documents that MasterCard may publish from time to time.
4.12 POS Terminals Using Electronic Signature Capture Technology

(ESCT)
An Acquirer that deploys POS Terminals using Electronic Signature Capture Technology (ESCT)
must ensure the following:
• Proper electronic data processing (EDP) controls and security are in place, so that digitized
signatures are recreated on a Transaction-specific basis. The Acquirer may recreate the
signature captured for a specific Transaction only in response to a retrieval request for the
Transaction.

4.13 Component Authentication
• Appropriate controls exist over employees with authorized access to digitized signatures
maintained in the Acquirer or Merchant host computers. Only employees and agents with
a “need to know” should be able to access the stored, electronically captured signatures.
• The digitized signatures are not accessed or used in a manner contrary to the Standards.
MasterCard reserves the right to audit Customers to ensure compliance with these
requirements and may prohibit the use of ESCT if it identifies inadequate controls.
4.13 Component Authentication

All components actively participating in the Interchange System must authenticate each other
by means of cryptographic procedures, either explicitly by a specific authentication protocol or
implicitly by correct execution of a cryptographic service possessing secret information (for
example, the shared key or the logon ID).
A component actively participates in the Interchange System if, because of its position in the
system, it can evaluate, modify, or process security-related information.
4.14 Triple DES Migration Standards

Triple Data Encryption Standard (DES), minimum double key length (hereafter referred to as
“Triple DES”), must be implemented as follows:
• All newly installed PEDs, including replacement and refurbished PEDs that are part of POS
Terminals, must be Triple DES capable. This requirement applies to POS Terminals owned by
Customers and non-Customers.
• All Customer and processor host systems must support Triple DES.
• It is strongly recommended that all PEDs that are part of POS Terminals be Triple DES
compliant and chip-capable.
• All PEDs that are part of ATM Terminals must be Triple DES compliant.
• All PIN-based Transactions routed to the Interchange System must be Triple DES compliant.
MasterCard recognizes that Customers may elect to use other public key encryption methods
between their POS Terminals or ATMs and their host(s). In such instances, MasterCard must
approve the alternate method chosen in advance of its implementation and use.
Approval will be dependent, in part, on whether MasterCard deems the alternate method to
be as secure as or more secure than Triple DES. Approval is required before
implementation can begin. All Transactions routed to the Interchange System must be Triple
DES compliant.

Card Recovery and Return Standards
Chapter 5 Card Recovery and Return Standards

This chapter may be of particular interest to Customers that issue MasterCard® cards. It includes
guidelines for personnel responsible for Card retention and return, reporting of lost and stolen
Cards, and criminal and counterfeit investigations.
5.1 Card Recovery and Return.......................................................................................................51

5.1.1 Card Retention by Merchants.......................................................................................... 51
5.1.1.1 Returning Recovered Cards...................................................................................... 51
5.1.1.2 Returning Counterfeit Cards.................................................................................... 51
5.1.1.3 Liability for Loss, Costs, and Damages......................................................................52
5.1.2 ATM Card Retention........................................................................................................52
5.1.2.1 Handling ATM-Retained Cards................................................................................. 53
5.1.2.2 Returning ATM-Retained Cards to Cardholders........................................................ 53
5.1.2.3 Fees for ATM Card Retention and Return................................................................. 53
5.1.3 Payment of Rewards........................................................................................................54
5.1.3.1 Reward Payment Standards......................................................................................54
5.1.3.2 Reward Amounts..................................................................................................... 54
5.1.3.3 Reimbursement of Rewards..................................................................................... 55
5.1.3.4 Reward Payment Chargebacks................................................................................. 55
5.1.4 Reporting Fraudulent Use of Cards.................................................................................. 55
5.1.5 Reporting Lost and Stolen Cards......................................................................................56
5.1.5.1 MasterCard Receiving Reports................................................................................. 56
5.2 Criminal and Counterfeit Investigations...................................................................................57
5.2.1 Initiating an Investigation................................................................................................ 57
5.2.2 Providing a Progress Report............................................................................................. 57
5.2.3 Requesting an Arrest and Criminal Prosecution................................................................57
5.2.4 Fees and Reimbursement of Expenses..............................................................................57
5.2.5 Investigation of Counterfeits and Major Criminal Cases................................................... 58

5.1 Card Recovery and Return

The following sections address Customer responsibilities associated with Card retention and
return, rewards for Card capture, reporting of lost and stolen Cards, and criminal and
counterfeit investigations.
5.1.1 Card Retention by Merchants

Acquirers and Merchants should use their best efforts to recover a Card by reasonable and
peaceful means if:
• The Issuer advises the Acquirer or Merchant to recover the Card in response to an
authorization request.
• The Electronic Warning Bulletin file or an effective regional Warning Notice lists the
account number.
After recovering a Card, the recovering Acquirer or Merchant must notify its authorization
center or its Acquirer and receive instructions for returning the Card. If mailing the Card, the
recovering Acquirer or Merchant first should cut the Card in half through the magnetic stripe.
Maestro Card capture at a Point-of-Sale (POS) Terminal is not permitted with respect to
Interregional Transactions or Intraregional Transactions that occur within the Asia/Pacific, Latin
America and the Caribbean, or United States Regions.
5.1.1.1 Returning Recovered Cards

The Acquirer must follow these procedures when returning a recovered Card to the Issuer:
1. If the Merchant has not already done so, the Acquirer must render the Card unusable by
cutting it in half vertically through the magnetic stripe.
2. The Acquirer must forward the recovered Card to the Issuer within five calendar days of
receiving the Card along with the first copy (white) of the Interchange Card Recovery Form
(ICA-6). The additional copies are file copies for the Acquirer’s records. Unless otherwise
noted in the “Other Information” section of the Member Information tool, a recovered
Card must be returned to the Security Contact of the Issuer.
NOTE: A sample of the Interchange Card Recovery Form (ICA-6) appears in the Business Forms
™
section of MasterCard Connect .
A Merchant may return a Card inadvertently left at the Merchant location if the Cardholder
claims the Card before the end of the next business day and presents positive identification.
With respect to unclaimed Cards, a Merchant must follow the Acquirer's requirements as set
forth in the Merchant Agreement.
5.1.1.2 Returning Counterfeit Cards

The Acquirer or Merchant must return counterfeit Cards to the Issuer by following the
instructions provided by its authorization center. The following information identifies an Issuer:

• The Issuer’s MasterCard bank identification number (BIN) present in the Account
Information Area.
• The Member ID imprinted in the Card Source Identification area on the back of the Card.
In the absence of a BIN or Member ID, the Issuer may be identified by any other means,
including the bank name printed on the front or back of the Card or the magnetic stripe. If
the Issuer is still unidentifiable, return the Card to the MasterCard vice president of the
Security and Risk Services Department.
NOTE: The above method of identifying the Issuer applies only to the return of a counterfeit
Card, not to determining the Customer responsible for the counterfeit losses associated with
such Cards. For more information, refer to Chapter 6—Fraud Loss Control Standards of this
manual.
5.1.1.3 Liability for Loss, Costs, and Damages

Neither MasterCard nor any Customer shall be liable for loss, costs, or other damages for
claims declared against them by an Issuer for requested actions in the listing of an account or
a Group or Series listing on the Electronic Warning Bulletin file or in the applicable regional
Warning Notice by the Issuer. Refer to the Account Management System User Manual for
information about the procedures for listing accounts.
If an Acquirer erroneously uses these procedures without the Issuer’s guidance and authorizes
Merchant recovery of a Card not listed on the Electronic Warning Bulletin file or in the
applicable regional Warning Notice, neither MasterCard or its Customers shall be liable for
loss, costs, or other damages if a claim is made against them.
No Customer is liable under this section for any claim unless the Customer has:
• Written notice of the assertion of a claim within 120 days of the assertion of the claim, and
• Adequate opportunity to control the defense or settlement of any litigation concerning the
claim.
5.1.2 ATM Card Retention

Card retention must occur only at the Issuer’s command. Cards captured because of ATM
Terminal malfunction or Cardholder error, over which the ATM Terminal owner has no control,
are the only allowable exceptions. If the ATM Acquirer cannot determine within two business
days if a Card was captured because of a machine malfunction, Cardholder error, or a
command sent by the Issuer, the Card will be deemed to be a Card captured on command of
the Issuer.
An ATM Terminal Acquirer that as an Issuer sends Card capture commands must honor the
commands sent by other Issuers at all of its ATMs that are capable of Card capture.
In the Europe Region, the Acquirer of any ATM Terminal capable of Card capture must honor
the Card capture commands sent by any Issuer.
Completion messages must indicate, to the best knowledge of the Acquirer, the action taken
by the ATM for each Card capture request.

5.1.2.1 Handling ATM-Retained Cards

An ATM Terminal Acquirer must handle retained Cards in accordance with the following
requirements:
1. Log all retained MasterCard Cards under dual control immediately upon removal from the
ATM. With respect to retained Maestro and Cirrus Cards, it is the responsibility of the
Acquirer to establish appropriate procedures for documenting a Card capture.
2. Destroy retained Cards by cutting them in half vertically through the magnetic stripe, if the
Card is captured on command of the Issuer or if an Acquirer’s procedures do not include
returning retained Cards to Cardholders. A Maestro Card issued outside of the Europe
Region and captured by an ATM Terminal located in the Europe Region must be destroyed
and discarded.
When a captured card appears to be fraudulent (for example, a plain white plastic or
cardboard card), the Acquirer may (at its option) retain, preserve, and release such card to
appropriate law enforcement authorities.
5.1.2.2 Returning ATM-Retained Cards to Cardholders

Cards retained at the request of an Issuer must never be returned to the Cardholder without
the permission of the Issuer. However, Cards erroneously retained by the Acquirer because of
a machine malfunction, system failure, or Cardholder error may be held at the ATM location,
in a secure place, for two business days following capture and released to the Cardholder
subsequent to all of the following:
1. The Acquirer checks the Electronic Warning Bulletin file or applicable regional Warning
Notice (required for MasterCard® Cards only).
2. The Cardholder presents reasonable identification (for example, a current driver's license,
passport, or similar identification with a picture or descriptive data and a signature that is
comparable to the signature on the captured Card, if applicable).
3. The Cardholder signs a disposition log or receipt, or the Acquirer otherwise maintains a
record of the action taken.
The Acquirer then must notify the Issuer and explain that the Card was retained, the
circumstances of the retention, and that the Card was returned to the Cardholder.
If the Cardholder does not return to claim the Card before the end of the second business day
following Card capture, the Card's magnetic stripe must be destroyed.
An Acquirer will not incur liability for fraudulent or unauthorized Transactions initiated with a
Card that such Acquirer has returned to a Cardholder following the Card's capture at an ATM
Terminal, provided that the Acquirer complied with the requirements described in this section.
5.1.2.3 Fees for ATM Card Retention and Return

The Acquirer must not charge the Issuer any fee for the ATM retention or return of a Card.

5.1.3 Payment of Rewards

The Acquirer may, at its option, pay the Merchant or financial institution teller a reward for
capturing a Card in accordance with local practice. The person capturing the Card receives the
reward.
5.1.3.1 Reward Payment Standards

The Acquirer must follow these Standards when paying a reward:
1. Pay no less than USD 50 to the Merchant capturing a Card listed on the Electronic
Warning Bulletin file or in the Warning Notice and no less than EUR 50 to the Merchant
capturing a Card listed under Region D on the Electronic Warning Bulletin file.
2. Pay the Merchant USD 100 (EUR 100 when the Merchant is in the Europe Region and the
valid Card was issued in the Europe Region), if a Merchant initiates an authorization call
because of a suspicious Transaction or captures a Card not listed on the Electronic
Warning Bulletin file or in the Warning Notice.
3. Pay a reward to a financial institution teller for the capture of another Customer’s Card if it
is the Acquirer’s practice to pay its tellers rewards for picking up its own Cards. The
amount of the reward should be the same amount paid for the capture of the Acquirer’s
own Cards within the limits set forth in section 5.1.3.2.
4. Charge the Issuer for reimbursement of the reward paid upon dispatching each Card
captured by either a Merchant or a financial institution teller. The Fee Collection/1740
message with an Integrated Product Messages (IPM) message reason code (Data Element
25) equal to 7601 will settle the reward.
5.1.3.2 Reward Amounts

The Acquirer should follow these guidelines for determining reward amounts.
Table 5.1—Amount Determinations
IF the capture… THEN pay this amount…
Resulted from a “Merchant Suspicious” phone call USD 100 (EUR 100 when the Merchant is in the
Europe Region and the valid Card was issued in
the Europe Region)
Did not result from a “Merchant Suspicious” USD 50 (EUR 50 in the Europe Region)
phone call
Leads to the capture of additional Cards USD 50/EUR 50 for each Card captured, with a
maximum total of USD 250/EUR 250 for any one
incident

The stipulation that the person capturing the recovered Card receives the reward as stated in
section 5.1.3 does not prevent Customers from making mutually acceptable agreements
between themselves regarding rewards.
The recovering Customer may collect an administrative fee of USD 15 for expenses incurred in
processing the captured Card. A recovering Customer in the Europe Region may collect an
administrative fee of EUR 15 for such expenses. The capturing Customer may add this fee to
the amount of the reward reimbursement or collect the fee independently, using the Fee
Collection/1740 message.
5.1.3.3 Reimbursement of Rewards

The following specifications apply to reward reimbursement.
• Upon dispatching the Card to the Issuer, the Acquirer will obtain reimbursement for the
reward paid and the USD 15 or EUR 15 fee by processing the Fee Collection/1740
message.
• If a Customer returns a Card to an Issuer and a reward is not paid, the recovering
Customer may, at its discretion, collect a USD 15 or EUR 15 fee by processing a Fee
Collection/1740 message record.
• Upon receipt of the Interchange Card Recovery Form (ICA-6), the Issuer should match it to
the Fee Collection/1740 message record based on the Acquirer Member ID, account
number, and recovery date comparisons.
• If an exempt Customer has an electronic reward payment processed, clearing receives the
record by an information slip. The Transaction is part of the Net Settlement System for
settlement purposes.
5.1.3.4 Reward Payment Chargebacks

A reward reimbursement draft may be charged back only when the incorrect Customer is
charged. The senior vice president of the Security and Risk Services Department will resolve
any dispute concerning reward reimbursement.
5.1.4 Reporting Fraudulent Use of Cards

An Issuer must submit all fraudulent Transactions on its Accounts to the System to Avoid
Fraud Effectively (SAFE) on a monthly basis as described in Chapter 12. For the benefit of all
Customers, MasterCard analyzes the data and produces statistics relating to the fraudulent
use of MasterCard accounts and all chargebacks that originate from Transactions using
accounts with a fraud status.
An Issuer must report fraudulent Transactions even if it recovered losses through chargebacks,
compliance cases, restitution, insurance, or any other means.
An Acquirer receiving a Transaction that cannot be identified by a MasterCard BIN or Member
ID is liable for that Transaction. If it is determined that the Transaction is a fraudulent or
counterfeit Transaction, the Acquirer must notify, in writing, the Security and Risk Services
Department of such an occurrence. This notification must include all mandatory information
as described in Chapter 7 of the SAFE Products User Guide.

5.1.5 Reporting Lost and Stolen Cards

A Customer, or a Third Party Processor (TPP) acting as the Customer's or its Sponsor's
authorized agent, that receives a lost or stolen Card report must promptly notify the Issuer of
the report. The Customer should send the notice via phone and direct it to the Issuer’s Security
Contact identified in the Member Information tool available on MasterCard Connect™. If an
Issuer requests to receive such notice by another method, then the Customer should comply
with the Issuer's request.
The notice must include all relevant available information, such as:
• Member ID of the institution sending the notice
• Issuer’s name
• Cardholder’s account number
• Cardholder’s name and address
• Phone number and an address where the Cardholder can be reached
If the Customer cannot immediately reach the Issuer by phone, the Customer must make
another attempt at the first opportunity during the Issuer’s normal business hours. Issuers
must accept all collect calls placed to report a lost or stolen Card.
NOTE: The Issuer will be responsible for the reasonable costs of transmitting the notice.
For international notifications only, in lieu of a phone message, a telex or cable message is
acceptable. The Issuer is responsible for the reasonable costs of transmitting the notice and
must accept collect calls. The notice should include the same information previously
mentioned. In addition, the Customer making the report should follow the international
notice with a written confirmation within three business days.
The Customer that receives and transmits the report may submit to the Issuer an IPM Fee
Collection/1740 message with message reason code 7600 to collect the USD 15 lost or stolen
Card report fee in addition to any transmission costs that it may incur.
If the account number is unknown, the reporting Customer still may use the IPM Fee
Collection/1740 message by zero-filling the Account Number field and by providing the
Cardholder’s name and address, and the Issuer's name or service mark, in the Data Text field.
NOTE: Issuers may direct Cardholders to the MasterCard Assistance Center at 1-800-307-7309.
5.1.5.1 MasterCard Receiving Reports

MasterCard will help its Customers by receiving lost or stolen Card reports, and will (at each
Customer’s option) either take the report and promptly notify the Issuer or, if the report is by
phone, direct the call to the Issuer (when such capability is available). MasterCard will, only at
each Issuer’s request, promptly update the authorization negative file used for Stand-In
processing.
MasterCard may charge the Issuer USD 15 per report in addition to any transmission costs
that it may incur for receiving and transmitting the report.

5.2 Criminal and Counterfeit Investigations

On request, each Customer must provide other Customers with reasonable investigative
assistance in the geographical area covered by its own Card plan, and will be entitled to
reimbursement from the requesting Customer for both actual expenses and an hourly
investigative fee as MasterCard may establish periodically. Procedures for requesting such
assistance follow.
5.2.1 Initiating an Investigation

To initiate an investigation, the requesting Customer must perform the following steps:
1. Complete part A of the Investigation Request and Report Form (ICA-7A)
2. Send the appropriate copies of the five-part form to:
– The Security Contact of the investigating Customer, and
– The Security and Risk Services Department at the address provided in Appendix C.
In case of an emergency, the Customer may initiate an investigation by phone or telex.
However, the request must contain all pertinent information in the Investigation Request and
Report Form. The Customer must forward the appropriate copies of the form within 36 hours
after making the phone or telex request.
5.2.2 Providing a Progress Report

The investigating Customer must acknowledge the receipt of the Investigation Request and
Report Form within three business days. Within 15 business days of receiving the Investigation
Request and Report Form, the investigating Customer must furnish a progress report on the
results of the investigation. If the investigation cannot be completed within 15 days, the
investigating Customer should complete the investigation as soon as viable. The investigating
Customer should use the same Investigation Request and Report Form to summarize the
results of an investigation.
The form also serves as an invoice to the requesting Customer for the personnel hours and
expenses associated with the investigation. The Customer conducting the investigation must
complete part B of the form and route the copies according to the instructions on the
Investigation Request and Report Form.
5.2.3 Requesting an Arrest and Criminal Prosecution

When a Customer requests that another Customer cause the arrest and subsequent criminal
prosecution of an individual for misuse of a Card, the requesting Customer must supply all
necessary witnesses at the various criminal proceedings.
5.2.4 Fees and Reimbursement of Expenses

The investigating Customer may collect from the requesting Customer USD 50 for each half
hour of investigative work performed. The Investigation Request and Report Form (ICA-7A)
details all costs and expenses incurred by investigative personnel on behalf of the requesting

Customer, or the amount specifically authorized by the requesting Customer to be used for
investigation expenses.
NOTE: A sample of the Investigation Request and Report Form (ICA-7A) appears in the
™
Business Forms section of MasterCard Connect .
When a Customer requests that another Customer cause the arrest and subsequent criminal
prosecution of an individual for misuse of a Card, the requesting Customer must pay all
related expenses at the various criminal proceedings.
MasterCard can authorize the expenditure of any funds necessary to conduct a counterfeit or
major criminal investigation, including reimbursement of a Customer’s expenses in any
particular case that caused a hardship to that Customer.
To settle investigation fees and expenses, Customers should use the IPM Fee Collection/1740
message with message reason code 7610.
5.2.5 Investigation of Counterfeits and Major Criminal Cases

The various regional MasterCard vice presidents of the Security and Risk Services Department
have the authority to manage the investigation of a counterfeit or criminal case. When
requested, Customers are required to provide the regional vice president with any assistance
necessary.

Fraud Loss Control Standards
Chapter 6 Fraud Loss Control Standards

This chapter may be of particular interest to personnel responsible for fraud loss control programs,
counterfeit loss procedures and reimbursement, and Acquirer counterfeit liability.
6.1 Customer Responsibility for Fraud Loss Control....................................................................... 61

6.2 MasterCard Fraud Loss Control Program Standards................................................................. 61
6.2.1 Issuer Fraud Loss Control Programs..................................................................................61
6.2.1.1 Issuer Authorization Requirements........................................................................... 61
6.2.1.2 Issuer Fraud Monitoring Requirements..................................................................... 62
6.2.1.3 Issuer Network Monitoring Requirements................................................................ 62
6.2.1.4 Product Portfolio Management................................................................................ 62
6.2.1.5 Recommended Additional Issuer Monitoring............................................................63
6.2.1.6 Additional Prepaid Monitoring Requirements........................................................... 63
6.2.1.7 Fraud Detection Tool Implementation.......................................................................64
6.2.1.8 Cardholder Communication Strategy....................................................................... 65
6.2.2 Acquirer Fraud Loss Control Programs............................................................................. 65
6.2.2.1 Acquirer Authorization Monitoring Requirements.................................................... 65
6.2.2.2 Acquirer Merchant Deposit Monitoring Requirements.............................................. 65
6.2.2.3 Recommended Additional Acquirer Monitoring....................................................... 66
6.2.3 Noncompliance with Fraud Loss Control Program Standards............................................67
6.3 MasterCard Counterfeit Card Fraud Loss Control Standards.................................................... 67
6.3.1 Counterfeit Card Notification.......................................................................................... 67
6.3.1.1 Notification by Issuer............................................................................................... 67
6.3.1.2 Notification by Acquirer........................................................................................... 68
6.3.1.3 Failure to Give Notice...............................................................................................68
6.3.2 Responsibility for Counterfeit Loss................................................................................... 68
6.3.2.1 Loss from Internal Fraud.......................................................................................... 68
6.3.2.2 Transactions Arising from Identified Counterfeit Cards............................................. 68
6.3.2.3 Transactions Arising from Unidentified Counterfeit Cards.........................................69
6.3.2.4 Loss or Theft of Unfinished Cards............................................................................ 69
6.3.3 Acquirer Counterfeit Liability Program............................................................................. 69
6.3.3.1 Acquirer Counterfeit Liability................................................................................... 69
6.3.3.2 Acquirer Liability Period........................................................................................... 70
6.3.3.3 Relief from Liability.................................................................................................. 70
6.3.3.4 Application for Relief............................................................................................... 70
6.4 Maestro Issuer Loss Control Program (LCP)..............................................................................71
6.4.1 Group 1 Issuers—Issuers with Dynamic Geo-Controls...................................................... 71

6.4.2 Group 2 Issuers—Issuers without Dynamic Geo-Controls................................................. 72

6.4.2.1 Authorization Controls............................................................................................ 72
6.4.3 Group 3 Issuers—Issuers Experiencing Fraud in Excess of Established Levels (“High
Fraud”).................................................................................................................................... 73
6.4.4 Fraud Detection Tool Implementation.............................................................................. 73
6.4.5 Cardholder Communication Strategy...............................................................................74

6.1 Customer Responsibility for Fraud Loss Control
6.1 Customer Responsibility for Fraud Loss Control

A Customer must establish adequate fraud loss controls for each of its issuing and acquiring
Programs and use them actively and effectively. A Digital Activity Customer must establish
adequate fraud loss controls for each of its Digital Activity Programs and use them actively and
effectively.
An Acquirer must transmit full magnetic stripe or chip data for all Point-of-Interaction (POI)
Card-read Transactions.
An Issuer must, at a minimum, incorporate the Card security features described in Chapter 3
of this manual and the Card Design Standards, and comply with the Card production
Standards described in Chapter 2 of this manual.
Sections 6.2 and 6.3 of this chapter apply to MasterCard Customers. Section 6.4 of this
chapter applies to Maestro Customers.
Global Risk Management Program staff, in its sole discretion, will determine a Customer’s
compliance with these fraud loss control Standards and has the authority, either directly or
through its designee, to perform audits and to mandate implementation and use of controls
deemed necessary to achieve compliance.
6.2 MasterCard Fraud Loss Control Program Standards

The existence and use of meaningful controls are an effective means to limit total fraud losses
and losses for all fraud types. This section describes minimum requirements for Issuer and
Acquirer fraud loss control programs.
6.2.1 Issuer Fraud Loss Control Programs

An Issuer’s fraud loss control program must meet the following minimum requirements, and
preferably will include the recommended additional parameters. The program must
automatically generate daily fraud monitoring reports or real-time alerts. Issuer staff trained to
identify potential fraud must analyze the data in these reports within 24 hours.
6.2.1.1 Issuer Authorization Requirements

An Issuer must implement a rules-based authorization strategy with the following parameters:
• Decision matrix for Card validation code (CVC) 1, CVC 2, and CVC 3 validation results
• Limits on single-day and multiple-day Transaction velocity (number of Transactions)
• Limits on single-day and multiple-day monetary spending (value of Transactions)
• Limits for high-risk Card acceptor business codes (MCCs) and locations on a daily or, if
necessary, more frequent basis
• Limits for particular POI entry modes (such as magnetic stripe-read, primary account
number [PAN] key-entry, chip-read, Card-Not-Present [CNP])
• Limits for particular country codes

• Decision matrix for expiration date errors

• Decision matrix for Track 1 validation errors
• Decision matrix for geographic anomalies
6.2.1.2 Issuer Fraud Monitoring Requirements

An Issuer must generate daily reports or real-time alerts monitoring both authorization and
clearing data, if possible, at the latest on the day following the Transaction(s) for the following
parameters:
• Single Transaction exceeding a certain amount (established by the Issuer)
• Multiple Transactions exceeding a certain amount (established by the Issuer)
• PAN key-entry Transactions exceeding a certain amount and/or number (established by the
Issuer)
• Transactions taking place at high-risk MCCs and Merchant locations
An Issuer with the conditions present in Table 6.1 must implement additional fraud loss
controls.
Table 6.1—Additional Issuer Fraud Loss Control Requirement
An Issuer with both of the following… Must...
• Greater than two times the global MasterCard Implement additional fraud loss control
fraud basis points average monitoring programs to detect fraudulent
• USD 200,000, or more, annually in fraud losses Transactions
6.2.1.3 Issuer Network Monitoring Requirements

An Issuer must use the network monitoring service provided by MasterCard for all
Transactions arising from a prepaid Card Program that are processed by means of the
Interchange System (“Processed Transactions”). Refer to Rule 6.10 of the MasterCard Rules
manual for more information about prepaid Card Programs.
In the event that MasterCard detects fraudulent or potentially fraudulent activity (“suspicious
activity”) involving a prepaid Account, MasterCard may impose a temporary block on the
affected PAN of such prepaid Account with respect to all authorization requests received for
Transactions that are of the same type as the suspicious activity (for example, ATM
Transactions or CNP Transactions). MasterCard will attempt to notify the Issuer of the block,
and thereby enable the Issuer to implement additional controls.
6.2.1.4 Product Portfolio Management

>>>
An Issuer is required to monitor its Account Portfolios for the following:
• Total Transaction fraud basis points

• Domestic Transaction fraud basis points

• Cross-border Transaction fraud basis points
• Fraud basis points by Transaction type (for example, electronic commerce [e-commerce]
Transactions, mail order/telephone order [MO/TO] Transactions, Card-present Transactions)
• MasterCard® SecureCode™ fully authenticated Transaction fraud basis points
<<<
6.2.1.5 Recommended Additional Issuer Monitoring

MasterCard recommends that Issuers additionally monitor the following parameters:
• Account-generated attacks
• CVC 1, CVC 2, and CVC 3 validation failures
• Expiration date failures
• Invalid account number (mis-posting) Transactions
• Cardholder-activated terminal (CAT) Transactions
• Account Data Compromise (ADC) Event or Potential ADC Event Transactions
• Credit Transactions (such as refunds) and Merchant authorization reversals
• >>>PIN, MasterCard SecureCode token, or Authorization Request Cryptogram (ARQC)
validation failures<<<
• >>>Cardholder verification method (CVM)<<<
• >>>Stand-In verification of CVC 1<<<
6.2.1.6 Additional Prepaid Monitoring Requirements

>>>An Issuer must comply with the following additional monitoring requirements for its
prepaid Card Programs.<<<
>>>
Fraud Detection
An Issuer must develop, implement, and maintain formal prepaid Portfolio standards to
monitor funding situations. An Issuer also must:
• Assess and monitor exposure to unfunded commitments; and
• Regularly analyze trends in Account volume and growth.
<<<
>>>
Program Monitoring
Adequate fraud controls must be in place to monitor the following Program activity:
• Number of Accounts per Cardholder
• Number of loads performed per day—Loads arising from payment Card acceptance at a
Point-of-Sale (POS) location identified with one of the following MCCs may require
enhanced review:

– MCC 4829 (Money Transfer—Merchant)

– MCC 6050 (Quasi Cash—Customer Financial Institution)
– MCC 6051 (Quasi Cash—Merchant)
• Number of loads arising from payment Card acceptance performed daily and over time
(specific time period)
• Number of loads performed at the same agent daily and over time
• Value of loads performed at the same agent daily and over time
• Origination of load—cash, Automated Clearing House (ACH), card-to-card balance
transfer, or wire method used for load transfer (for example, e-commerce, MO/TO, or
recurring payment Transaction)
• Refunds
• Reload and withdrawal patterns
<<<
>>>
Card Limits
Adequate fraud controls must be in place to monitor the following Card activity:
• Minimum and maximum initial load values
• Card reloading procedures
• Maximum number of loads per Card per day
• Maximum value on each Card per day
• Accepted payment methods to purchase, load, or reload the Card
<<<
6.2.1.7 Fraud Detection Tool Implementation

>>>
An Issuer is required to implement a fraud detection tool, which appropriately complements
the fraud strategy deployed by the Issuer. The combination of the authorization controls and
the fraud detection tool should ensure that an Issuer controls fraud to an acceptable level.
The performance of an Issuer’s fraud detection tool at least should achieve minimum
performance requirements. The following performance indicators are required to help an
Issuer manage an effective fraud detection tool. Such performance indicators must include,
but are not limited to:
• Fraud Account detection rates
• Average number of Transactions per fraud case
• Average fraud case duration
• Average loss per fraud case
• Percentage of e-commerce Transactions of USD 25 (or the local currency equivalent) or less
for the purchase of Digital Goods reported via the System to Avoid Fraud Effectively (SAFE),

compared to the total of e-commerce Transactions of USD 25 (or the local currency
equivalent) or less reported via SAFE.
<<<
6.2.1.8 Cardholder Communication Strategy

>>>
An Issuer must implement a Cardholder communication strategy. A communication strategy
consists of defining (i) the criteria for contacting a Cardholder, (ii) the communication channel
for contacting the Cardholder, and (iii) the actions to be taken in case of failure to contact the
Cardholder. Such communication channels may include short message service (SMS) alerts,
email messages, phone calls, and letters.
<<<
6.2.2 Acquirer Fraud Loss Control Programs

An Acquirer’s fraud loss control program must meet the following minimum requirements,
and preferably will include the recommended additional parameters. The program must
automatically generate daily fraud monitoring reports or real-time alerts. Acquirer staff trained
to identify potential fraud must analyze the data in these reports within 24 hours.
To comply with the fraud loss control Standards, Acquirers also must transmit complete and
unaltered data in all Card-read authorization request messages.
Additionally, Acquirers with high fraud levels must:
• Install “read and display” terminals in areas determined to be at high risk for fraud or
counterfeit activity, or
• Install Hybrid POS Terminals
6.2.2.1 Acquirer Authorization Monitoring Requirements

Daily reports or real-time alerts monitoring Merchant authorization requests must be
generated at the latest on the day following the authorization request, and must be based on
the following parameters:
• Number of authorization requests above a threshold set by the Acquirer for that Merchant
• Ratio of non-Card-read to Card-read Transactions that is above the threshold set by the
Acquirer for that Merchant
• PAN key entry ratio that is above the threshold set by the Acquirer for that Merchant
• Repeated authorization requests for the same amount or the same Cardholder account
• Increased number of authorization requests
• “Out of pattern” fallback Transaction volume
6.2.2.2 Acquirer Merchant Deposit Monitoring Requirements

Daily reports or real-time alerts monitoring Merchant deposits must be generated at the latest
on the day following the deposit, and must be based on the following parameters:

• Increases in Merchant deposit volume

• Increase in a Merchant’s average ticket size and number of Transactions per deposit
• Change in frequency of deposits
• >>>Frequency of Transactions on the same Account, including credit (refund)
Transactions<<<
• Unusual number of credits, or credit dollar volume, exceeding a level of sales dollar volume
appropriate to the Merchant category
• Large credit Transaction amounts, significantly greater than the average ticket size for the
Merchant’s sales
• >>>Credits issued by a Merchant subsequent to the Acquirer’s receipt of a chargeback with
the same PAN<<<
• >>>Credits issued by a Merchant to a PAN not used previously at the Merchant
location<<<
• >>>Increases in Merchant chargeback volume<<<
90-day Rule
The Acquirer must compare daily deposits against the average Transaction count and amount
for each Merchant over a period of at least 90 days, to lessen the effect of normal variances in
a Merchant’s business. For new Merchants, the Acquirer should compare the average
Transaction count and amount for other Merchants within the same MCC assigned to the
Merchant. In the event that suspicious credit or refund Transaction activity is identified, if
appropriate, the Acquirer should consider the suspension of Transactions pending further
investigation.
6.2.2.3 Recommended Additional Acquirer Monitoring

MasterCard recommends that Acquirers additionally monitor the following parameters:
• Fallback methods
• Credit Transactions (such as refunds) and Merchant authorization reversals
• Transactions conducted at high-risk Merchants
• PAN key-entry Transactions exceeding ratio
• Abnormal hours or seasons
• Inactive Merchants
• Transactions with no approval code
• >>>Transaction decline rate<<<
• Inconsistent authorization and clearing data elements for the same Transactions
• >>>MasterCard SecureCode authentication rate<<<
• >>>Fraud volume per Merchant<<<
>>>

6.3 MasterCard Counterfeit Card Fraud Loss Control Standards
150 Percent Recommendation

To optimize the effectiveness of fraud analysis staff, a Merchant that appears in the Acquirer’s
monitoring reports should exceed the average for all of the Acquirer’s Merchants by 150
percent or more. However, the amount over the average is at the Acquirer’s discretion.
<<<
>>>
Merchant Monitoring Recommendation

MasterCard recommends that Acquirers use a Merchant monitoring solution to review their e-
commerce Merchants’ activity to avoid processing illegal or brand-damaging Transactions.
<<<
6.2.3 Noncompliance with Fraud Loss Control Program Standards

Following a Global Risk Management Program review, a noncompliant Customer will receive a
formal written report with requirements that must be satisfied within an established period to
achieve compliance with the fraud loss control Standards. For the assessments that may apply
if a Customer fails to take the required actions to achieve compliance, refer to section 13.6 of
this manual.

MasterCard actively assists law enforcement in the pursuit of organized and informal criminal
groups engaged in counterfeit fraud. Although MasterCard has achieved substantial success
in this area, including numerous convictions of counterfeiters and seizures of their physical
plants, organized criminal elements continue to expand, with new groups emerging almost
daily.
In addition to implementing the fraud loss controls described in section 6.2, Customers must
also make a good-faith attempt to limit counterfeit losses. At a minimum, an Issuer is required
to incorporate the Card security features described in Chapter 3 on all Cards, and an Acquirer
must transmit full magnetic stripe or chip data on all Card-read POS Transactions.
6.3.1 Counterfeit Card Notification

All Customers must notify MasterCard immediately upon suspicion or detection of counterfeit
Cards.
6.3.1.1 Notification by Issuer

An Issuer must notify MasterCard immediately upon detection of a counterfeit Card bearing
its bank identification number (BIN) or, in the absence of a valid BIN, its Member ID. This step
must be completed by the most prompt and practical means possible, employing such
methods as email, tape transmissions, phone, or telex communication.

6.3.1.2 Notification by Acquirer

An Acquirer detecting or suspecting a counterfeit Card bearing neither a valid BIN nor a valid
Member ID immediately must notify its regional Security and Risk Services representative and
the Issuer by phone, email, or telex communication. MasterCard will add the account number
to the Account Management System.
6.3.1.3 Failure to Give Notice

Failure by the Acquirer or Issuer to give notice within 24 hours of detecting a counterfeit Card
relieves MasterCard of any responsibility for any resulting loss incurred by any party failing to
give notice.
6.3.2 Responsibility for Counterfeit Loss

Certain losses resulting from counterfeit Transactions are the responsibility of either the Issuer
or Acquirer based on the circumstances described in this section.
6.3.2.1 Loss from Internal Fraud

MasterCard is not responsible for any loss arising from or related to any fraudulent, dishonest,
or otherwise wrongful act of any officer, director, or employee of a Customer, or of a
Customer’s Service Provider, agent, or representative.
6.3.2.2 Transactions Arising from Identified Counterfeit Cards

The Issuer is responsible for any counterfeit loss resulting from or related to the use of an
identified counterfeit Card. An identified counterfeit Card is determined by the BIN identified
in the Transaction record or, in the absence of a BIN, by the Member ID identified in the
Transaction record. The Issuer is not responsible for counterfeit losses that were or could have
been charged back in accordance with the Standards or for counterfeit losses that were
assumed by the Acquirer as a result of a compliance case ruling.
DEFINITION:
A key-entered counterfeit Transaction occurs when the counterfeit Card is present at the POI
and authorization is obtained in accordance with the Standards (but not as described for a
Card-read Transaction).
DEFINITION:
An imprinted counterfeit Transaction occurs when the embossed counterfeit Card is present
at the POI, the Card acceptor uses an imprinter to record the Card information, and
authorization is obtained, if at all, in accordance with the Standards (but not as described for
a Card-read Transaction).

DEFINITION:
A magnetic stripe-read counterfeit Transaction involving the use of a counterfeit Card at the
POI, in which authorization is effected electronically and in accordance with the Standards,
with magnetic stripe data obtained from lost or stolen Card stock is read via the Terminal and
transmitted to the Issuer during the authorization process.
6.3.2.3 Transactions Arising from Unidentified Counterfeit Cards

The Acquirer is responsible for any counterfeit loss resulting from or related to the acceptance
by a Merchant of a Card that cannot be identified by the BIN or Member ID imprinted in the
Transaction record.
6.3.2.4 Loss or Theft of Unfinished Cards

If a counterfeit Card resulting from the loss or theft of Cards that had not yet been
personalized or were otherwise unfinished is recovered, the Issuer that ordered the production
of the Cards is responsible for losses arising from the use of the counterfeit Card. The Issuer is
determined by the Card source identification printed on the Card back.
6.3.3 Acquirer Counterfeit Liability Program

The Acquirer Counterfeit Liability Program is intended to combat increases in worldwide
counterfeiting in the credit card industry. The Program shifts partial counterfeit loss liability to
Acquirers that exceed worldwide counterfeit Standards.
Global Risk Management Program staff uses the Acquirer counterfeit volume ratio (ACVR) to
evaluate all Customers’ volumes of acquired counterfeit. The ACVR is a Customer’s dollar
volume of acquired counterfeit as a percentage of the total dollar volume acquired by that
Customer.
Global Risk Management Program staff monitors the 20 Customers with the highest ACVRs
on a quarterly basis. MasterCard notifies each Customer with liability of its own ACVR, the
worldwide average, the reported counterfeit, and the amount of Customer liability calculated
on a quarterly basis.
MasterCard uses funds obtained from Acquirers that exceed established annual thresholds to
provide the following support:
• Recover the costs associated with the administration of this Program,
• Fund the development of new fraud control programs, and
• Supplement the MasterCard liability limit for the reimbursement of Issuers’ counterfeit
losses.
6.3.3.1 Acquirer Counterfeit Liability

An Acquirer is liable for any counterfeit volume that is above a threshold of 10 times the
worldwide ACVR.
Global Risk Management Program review teams will provide a report to Acquirers whose
ACVR exceeds 10 times the worldwide average with recommendations on how to reduce the

volume of acquired counterfeit Transactions. If an Acquirer implements all of the programs

recommended by Global Risk Management Program staff, or takes necessary action to curb
counterfeit, MasterCard will review the actions taken and may adjust the cumulative liability
that would otherwise be imposed by the Program.
Counterfeit experience inconsistent with the implementation of the required programs will
result in further Customer Risk Reviews by MasterCard.
For more information about the Global Risk Management Program, refer to Chapter 13 of this
manual.
6.3.3.2 Acquirer Liability Period

The Acquirer’s ACVR liability is computed for the period from 1 January through 31 December.
ACVR liability is determined after final submission of counterfeit reimbursement claims for
each 12-month cycle.
6.3.3.3 Relief from Liability

To qualify for relief from liability, an Acquirer must meet the following criteria:
1. The Acquirer must comply with the Acquirer loss control program Standards described in
section 6.2.2.
2. The Acquirer must issue internal procedures designating responsibilities for monitoring the
exception reports, explaining how they should be used, and defining actions to be taken
when thresholds are exceeded. Customers will need to maintain internal records that
clearly demonstrate supervisory review of such procedures and the periodic review of
results by senior management.
3. The Acquirer must transmit the full, unedited ISO:8583 authorization message from
terminal-read Transactions to the system.
4. The Acquirer that is subject to liability may be required by MasterCard to take additional
action to attempt further to reduce its level of counterfeit losses.
MasterCard will provide relief from reversal of responsibility to Acquirers that exceed the
threshold under the Acquirer Counterfeit Liability Program and that fully meet the
aforementioned criteria.
NOTE: Acquirers must submit a written application for relief in order for MasterCard to
provide relief from responsibility.
6.3.3.4 Application for Relief

An Acquirer must submit the written application for relief under signature of an appropriate
officer, such as the Card center manager of that Customer. The following information must be
included in the application:
• Certification that the requisite controls are in place
• A detailed description of the controls
• The specific parameters being used
• A copy of the procedures document described in section 6.3.3.3

6.4 Maestro Issuer Loss Control Program (LCP)
• Sample copies of the automated exception reports

The application for relief must be submitted to the vice president of Security and Risk Services
at the address provided in Appendix C.
The effective date of the provisions of relief will be no sooner than 90 days after the Acquirer
has fully implemented the requisite controls. Release from responsibility for the Acquirer will
not be granted until all of the requirements are in place for at least 90 days. Continued
eligibility for relief will be subject to periodic review by Security and Risk Services staff, and
may be revoked at any time.

An Issuer must deploy effective fraud control strategies to protect the reputation and integrity
of the Maestro brand.
The Maestro Issuer Loss Control Program (LCP) focuses on the following three groups:
• Group 1 Issuers—Issuers with dynamic geo-controls
• Group 2 Issuers—Issuers without dynamic geo-controls
• Group 3 Issuers—Issuers experiencing fraud in excess of established levels
MasterCard may require a Customer to implement measures in addition to the minimum
requirements set forth in this section.
6.4.1 Group 1 Issuers—Issuers with Dynamic Geo-Controls

A Group 1 Issuer is an Issuer with a dynamic geo-control solution in place. A Group 1 Issuer
typically:
1. Places each Cardholder into a defined segment of the Issuer’s Portfolio based on the
Cardholder’s recent travel behavior, for example:
a. Cardholders that travel outside of the Issuer’s Region (“Interregional Cardholders”)
b. Cardholders that travel outside of the country of Card issuance but not outside of the
Issuer’s Region (“Intraregional Cardholders”)
c. Cardholders that do not travel outside of the country of Card issuance (“Domestic
Cardholders”)
d. Affluent (“VIP”) Cardholders, Cardholders that reside abroad, and frequent travelers
2. Implements daily and weekly spending limits for high-risk Transactions, per defined
Portfolio segment.
3. Offers a variety of channels by which a Cardholder may switch from one segment to
another.
4. Regularly optimizes segment definitions and spending profiles to achieve the best balance
between Card utility and fraud reduction.

NOTE:
This strategy is particularly relevant to Maestro Chip Card Issuers operating in Regions where
EMV migration is advanced or complete. In this situation, the majority of Intraregional
Transactions and Interregional Transactions conducted in a face-to-face environment are Chip
Transactions.
A Group 1 Issuer may contact its local Customer Fraud Management representative to discuss
the implementation of additional controls.
6.4.2 Group 2 Issuers—Issuers without Dynamic Geo-Controls

A Group 2 Issuer is an Issuer that does not have a dynamic geo-control solution in place. A
Group 2 Issuer must implement the following minimum controls.
6.4.2.1 Authorization Controls

A Group 2 Issuer must implement a rules-based authorization strategy. The strategy must be
regularly reviewed and updated as appropriate. Spending limits set by the Issuer within its
authorization strategy should be set to have minimum impact on valid Transactions and
maximum impact on fraud reduction.
A Group 2 Issuer must include the following parameters in its authorization system:
• A single Transaction exceeding a certain amount (established by the Issuer)
• Multiple Transactions exceeding a certain amount (established by the Issuer)
The Issuer should set specific limits with respect to:
• High-risk MCCs;
• Particular Merchant locations determined to be high-risk;
• Particular POS entry modes (for example, magnetic stripe-read, chip-read, or key-entered);
and
• Particular country codes.
A Group 2 Issuer should also include rules and parameters based on authorization and
clearing data relating to the following:
• Account-generated attacks
• CVC 1, CVC 2, and CVC 3 validation failures
• PIN, MasterCard® SecureCode™ token, or ARQC validation failures
• Mismatches between “Card Verification Results (CVR)” in the Issuer Application Data of
Data Element (DE) 55 and “CVM Results”
• Expiration date failures
• Invalid Account number (mis-posted) Transactions
• Unattended POS Terminal Transactions
• ADC Event or Potential ADC Event Transactions
• Refund Transactions and Merchant authorization reversals
• Dormant Card list (monthly)

A Group 2 Issuer should also:

1. Monitor authorization data, including the use of real-time alerts;
2. In a dual message environment, monitor clearing data; and
3. Generate daily reports, at the latest on the day after the monitored Transaction(s) occur or
are received through clearing.
6.4.3 Group 3 Issuers—Issuers Experiencing Fraud in Excess of Established Levels

(“High Fraud”)
A Group 3 Issuer is any Issuer (regardless of whether the Issuer satisfies the definition of a
Group 1 Issuer or Group 2 Issuer) that meets either of the following criteria for fraud in excess
of established levels (“high fraud”):
1. The Issuer’s Maestro Transaction fraud basis points in any month exceed two times the
Regional average or two times the worldwide average; and/or
2. The Issuer’s total fraud in any month within fraud types required to be reported to SAFE
exceeds a figure set by MasterCard.
A Group 3 Issuer may be:
1. Contacted by its local Customer Fraud Management representative to establish an action
plan for achieving compliance with the Standards, including the implementation of
recommended fraud reduction measures; and/or
2. Required to undertake a Global Risk Management Program review; and/or
3. Required to deploy a dynamic geo-control or other appropriate fraud management
solution.
A Group 3 Issuer experiencing high fraud for three consecutive months may be prohibited
from submitting more than seven fraud-related chargebacks involving the same Maestro
Account (for purposes of this rule, “Account” means the PAN and expiration date). If an Issuer
fails to take appropriate fraud reduction measures within a specified time period and
continues to experience high fraud, the Issuer may be prohibited from charging back Maestro
Transactions using message reason code 70 or 4870 (Chip Liability Shift). Any such Issuer will
be listed in the Global Security Bulletin during the period of chargeback limitation. A listed
Issuer may, at any time, request an audit by MasterCard of the adequacy of its fraud and
security controls and its removal from the Global Security Bulletin listing.
6.4.4 Fraud Detection Tool Implementation

Each Maestro Issuer must implement a fraud detection tool that is effective in limiting any
fraud to a volume that is within established levels, as such are described in section 6.4.3.
The fraud detection tool must achieve minimum performance requirements. Performance
indicators should include, but are not limited to, fraud Account detection rates, average
number of Transactions per fraud case, average fraud case duration, and average loss per
fraud case.

6.4.5 Cardholder Communication Strategy

Each Maestro Issuer must implement a Cardholder communication strategy. A communication
strategy consists of defining (i) the criteria for contacting a Cardholder, (ii) the communication
channel for contacting the Cardholder, and (iii) the actions to be taken in case of failure to
contact the Cardholder. Such communication channels may include SMS alerts, email
messages, phone calls, and letters.

Merchant, Submerchant, and ATM Owner Screening and Monitoring Standards
Chapter 7 Merchant, Submerchant, and ATM Owner

Screening and Monitoring Standards
This chapter may be of particular interest to Customer personnel responsible for screening and
monitoring Merchants, Submerchants, and ATM Owners.
7.1 Screening New Merchants, Submerchants, and ATM Owners.................................................. 76

7.1.1 Merchant Screening Procedures.......................................................................................76
7.1.2 Submerchant Screening Procedures................................................................................. 77
7.1.3 ATM Owner Screening Procedures...................................................................................78
7.1.4 Evidence of Compliance with Screening Procedures.........................................................78
7.1.5 Retention of Investigative Records................................................................................... 79
7.1.6 Assessments for Noncompliance with Screening Procedures............................................ 80
7.2 Ongoing Monitoring............................................................................................................... 80
7.3 Merchant Education................................................................................................................81
7.4 Additional Requirements for Certain Merchant and Submerchant Categories.......................... 81

7.1 Screening New Merchants, Submerchants, and ATM Owners

A Customer is responsible for ensuring that the procedures set forth in this section for the
screening of a prospective Merchant, Submerchant, or ATM owner are performed before the
Customer enters into a Merchant Agreement or ATM Owner Agreement or a Payment
Facilitator of the Customer enters into a Submerchant Agreement.
The performance of these screening procedures does not relieve a Customer from the
responsibility of following good commercial banking practices. The review of an annual report
or an audited statement, for example, might suggest the need for further inquiry.
7.1.1 Merchant Screening Procedures

Each Acquirer, before entering into a Merchant Agreement with a Merchant, must verify that
the prospective Merchant is a bona fide business. Such verification must include at least all of
the following:
• For each prospective Merchant with more than USD 100,000 in projected or actual annual
combined MasterCard and Maestro Point-of-Sale (POS) Transaction volume, conduct a
credit check (such as by obtaining a credit report from a credit bureau). If the credit check
raises questions or does not provide sufficient information, the Acquirer also should
conduct a credit check of:
– The owner, if the prospective Merchant is a sole proprietor; or
– The partners, if the prospective Merchant is a partnership; or
– The principal shareholders, if the prospective Merchant is a corporation.
A credit check must also be performed if required by applicable law or regulation.
• Perform background investigations and reference checks of the prospective Merchant.
• Check for the validity of the business address and other information provided by the
prospective Merchant.
• Submit an inquiry to the MasterCard Alert to Control High-risk (Merchants) (MATCH™)
system if the prospective Merchant proposes to accept MasterCard Cards. The MATCH
inquiry for a prospective Merchant proposing to conduct electronic commerce (e-
commerce) Transactions must include the Universal Resource Locator (URL) address of its
website.
• Investigate the prospective Merchant's previous and other relationships with Customers or
Payment Facilitators, if any.
NOTE: A Customer must participate in the MATCH system unless excused by MasterCard or
prohibited by law.
An Acquirer is not required to conduct a credit check of a public or private company that has
annual sales revenue in excess of USD 50 million (or the foreign currency equivalent), provided
the Acquirer reviews, and finds satisfactory for purposes of the acquiring being considered,
the most recent annual report of the Merchant, including audited financial statements. A

private company that does not have a recent audited financial statement is subject to a credit
check and inspection even if its annual sales revenue exceeds USD 50 million.
As a best practice, the Acquirer also should:
• Inspect the prospective Merchant's premises (both physical locations and Internet URLs, as
applicable) and records to ensure that the prospective Merchant has the proper facilities,
equipment, inventory, agreements, and personnel required and if necessary, license or
permit and other capabilities to conduct the business.
• Ensure that the prospective Merchant is able to support the provision of products or
services to be marketed, and has procedures and resources to timely and appropriately
respond to Cardholder inquiries and to support refund requests.
7.1.2 Submerchant Screening Procedures

Each Payment Facilitator, before signing a Submerchant Agreement, must verify that the
prospective Submerchant is a bona fide business. Such verification must include all of the
following:
• For each prospective Submerchant with more than USD 100,000 in projected or actual
annual combined MasterCard and Maestro POS Transaction volume, conduct a credit check
(such as by obtaining a credit report from a credit bureau). If the credit check raises
questions or does not provide sufficient information, the Payment Facilitator also should
conduct a credit check of:
– The owner, if the prospective Submerchant is a sole proprietor; or
– The partners, if the prospective Submerchant is a partnership; or
– The principal shareholders, if the prospective Submerchant is a corporation.
A credit check must also be performed if required by the Acquirer or applicable law or
regulation.
• Perform background investigations and reference checks of the prospective Submerchant.
• Check for the validity of the business address and other information provided.
• Request that the Acquirer for which the Payment Facilitator is an agent submit an inquiry
to the MATCH™ system if the prospective Submerchant proposes to accept MasterCard
Cards (the Acquirer itself must directly perform the MATCH system inquiry). The MATCH
inquiry for a prospective Submerchant proposing to conduct e-commerce Transactions
must include the URL address of the prospective Submerchant's website.
NOTE:
A Customer must participate in the MATCH system unless excused by MasterCard or
prohibited by law.
As a best practice, the Payment Facilitator also should:

• Inspect the prospective Submerchant's premises (both physical locations and Internet URLs,
as applicable) and records to ensure that it has the proper facilities, equipment, inventory,

agreements, and personnel required and if necessary, license or permit and other
capabilities to conduct the business.
• Ensure that the prospective Submerchant is able to support the provision of products or
services to be marketed, and has procedures and resources to timely and appropriately
respond to Cardholder inquiries and to support refund requests.
• Investigate the prospective Submerchant's previous and other relationships with Customers
or Payment Facilitators, if any.
>>>The Acquirer must ensure that the Payment Facilitator does not sponsor as a Submerchant
any entity listed on the MATCH system as having been terminated for a reason described in
section 11.5.1 of this manual.<<<
>>>The Acquirer must add each Submerchant terminated for any such reason to the MATCH
system per section 11.2.2.<<<
7.1.3 ATM Owner Screening Procedures

Each Acquirer, before signing an ATM Owner Agreement with an ATM owner, must verify that
the prospective ATM owner is a bona fide business. Such verification must include at least all
of the following:
• Conduct a credit check (such as by obtaining a credit report from a credit bureau). If the
credit check raises questions or does not provide sufficient information, the Acquirer also
should conduct a credit check of:
– The owner, if the prospective ATM owner is a sole proprietor; or
– The partners, if the prospective ATM owner is a partnership; or
– The principal shareholders, if the prospective ATM owner is a corporation.
• Perform background investigations and reference checks of the prospective ATM owner.
• Confirm that all ATMs claimed by a prospective ATM owner exist and are operational.
• Verify the location and condition of all ATMs deployed by a prospective ATM owner.
An Acquirer is not required to conduct a credit check of a prospective ATM owner public or
private company that has annual sales revenue in excess of USD 50 million (or the foreign
currency equivalent), provided the Acquirer reviews, and finds satisfactory for purposes of the
acquiring being considered, the most recent annual report of the prospective ATM owner,
including audited financial statements. A private company that does not have a recent audited
financial statement is subject to a credit check and inspection even if its annual sales revenue
exceeds USD 50 million.
As a best practice, the Acquirer also should perform an inspection of the prospective ATM
owner’s premises and records to ensure that it has the proper facilities, equipment, inventory,
agreements, and personnel required and if necessary, license or permit and other capabilities
to conduct the business.
7.1.4 Evidence of Compliance with Screening Procedures

As evidence that the Acquirer is in compliance with the screening requirements set forth in
this chapter, MasterCard requires, at a minimum, the following information:

• A report from a credit bureau, or, if the credit bureau report is incomplete or unavailable,
the written results of additional financial and background checks of the business, its
principal owners, and officers;
• With respect to the screening of a Merchant or Submerchant for MasterCard POS
Transaction processing, proof of the Acquirer’s inquiry into the MATCH system, including a
copy of the inquiry record;
• With respect to the screening of a Merchant, a statement from the Merchant about
previous Merchant Agreements, including the name(s) of the entity(ies) where the
Merchant has or had the agreement(s) and the reason(s) for terminating the agreement(s),
if applicable.
7.1.5 Retention of Investigative Records

The Acquirer must retain all records concerning the investigation of a Merchant, Submerchant,
or ATM owner for a minimum of two years after the date that the Merchant Agreement,
Submerchant Agreement, or ATM Owner Agreement, as applicable, is terminated or expires.
MasterCard recommends that Acquirers retain the following records as a best practice:
• Signed Merchant Agreement
• Previous Merchant statements
• Corporate or personal banking statements
• Credit reports
• Site inspection report, to include photographs of premises, inventory verification, and the
name and signature of the inspector of record
• Merchant certificate of incorporation, licenses, or permits
• Verification of references, including personal, business, or financial
• Verification of the authenticity of the supplier relationship for the goods or services (invoice
records) that the Merchant is offering the Cardholder for sale
• Date-stamped MATCH inquiry records
• Date-stamped MATCH addition record
• All Customer correspondence with the Merchant or ATM owner
• All correspondence relating to Issuer, Cardholder, or law enforcement inquiries concerning
the Merchant, Submerchant, ATM owner, or any associated Service Provider
• Signed Service Provider contract, including the name of agents involved in the due
diligence process
• Acquirer due diligence records concerning the Service Provider and its agents
Refer to Chapter 7 of the MasterCard Rules manual for more information about Service
Providers.
NOTE: MasterCard recommends that the Acquirer retain these records to verify compliance
with the screening procedures, in the event that MasterCard conducts an audit as described in
section 7.1.6.

7.2 Ongoing Monitoring
7.1.6 Assessments for Noncompliance with Screening Procedures

MasterCard may audit an Acquirer for compliance with the screening procedures set forth in
this chapter, and each Customer must comply with and assist any such audit. MasterCard will
review the applicable records retained by the Acquirer to determine whether an Acquirer has
complied with these screening procedures.
If MasterCard determines that an Acquirer has not complied with these screening procedures,
and if the Acquirer does not correct all deficiencies that gave rise to the violation to the
satisfaction of MasterCard within 30 days of knowledge or notice of such deficiencies,
MasterCard may assess the Acquirer up to USD 100,000 for each 30-day period following the
aforementioned period, with a maximum aggregate assessment of USD 500,000 during any
consecutive 12-month period. Any such assessment(s) will be in addition to any other financial
responsibility that the Acquirer may incur, as set forth in the Standards. Violators will also be
subject to chargebacks of fraudulent Transactions.
Failure to inquire to the MATCH system before signing a Merchant Agreement for MasterCard
POS Transaction processing or before a Payment Facilitator signs a Submerchant Agreement
for MasterCard POS Transaction processing may result in an assessment of up to USD 5,000
for each instance of noncompliance.
7.2 Ongoing Monitoring

An Acquirer must monitor and confirm regularly that the Transaction activity of each of its
Merchants (sales, credits, and chargebacks) is conducted in a legal and ethical manner and in
full compliance with the Standards, and ensure that a Payment Facilitator conducts such
monitoring with respect to each of its Submerchants, in an effort to deter fraud. Monitoring
must focus on changes in activity over time, activity inconsistent with the Merchant’s or
Submerchant’s business, or exceptional activity relating to the number of Transactions and
Transaction amounts outside the normal fluctuation related to seasonal sales. Specifically for
MasterCard POS Transaction processing, ongoing monitoring includes, but is not limited to,
the Acquirer fraud loss controls relating to deposit (including credits) and authorization activity
described in section 6.2.2.
With respect to an e-commerce Merchant, the Acquirer regularly, as reasonably appropriate in
light of all circumstances, must review and monitor the Merchant’s website(s) and business
activities to confirm and to reconfirm regularly that any activity related to or using a Mark is
conducted in a legal and ethical manner and in full compliance with the Standards. The
Acquirer must ensure that a Payment Facilitator conducts such monitoring with respect to
each of its Submerchant’s website(s).
As a best practice, MasterCard recommends that Acquirers use a >>>Merchant<<<
monitoring solution to review their e-commerce Merchants’ and Submerchants’ activity to
avoid processing illegal or brand-damaging Transactions.

7.3 Merchant Education
7.3 Merchant Education

Once an acquiring relationship is established, an Acquirer must institute a fraud prevention
program, including an education process consisting of periodic visits to Merchants,
distribution of related educational literature, and participation in Merchant seminars.
Instructions to Merchants must include Card acceptance procedures, use of the Electronic
Warning Bulletin file or Warning Notice, authorization procedures including Code 10
procedures, proper completion of Transaction information documents (TIDs) (including primary
account number [PAN] truncation), timely presentment of the Transaction to the Acquirer, and
proper handling pursuant to Card capture requests. Customers must thoroughly review with
Merchants the Standards against the presentment of fraudulent Transactions. In addition,
Customers must review the data security procedures to ensure that only appropriate Card
data is stored, magnetic stripe data never is stored, and any storage of data is done in
accordance with the Standards for encryption, Transaction processing, and other prescribed
practices.
An Acquirer must also ensure that a Payment Facilitator conducts appropriate education
activities for each of its Submerchants.
7.4 Additional Requirements for Certain Merchant and Submerchant

Categories
An Acquirer of a non-face-to-face adult content and services Merchant or Submerchant, non–
face-to-face gambling Merchant or Submerchant, non–face-to-face pharmaceutical and
tobacco product Merchant or Submerchant, state lottery Merchant or Submerchant (U.S.
Region only), skill games Merchant or Submerchant (U.S. Region only), and/or Merchant or
Submerchant reported under the Excessive Chargeback Program (ECP) must comply with the
registration and monitoring requirements of the MasterCard Registration Program (MRP) for
each such Merchant or Submerchant, as described in Chapter 9.

MasterCard Fraud Control Programs
Chapter 8 MasterCard Fraud Control Programs

This chapter may be of particular interest to Customer personnel responsible for monitoring
Merchant and/or Issuer activity for compliance with fraud loss control Standards.
8.1 Presenting Valid Transactions...................................................................................................84

8.1.1 Notifying MasterCard—Acquirer Responsibilities..............................................................84
8.1.2 Notifying MasterCard—Issuer Responsibilities.................................................................. 84
8.1.3 MasterCard Audit............................................................................................................84
8.1.3.1 Initiation of MasterCard Audit................................................................................. 85
8.1.3.2 Information Required by MasterCard....................................................................... 85
8.1.3.3 Notification to Customers of Chargeback Period......................................................86
8.2 Global Merchant Audit Program..............................................................................................86
8.2.1 Acquirer Responsibilities.................................................................................................. 87
8.2.2 Tier 3 Special Merchant Audit..........................................................................................87
8.2.3 Chargeback Responsibility............................................................................................... 89
8.2.4 Exclusion from the Global Merchant Audit Program.........................................................90
8.2.4.1 Systematic Exclusions...............................................................................................91
8.2.4.2 Exclusion After GMAP Identification.........................................................................91
8.2.5 Notification of Merchant Identification............................................................................ 92
8.2.5.1 Distribution of Reports.............................................................................................92
8.2.6 Merchant Online Status Tracking (MOST) System............................................................. 93
8.2.6.1 MOST Mandate....................................................................................................... 93
8.2.6.2 MOST Registration...................................................................................................93
8.3 Excessive Chargeback Program............................................................................................... 94
8.3.1 ECP Definitions................................................................................................................94
8.3.2 Reporting Requirements.................................................................................................. 95
8.3.2.1 Chargeback-Monitored Merchant Reporting Requirements...................................... 95
8.3.2.2 Excessive Chargeback Merchant Reporting Requirements.........................................95
8.3.3 Assessments....................................................................................................................96
8.3.3.1 ECP Assessment Calculation.................................................................................... 97
8.3.4 Issuer Reimbursement..................................................................................................... 98
8.3.5 Additional Tier 2 ECM Requirements............................................................................... 98
8.4 Questionable Merchant Audit Program (QMAP)...................................................................... 99
8.4.1 QMAP Definitions............................................................................................................99
8.4.2 MasterCard Commencement of an Investigation........................................................... 101
8.4.3 MasterCard Notification to Issuers................................................................................. 101
8.4.4 MasterCard Notification to Acquirers.............................................................................102

8.4.5 Merchant Termination................................................................................................... 102

8.4.6 MasterCard Determination............................................................................................ 102
8.4.7 Chargeback Responsibility............................................................................................. 103
8.4.8 Fraud Recovery..............................................................................................................103
8.4.9 QMAP Fees................................................................................................................... 103
8.5 Issuer Monitoring Program (IMP)........................................................................................... 104
8.5.1 Identification Criteria.....................................................................................................104
8.5.2 MasterCard Audit and Questionnaire.............................................................................104
8.5.3 Subsequent Issuer Identifications in the IMP.................................................................. 105

8.1 Presenting Valid Transactions

A Merchant must present to its Acquirer only valid Transactions between itself and a bona fide
Cardholder.
A Merchant must not present a Transaction that it knows or should have known to be
fraudulent or not authorized by the Cardholder, or authorized by a Cardholder who is in
collusion with the Merchant for a fraudulent purpose. Within the scope of this rule, the
Merchant is responsible for the actions of its employees.
8.1.1 Notifying MasterCard—Acquirer Responsibilities

An Acquirer must immediately notify Merchant Fraud Control staff in writing when, in regard
to a Merchant with whom it has entered into a MasterCard Merchant Agreement:
• The Acquirer may have reason to believe that the Merchant is engaging in collusive or
otherwise fraudulent or inappropriate activity, or
• The Acquirer determines that the Merchant’s ratio of chargebacks, credits to sales exceeds
criteria established by MasterCard.
An Acquirer must accept chargebacks for all fraudulent MasterCard Point-of-Sale (POS)
Transactions that took place during the period when the Merchant was in violation of Rule
5.12 of the MasterCard Rules manual (“the Valid Transactions Rule”).
Moreover, if an Acquirer fails to identify and declare a Merchant in violation of the Standard,
MasterCard may do so after an audit of the Customer’s Merchant file and records.
8.1.2 Notifying MasterCard—Issuer Responsibilities

If an Issuer becomes aware of any Merchant in violation of the Valid Transactions Rule,
through Cardholder complaints or otherwise, the Issuer immediately must notify Merchant
Fraud Control staff at the address and fax number provided in Appendix C.
8.1.3 MasterCard Audit

MasterCard, in its sole discretion, and either itself or by use of a third party, may conduct an
audit of an Acquirer’s Merchant files and records to determine whether the Merchant is in
violation of the Valid Transactions Rule. Merchant Fraud Control staff will notify the Acquirer
of a decision to conduct such an audit. An Acquirer and its Merchants must cooperate fully.
During the audit, MasterCard may list the Merchant on the MasterCard Alert to Control High-
risk (Merchants) (MATCH™) system under MATCH reason code 00 (Questionable Merchant/
Under Investigation).
In the course of the audit, staff will develop allegations from any available sources, including,
but not limited to, internal studies, analyses, Customer input and complaints, and from
information derived from compliance actions regarding activities by Merchants which would
raise serious concerns as to whether such Merchants have caused to be entered into
interchange Transactions which the Merchants knew or should have known were fraudulent
or resulted in excessive costs to the industry.

It is the obligation of the Acquirer to monitor each Merchant closely.

MasterCard may assess the Acquirer for costs and expenses incurred related to the audit.
8.1.3.1 Initiation of MasterCard Audit

If MasterCard suspects that a Merchant may be in violation of the Valid Transactions Rule,
MasterCard will send a letter to the Security Contact listed in the Member Information tool.
The Security Contact is responsible for distributing the letter to the person responsible for the
Acquirer’s Merchant audit programs. The letter explains why MasterCard is conducting the
audit and assessments associated with violations of the Valid Transactions Rule. Customers
must return the requested information to Merchant Fraud Control for each Merchant listed in
the letter within 30 calendar days of the date of the cover letter.
8.1.3.2 Information Required by MasterCard

The following is a list of some of the items that MasterCard may require Acquirers to provide
during the course of an audit, initiated by MasterCard to determine whether an Acquirer’s
Merchant was in violation of the Valid Transactions Rule:
1. A detailed statement of facts explaining whether, when, and how the Customer became
aware of fraudulent activity or chargeback or customer service issues, the steps taken by
the Customer to control the occurrence of fraud, and the circumstances surrounding the
Merchant’s termination.
2. All internal documents about the opening and signing of the Merchant including its
application, Merchant Agreement, credit report, and certified site inspection report. (The
Acquirer should include the Merchant’s opening and closing dates.)
3. All internal Customer documents regarding the due diligence procedures followed before
signing the Merchant, including background checks of the company and its principals, and
the telephone logs for trade and bank references that the Customer verified during the
due diligence procedure.
4. Internal reports, where applicable, confirming inquiry by the Customer into the MATCH
system before signing the Merchant and, if applicable, input of the Merchant to the
MATCH system database within five business days after its decision to close the Merchant
as specified in these rules.
If a Service Provider of an Acquirer facilitates the signing of a Merchant, the Service Provider
must include the due diligence documents.
Additionally, if an Acquirer’s Service Provider assisted in the signing of the Merchant, the
Customer must provide all Service Provider due diligence documents regarding the
representative that signed the Merchant.
Staff will establish an audit (review) period for which the Acquirer must provide the following
supporting documentation:
1. Authorization logs for the Merchant.
2. If requested to do so, the Acquirer must provide a monthly breakdown of chargebacks
and credits by count, amount, and Issuer bank identification number (BIN) for the
suspected violation period, as specified by MasterCard.

8.2 Global Merchant Audit Program
3. A complete record of the Merchant sales volume, including the number of Transactions at
the location, for the period for which MasterCard requests the authorization logs.
Customers outside the U.S. Region that do not report their local fraud to the System to
Avoid Fraud Effectively (SAFE) may not include local sales in the Merchant’s sales volume.
MasterCard may require the Customer to provide additional information deemed relevant to
the audit. In the event that an Acquirer refuses to disclose information requested by
MasterCard, MasterCard may, in its sole discretion for the purpose of the audit, presume that
the information would not be favorable to the Acquirer and declare the Merchant in violation
of the Valid Transactions Rule.
8.1.3.3 Notification to Customers of Chargeback Period

If MasterCard determines that a Merchant is in violation of the Valid Transactions Rule,
MasterCard will publish a Global Security Bulletin identifying the Merchant and specifying the
appropriate chargeback period. The Issuer has 120 calendar days from the date of the Global
Security Bulletin to charge back Transactions to the Acquirer (using IPM message reason code
4849—Questionable Merchant Activity).
In the case of Transactions occurring after the date of the Global Security Bulletin, but within
the dates specified, the Issuer has 120 calendar days from the date of the Transaction to
charge back the Transactions. The Issuer must include the number of the Global Security
Bulletin (for example, “Global Security Bulletin No. XX”) in the Data Record Text (Data Element
72) when processing the chargeback.

The Global Merchant Audit Program (GMAP) uses a rolling six months of data to identify
MasterCard Merchant locations that, in any calendar month, meet the criteria set forth in
Table 8.1.
Table 8.1—Fraud Criteria for Global Merchant Audit Program Tier Classification
If in any calendar month, the MasterCard

A MasterCard Merchant location is classified Merchant location meets the following fraud
in the following GMAP tier... criteria...
Tier 1—Informational Fraud Alert • Three fraudulent Transactions

• At least USD 3,000 in fraudulent Transactions
• A fraud-to-sales dollar volume ratio minimum
of 3% and not exceeding 4.99%

If in any calendar month, the MasterCard

A MasterCard Merchant location is classified Merchant location meets the following fraud
in the following GMAP tier... criteria...
Tier 2—Suggested Training Fraud Alert • Four fraudulent Transactions

of 5% and not exceeding 7.99%
Tier 3—High Fraud Alert • Five fraudulent Transactions

of 8%
If a MasterCard Merchant location is identified in multiple tiers during any rolling six-month
period, GMAP will use the highest tier for the Merchant identification.
NOTE: If a MasterCard Merchant has more than one location (or outlet), the program criteria
apply to each location independently.
8.2.1 Acquirer Responsibilities

MasterCard will notify an Acquirer of the identification of a Tier 1, Tier 2, or Tier 3 Merchant
via the Merchant Online Status Tracking (MOST) tool. GMAP Merchant identifications are
provided for information only and no Acquirer response is necessary. If MasterCard notifies an
Acquirer via MOST that a Tier 3 special Merchant audit has been initiated, the Acquirer must
respond as described in section 8.2.2.
When a Merchant is identified in Tier 1, Tier 2, or Tier 3, the Acquirer should evaluate the
fraud control measures and Merchant training procedures in place for the Merchant.
MasterCard strongly recommends that the Acquirer act promptly to correct any identified
deficiencies. Suggested enhancements are described in the GMAP Best Practices Guide for
Acquirers and Merchants to Control Fraud.
MasterCard, in its sole discretion, may conduct an audit to determine whether a Merchant
location is in violation of the Valid Transactions Rule, as described in section 8.1.3, and may
assign chargeback liability.
8.2.2 Tier 3 Special Merchant Audit

If GMAP identifies a Merchant location in Tier 3, MasterCard will determine whether to
initiate an audit of the Merchant location (“a Tier 3 special Merchant audit”). If MasterCard
decides to conduct a Tier 3 special Merchant audit, the audit will proceed as follows:
1. MasterCard notifies Acquirer. The Acquirer will receive notification from MasterCard,
through MOST, that a Tier 3 special Merchant audit has been initiated.

2. Acquirer response due within 30-day response period. No later than 30 days after
the Tier 3 special Merchant audit notification date (“the 30-day response period”), the
Acquirer must respond to the audit notification through MOST by either:
a. Notifying MasterCard that the Acquirer has terminated the Merchant (if the Acquirer
determines that the Merchant must be reported to the MATCH system, the Acquirer
may do so through MOST), or;
b. Completing the online questionnaire, if the Acquirer did not terminate the Merchant.
This questionnaire is used to inform MasterCard of 1) any exceptional or extenuating
circumstances pertaining to the identified Merchant’s fraud and 2) the fraud control
measures in place at the Merchant location.
Upon review of the completed online questionnaire, MasterCard, at its sole discretion,
may:
– Grant the Merchant location an exclusion for the Merchant identification, or;
– Provide the Acquirer with the opportunity to implement additional fraud control
measures (“the fraud control action plan”), as directed by MasterCard, at the Merchant
location, or;
– Assign chargeback responsibility to the Acquirer for the Merchant location.
3. Fraud control action plan required within 90-day action period. If MasterCard
requires the Acquirer to implement a fraud control action plan, MasterCard will provide
the plan to the Acquirer through MOST. The Acquirer has 90 days from the first day of the
month following the month in which the Merchant was identified in GMAP (“the 90-day
action period”) to take all required actions, including but not limited to confirmation that
such fraud control action plan has taken effect. MasterCard may extend the 90-day action
period at its sole discretion. For Acquirers that implement a fraud control action plan, the
identified Merchant is again eligible to be newly identified in GMAP commencing on the
sixth month following the month in which the Merchant was first identified in GMAP.
Fraudulent Transactions reported to SAFE will be reviewed under the Program
commencing on the fourth and fifth months following the month in which the Merchant
was first identified in GMAP, and will continue incrementally thereafter until the Merchant
resumes a six-month rolling review period, provided the Merchant does not exceed the
GMAP Tier 1, 2, or 3 thresholds.
The Acquirer of a Merchant subject to a Tier 3 special Merchant audit must provide
satisfactory documentation to substantiate that reasonable controls to combat fraud have
been implemented, including implementation of a MasterCard directed fraud control action
plan.
Refer to Figure 8.1 for a sample timeline of a Tier 3 special Merchant audit.

Figure 8.1—Tier 3 Special Merchant Audit Sample Timeline
8.2.3 Chargeback Responsibility

MasterCard will review each Acquirer of a Merchant location subject to a Tier 3 special
Merchant audit on a case-by-case basis and determine, at the sole discretion of MasterCard, if
a chargeback liability period is applicable. The chargeback liability period is for six months and
begins on the first day of the fourth month following the GMAP Tier 3 identification.
MasterCard, at its sole discretion, may extend the chargeback liability period to 12 months.
MasterCard reserves the right to list the Acquirer ID, Acquirer name, Merchant name,
Merchant location, and chargeback liability period of any Tier 3 Merchant in a Global Security
Bulletin.
When MasterCard lists the Acquirer and Merchant information in a Global Security Bulletin,
Issuer chargeback rights will apply. Each Issuer then has a right to use message reason code
4849—Questionable Merchant Activity to charge back to the Acquirer any fraudulent
Transactions from the Merchant that are reported to SAFE with the following fraud types:
• 00—Lost Fraud,
• 01—Stolen Fraud,

• 04—Counterfeit Card Fraud,

• 06—Card Not Present3 Fraud, or
• 07—Multiple Imprint Fraud.
Each Transaction charged back must have occurred during the published chargeback period
and must be reported to SAFE within the applicable time frame (refer to Chapter 12 of this
manual). Issuers may not use message reason code 4849 to charge back Transactions from an
Acquirer and Merchant identified in GMAP if the fraud type is:
• 02—Never Received Issue,
• 03—Fraudulent Application,
• 05—Account Takeover Fraud, or
• 51—Bust-out Collusive Merchant.
Once MasterCard lists the Acquirer ID, Acquirer name, Merchant name, Merchant location,
and chargeback responsibility period in a Global Security Bulletin, the Issuer may not use
message reason code 4849—Questionable Merchant Activity, in any of the following
situations:
• The Transaction was not reported properly to SAFE within the applicable time frame
specified in this manual.
• The Transaction was reported to SAFE as a fraud type of Never Received Issue (02),
Fraudulent Application (03), Account Takeover Fraud (05), or Bust-out Collusive Merchant
(51).
• If the SecureCode global liability shift for electronic commerce (e-commerce) Transactions is
in effect, and all of the following conditions occur:
– The Merchant is Universal Cardholder Authentication Field (UCAF™)-enabled, and
– The Issuer provided the UCAF data for that Transaction, and
– All other e-commerce Authorization Request/0100 message and clearing requirements
were satisfied, and
– The Authorization Request Response/0110 message reflected the Issuer’s approval of the
Transaction.
• If an intracountry or intraregional chip liability shift or the interregional Chip Liability Shift
Program (Level 1) is in effect, the Transaction was processed at a chip compliant Terminal,
the Transaction was reported to SAFE as counterfeit fraud, and either the Transaction was
identified properly as 1) an offline chip Transaction in the clearing record, or 2) as an online
Transaction in the Authorization Request/0100 message, and the Authorization Request
Response/0110 message reflected the Issuer’s approval of the Transaction.
8.2.4 Exclusion from the Global Merchant Audit Program

The following sections address exclusions from GMAP.
3 Refer to Issuer restrictions on chargebacks for message reason code 4849 for the MasterCard® SecureCode™ global
liability shift as described later in this section.

8.2.4.1 Systematic Exclusions

The following Transactions systematically are excluded for the purposes of determining the
identification of a Merchant in GMAP:
• Debit Fraud—This includes all fraud related to Cirrus (CIR) and Maestro (MSI).
• All Never Received Issue, Fraudulent Application, Account Takeover (ATO), and
Bust-out Collusive Merchant fraud types—This includes all Transactions reported to
SAFE as fraud type:
– 02—Never Received Issue
– 03—Fraudulent Application
– 05—Account Takeover Fraud
– 51—Bust-out Collusive Merchant
8.2.4.2 Exclusion After GMAP Identification

After MasterCard provides notification to an Acquirer that a Tier 3 special Merchant audit has
been initiated, the Acquirer may request that MasterCard exclude the Merchant for good
cause.
When requesting an exclusion, the Acquirer must submit the completed special Merchant
audit online questionnaire within 30 days of the Tier 3 special Merchant audit notification and
provide such other supporting information that MasterCard requires.
MasterCard staff will decide whether to exclude a Merchant from GMAP.
When evaluating exclusion requests, MasterCard may consider such matters as:
• A fraud-to-sales dollar volume ratio below 8 percent—If the Merchant’s MasterCard
dollar volume is not systematically available for calculation, the Acquirer will have the
opportunity to provide this data to MasterCard for review. To recalculate the Merchant
fraud-to-sales dollar volume ratio, the Acquirer must present supporting documentation to
show only the MasterCard sales for the identified location during the applicable months in
which the identification criteria are met.
If the supporting documentation demonstrates that the Merchant location did not exceed
the Tier 3 fraud thresholds, the Acquirer will receive an exclusion for the Merchant.
If the supporting documentation demonstrates that the Merchant’s fraud-to-sales ratio
exceeds 8 percent, MasterCard will take action as described in section 8.2.2.
• The fraud control Program currently in place at the Merchant location—MasterCard
will review information pertaining to the fraud control Program currently in place at the
Merchant location to establish if additional fraud control measures could have prevented or
reduced the fraud.
• A chain Merchant—A chain Merchant is defined in the IPM Clearing Formats under Data
Element (DE) 43 (Card Acceptor Name/Location) as one of multiple Merchant outlets
having common ownership and selling the same line of goods or services. MasterCard
Standards further indicate that subfield 1 (Card Acceptor Name) of this data element must
contain a unique identifier at the end of this field if the Merchant has more than one
location in the same city. It is the Acquirer’s responsibility to ensure that all Merchants of

this nature are identified properly. Merchants with multiple locations that are in compliance
with this Standard are identified uniquely in the audit programs.
Acquirers with a Merchant subject to a Tier 3 special Merchant audit based on a calculation
inclusive of more than one location may apply for an exclusion. To apply for such an
exclusion, the Acquirer must provide MasterCard with fraud and sales data for each
location within the chain. If the same Merchant ID number is used to identify all of the
Merchant locations, the Acquirer must further provide a copy of the sales draft for each
Transaction identified as fraudulent.
Exclusions based on other exceptional or extenuating circumstances—An Acquirer may
request an exclusion for a Merchant location from a Tier 3 special Merchant audit based on
exceptional or extenuating circumstances by providing appropriate information.
The following are examples of information that MasterCard will consider with regard to an
exclusion request for exceptional or extenuating circumstances:
1. SAFE data error:
– Erroneous Transaction amount reported
– Reported Transaction amount inflated as a result of currency conversion
– Transaction reported under incorrect Acquirer ID or Merchant name
– Duplicate Transactions reported
– Non-fraudulent Transaction reported to SAFE in error (such as a dispute)
2. The Merchant captured fraudulent Card(s) transacted at its location.
3. The Merchant assisted with the apprehension and conviction of criminal(s) that transacted
fraudulent Cards at its location.
4. The Merchant identified fraudulent Transactions before shipping merchandise and issued
credits to the Cardholder account in a timely fashion, provided the credit was not issued in
response to a retrieval request or chargeback.
8.2.5 Notification of Merchant Identification

When a Merchant location is identified in GMAP, MasterCard will report the Merchant
identification in MOST, detailing the identification.
In addition, the Acquirer will receive the Global Merchant Audit Program Report.
Acquirers must use MOST to respond to a Tier 3 special Merchant audit notification.
NOTE: Acquirers are responsible for ensuring that they are capable of receiving notification of
Merchants identified in GMAP. If an Acquirer does not receive an automated notification, it is
™
the Acquirer's responsibility to obtain this information through MasterCard Connect .
8.2.5.1 Distribution of Reports

Refer to the MOST Users’ Manual for information about the distribution of GMAP reports.

8.2.6 Merchant Online Status Tracking (MOST) System

The MOST system resides on the MasterCard Connect platform, and is used to administer the
process for Merchants identified in GMAP. The MOST system allows an Acquirer to:
• View each Merchant identified in GMAP
• Determine the reasons that a Merchant was identified in GMAP
• Retrieve full Transaction details for each identified Merchant via Fraud Reporter
• View the status of each Merchant subject to a Tier 3 special Merchant audit
• Complete an online questionnaire as required by MasterCard for a Tier 3 special Merchant
audit
• Determine the chargeback liability period for each Merchant subject to a Tier 3 special
Merchant audit
8.2.6.1 MOST Mandate

Acquirers must use the MOST system available on MasterCard Connect when required by
MasterCard to respond to a Tier 3 special Merchant audit in MOST. MasterCard will assess a
USD 100 processing fee per individual Merchant identification for an Acquirer that does not
solely use MOST to respond to a Tier 3 special Merchant audit.
MasterCard will assess the USD 100 processing fee only one time for each required Tier 3
special Merchant audit response. The fee will be collected by debiting the Acquirer’s
MasterCard Consolidated Billing System (MCBS) account.
In addition, MasterCard may assess an Acquirer a USD 100 processing fee if the Tier 3 special
Merchant audit response is completed in MOST and is submitted using any other additional
method. However, if an Acquirer responds to a Tier 3 special Merchant audit via MOST and
then chooses to submit supporting documentation via another communication method, or to
engage in dialogue with MasterCard staff, then MasterCard will not assess the Acquirer a
processing fee.
MOST and MATCH have been incorporated into one suite of mandated products for which
Acquirers globally are assessed a combined annual fee of USD 4,000.
8.2.6.2 MOST Registration

To use MOST, a user must be licensed for each acquiring Customer/ICA number at a child
level, regardless of a parent/child relationship. To request access to MOST, a user signs in to
MasterCard Connect with his or her User ID and password, then orders MOST for specific
Customers/ICA numbers from the MasterCard Connect Store.
The order then is routed to the user’s Security Administrator for approval. If a different
company owns the Customer/ICA number data, then the order is routed to the Security
Administrator of the company that owns the data. The Security Administrator is responsible
for approving the user’s order for MOST. After the appropriate Security Administrators approve
the order, it is routed to MasterCard for processing. The user has access to MOST after
MasterCard approves the order. Users must have an RSA SecurID® to use MOST. If the user
does not have a SecurID, one will be issued as part of the access approval process.

8.3 Excessive Chargeback Program
MasterCard will decline orders for MOST that are not complete and accurate. MasterCard
reserves the right to request written authorization from a Customer’s Security Contact,
Principal Contact, or MATCH Contact to validate the user’s request for MOST. If MasterCard
declines an order, the user must submit a subsequent order for MOST through the MasterCard
Connect Store.
For additional assistance with ordering MOST, contact the Customer Operations Services team
using the information provided in section C.6 of Appendix C.

MasterCard designed the Excessive Chargeback Program (ECP) to encourage each Acquirer to
closely monitor, on an ongoing basis, its chargeback performance at the Merchant level and
to determine promptly when a MasterCard Merchant has exceeded or is likely to exceed
monthly chargeback thresholds.
8.3.1 ECP Definitions

The following terms used in the ECP have the meanings set forth below.
Merchant
A Merchant is defined as any distinct MasterCard Merchant location, whether a
Merchant’s physical location or a Merchant’s Internet site or uniform resource locator (URL)
that is identified by a distinct billing descriptor by the Acquirer in the Transaction record.
Chargeback-to-Transaction Ratio (CTR)
The CTR is the number of MasterCard chargebacks received by the Acquirer for a
Merchant in a calendar month divided by the number of the Merchant’s MasterCard sales
Transactions in the preceding month acquired by that Acquirer. (A CTR of 1% equals 100
basis points, and a CTR of 1.5% equals 150 basis points.)
Chargeback-Monitored Merchant (CMM)
A CMM is a Merchant that has a CTR in excess of 100 basis points and at least 100
chargebacks in a calendar month.
Excessive Chargeback Merchant (ECM)
A Merchant is an ECM if in each of two consecutive calendar months (the “trigger
months”), the Merchant has a minimum CTR of 150 basis points and at least 100
chargebacks in each month. This designation is maintained until the ECM’s CTR is below
150 basis points for two consecutive months.
Tier 1 ECM
A Merchant is a Tier 1 ECM during the first through sixth month (whether consecutive or
non-consecutive) that the Merchant is identified as an ECM.
Tier 2 ECM
A Merchant is a Tier 2 ECM during the seventh through twelfth month (whether
consecutive or non-consecutive) that the Merchant is identified as an ECM.

8.3.2 Reporting Requirements

It is the Acquirer’s responsibility on an ongoing basis to monitor each of its Merchants in
accordance with the Standards, including but not limited to sections 6.2.2, 7.2, 7.3, and 7.4
of this manual.
The ECP requires an Acquirer to calculate, for each calendar month, the CTR in basis points
for each of its Merchants and report to MasterCard any Merchant that is a CMM or ECM as
defined in section 8.3.1.
MasterCard will assess an Acquirer of an ECM the reporting fee set forth in section 8.3.2.2.
8.3.2.1 Chargeback-Monitored Merchant Reporting Requirements

Each calendar month, an Acquirer must submit to MasterCard a separate CMM report for
each of its Merchant(s) that qualifies as a CMM for the previous calendar month. For the
purpose of determining if an Acquirer is obligated to submit a CMM report, the Acquirer must
calculate the CTR as set forth in section 8.3.1. The Acquirer must submit this report no later
than 45 days from the end of the calendar month.
The Acquirer must submit the CMM report in a form and manner required by MasterCard.
The Acquirer also must provide a copy of the CMM report and these ECP Standards to the
specific CMM.
The Acquirer must continue to provide CMM reporting until the Merchant is no longer
identified as a CMM for two consecutive months.
8.3.2.1.1 CMM Report Contents
The CMM report must include all of the following information:
• The name and location of the CMM
• The calendar month of CMM qualification being reported
• The CTR of the CMM for the reported calendar month
• The Card acceptor business code/Merchant category code (MCC) assigned to the CMM
and a description of the nature of the CMM’s business
• The number and gross dollar volume (GDV) of the CMM’s MasterCard sales Transactions in
the reported calendar month and in the preceding month
• The number and GDV of chargebacks of the CMM’s MasterCard sales Transactions for the
reported calendar month
• Any additional information as MasterCard may require
8.3.2.1.2 Late CMM Report Submission Assessment
If MasterCard determines that a Merchant is a CMM and the Acquirer fails to submit a timely
CMM report to MasterCard for that Merchant, MasterCard may assess the Acquirer up to USD
5,000 per month for each month that a specific monthly CMM report is overdue.
8.3.2.2 Excessive Chargeback Merchant Reporting Requirements

Within 30 days of the end of the second trigger month, and on a monthly basis thereafter, the
Acquirer must submit a separate ECM report for each of its ECMs (in lieu of a CMM report)

until that ECM’s CTR is below 150 basis points for two consecutive months. The Acquirer also
must provide a copy of the ECM report and these ECP Standards to the specific ECM.
MasterCard will assess the Acquirer a reporting fee of USD 100 for each ECM report
submitted.
The Acquirer must continue to provide monthly ECM reporting until the Merchant is no longer
identified as an ECM for two consecutive months. If during those months the Merchant is
identified as a CMM, then the CMM reporting requirements will apply.
8.3.2.2.1 ECM Report Contents
The ECM report must include all of the information required for the CMM report, and the
following additional information:
• A description of the Acquirer’s chargeback controls in place to monitor the ECM’s activities
• An evaluation of the practices that caused the ECM to exceed the ECP Standard
• An Acquirer action plan to reduce the ECM’s CTR
• An electronic file that contains chargeback Transaction details for each chargeback received
by the Acquirer for the ECM in the calendar month
• Any additional information as MasterCard may require from time to time
MasterCard will assess the Acquirer a reporting fee of USD 100 for each ECM report
submitted.
8.3.2.2.2 Late ECM Report Submission Assessment
If MasterCard determines that a Merchant is an ECM and the Acquirer fails to submit a timely
ECM report to MasterCard for that ECM, MasterCard may assess the Acquirer up to USD 500
per day for each of the first 15 days that the ECM report for that ECM is overdue and up to
USD 1,000 per day thereafter until the delinquent ECM report is submitted.
8.3.3 Assessments
In addition to any applicable assessments for ECM reports or late report submissions,
MasterCard may assess the Acquirer for Issuer reimbursement fees and violation assessments
for excessive chargebacks arising from an ECM. MasterCard calculates the Issuer
reimbursement fees and assessments as described in section 8.3.3.1 and they apply in each
calendar month that the ECM exceeds a CTR of 150 basis points after the first trigger month.
For the purposes of calculating Issuer reimbursement fees and assessments only (and not for
the purpose of satisfying the reporting requirements contained herein), an Acquirer may offer
an alternative CTR calculation that more accurately “maps back” or links the chargebacks to
the relevant sales Transactions.
For the first 12 months of a Merchant’s identification as an ECM, MasterCard will consider the
Merchant’s actual chargeback volume as a factor in its determination of Acquirer liability.
During this period, MasterCard will assess the Acquirer the lesser of:
• The total of the Issuer reimbursement plus violation assessment amounts, calculated as
described in section 8.3.3.1 for a given month, or
• The Merchant’s chargeback dollar volume reported by the Acquirer for that month.

8.3.3.1 ECP Assessment Calculation

MasterCard determines an Acquirer’s liability for the monthly Issuer reimbursement fees and
assessments for each ECM as set forth below. MasterCard calculates the Issuer reimbursement
fees in the following Steps 1, 2, and 3, and calculates the violation assessment in Step 4.
1. Calculate the CTR for each calendar month that the ECM exceeded a CTR of 150 basis
points (which may also be expressed as 1.5% or 0.015).
2. From the total number of chargebacks in the above CTR calculation, subtract the number
of chargebacks that account for the first 150 basis points of the CTR. (This amount is
equivalent to 1.5 percent of the number of monthly sales Transactions used to calculate
the CTR.) The result is the number of chargebacks above the threshold of 150 basis
points.
3. Multiply the result from Step 2 by USD 25. This is the Issuer reimbursement.
4. Adjust the result in Step 3 to reflect the extent that the Acquirer has exceeded the 150
basis points threshold by multiplying the value in Step 3 by the CTR (expressed as basis
points). Divide this result by 100. This amount is the violation assessment.
Repeat Steps 1–4 for each calendar month (other than the first trigger month) that the ECM
exceeded a CTR of 150 basis points or 1.5 percent.
Example: The Acquirer for Merchant ABC acquired MasterCard sales Transactions and
chargebacks over a six-month period as follows:
Month January February March April May June July
Sales 95,665 95,460 95,561 95,867 95,255 95,889 95,758

Transactions
Chargebacks 1,050 1,467 1,635 1,556 1,495 1,052 985
CTR in basis — 153 171 163 156 110 103

points
February and March are the trigger months, as these are two consecutive months where the
CTR exceeded 150 basis points. At the end of July, Merchant ABC was no longer an ECM as
its CTR was below 150 basis points for two consecutive months. MasterCard calculates
assessments and Issuer reimbursements for each of the months March through July.
For example, the assessment for April (using March sales Transactions and April chargeback
volumes) is calculated as follows:
• The CTR = April chargebacks/March sales Transactions = 1,556/95,561 = 0.01628 or 163
basis points (rounded)
• The number of chargebacks in excess of the 150 basis points is determined by subtracting
1.5 percent of the March sales Transactions from the number of April chargebacks. 1.5
percent of the March sales Transactions (95,561 x 0.015) is 1,433. 1,556 – 1,433 = 123
chargebacks

• The Issuer reimbursement for April is 123 x USD 25 = USD 3,075

• The violation assessment is (USD 3,075 x 163)/100 or 501,225/100 = USD 5,012.25
Using this methodology, the Issuer reimbursement fees and assessments for the Acquirer for
Merchant ABC are as follows.
Month Issuer Reimbursement Assessment Total
February (first trigger 0 0 0

month)
March (second trigger USD 5,075.00 USD 8,678.25 USD 13,753.25

month)
April USD 3,075.00 USD 5,012.25 USD 8,087.25
May USD 1,425.00 USD 2,223.00 USD 3,648.00
June 0 0 0
July 0 0 0
Total USD 9,575.00 USD 15,913.50 USD 25,488.50
Example: For the month of March, the Acquirer reported Merchant ABC chargeback volume
of 1,635 chargebacks totaling USD 12,145. This amount is less than the calculated amount of
the Issuer reimbursement plus violation assessment total of USD 13,753.25, as shown above
for March. Therefore, MasterCard will assess the Acquirer the lesser chargeback volume
amount rather than the greater calculated amount.
8.3.4 Issuer Reimbursement

MasterCard will remit Issuer reimbursement fees to Issuers through the MCBS. Actual
reimbursements will vary depending on the extent and duration of the violation and the
number of chargebacks processed by each Issuer, and will be paid out of the amounts
collected for the Issuer reimbursement fees described in section 8.3.3.1 on a pro rata basis.
8.3.5 Additional Tier 2 ECM Requirements

After a Merchant has been a Tier 1 ECM for six months (whether consecutive or non-
consecutive), the Merchant will be deemed a Tier 2 ECM in its seventh month as an ECM.
With respect to a Tier 2 ECM, MasterCard may:
1. Advise the Acquirer with regard to the action plan and other measures that the Acquirer
should take or consider taking to reduce the Merchant’s CTR; and/or

8.4 Questionable Merchant Audit Program (QMAP)
2. Require the Acquirer to undergo a Global Risk Management Program Customer Risk
Review, at the Acquirer’s expense, as described in Chapter 13 of this manual.
After a Merchant has been an ECM for 12 months (whether consecutive or non-consecutive),
the Acquirer will be deemed to be in violation of Rule 5.11.7 of the MasterCard Rules manual
(“the Illegal or Brand-damaging Transactions Rule”), and in addition to the assessments
described in section 8.3.3, is subject to noncompliance assessments of up to USD 50,000 per
month after the twelfth month that the Merchant remains an ECM.

The Questionable Merchant Audit Program (QMAP) establishes minimum standards of
acceptable Merchant behavior and identifies Merchants that may fail to meet such minimum
standards by participating in collusive or otherwise fraudulent or inappropriate activity. The
QMAP also permits an Issuer to obtain partial recovery of up to one-half of actual fraud losses
resulting from fraudulent Transactions at a Questionable Merchant, based on SAFE reporting.
The criteria to identify a Questionable Merchant and the fraud recovery process are described
below.
8.4.1 QMAP Definitions

For purposes of the QMAP, the following terms have the meanings set forth below:
Cardholder bust-out account means an account for which all of the following conditions
are true:
1. The Issuer closed the account prior to the earlier of (i) the Issuer requesting that
MasterCard commence an investigation as to whether a Merchant is a Questionable
Merchant, or (ii) MasterCard notifying the Issuer that MasterCard has commenced an
investigation as to whether a Merchant is a Questionable Merchant; and
2. A Transaction arising from use of the account has not been charged back for either an
authorization-related chargeback (as set forth in section 3.2 of the Chargeback Guide) or
fraud-related chargeback (as set forth in section 3.3 of the Chargeback Guide) during the
180 days prior to the earlier of (i) the Issuer requesting that MasterCard commence an
investigation as to whether a Merchant is a Questionable Merchant, or (ii) MasterCard
notifying the Issuer that MasterCard has commenced an investigation as to whether a
Merchant is a Questionable Merchant; and
3. At least one of the following is true:
a. The account in question is “linked” to one or more Cardholder bust-out accounts. As
used herein, to be “linked” means that personal, non-public information previously
provided by an applicant in connection with the establishment of one or more
Cardholder bust-out accounts (name, address, telephone number, social security
number or other government-issued identification number, authorized user, demand
deposit account number, and the like) has been provided by an applicant in
connection with the establishment of the subject account; or

b. The account is linked to one or more Cardholder bust-out accounts used in

Transactions with a Merchant that MasterCard identified as a Questionable Merchant
in a Global Security Bulletin; or
c. The Cardholder requests that one or more additional persons be designated as an
additional Cardholder of the account within a short period of time; or
d. The Cardholder requests that the credit limit of the account be increased soon after
the account is opened; or
e. The Cardholder makes frequent balance queries or “open-to-buy” queries; or
f. No payment has been made of charges to the account; or
g. The Issuer closed the account after a failed payment (dishonored check or the like) of
charges to the account.
Case Scope Period means the 180-calendar-day period preceding the date on which
MasterCard commences an investigation into the activities of a suspected Questionable
Merchant.
Questionable Merchant means a Merchant that satisfies all of the following criteria:
1. The Merchant submitted at least USD 50,000 in Transaction volume during the Case
Scope Period;
2. The Merchant submitted at least five (5) Transactions to one or more Acquirers during the
Case Scope Period; and
3. At least fifty (50) percent of the Merchant’s total Transaction volume involved the use of
Cardholder bust-out accounts
OR
At least three (3) of the following four (4) conditions apply to the Merchant’s Transaction
activity during the Case Scope Period:
a. The Merchant’s fraud-to-sales Transaction ratio was seventy (70) percent or greater.
b. At least twenty (20) percent of the Merchant’s Transactions submitted for
authorization were declined by the Issuer or received a response of “01—Refer to
issuer” during the Case Scope Period.
c. The Merchant has been submitting Transactions for fewer than six (6) months.
d. The Merchant’s total number or total dollar amount of fraudulent Transactions,
authorization declines, and Issuer referrals was greater than the Merchant’s total
number or total dollar amount of approved Transactions.
NOTE: Transaction activity (“on-us” or otherwise) that is not processed through MasterCard
systems is not considered in determining whether a Merchant meets the criteria of a
Questionable Merchant.
MasterCard has sole discretion, based on information from any source, to determine whether
a Merchant meeting these criteria is a Questionable Merchant.

8.4.2 MasterCard Commencement of an Investigation

MasterCard, at its sole discretion, may commence a QMAP investigation of a Merchant.
During the pendency of such an investigation, MasterCard may identify the Merchant being
investigated in MATCH using MATCH reason code 00 (Questionable Merchant/Under
Investigation).
If an Issuer has reason to believe that a Merchant may be a Questionable Merchant, the Issuer
must promptly notify MasterCard via email message at qmap@mastercard.com. Transactions
that occurred during the Case Scope Period may qualify as eligible for recovery under the
QMAP.
In the notification, the Issuer must provide the basis for the Issuer’s reason to believe that the
Merchant may be a Questionable Merchant, and must provide all of the following
information:
1. Issuer name and Member ID;
2. Acquirer name and Member ID;
3. Merchant name and address (city, state or province, and country);
4. Total number of Transactions conducted at the Questionable Merchant by the Issuer’s
Cardholders;
5. Total dollar volume of Issuer losses at the Questionable Merchant;
6. Percentage of Transactions attributed to Cardholder bust-out accounts, if applicable; and
7. Details of each Issuer-confirmed fraudulent Transaction, including Cardholder account
number, Transaction date and time, and Transaction amount in U.S. dollars.
If an Acquirer becomes aware that it is acquiring for a Questionable Merchant, the Acquirer
must notify MasterCard promptly via email message at qmap@mastercard.com.
8.4.3 MasterCard Notification to Issuers

Should MasterCard commence a QMAP investigation, MasterCard will notify any Issuer that
MasterCard determines had accounts used in Transactions with the Merchant being
investigated during the Case Scope Period. Any such notification will be sent via email
message to the Issuer’s Security Contact then listed in the Member Information—MasterCard
application available on MasterCard Connect. With the notification, MasterCard will provide
details of Transactions arising from use of the Issuer’s accounts at the Merchant during the
Case Scope Period.
Within 60 days following such notice, an Issuer must report to SAFE all fraudulent
Transactions conducted during the Case Scope Period associated with the Merchant being
investigated. Transactions conducted on Cardholder bust-out accounts should be reported
using fraud type code 51 (Bust-out Collusive Merchant).
NOTE: To accelerate the determination by MasterCard of whether a Merchant is a

Questionable Merchant, Issuers are urged to report fraudulent Transactions to SAFE as
expeditiously as feasible. For purposes of making such a determination, MasterCard only
considers Transactions that take place (and the resulting fraudulent Transactions timely
reported to SAFE) during the Case Scope Period.

8.4.4 MasterCard Notification to Acquirers

Following the MasterCard evaluation of Transactions reported to SAFE by Issuers, MasterCard
may notify any Acquirer of the investigated Merchant that such Merchant has initially met the
criteria of a Questionable Merchant. Such notification will be sent via email message to the
Security Contact then listed for the Acquirer in the Member Information—MasterCard
application available on MasterCard Connect.
Within 15 calendar days from the date of the MasterCard notification, the Acquirer may
contest the MasterCard preliminary finding that a Merchant is a Questionable Merchant. In
such an event, the Acquirer shall provide to MasterCard any supplemental information
necessary to review the preliminary finding.
MasterCard has a right, but not an obligation, to audit an Acquirer’s records for the purpose
of attempting to determine whether a Merchant is a Questionable Merchant. An Acquirer
must provide MasterCard such other or additional information as MasterCard may request to
assist in the investigation.
The Acquirer must submit all documentation and records via email message to
qmap@mastercard.com.
8.4.5 Merchant Termination

If the Acquirer determines that the Merchant under investigation (or any other of its
Merchants) is a Questionable Merchant and terminates the Merchant Agreement for that
reason, the Acquirer must add the Merchant to MATCH using MATCH reason code 08
(MasterCard Questionable Merchant Audit Program) within five (5) calendar days of the
decision to terminate the Merchant.
8.4.6 MasterCard Determination

MasterCard will determine if a Merchant is a Questionable Merchant.
If MasterCard determines that the Merchant is not a Questionable Merchant, MasterCard will
so notify each Issuer and Acquirer that provided information pertinent to the investigation.
Such notice will be provided via email message to the Security Contact listed for the Customer
in the Member Information—MasterCard application available on MasterCard Connect. In
addition, MasterCard will delete the MATCH listing of the Merchant for MATCH reason code
00.
If MasterCard determines that the Merchant is a Questionable Merchant, MasterCard will:
1. Notify the Merchant’s Acquirer, and
2. Identify the Merchant as a Questionable Merchant in a Global Security Bulletin for each of
twelve (12) consecutive months, and
3. Modify the Merchant’s MATCH record to reflect a reason code change from 00 (Under
Investigation) to 20 (MasterCard Questionable Merchant Audit Program).
If the Acquirer terminates the Merchant Agreement because MasterCard determines the
Merchant to be a Questionable Merchant, the Acquirer is required to identify the Merchant in
MATCH with reason code 08 (MasterCard Questionable Merchant Audit Program).

8.4.7 Chargeback Responsibility

When MasterCard identifies a Questionable Merchant in a Global Security Bulletin,
MasterCard will also specify a chargeback period (“start” and “end” dates) of at least one
year. If an Acquirer continues to acquire from a Merchant after MasterCard declares the
Merchant a Questionable Merchant, the Acquirer is responsible for valid chargebacks using
message reason code 4849—Questionable Merchant Activity for a period of one year
following publication of the Global Security Bulletin initially listing the Questionable Merchant;
provided, MasterCard may extend the chargeback responsibility period. An Issuer has 120
days following the publication date of a Global Security Bulletin identifying a Questionable
Merchant to charge back fraudulent Transactions that occur during the specified chargeback
period to the Acquirer using reason code 4849—Questionable Merchant Activity.
8.4.8 Fraud Recovery

Following the identification of a Questionable Merchant in a Global Security Bulletin, and
using data reported to SAFE, MasterCard will notify any Issuer deemed by MasterCard to be
eligible for partial recovery of loss due to fraudulent Transactions at a Questionable Merchant.
The notice will disclose the amount of the recovery, less an administrative fee described in
section 8.4.9, and the date that the amount will be credited to the Issuer’s MCBS account.
An Issuer is not eligible to receive partial recovery of any Transaction:
1. For a Merchant not listed in the Global Security Bulletin, or
2. Taking place after the Global Security Bulletin’s date of publication, or
3. Not reported to MasterCard via SAFE as described in section 8.4.3 of this manual, or
4. For which the Issuer received recovery via any existing remedy in the MasterCard system,
including chargeback, recovery process, or the Issuer’s own collection process.
MasterCard reserves the right to request additional information as a condition of determining
whether a Transaction satisfactorily meets the eligibility requirements for Issuer partial
recovery. In addition, MasterCard will not pay claims in excess of the amount collected from
the Acquirer(s) for that purpose.
MasterCard will debit the fraud recovery amount from the Acquirer account and credit the
Issuer account (less any administrative fee). MasterCard will process Issuer fraud recoveries via
MCBS.
8.4.9 QMAP Fees

MasterCard may charge each Issuer an administrative fee equal to 10 percent of the Issuer
recovery amount from a Questionable Merchant determination.
MasterCard may charge an Acquirer an audit fee not to exceed USD 2,500 for each
identification of a Merchant as a Questionable Merchant.

8.5 Issuer Monitoring Program (IMP)

MasterCard designed the Issuer Monitoring Program (IMP) to encourage each Issuer to closely
monitor, on an ongoing basis, its performance with respect to fraud, chargeback, and
authorization decline rates to determine when the Issuer has exceeded or is likely to exceed
quarterly fraud loss, fraud-related chargeback, and Cross-border Transaction authorization
decline thresholds.
8.5.1 Identification Criteria

MasterCard will analyze quarterly metrics related to fraud losses, fraud-related chargebacks,
and Cross-border Transaction authorization declines for purposes of identifying an Issuer in
the IMP. MasterCard will require an Issuer to participate in an IMP audit if any of the following
criteria are met:
1. The Issuer reported at least USD 100,000 in quarterly fraud losses to SAFE, with such
losses representing at least three times the gross country MasterCard fraud basis point
average; or
2. The Issuer declined at least sixty (60) percent of its Cross-border Transactions submitted for
authorization during the quarter; or
3. The Issuer has five (5) or more primary account numbers (PANs) on which the Issuer
initiated at least thirty-five (35) fraud-related chargebacks per PAN, and such PANs
represent at least two (2) percent of the total number of PANs on which the Issuer
charged back at least one fraudulent Transaction.
NOTE:
From time to time, MasterCard will align the number of fraud-related chargebacks used by
the IMP with the number of fraud-related chargebacks used by the Fraud Notification Service
(FNS) counter.
® ®
For the third criterion only, identification in the IMP will be based on MasterCard , Maestro ,
®
and Cirrus Card Transactions, to further align with the FNS counter. For the first and second
criteria, identification in the IMP will be based on MasterCard Card Transactions only; Maestro
and Cirrus Card Transactions will not be included.
8.5.2 MasterCard Audit and Questionnaire

MasterCard will commence an IMP audit if an Issuer meets or exceeds at least one of the IMP
identification criteria listed in section 8.5.1. MasterCard will proceed with the IMP audit,
unless an exclusion is granted by MasterCard or until such time as the Issuer remains below
the IMP identification criteria for two (2) consecutive quarters.
Upon commencement of the IMP audit, MasterCard will notify the identified Issuer of such
decision. At the time of notification, MasterCard will also provide the Issuer with a
questionnaire concerning the Issuer’s fraud loss control program.

Within 30 calendar days from the date of the MasterCard notification, the Issuer must submit
to MasterCard complete and accurate responses to the questionnaire and provide examples of
daily fraud monitoring reports. Within the questionnaire, the Issuer may also report any
extenuating circumstances (including, but not limited to, an Account Data Compromise [ADC]
Event) that demonstrates why that quarter’s results were anomalous. MasterCard will consider
such information to determine if an exclusion for that quarter is warranted.
8.5.3 Subsequent Issuer Identifications in the IMP

Upon determination by MasterCard of the Issuer’s required participation in the IMP audit, the
Issuer must take reasonable steps to improve its fraud loss control program.
If the Issuer’s Activity meets or exceeds the identification criteria as set forth in section 8.5.1
for a second time within a given 12-month period (that is, the Issuer’s second IMP
identification), the Issuer must provide to MasterCard a detailed action plan describing the
steps that the Issuer will take to improve its fraud management and risk mitigation
performance. MasterCard also reserves the right to require the Issuer to undergo a Global Risk
Management Program Customer Risk Review.
For all subsequent identifications of the Issuer in the IMP, the Issuer may be subject to the
following quarterly assessments.
Quarterly Assessment Description Assessment Amount
Third IMP Identification USD 25,000
Fourth IMP Identification USD 50,000
Each Subsequent IMP Identification USD 100,000

MasterCard Registration Program
Chapter 9 MasterCard Registration Program

This chapter may be of particular interest to Customer personnel responsible for registering
Merchants, Submerchants, and other entities with MasterCard. The MasterCard Registration
Program (MRP) formerly was referred to as the Merchant Registration Program.
9.1 MasterCard Registration Program Overview.......................................................................... 107

9.2 General Registration Requirements....................................................................................... 107
9.2.1 Merchant Registration Fees and Noncompliance Assessments........................................108
9.3 General Monitoring Requirements........................................................................................ 109
9.4 Additional Requirements for Specific Merchant Categories....................................................109
9.4.1 Non-face-to-face Adult Content and Services Merchants............................................... 109
9.4.2 Non–face-to-face Gambling Merchants......................................................................... 109
9.4.3 Pharmaceutical and Tobacco Product Merchants............................................................111
9.4.4 State Lottery Merchants (U.S. Region Only)....................................................................112
9.4.5 Skill Games Merchants (U.S. Region Only)..................................................................... 113

9.1 MasterCard Registration Program Overview
9.1 MasterCard Registration Program Overview

MasterCard requires Customers to register the following Merchant types, including
Submerchants, and other entities using the MasterCard Registration Program (MRP) system,
available via MasterCard Connect™:
• Non-face-to-face adult content and services Merchants—MCCs 5967 and 7841 (refer to
section 9.4.1)
• Non–face-to-face gambling Merchants—MCCs >>>7801, 7802,<<< and 7995 (refer to
section 9.4.2)
• Non–face-to-face pharmaceutical Merchants—MCC 5122 and MCC 5912 (refer to section
9.4.3)
• Non–face-to-face tobacco product Merchants—MCC 5993 (refer to section 9.4.3)
• State lottery Merchants (U.S. Region only)—MCC >>>7800<<< (refer to section 9.4.4)
• Skill games Merchants (U.S. Region only)—MCC 7994 (refer to section 9.4.5)
For a skill games Merchant, the Customer must submit the registration request to
MasterCard by sending an email to mrp@mastercard.com.
• Merchants reported under the Excessive Chargeback Program (refer to section 8.3)
During registration, the Acquirer must provide each website URL from which Transactions as
described in this section may arise, whether the website is that of a Merchant, a Payment
Facilitator’s Submerchant, or other entity. With respect to Transactions submitted by a Staged
Digital Wallet Operator (DWO), each individual website URL at which Transactions as described
in this section may be effected must be individually registered.
If a Customer acquires Transactions for any of the Merchant types listed herein without first
registering the Merchant or Submerchant in accordance with the Standards described in this
section, MasterCard may assess the Customer as set forth in section 9.2.1 of this manual. In
addition, the Acquirer must ensure that the violation is corrected promptly.
Refer to the MasterCard Registration Program User Manual for directions for completing
registration tasks available in the MRP system.
9.2 General Registration Requirements

The Customer must provide all of the information requested for each Merchant, Submerchant,
or other entity required to be registered through the MRP system. For each such entity, the
requested information includes:
• The name, doing business as (DBA) name, and address
• >>>The central access phone number or customer service phone number, website URL, or
email address<<<
• The name(s), address(es), and tax identification number(s) (or other relevant national
identification number) of the principal owner(s)

9.2 General Registration Requirements
• A detailed description of the service(s), product(s), or both that the entity will offer to
Cardholders
• A description of payment processing procedures, Cardholder disclosures, and other
practices including, but not limited to:
– Data solicited from the Cardholder
– Authorization process (including floor limits)
– Customer service return policies for card transactions
– Disclosure made by the Merchant before soliciting payment information (including
currency conversion at the Point of Interaction [POI])
– Data storage and security practices
• The identity of any previous business relationship(s) involving the principal owner(s) of the
entity
• A certification, by the officer of the Customer with direct responsibility to ensure
compliance of the registered entity with the Standards, stating that after conducting a
diligent and good faith investigation, the Customer believes that the information contained
in the registration request is true and accurate
Only MasterCard can modify or delete information about a registered entity. Customers must
submit any modification(s) about a registered entity in writing to MasterCard, with an
explanation for the request. MasterCard reserves the right to deny a modification request.
Customers should send any additional requested information and modification requests to the
vice president of Merchant Fraud Control at the address provided in Appendix C.
For requirements specific to Merchants that are required to implement the MasterCard Site
Data Protection (SDP) Program, refer to section 10.3 of this manual.
9.2.1 Merchant Registration Fees and Noncompliance Assessments

MasterCard assesses the Acquirer an annual USD 500 registration fee for each Merchant and
Submerchant under the categories listed in section 9.1, except Merchants reported under the
Excessive Chargeback Program. MasterCard will collect the fee from the Acquirer via the
MasterCard Consolidated Billing System (MCBS).
MasterCard may assess a Customer that acquires Transactions for any of these Merchant or
Submerchant types without first registering the Merchant in accordance with the
requirements of the MRP. A violation will result in an assessment of up to USD 10,000.
If, after notice by MasterCard of the Acquirer’s failure to register a Merchant or Submerchant,
that Acquirer fails to register its Merchant within 10 days of notice, the Acquirer will be
subject to additional assessments of USD 5,000 per month for up to three months, and USD
25,000 per month thereafter, until the Acquirer satisfies the requirement. In addition, the
Acquirer must ensure that the violation is corrected promptly. Such Merchant or Submerchant
may also be deemed by MasterCard, in its sole discretion, to be in violation of Rule 5.11.7 of
the MasterCard Rules manual (“the Illegal or Brand-damaging Transactions Rule”).

9.3 General Monitoring Requirements
9.3 General Monitoring Requirements

The monitoring requirements described in this section apply to Customers that acquire non-
face-to-face adult content and services Transactions, non–face-to-face gambling Transactions,
non–face-to-face pharmaceutical and tobacco product Transactions, state lottery Transactions
(U.S. Region only), skill games Transactions (U.S. Region only), or Transactions from Merchants
reported under the Excessive Chargeback Program:
• The Acquirer must ensure that each such Merchant implements real-time and batch
procedures to monitor continually all of the following:
– Simultaneous multiple Transactions using the same Account number
– Consecutive or excessive attempts using the same Account number
When attempted fraud is evident, a Merchant should implement temporary bank
identification number (BIN) blocking as a fraud deterrent.
• The Acquirer must ensure that each such Merchant complies with the fraud control
Standards in Chapter 6 of this manual and maintains a total chargeback-to-interchange
sales volume ratio below the Excessive Chargeback Program thresholds. For information
about the Excessive Chargeback Program, refer to section 8.3 of this manual.
9.4 Additional Requirements for Specific Merchant Categories

Customers should review thoroughly these additional requirements for specific Merchant
categories.
9.4.1 Non-face-to-face Adult Content and Services Merchants

A non-face-to-face adult content and services Transaction occurs when a consumer uses an
Account in a Card-not-present environment to purchase adult content or services, which may
include but is not limited to subscription website access; streaming video; and videotape and
DVD rentals and sales.
An Acquirer must identify all non-face-to-face adult content and services Transactions using
one of the following MCC and TCC combinations, as appropriate:
• MCC 5967 (Direct Marketing—Inbound Telemarketing Merchants) and TCC T; or
• MCC 7841 (Video Entertainment Rental Stores) and TCC T.
Before an Acquirer may process non-face-to-face adult content and services Transactions from
a Merchant or Submerchant, it must register the Merchant with MasterCard as described in
section 9.2 of this manual.
9.4.2 Non–face-to-face Gambling Merchants

A non–face-to-face gambling Transaction occurs in a Card-not-present environment when a
consumer uses an Account to place a wager or purchase chips or other value usable for
gambling provided by a wagering or betting establishment as defined by >>>MCC 7801

(Internet Gambling), MCC 7802 (Government Licensed Horse/Dog Racing), or<<< MCC 7995
(Gambling Transactions).
Before acquiring Transactions reflecting non–face-to-face gambling, an Acquirer first must
register the Merchant or Submerchant with MasterCard as described in section 9.2.
An Acquirer must identify all non–face-to-face gambling Transactions using MCC 7995 and
TCC U unless the Acquirer has also registered the Merchant or Submerchant as described
below, in which case the Acquirer may use >>>MCC 7801 or 7802<<< instead of MCC 7995.
>>>In addition to the requirement to register the Merchant or Submerchant as described in
section 9.2, a U.S. Region Acquirer registering a U.S. Region Merchant or Submerchant
engaged in legal gambling activity involving horse racing, dog racing, or non-sports intrastate
Internet gambling must demonstrate that an adequate due diligence review was conducted
by providing the following items to MasterCard as part of the registration process (herein, all
references to a Merchant also apply to a Submerchant):<<<
1. Evidence of legal authority. The Acquirer must provide:
– a copy of the Merchant’s license (or similar document), if any, issued by the appropriate
governmental (for example, state or tribal) authority, that expressly authorizes the
Merchant to engage in the gambling activity; and
– any law applicable to the Merchant that permits the gambling activity.
2. Legal opinion. The Acquirer must obtain a reasoned legal opinion, addressed to the
Acquirer, from a private sector U.S. lawyer or U.S. law firm. The legal opinion must:
– identify all relevant gambling, gaming, and similar laws applicable to the Merchant;
– identify all relevant gambling, gaming, and similar laws applicable to Cardholders
permitted by the Merchant to transact with the Merchant; and
– demonstrate that the Merchant’s and Cardholders’ gambling and payment activities
comply at all times with any laws identified above.
The Acquirer must provide MasterCard with a copy of such legal opinion. The legal
opinion must be acceptable to MasterCard in its sole discretion.
3. Effective controls. The Acquirer must provide certification from a qualified independent
third party demonstrating that the Merchant’s systems for operating its gambling business:
– include effective age and location verification; and
– are reasonably designed to ensure that the Merchant’s Internet gambling business will
remain within legal limits (including in connection with interstate Transactions).
The certification must include all screenshots relevant to the certification (for example, age
verification process). Certifications from interested parties (such as the Acquirer,
Independent Sales Organizations [ISOs], the Merchant, and so on) are not acceptable
substitutes for the independent third-party certification.
4. Notification of changes. The Acquirer must certify that it will notify MasterCard of any
changes to the information that it has provided to MasterCard, including changes in
applicable law, Merchant activities, and Merchant systems. Such notification shall include
any revisions or additions to the information provided to MasterCard (for example, legal

opinion, third-party certification) to make the information current and complete. Such
notification is required within ten (10) days of any such change.
5. Acceptance of responsibilities. The Acquirer must specifically affirm that it will not
submit restricted Transactions from the Merchant for authorization. The Acquirer must
also specifically reaffirm its indemnification to MasterCard in connection with the
Acquirer’s or Merchant’s activities. Such reaffirmation shall specifically indicate that the
Acquirer acknowledges and agrees that the Transactions constitute the Acquirer’s Activity
and are subject to Rule 2.3 of the MasterCard Rules manual, regardless of the Acquirer’s
compliance with the MasterCard Internet Gambling Policy or these requirements.
9.4.3 Pharmaceutical and Tobacco Product Merchants

A non–face-to-face pharmaceutical Transaction occurs in a Card-not-present environment
when a consumer uses an Account to purchase prescription medicines from a Merchant
whose primary business is non–face-to-face selling of prescription drugs.
A non–face-to-face tobacco product Transaction occurs in a Card-not-present environment
when a consumer uses an Account to purchase tobacco products (including, but not limited
to cigarettes, cigars, or loose tobacco) from a Merchant whose primary business is non-face-
to-face selling of tobacco products.
Before acquiring Transactions as described below, an Acquirer first must register the Merchant
with MasterCard as described in section 9.2:
• Non–face-to-face sale of pharmaceuticals (MCC 5122 and MCC 5912)
• Non–face-to-face sale of tobacco products (MCC 5993)
An Acquirer must identify all non-face-to-face pharmaceutical Transactions using MCC 5122
(Drugs, Drug Proprietors, and Druggists Sundries) and TCC T for wholesale purchases or MCC
5912 (Drug Stores, Pharmacies) and TCC T for retail purchases. An Acquirer must identify all
non-face-to-face tobacco product Transactions using MCC 5993 (Cigar Stores and Stands) and
TCC T.
For clarity, the term acquiring, as used in this section, is “acquiring Activity” as such term is
used in Rule 2.3 of the MasterCard Rules manual.
At the time of registration of a Merchant or Submerchant in accordance with this section, the
Acquirer of such Merchant or Submerchant must have verified that the Merchant’s or
Submerchant's activity complies fully with all laws applicable to MasterCard, the Merchant or
Submerchant, the Issuer, the Acquirer, and any prospective customer of the Merchant or
Submerchant. Such verification may include, but is not limited to, a written opinion from
independent, reputable, and qualified legal counsel or accreditation by a recognized third
party.
By registering a Merchant or Submerchant as required by this section, the Acquirer represents
and warrants that the Acquirer has verified compliance with applicable law as described
above. The Acquirer must maintain such verification for so long as it acquires Transactions
from the Merchant or Submerchant that is subject to the aforedescribed registration
requirement and must, no less frequently than every 12 months, confirm continued
compliance with applicable law concerning the business of the registered Merchant or

Submerchant. The Acquirer must furnish MasterCard with a copy of such documentation
promptly upon request.
9.4.4 State Lottery Merchants (U.S. Region Only)

>>>A U.S. Region Acquirer must: <<<
>>>
• use MCC 7800 (Government Owned Lottery) to identify Transactions arising from a U.S.
Region Merchant or Submerchant and involving the purchase of a state lottery ticket; and
• register each such Merchant or Submerchant with MasterCard as described in section 9.2
and this section 9.4.4.
<<<
To register a Merchant or Submerchant, the Acquirer must demonstrate that an adequate due
diligence review was conducted by providing the following items to MasterCard as part of the
registration process (herein, all references to a Merchant also apply to a Submerchant):
Merchant to engage in the gambling activity; and
– any law applicable to the Merchant that permits state lottery ticket sales.
– identify all relevant state lottery and other laws applicable to the Merchant;
– identify all relevant state lottery and other laws applicable to Cardholders permitted by
the Merchant to transact with the Merchant; and
– demonstrate that the Merchant’s and Cardholders’ state lottery and payment activities
third party demonstrating that the Merchant’s systems for operating its state lottery
business:
– include effective age and location verification; and
– are reasonably designed to ensure that the Merchant’s state lottery business will remain
within legal limits (including in connection with interstate Transactions).
verification process). Certifications from interested parties (such as the Acquirer, ISOs, the
Merchant, and so on) are not acceptable substitutes for the independent third-party
certification.

submit restricted Transactions from the Merchant for authorization. The Acquirer must
also specifically reaffirm its indemnification to MasterCard in connection with the
Acquirer’s or Merchant’s activities. Such reaffirmation shall specifically indicate that the
Acquirer acknowledges and agrees that the Transactions constitute the Acquirer’s Activity
and are subject to Rule 2.3 of the MasterCard Rules manual, regardless of the Acquirer’s
compliance with MasterCard rules, policies, and procedures or these requirements.
9.4.5 Skill Games Merchants (U.S. Region Only)

A U.S. Region Acquirer may use MCC 7994 (Video Game Arcades/Establishments) to identify
Transactions arising from a U.S. Region Merchant or Submerchant conducting certain games
(herein, “skill games”) if the Acquirer has first registered the Merchant or Submerchant with
MasterCard as described in section 9.2 and this section 9.4.5. For purposes of this section,
“skill games” means:
• game participants pay a game entry fee;
• the outcome of the game is determined by the skill of the participants rather than by
chance;
• the winner of a game receives cash and/or a prize of monetary value; and
• no non-participant in the game pays or receives cash and/or a prize of monetary value in
relation to the game.
To register a Merchant or Submerchant, the Acquirer must demonstrate that an adequate due
diligence review was conducted by providing the following items to MasterCard as part of the
registration process (herein, all references to a Merchant also apply to a Submerchant):
Merchant to conduct the particular type of skill game(s) for which it wishes to accept
Cards as payment for entry fees; and
– any law applicable to the Merchant that permits the conduct of skill games.
– identify all relevant laws that address the conduct of skill games (e.g., anti-gambling
laws that provide an exemption for skill games) and other laws applicable to the
Merchant’s skill games activities;
– identify all relevant laws that address the participation in skill games and other laws
applicable to Cardholders permitted by the Merchant to participate in skill games with
the Merchant; and
– demonstrate that the Merchant’s and Cardholders’ skill games and payment activities

third party demonstrating that the Merchant’s systems for operating its skill games
business:
– include effective age and location verification, as applicable; and
– are reasonably designed to ensure that the Merchant’s skill games business will remain
within legal limits (including in connection with interstate Transactions).
verification process). Certifications from interested parties (such as the Acquirer, ISOs, the
Merchant, and so on) are not acceptable substitutes for the independent third-party
certification.
submit Restricted Transactions (as defined in the Internet Gambling Policy) from the
Merchant for authorization. The Acquirer must also specifically reaffirm its indemnification
to MasterCard in connection with the Acquirer’s or Merchant’s activities. Such
reaffirmation shall specifically indicate that the Acquirer acknowledges and agrees that the
Transactions constitute the Acquirer’s Activity and are subject to Rule 2.3 of the
MasterCard Rules manual, regardless of the Acquirer’s compliance with MasterCard rules,
policies, and procedures or these requirements.

Account Data Protection Standards and Programs
Chapter 10 Account Data Protection Standards and

Programs
This chapter may be of particular interest to Customer personnel responsible for protecting
Account, Cardholder, and Transaction data; and to Customers that have experienced or wish to
protect themselves against account data compromise events.
10.1 Account Data Protection Standards..................................................................................... 116

10.2 Account Data Compromise Events...................................................................................... 116
10.2.1 Policy Concerning Account Data Compromise Events and Potential Account Data
Compromise Events................................................................................................................117
10.2.2 Responsibilities in Connection with ADC Events and Potential ADC Events.................. 118
10.2.2.1 Time-Specific Procedures for ADC Events and Potential ADC Events..................... 119
10.2.2.2 Ongoing Procedures for ADC Events and Potential ADC Events............................121
10.2.3 Forensic Report........................................................................................................... 122
10.2.4 Alternative Standards Applicable to Certain Merchants................................................123
10.2.5 MasterCard Determination of ADC Event or Potential ADC Event................................ 124
10.2.5.1 Assessments for PCI Violations in Connection with ADC Events........................... 124
10.2.5.2 Potential Reduction of Financial Responsibility......................................................124
10.2.5.3 ADC Operational Reimbursement and ADC Fraud Recovery—MasterCard Only....125
10.2.5.4 Determination of Operational Reimbursement (OR) .............................................126
10.2.5.5 Determination of Fraud Recovery (FR).................................................................. 127
10.2.5.6 Investigation and Other Costs.............................................................................. 131
10.2.6 Assessments and/or Disqualification for Noncompliance.............................................. 131
10.2.7 Final Financial Responsibility Determination................................................................. 131
10.3 MasterCard Site Data Protection (SDP) Program.................................................................. 132
10.3.1 Payment Card Industry Data Security Standards........................................................... 132
10.3.2 Compliance Validation Tools........................................................................................ 133
10.3.3 Acquirer Compliance Requirements............................................................................. 133
10.3.4 Implementation Schedule............................................................................................ 135
10.3.4.1 MasterCard PCI DSS Risk-based Approach........................................................... 139
10.3.4.2 MasterCard PCI DSS Compliance Validation Exemption Program.......................... 139
10.3.4.3 Mandatory Compliance Requirements for Compromised Entities..........................140
10.4 Connecting to MasterCard—Physical and Logical Security Requirements............................. 141
10.4.1 Minimum Security Requirements................................................................................. 141
10.4.2 Additional Recommended Security Requirements........................................................ 142
10.4.3 Ownership of Service Delivery Point Equipment........................................................... 142

10.1 Account Data Protection Standards
10.1 Account Data Protection Standards

PCI Security Standards are technical and operational requirements established by the Payment
Card Industry Security Standards Council (PCI SSC) to protect Account data. MasterCard
requires that all Customers that store, process, or transmit Card, Cardholder, or Transaction
data and all Customer agents that store, process, or transmit Card, Cardholder, or Transaction
data on the Customer’s behalf adhere to the most current Payment Card Industry PIN
Transaction Security Program (PCI PTS) and Payment Card Industry Data Security Standard (PCI
DSS). Customers and their agents also must ensure that:
• a Point-of-Sale (POS) Terminal or other device at the Point of Interaction (POI) does not
display, replicate, or store any Card-read data except primary account number (PAN),
expiration date, service code, or Cardholder name; and
• before discarding any media containing Card, Cardholder, or Transaction data, including
such data as PANs, personal identification numbers (PINs), credit limits, and account
balances, the Customer or its agent must render the data unreadable; and
• access to Card, Cardholder, or Transaction data stored in computers, terminals, and PCs is
limited and controlled by establishing data protection procedures that include, but are not
limited to, a password system for Computer Remote Terminal (CRT) access, control over
dial-up lines, and any other means of access.
10.2 Account Data Compromise Events
NOTE: This section 10.2 applies to MasterCard and Maestro Transactions, unless otherwise
indicated.
Definitions
As used in this section 10.2, the following terms shall have the meaning set forth below:
Account Data Compromise Event or ADC Event
An occurrence that results, directly or indirectly, in the unauthorized access to or disclosure
of Account data or the unauthorized manipulation of Account data controls, such as
Account usage and spending limits.
Agent
Any entity that stores, processes, or has access to Account data by virtue of its contractual
or other relationship, direct or indirect, with a Customer. For the avoidance of doubt,
Agents include, but are not limited to, Merchants, Third Party Processors (TPPs), and Data
Storage Entities (DSEs) (regardless of whether the TPP or DSE is registered with
MasterCard).
Customer
This term appears in the Definitions section at the end of the manual. For the avoidance of
doubt, for purposes of this section 10.2, any entity that MasterCard licenses to issue a

MasterCard and/or Maestro Card(s) and/or acquire a MasterCard and/or Maestro

Transaction(s) shall be deemed a Customer.
Digital Activity Customer
This term appears in the Definitions section at the end of this manual. For the avoidance
of doubt, for purposes of this section 10.2, any entity that MasterCard has approved to be
a Wallet Token Requestor shall be deemed a Digital Activity Customer. A Digital Activity
Customer is a type of Customer.
Hybrid POS Terminal
A terminal that (i) is capable of processing both chip Transactions and magnetic stripe
Transactions; and (ii) has the equivalent hardware, software, and configuration as a
Terminal with full EMV Level 1 and Level 2 type approval status with regard to the chip
technical specifications; and (iii) has satisfactorily completed the MasterCard Terminal
Integration Process (TIP) in the appropriate environment of use.
Potential Account Data Compromise Event or Potential ADC Event
An occurrence that could result, directly or indirectly, in the unauthorized access to or
disclosure of Account data or the unauthorized manipulation of Account data controls,
such as Account usage and spending limits.
Sensitive Card Authentication Data
This term has the meaning set forth in the Payment Card Industry Data Security Standard,
and includes, by way of example and not limitation, the full contents of a Card’s magnetic
stripe or the equivalent on a chip, Card validation code 2 (CVC 2) data, and PIN or PIN
block data.
Standards
This term appears in the Definitions section at the end of the manual.
Wallet Token Requestor
This term appears in the Definitions section at the end of the manual.
10.2.1 Policy Concerning Account Data Compromise Events and Potential Account
Data Compromise Events
MasterCard operates a payment solutions system for all of its Customers. Each Customer
benefits from, and depends upon, the integrity of that system. ADC Events and Potential ADC
Events threaten the integrity of the MasterCard system and undermine the confidence of
Merchants, Customers, Cardholders, and the public at large in the security and viability of the
system. Each Customer therefore acknowledges that MasterCard has a compelling interest in
adopting, interpreting, and enforcing its Standards to protect against and respond to ADC
Events and Potential ADC Events.
Given the abundance and sophistication of criminals, ADC Events and Potential ADC Events
are risks inherent in operating and participating in any system that utilizes payment card
account data for financial or non-financial transactions. MasterCard Standards are designed to
place responsibility for ADC Events and Potential ADC Events on the Customer that is in the
best position to guard against and respond to such risk. That Customer is generally the
Customer whose network, system, or environment was compromised or was vulnerable to

compromise or that has a direct or indirect relationship with an Agent whose network,
system, or environment was compromised or was vulnerable to compromise. In the view of
MasterCard, that Customer is in the best position to safeguard its systems, to require and
monitor the safeguarding of its Agents’ systems, and to insure against, and respond to, ADC
Events and Potential ADC Events.
MasterCard requires that each Customer apply the utmost diligence and forthrightness in
protecting against and responding to any ADC Event or Potential ADC Event. Each Customer
acknowledges and agrees that MasterCard has both the right and need to obtain full
disclosure (as determined by MasterCard) concerning the causes and effects of an ADC Event
or Potential ADC Event as well as the authority to impose assessments, recover costs, and
administer compensation, if appropriate, to Customers that have incurred costs, expenses,
losses, and/or other liabilities in connection with ADC Events and Potential ADC Events.
Except as otherwise expressly provided for in the Standards, MasterCard determinations with
respect to the occurrence of and responsibility for ADC Events or Potential ADC Events are
conclusive and are not subject to appeal or review within MasterCard.
Any Customer that is uncertain with respect to rights and obligations relating to or arising in
connection with the Account Data Protection Standards and Programs set forth in this
Chapter 10 should request advice from MasterCard Fraud Investigations.
Notwithstanding the generality of the foregoing, the relationship of network, system, and
environment configurations with other networks, systems, and environments will often vary,
and each ADC Event and Potential ADC Event tends to have its own particular set of
circumstances. MasterCard has the sole authority to interpret and enforce the Standards,
including those set forth in this chapter. Consistent with the foregoing and pursuant to the
definitions set forth in section 10.2 above, MasterCard may determine, as a threshold matter,
whether a given set of circumstances constitutes a single ADC Event or multiple ADC Events.
In this regard, and by way of example, where a Customer or Merchant connects to, utilizes,
accesses, or participates in a common network, system, or environment with one or more
other Customers, Merchants, Service Providers, or third parties, a breach of the common
network, system, or environment that results, directly or indirectly, in the compromise of local
networks, systems, or environments connected thereto may be deemed to constitute a single
ADC Event.
10.2.2 Responsibilities in Connection with ADC Events and Potential ADC Events
The Customer whose system or environment, or whose Agent’s system or environment, was
compromised or vulnerable to compromise (at the time that the ADC Event or Potential ADC
Event occurred) is fully responsible for resolving all outstanding issues and liabilities to the
satisfaction of MasterCard, notwithstanding any subsequent change in the Customer’s
relationship with any such Agent after the ADC Event or Potential ADC Event occurred. In the
event of any dispute, MasterCard will determine the responsible Customer(s).
Should a Customer, in the judgment of MasterCard, fail to fully cooperate with the
MasterCard investigation of an ADC Event or Potential ADC Event, MasterCard (i) may infer
that information sought by MasterCard, but not obtained as a result of the failure to
cooperate, would be unfavorable to that Customer and (ii) may act upon that adverse
inference in the application of the Standards. By way of example and not limitation, a failure

to cooperate can result from a failure to provide requested information; a failure to cooperate
with MasterCard investigation guidelines, procedures, practices, and the like; or a failure to
ensure that MasterCard has reasonably unfettered access to the forensic examiner.
A Customer may not, by refusing to cooperate with the MasterCard investigation, avoid a
determination that there was an ADC Event. Should a Customer fail without good cause to
comply with its obligations under this section 10.2 or to respond fully and in a timely fashion
to a request for information to which MasterCard is entitled under this section 10.2,
MasterCard may draw an adverse inference that information to which MasterCard is entitled,
but that was not timely obtained as a result of the Customer’s noncompliance, would have
supported or, where appropriate, confirmed a determination that there was an ADC Event.
Before drawing such an adverse inference, MasterCard will notify the Customer of its
noncompliance and give the Customer an opportunity to show good cause, if any, for its
noncompliance. The drawing of an adverse inference is not exclusive of other remedies that
may be invoked for a Customer’s noncompliance.
The following provisions set forth requirements and procedures to which each Customer and
its Agent(s) must adhere upon becoming aware of an ADC Event or Potential ADC Event.
10.2.2.1 Time-Specific Procedures for ADC Events and Potential ADC Events
A Customer is deemed to be aware of an ADC Event or Potential ADC Event when the
Customer or the Customer’s Agent first becomes aware of an ADC Event or a Potential ADC
Event. A Customer or its Agent is deemed to be aware of an ADC Event or Potential ADC
Event under circumstances that include, but are not limited to, any of the following:
• the Customer or its Agent is informed, through any source, of the installation or existence
of any malware in any of its systems or environments, or any system or environment of one
of its Agents, no matter where such malware is located or how it was introduced;
• the Customer or its Agent receives notification from MasterCard or any other source that
the Customer or its Agent(s) has experienced an ADC Event or a Potential ADC Event; or
• the Customer or its Agent discovers or, in the exercise of reasonable diligence, should have
discovered a security breach or unauthorized penetration of its own system or environment
or the system or environment of its Agent(s).
A Customer must notify MasterCard immediately when the Customer becomes aware of an
ADC Event or Potential ADC Event in or affecting any system or environment of the Customer
or its Agent. In addition, a Customer must, by contract, ensure that its Agent notifies
MasterCard immediately when the Agent becomes aware of an ADC Event or Potential ADC
Event in or affecting any system or environment of the Customer or the Agent.
When a Customer or its Agent becomes aware of an ADC Event or Potential ADC Event either
in any of its own systems or environments or in the systems or environments of its Agent(s),
the Customer must take (or cause the Agent to take) the following actions, unless otherwise
directed in writing by MasterCard.
• Immediately commence a thorough investigation into the ADC Event or Potential ADC
Event.

• Immediately, and no later than within twenty-four (24) hours, identify, contain, and
mitigate the ADC Event or Potential ADC Event, secure Account data and preserve all
information, in all media, concerning the ADC Event or Potential ADC Event, including:
1. preserve and safeguard all potential evidence pertinent to a forensic examination of an
ADC Event or Potential ADC Event;
2. isolate compromised systems and media from the network;
3. preserve all Intrusion Detection Systems, Intrusion Prevention System logs, all firewall,
Web, database, and events logs;
4. document all incident response actions; and
5. refrain from restarting or rebooting any compromised or potentially compromised
system or taking equivalent or other action that would have the effect of eliminating or
destroying information that could potentially provide evidence of an ADC Event or
Potential ADC Event.
• Within twenty-four (24) hours, and on an ongoing basis thereafter, submit to MasterCard
all known or suspected facts concerning the ADC Event or Potential ADC Event, including,
by way of example and not limitation, known or suspected facts as to the cause and source
of the ADC Event or Potential ADC Event.
• Within twenty-four (24) hours and continuing throughout the investigation and thereafter,
provide to MasterCard, in the required format, all PANs and expiration dates associated
with Account data that were actually or potentially accessed or disclosed in connection
with the ADC Event or Potential ADC Event and any additional information requested by
MasterCard. As used herein, the obligation to obtain and provide PANs to MasterCard
applies to any MasterCard or Maestro Account number in a bank identification number
(BIN)/Issuer identification number (IIN) range assigned by MasterCard. This obligation
applies regardless of how or why such PANs were received, processed, or stored, including,
by way of example and not limitation, in connection with or relating to a credit, debit
(signature- or PIN-based) proprietary, or any other kind of payment Transaction, incentive,
or reward program.
• Within seventy-two (72) hours, engage the services of a PCI SSC Forensic Investigator (PFI)
to conduct an independent forensic investigation to assess the cause, scope, magnitude,
duration, and effects of the ADC Event or Potential ADC Event. The PFI engaged to
conduct the investigation must not have provided the last PCI compliance report
concerning the system or environment to be examined. Prior to the commencement of
such PFI’s investigation, the Customer must notify MasterCard of the proposed scope and
nature of the investigation and obtain preliminary approval of such proposal by MasterCard
or, if such preliminary approval is not obtained, of a modified proposal acceptable to
MasterCard. MasterCard and the responsible Customer(s) may agree that a PFI’s
investigation of, investigation findings, and recommendations concerning fewer than all of
the Merchants within the scope of the ADC Event or Potential ADC Event will be deemed
to be representative of and used for purposes of the application of the Standards as the
investigation findings and recommendations by the PFI with respect to all of the Merchants
within the scope of the ADC Event or Potential ADC Event.
• Within two (2) business days from the date on which the PFI was engaged, identify to
MasterCard the engaged PFI and confirm that such PFI has commenced its investigation.

• Within three (3) business days from the commencement of the forensic investigation,
ensure that the PFI submits to MasterCard a preliminary forensic report detailing all
investigative findings to date.
• Within twenty (20) business days from the commencement of the forensic investigation,
provide to MasterCard a final forensic report detailing all findings, conclusions, and
recommendations of the PFI, continue to address any outstanding exposure, and
implement all recommendations until the ADC Event or Potential ADC Event is resolved to
the satisfaction of MasterCard. In connection with the independent forensic investigation
and preparation of the final forensic report, no Customer may engage in or enter into (or
permit an Agent to engage in or enter into) any conduct, agreement, or understanding
that would impair the completeness, accuracy, or objectivity of any aspect of the forensic
investigation or final forensic report. The Customer shall not engage in any conduct (or
permit an Agent to engage in any conduct) that could or would influence, or undermine
the independence of, the PFI or undermine the reliability or integrity of the forensic
investigation or final forensic report. By way of example, and not limitation, a Customer
must not itself, or permit any of its Agents to, take any action or fail to take any action that
would have the effect of:
1. precluding, prohibiting, or inhibiting the PFI from communicating directly with
MasterCard;
2. permitting a Customer or its Agent to substantively edit or otherwise alter the forensic
report; or
3. directing the PFI to withhold information from MasterCard.
Notwithstanding the foregoing, MasterCard may engage a PFI on behalf of the Customer in
order to expedite the investigation. The Customer on whose behalf the PFI is so engaged will
be responsible for all costs associated with the investigation.
10.2.2.2 Ongoing Procedures for ADC Events and Potential ADC Events
From the time that the Customer or its Agent becomes aware of an ADC Event or Potential
ADC Event until the investigation is concluded to the satisfaction of MasterCard, the
Customer must:
• Provide weekly written status reports containing current, accurate, and updated
information concerning the ADC Event or Potential ADC Event, the steps being taken to
investigate and remediate same, and such other information as MasterCard may request.
• Preserve all files, data, and other information pertinent to the ADC Event or Potential ADC
Event, and refrain from taking any actions (e.g., rebooting) that could result in the
alteration or loss of any such files, forensic data sources, including firewall and event log
files, or other information.
• Respond fully and promptly, in the manner prescribed by MasterCard, to any questions or
other requests (including follow-up requests) from MasterCard with regard to the ADC
Event or Potential ADC Event and the steps being taken to investigate and remediate same.
• Authorize and require the PFI to respond fully, directly, and promptly to any written or oral
questions or other requests from MasterCard, and to so respond in the manner prescribed
by MasterCard, with regard to the ADC Event or Potential ADC Event, including the steps
being taken to investigate and remediate same.

• Consent to, and cooperate with, any effort by MasterCard to engage and direct a PFI to
perform an investigation and prepare a forensic report concerning the ADC Event or
Potential ADC Event, in the event that the Customer fails to satisfy any of the foregoing
responsibilities.
• Ensure that the compromised entity develops a remediation action plan, including
implementation and milestone dates related to findings, corrective measures, and
recommendations identified by the PFI and set forth in the final forensic report.
• Monitor and validate that the compromised entity has fully implemented the remediation
action plan, recommendations, and corrective measures.
10.2.3 Forensic Report

The responsible Customer (or its Agent) must ensure that the PFI retains and safeguards all
draft forensic report(s) pertaining to the ADC Event or Potential ADC Event and, upon request
of MasterCard, immediately provides to MasterCard any such draft. The final forensic report
required under section 10.2.2.1 must include the following, unless otherwise directed in
writing by MasterCard:
• A statement of the scope of the forensic investigation, including sources of evidence and
information used by the PFI.
• A network diagram, including all systems and network components within the scope of the
forensic investigation. As part of this analysis, all system hardware and software versions,
including POS applications and versions of applications, and hardware used by the
compromised entity within the past twelve (12) months, must be identified.
• A payment Card Transaction flow depicting all POIs associated with the transmission,
processing, and storage of Account data and network diagrams.
• A written analysis explaining the method(s) used to breach the subject entity’s network or
environment as well as method(s) used to access and exfiltrate Account data.
• A written analysis explaining how the security breach was contained and the steps (and
relevant dates of the steps) taken to ensure that Account data are no longer at risk of
compromise.
• An explanation of investigative methodology as well as identification of forensic data
sources used to determine final report findings.
• A determination and characterization of Account data at-risk of compromise, including the
number of Accounts and at-risk data elements (magnetic stripe data—Track 1 and Track 2,
Cardholder name, PAN, expiration date, CVC 2, PIN, and PIN block).
• The location and number of Accounts where restricted Account data (magnetic stripe,
Track 1 and Track 2, Cardholder name, PAN, expiration date, CVC 2, PIN, or PIN block),
whether encrypted or unencrypted, was or may have been stored by the entity that was
the subject of the forensic investigation. This includes restricted Account data that was or
may have been stored in unallocated disk space, backup media, and malicious software
output files.
• A time frame for Transactions involving Accounts determined to be at risk of compromise.
If the Transaction date/time is not able to be determined, file-creation timestamps must be
supplied.

• A determination of whether a security breach that exposed payment card data to

compromise occurred.
• On a requirement-by-requirement basis, a conclusion as to whether, at the time that the
ADC Event or Potential ADC Event occurred, each applicable PCI SSC requirement was
complied with. For the avoidance of doubt, as of the date of the publication of these
Standards, the PCI Security Standards include the PCI DSS, PIN Entry Device (PCI PED)
Security Requirements, and Payment Application Data Security Standard (PA-DSS).
MasterCard may require the Customer to cause a PFI to conduct a PCI gap analysis and
include the result of that analysis in the final forensic report.
The Customer must direct the PFI to submit a copy of the preliminary and final forensic reports
to MasterCard via Secure Upload.
10.2.4 Alternative Standards Applicable to Certain Merchants

In the event of an ADC Event or Potential ADC Event (for purposes of this section 10.2.4, an
“Event”) for which the subject is a Level 2, Level 3, or Level 4 Merchant (as set forth in section
10.3.4), in lieu of complying with the responsible Customer obligations set forth in section
10.2.2.1, the first bullet point of section 10.2.2.2, and section 10.2.3 of this Chapter 10, a
responsible Customer may comply with the Standards set forth in this section 10.2.4 provided
all of the following criteria are satisfied:
Criterion A
MasterCard determines that fewer than 7,500 Accounts are at risk of unauthorized
disclosure as a result of the Event; and
Criterion B
MasterCard determines that the Merchant has not been the subject of an ADC Event or
Potential ADC Event for the thirty-six (36) consecutive months immediately preceding the
date that MasterCard determines likely to be the earliest possible date of the Event; and
Criterion C
The responsible Customer determines that the Merchant uses a computer-based
acceptance system that is not used by another Merchant or Merchants and that is not
operated by a Service Provider of the responsible Customer.
Should MasterCard determine that the subject of the Event is a Level 2, 3, or 4 Merchant and
that Criteria A and B, above, are satisfied, MasterCard will provide notice to the responsible
Customer via an email message to the responsible Customer’s Security Contact listed in the
Member Information—MasterCard application then available on MasterCard Connect™.
Upon receipt of such notice, the responsible Customer may elect to cause a PFI to conduct an
examination of the Merchant in accordance with section 10.2.2.1 of this Chapter 10.
Alternatively, and provided the responsible Customer determines that Criterion C is satisfied,
the responsible Customer itself may elect to investigate the Event in lieu of causing a PFI to
conduct an examination of the Merchant.
If the responsible Customer itself elects to conduct the investigation, not later than sixty (60)
days following the date of the notice by MasterCard described above, the responsible

Customer must provide to MasterCard a written certification by an officer of the responsible

Customer certifying that all of the following are true:
• The responsible Customer elected to investigate the ADC Event or Potential ADC Event in
lieu of causing a PFI to investigate the ADC Event or Potential ADC Event; and
• The Merchant that is the subject of the ADC Event or Potential ADC Event does not use a
computer-based acceptance system that is used by another Merchant or Merchants; and
• The responsible Customer’s investigation of the ADC Event or Potential ADC Event has
been completed and all security vulnerabilities have been eliminated; and
• The Merchant has newly validated or revalidated compliance with the PCI DSS.
Documentation confirming such validation or revalidation must be provided to MasterCard
with the officer certification.
Except as specifically set forth in this section 10.2.4, all other MasterCard and Customer rights
and obligations with respect to an ADC Event or Potential ADC Event shall continue with
respect to any ADC Event or Potential ADC Event that a responsible Customer itself elects to
investigate in accordance with this section 10.2.4. Further, and for the avoidance of doubt,
MasterCard has a right at any time to require a responsible Customer to cause a PFI to
conduct a forensic examination of a Merchant notwithstanding the provisions of this section
10.2.4.
10.2.5 MasterCard Determination of ADC Event or Potential ADC Event

MasterCard will evaluate the totality of known circumstances, including but not limited to the
following, to determine whether or not an occurrence constitutes an ADC Event or Potential
ADC Event:
• a Customer or its Agent acknowledges or confirms the occurrence of an ADC Event or
Potential ADC Event;
• any PFI report; or
• any information determined by MasterCard to be sufficiently reliable at the time of receipt.
10.2.5.1 Assessments for PCI Violations in Connection with ADC Events

Based on the totality of known circumstances surrounding an ADC Event or Potential ADC
Event, including the knowledge and intent of the responsible Customer, MasterCard (in
addition to any assessments provided for elsewhere in the Standards) may assess a responsible
Customer up to USD 100,000 for each violation of a requirement of the PCI SSC.
10.2.5.2 Potential Reduction of Financial Responsibility

Notwithstanding a MasterCard determination that an ADC Event occurred, MasterCard may
consider any actions taken by the compromised entity to establish, implement, and maintain
procedures and support best practices to safeguard Account data prior to, during, and after
the ADC Event or Potential ADC Event, in order to relieve, partially or fully, an otherwise
responsible Customer of responsibility for any assessments, ADC operational reimbursement,
ADC fraud recovery, and/or investigative costs. In determining whether to relieve a responsible
Customer of any or all financial responsibility, MasterCard may consider whether the
Customer has complied with all of the following requirements:

• Substantiation to MasterCard from a PCI SSC-approved Qualified Security Assessor (QSA)

of the compromised entity’s compliance with the PCI DSS at the time of the ADC Event or
Potential ADC Event.
• Reporting that certifies any Merchant(s) associated with the ADC Event or Potential ADC
Event as compliant with the PCI DSS and all applicable MasterCard Site Data Protection
(SDP) Program requirements at the time of the ADC Event or Potential ADC Event in
accordance with section 10.3.3 of this manual. Such reporting must also affirm that all
third party-provided payment applications used by the Merchant(s) associated with the
ADC Event or Potential ADC Event are compliant with the Payment Card Industry Payment
Application Data Security Standard, as applicable. The applicability of the PCI PA-DSS to
third party-provided payment applications is defined in the PCI PA-DSS Program Guide,
found at pcisecuritystandards.org.
• If the compromised entity is a Europe Region Merchant, a PFI has validated that the
Merchant was compliant with milestones one through four of the PCI DSS Prioritized
Approach at the time of the ADC Event or Potential ADC Event.
• Registration of any TPP(s) or DSE(s) associated with the ADC Event through MasterCard
Connect, in accordance with Chapter 7 of the MasterCard Rules.
• Notification of an ADC Event or Potential ADC Event to and cooperation with MasterCard
and, as appropriate, law enforcement authorities.
• Verification that the forensic investigation was initiated within seventy-two (72) hours of
the ADC Event or Potential ADC Event and completed as soon as practical.
• Timely receipt by MasterCard of the unedited (by other than the forensic examiner) forensic
examination findings.
• Evidence that the ADC Event or Potential ADC Event was not foreseeable or preventable by
commercially reasonable means and that, on a continuing basis, best security practices
were applied.
In connection with its evaluation of the Customer’s or its Agent’s actions, MasterCard will
consider, and may draw adverse inferences from, evidence that a Customer or its Agent(s)
deleted or altered data.
As soon as practicable, MasterCard will contact the Customer’s Security Contact, Principal
Contact, or Merchant Acquirer Contact as they are listed in the Member Information tool,
notifying all impacted parties of the impending financial obligation or compensation, as
applicable.
It is the sole responsibility of each Customer, not MasterCard, to include current and complete
information in the Member Information tool.
10.2.5.3 ADC Operational Reimbursement and ADC Fraud Recovery—MasterCard

Only
NOTE: This section applies to MasterCard Transactions only.
ADC operational reimbursement enables an Issuer to partially recover costs incurred in

reissuing Cards and for enhanced monitoring of compromised and/or potentially compromised
MasterCard Accounts associated with an ADC Event. ADC fraud recovery enables an Issuer to
recover partial incremental magnetic-stripe (POS 90) and/or Hybrid POS Terminal unable to

process (POS 80) counterfeit fraud losses associated with an ADC Event. MasterCard
determines ADC operational reimbursement and ADC fraud recovery.
ADC operational reimbursement and ADC fraud recovery are available to an Issuer that is
licensed to access the Manage My Fraud & Risk Programs application at the time of the ADC
Event. MasterCard reserves the right to determine which ADC Events will be eligible for ADC
operational reimbursement and/or ADC fraud recovery and to limit or “claw back” ADC
operational reimbursement and/or ADC fraud recovery based on the amount collected from
the responsible Customer, excluding assessments, or for the purpose of compromising any
claim asserted that arises from or is related to an ADC Event.
With regard to any particular ADC Event, MasterCard has no obligation to disburse an
amount in excess of the amount that MasterCard actually and finally collects from the
responsible Customer. In that regard, (i) any such amount actually and finally charged to a
responsible Customer with respect to a particular ADC Event is determined by MasterCard
following the full and final resolution of any claim asserted against MasterCard that arises
from or is related to that ADC Event; and (ii) any funds disbursed by MasterCard to a
Customer as ADC operational reimbursement and/or ADC fraud recovery is disbursed
conditionally and subject to “claw back” until any claim and all claims asserted against
MasterCard that arise from or are related to the ADC Event are fully and finally resolved.
MasterCard will charge the Issuer an administrative fee as established from time to time for
administering the ADC operational reimbursement and ADC fraud recovery processes.
In the administration of the ADC operational reimbursement (OR) and ADC fraud recovery (FR)
programs, MasterCard may determine the responsible Customer’s financial responsibility with
respect to an ADC Event. When determining financial responsibility, MasterCard may take into
consideration the compromised entity’s PCI level (as set forth in section 10.3.4), annual sales
volume, and the factors set forth in section 10.2.5.2.
The annual sales volume is derived from the Merchant’s clearing Transactions processed during
the previous year via the Global Clearing Management System (GCMS). Transactions that are
not processed by MasterCard will be included in the annual sales volume if such data is
available. In the event that the Merchant’s annual sales volume is not known, MasterCard will
use the Merchant’s existing sales volume to project the annual sales volume.
10.2.5.4 Determination of Operational Reimbursement (OR)
Subject to section 10.2.5.3, MasterCard generally determines OR in accordance with the

following steps. MasterCard reserves the right to determine OR by an alternative means if
MasterCard determines that information needed to use the following steps is not readily
available. For additional information pertaining to OR, refer to the MasterCard Account Data
Compromise User Guide.
1. MasterCard determines the number of at-risk Accounts per Issuer ICA number by type of
Card, using an assumption of one and one-half (1 1/2) Cards per at-risk Account.
2. MasterCard multiplies the number of at-risk Accounts by an amount fixed by MasterCard
from time to time.

3. From the results of Steps 1 and 2, MasterCard may subtract a fixed deductible (published
in a Global Security Bulletin or other MasterCard publication), to account for Card
expirations, Card re-issuance cycles, Accounts included in previous ADC Alerts, and the re-
issuance of Accounts using the same PAN but a different expiration date.
4. United States Region Only—For an ADC Event investigation opened by MasterCard on
or after 1 October 2013, MasterCard will:
a. Halve the amount determined by Steps 1, 2, and 3, above, if the compromised entity
is a U.S. Region Acquirer’s Merchant located in the U.S. Region and MasterCard
determines that (i) at least seventy–five percent (75%) of the Merchant’s annual total
Transaction count was processed via Dual Interface Hybrid POS Terminals; and (ii) at
least seventy-five percent (75%) of the Transactions deemed by MasterCard to be
within the scope of the ADC Event were processed via Dual Interface Hybrid POS
Terminals; and (iii) the Merchant has not been identified by MasterCard as having
experienced a different ADC Event during the twelve (12) months prior to the date of
publication of the earliest ADC Alert for the subject ADC Event; and (iv) MasterCard
determines that the Merchant was not storing Sensitive Card Authentication Data; or
b. Effective 1 October 2015, not assess OR if the compromised entity is a U.S. Region
Acquirer’s Merchant located in the U.S. Region and MasterCard determines that (i) at
least ninety-five percent (95%) of the Merchant’s annual total Transaction count was
acquired via Dual Interface Hybrid POS Terminals; and (ii) at least ninety-five percent
(95%) of the Transactions deemed by MasterCard to be within the scope of the ADC
Event were acquired via Dual Interface Hybrid POS Terminals; and (iii) the Merchant
has not been identified by MasterCard as having experienced a different ADC Event
during the twelve (12) months prior to the date of publication of the earliest ADC
Alert for the subject ADC Event; and (iv) MasterCard determines that the Merchant
was not storing Sensitive Card Authentication Data.
For purposes of this Step 4, a Merchant’s annual total Transaction count is determined
based on the Merchant’s clearing Transactions processed during the twelve (12)
months prior to the date of publication of the ADC Alert via the GCMS. Transactions
not processed by MasterCard are included in the annual Transaction count only if data
pertaining to such Transactions is readily available to MasterCard. In the event that
MasterCard is unable to readily determine the Merchant’s actual annual total
Transaction count, MasterCard may exercise its judgment to determine an annual total
Transaction count. MasterCard may require an Acquirer to provide information to
MasterCard for that purpose.
5. All Regions Other than the U.S. Region—For an ADC Event investigation opened by
MasterCard on or after 1 December 2014, MasterCard will determine OR in the manner
set forth in Step 4, above, provided the requisite percentage of processed Transactions
were processed via Hybrid POS Terminals.
10.2.5.5 Determination of Fraud Recovery (FR)
MasterCard determines FR in the manner set forth in this section.

Subject to section 10.2.5.3, MasterCard determines an amount of incremental counterfeit

fraud attributable to an ADC Event based on the fraud data reported to the System to Avoid
Fraud Effectively (SAFE). As used in the immediately preceding sentence, the word
“incremental counterfeit fraud” means counterfeit fraud incremental to the counterfeit fraud
that MasterCard determines would have been expected to occur had the ADC Event not
occurred. For additional information pertaining to FR, refer to the MasterCard Account Data
Compromise User Guide.
NOTE: If the fraud type reported to SAFE for one or more fraud Transactions is changed after
MasterCard has calculated the ADC fraud recovery amount, MasterCard does not recalculate
the ADC fraud recovery amount.
The calculation of FR uses an “at-risk time frame.” The at-risk time frame may be known or
unknown.
>>>
Known At-risk Time Frame

The at-risk time frame is “known” if MasterCard is able to determine a period of time during
which Accounts were placed at risk of use in fraudulent transactions due to or in connection
with an ADC Event or Potential ADC Event. In such event, the at-risk time frame for an
Account number commences as of the date that MasterCard determines that Account
became at risk, and ends on the date specified in the first ADC Alert pertaining to that ADC
Event or Potential ADC Event disclosing that Account number. The number of days that the
Issuer has to report fraudulent Transactions to SAFE associated with an Account number
disclosed in an ADC Alert is specified in the Alert; an Issuer is ineligible to receive FR
associated with a fraudulent Transaction arising from use of an Account number if that
fraudulent Transaction is not timely reported to SAFE. MasterCard will determine the number
of days that the Issuer has to report fraudulent Transactions to SAFE for a disclosed Account
number as follows:
• If MasterCard publishes an ADC Alert before MasterCard has received a final PFI report
concerning the ADC Event or Potential ADC Event, then that ADC Alert will specify
whether the Issuer has 30, 45, or 60 days to report fraudulent Transactions to SAFE.
NOTE: As set forth in Chapter 5 of the ADC User’s Guide, MasterCard determines the
number of days in which an Issuer must report fraudulent Transactions to SAFE based on
the number of Accounts placed at risk in the ADC Event or Potential ADC Event: (i) if an
Alert discloses 7,500 to 1,000,000 Accounts, then the number of days will be 30 for the
Accounts disclosed in the Alert; (ii) if an Alert discloses 1,000,000 to 5,000,000 Accounts,
then the number of days will be 45 for the Accounts disclosed in the Alert; or (iii) if an
Alert discloses at least 5,000,000 Accounts, then the number of days will be 60 for the
Accounts disclosed in the Alert.
• If MasterCard publishes an ADC Alert after MasterCard has received a final PFI report

<<<
>>>
Unknown At-risk Time Frame

The at-risk time frame is “unknown” if MasterCard is unable to readily determine a known at-
risk time frame. In such event, an at-risk time frame for an Account number commences
twelve (12) months prior to the date of publication of the first ADC Alert for the ADC Event or
Potential ADC Event that discloses that Account number, and ends on the date specified in
that ADC Alert. The number of days that the Issuer has to report fraudulent Transactions to
SAFE associated with an Account number disclosed in an ADC Alert is specified in the Alert;
an Issuer is ineligible to receive FR associated with a fraudulent Transaction arising from use of
an Account number if that fraudulent Transaction is not timely reported to SAFE. MasterCard
will determine the number of days that the Issuer has to report fraudulent Transactions to
SAFE for a disclosed Account number as follows:
• If MasterCard publishes an ADC Alert before MasterCard has received a final PFI report
• If MasterCard publishes an ADC Alert after MasterCard has received a final PFI report

<<<
Accounts Disclosed for Different ADC Events

An Account number disclosed in an ADC Alert in connection with a different ADC Event
during the six (6) months prior to the earliest disclosure of that Account number in an ADC
Alert published in connection with the subject ADC Event is not eligible for ADC fraud
recovery for the subject ADC Event. In addition, a standard deductible, published from time to
time, is applied to compensate for chargeback recoveries on Transactions using at-risk
Account numbers.
>>>For additional information regarding the criteria used by MasterCard in determining the
at-risk time frame, refer to Chapter 5 of the ADC User’s Guide.<<<
United States Region Only—MasterCard will:
For an ADC Event investigation opened by MasterCard on or after 1 October 2013:
1. Halve the FR, if the compromised entity is a U.S. Region Acquirer’s Merchant located in the
U.S. Region and MasterCard determines that (i) at least seventy-five percent (75%) of the
Merchant’s annual total Transaction count was processed via Dual Interface Hybrid POS
Terminals; and (ii) at least seventy-five percent (75%) of the Transactions deemed by
MasterCard to be within the scope of the ADC Event were processed via Dual Interface
Hybrid POS Terminals; and (iii) the Merchant has not been identified by MasterCard as
having experienced a different ADC Event during the twelve (12) months prior to the date
of publication of the earliest ADC Alert for the subject ADC Event; and (iv) MasterCard
determines that the Merchant was not storing Sensitive Card Authentication Data; or
2. Effective 1 October 2015, not assess FR if the compromised entity is a U.S. Region
Acquirer’s Merchant located in the U.S. Region and MasterCard determines that (i) at least
ninety-five percent (95%) of the Merchant’s annual total Transaction count was acquired
via Dual Interface Hybrid POS Terminals; and (ii) at least ninety-five percent (95%) of the
Transactions deemed by MasterCard to be within the scope of the ADC Event were
acquired via Dual Interface Hybrid POS Terminals; and (iii) the Merchant has not been
identified by MasterCard as having experienced a different ADC Event during the twelve
(12) months prior to the date of publication of the earliest ADC Alert for the subject ADC
Event; and (iv) MasterCard determines that the Merchant was not storing Sensitive Card
Authentication Data.
For purposes of this subsection, a Merchant’s annual total Transaction count is determined
based on the Merchant’s clearing Transactions processed during the twelve (12) months

prior to the date of publication of the ADC Alert via the GCMS. Transactions not
processed by MasterCard are included in the annual Transaction count only if data
pertaining to such Transactions is readily available to MasterCard. In the event that
MasterCard is unable to readily determine the Merchant’s actual annual total Transaction
count, MasterCard may exercise its judgment to determine an annual total Transaction
count. MasterCard may require an Acquirer to provide information to MasterCard for that
purpose.
All Regions Other than the U.S. Region—For an ADC Event investigation opened by
MasterCard on or after 1 December 2014, MasterCard will determine FR in the manner set
forth in the subsection above pertaining to the U.S. Region, provided the requisite percentage
of processed Transactions were processed via Hybrid POS Terminals.
10.2.5.6 Investigation and Other Costs

MasterCard may assess the responsible Customer for all investigation and other costs incurred
by MasterCard in connection with an ADC Event and may assess a Customer for all
investigative and other costs incurred by MasterCard in connection with a Potential ADC
Event.
10.2.6 Assessments and/or Disqualification for Noncompliance

If the Customer fails to comply with the procedures set forth in this section 10.2, MasterCard
may impose an assessment of up to USD 25,000 per day for each day that the Customer is
noncompliant and/or disqualify the Customer from participating as a recipient of ADC
operational reimbursement and fraud recovery disbursements, whether such disbursements
are made in connection with the subject ADC Event or any other ADC Event, from the date
that MasterCard provides the Customer with written notice of such disqualification until
MasterCard determines that the Customer has resolved all compliance issues under this
section 10.2.
10.2.7 Final Financial Responsibility Determination

Upon completion of its investigation, if MasterCard determines that a Customer bears
financial responsibility for an ADC Event or Potential ADC Event, MasterCard will notify the
responsible Customer of such determination and, either contemporaneous with such
notification or thereafter, specify the amount of the Customer’s financial responsibility for the
ADC Event or Potential ADC Event.
The responsible Customer has thirty (30) calendar days from the date of such notification of
the amount of the Customer’s financial responsibility to submit a written appeal to
MasterCard, together with any documentation and/or other information that the Customer
wishes MasterCard to consider in connection with the appeal. Only an appeal that both
contends that the MasterCard financial responsibility determination was not in accordance
with the Standards and specifies with particularity the basis for such contention will be
considered. MasterCard will assess a non-refundable USD 500 fee to consider and act on a
request for review of an appeal.
If the appeal is timely and meets these criteria, MasterCard will consider the appeal and the
documentation and/or other information submitted therewith in determining whether or not

10.3 MasterCard Site Data Protection (SDP) Program
the MasterCard final financial responsibility determination was made in accordance with the
Standards. An appeal that is not timely or does not meet these criteria will not be considered.
The MasterCard decision with respect to an appeal is final and there are no additional internal
appeal rights.
This section does not relieve a Customer of any responsibility set forth in sections 10.2.2 and
10.2.3, including the responsibility to submit to MasterCard on a continuing basis throughout
the pendency of the MasterCard investigation the information required by those sections. If
MasterCard determines that a Customer knew or should have known with reasonable
diligence of documents or other information that the Customer was required to submit to
MasterCard during the pendency of the MasterCard investigation in accordance with sections
10.2.2 or 10.2.3, but failed to do so, such documents or other information will not be
considered by MasterCard in deciding the appeal.
NOTE: This section applies to MasterCard and Maestro Transactions.
The MasterCard Site Data Protection (SDP) Program is designed to encourage Customers,
Merchants, Third Party Processors (TPPs), and Data Storage Entities (DSEs) to protect against
Account data compromises. The SDP Program facilitates the identification and correction of
vulnerabilities in security processes, procedures, and website configurations. For the purposes
of the SDP Program, TPPs and DSEs are collectively referred to as “Service Providers” in this
chapter.
An Acquirer must implement the MasterCard SDP Program by ensuring that its Merchants and
Service Providers are compliant with the Payment Card Industry Data Security Standard (PCI
DSS) and that all applicable third party-provided payment applications used by its Merchants
and Service Providers are compliant with the Payment Card Industry Payment Application Data
Security Standard (PCI PA-DSS), in accordance with the implementation schedule defined in
section 10.3.1 of this manual. Going forward, the Payment Card Industry Data Security
Standard and the Payment Card Industry Payment Application Data Security Standard will be
components of the SDP Program; these documents set forth security Standards that
MasterCard hopes will be adopted as industry standards across the payment brands.
A Customer that complies with the SDP Program requirements may qualify for a reduction,
partial or total, of certain costs or assessments if the Customer, a Merchant, or a Service
Provider is the source of an Account data compromise.
MasterCard has sole discretion to interpret and enforce the SDP Program Standards.
10.3.1 Payment Card Industry Data Security Standards

The Payment Card Industry Data Security Standard and the Payment Card Industry Payment
Application Data Security Standard establish data security requirements. Compliance with the
Payment Card Industry Data Security Standard is required for all Issuers, Acquirers, Digital
Activity Customers, Merchants, Service Providers, and any other person or entity that a

Customer permits, directly or indirectly, to store, transmit, or process Account data.

MasterCard requires validation of compliance only for those entities specified in the SDP
Program implementation schedule in section 10.3.4. All Merchants and Service Providers that
use third party-provided payment applications must only use payment applications that are
compliant with the Payment Card Industry Payment Application Data Security Standard, as
applicable. The applicability of the PCI PA-DSS to third party-provided payment applications is
defined in the PCI PA-DSS Program Guide.
The Payment Card Industry Data Security Standard, the Payment Card Industry Payment
Application Data Security Standard, the PCI PA-DSS Program Guide, and other PCI Security
Standards manuals are available on the PCI Security Standards Council (SSC) website at
www.pcisecuritystandards.org.
10.3.2 Compliance Validation Tools

As defined in the implementation schedule in section 10.3.4, Merchants and Service Providers
must validate their compliance with the Payment Card Industry Data Security Standard by
using the following tools:
Onsite Reviews
The onsite review evaluates Merchant or Service Provider compliance with the Payment
Card Industry Data Security Standard. Onsite reviews are an annual requirement for Level 1
Merchants and for Level 1 Service Providers. Merchants may use an internal auditor or
independent assessor recognized by MasterCard as acceptable. Service Providers must use
an acceptable third-party assessor as defined on the SDP Program website. Onsite reviews
must be conducted in accordance with the Payment Card Industry Security Audit
Procedures manual.
The Payment Card Industry Self-assessment Questionnaire
The Payment Card Industry Self-assessment Questionnaire is available at no charge on the
PCI SSC website. To be compliant, each Level 2, 3, and 4 Merchant, and each Level 2
Service Provider must generate acceptable ratings on an annual basis.
Network Security Scan
The network security scan evaluates the security measures in place at a website. To fulfill
the network scanning requirement, all Level 1 to 3 Merchants and all Service Providers as
required by the implementation schedule must conduct scans on a quarterly basis using a
vendor listed on the PCI SSC website. To be compliant, scanning must be conducted in
accordance with the guidelines contained in the Payment Card Industry DSS Security
Scanning Procedures manual.
10.3.3 Acquirer Compliance Requirements

To ensure compliance with the MasterCard SDP Program, an Acquirer must:
• For each Level 1, Level 2, and Level 3 Merchant, submit a quarterly status report via an
email message to sdp@mastercard.com using the form provided on the SDP Program
website. This submission form must be completed in its entirety and may include
information on:

– The name and primary contact information of the Acquirer

– The name of the Merchant
– The Merchant identification number of the Merchant
– The number of Transactions that the Acquirer processed for the Merchant during the
previous 12-month period
– The Merchant’s level under the implementation schedule provided in section 10.3.4 of
this manual
– The Merchant's compliance status with its applicable compliance validation
requirements
– The Merchant's anticipated compliance validation date or the date on which the
Merchant last validated its compliance (the “Merchant Validation Anniversary Date”)
• Communicate the SDP Program requirements to each Level 1, Level 2, and Level 3
Merchant, and validate the Merchant’s compliance with the Payment Card Industry Data
Security Standard by reviewing its Payment Card Industry Self-assessment Questionnaire
and the Reports on Compliance (ROC) that resulted from network security scans and onsite
reviews of the Merchant, if applicable.
• Communicate the SDP Program requirements to each Level 1 and Level 2 Service Provider,
and ensure that Merchants use only compliant Service Providers.
In submitting a quarterly SDP status report indicating that the Merchant has validated
compliance within 12 months of the report submission date, the Acquirer certifies that:
1. The Merchant has, when appropriate, engaged and used the services of a data security
firm(s) considered acceptable by MasterCard for onsite reviews, security scanning, or both.
2. Upon reviewing the Merchant’s onsite review results, Payment Card Industry Self-
assessment Questionnaire, or network scan reports, the Acquirer has determined that the
Merchant is in compliance with the Payment Card Industry Data Security Standard
requirements.
3. On an ongoing basis, the Acquirer will monitor the Merchant’s compliance. If at any time
the Acquirer finds the Merchant to be noncompliant, the Acquirer must notify the
MasterCard SDP Department in writing at sdp@mastercard.com.
At its discretion and from time to time, MasterCard may also request the following
information:
• Merchant principal data
• The name of any TPP or DSE that performs Transaction processing services for the
Merchant’s Transactions
• Whether the Merchant stores Account data
When considering whether a Merchant stores Account data, Acquirers carefully should survey
each Merchant’s data processing environment. Merchants that do not store Account
information in a database file still may accept payment Card information via a web page and
therefore store Account data temporarily in memory files. Per the MasterCard data storage
definition, any temporary or permanent retention of Account data is considered to be storage.
A Merchant that does not store Account data never processes the data in any form, such as in
the case of a Merchant that outsources its environment to a web hosting company, or a
Merchant that redirects customers to a payment page hosted by a third-party Service Provider.

10.3.4 Implementation Schedule

All onsite reviews, network security scans, and self-assessments must be conducted according
to the guidelines in section 10.3.2. For purposes of the SDP Program, Service Providers in this
section refer to TPPs and DSEs.
The Acquirer must ensure, with respect to each of its Merchants, that “transition” from one
PCI level to another (for example, the Merchant transitions from Level 4 to Level 3 due to
Transaction volume increases), that such Merchant achieves compliance with the requirements
of the applicable PCI level as soon as practical, but in any event not later than one year after
the date of the event that results in or causes the Merchant to transition from one PCI level to
another.
All Level 1, 2, and 3 Merchants and all Service Providers that use any third party-provided
payment applications must validate that each payment application used is listed on the PCI
SSC website at www.pcisecuritystandards.org as compliant with the Payment Card Industry
Payment Application Data Security Standard, as applicable. The applicability of the PCI PA-DSS
to third party-provided payment applications is defined in the PCI PA-DSS Program Guide.
Level 1 Merchants
A Merchant that meets any one or more of the following criteria is deemed to be a Level 1
Merchant and must validate compliance with the Payment Card Industry Data Security
Standard:
• Any Merchant that has suffered a hack or an attack that resulted in an Account data
compromise,
• Any Merchant having greater than six million total combined MasterCard and Maestro
transactions annually,
• Any Merchant meeting the Level 1 criteria of Visa, and
• Any Merchant that MasterCard, in its sole discretion, determines should meet the Level 1
Merchant requirements to minimize risk to the system.
To validate compliance, each Level 1 Merchant must successfully complete:
• An annual onsite assessment conducted by a PCI SSC approved Qualified Security Assessor
(QSA) or internal auditor, and
• Quarterly network scans conducted by a PCI SSC Approved Scanning Vendor (ASV).
Level 1 Merchants that use internal auditors for compliance validation must ensure that
primary internal auditor staff engaged in validating compliance with the Payment Card
Industry Data Security Standard attend the PCI SSC-offered Internal Security Assessor (ISA)
Program and pass the PCI SSC associated accreditation examination annually in order to
continue to use internal auditors.
Level 2 Merchants
Unless deemed to be a Level 1 Merchant, the following are deemed to be a Level 2 Merchant
and must validate compliance with the Payment Card Industry Data Security Standard:

• Any Merchant with greater than one million but less than or equal to six million total
combined MasterCard and Maestro transactions annually, and
• Any Merchant meeting the Level 2 criteria of Visa.
• An annual self-assessment, and
• Quarterly network scans conducted by a PCI SSC ASV.
Each Level 2 Merchant must ensure that staff engaged in self-assessing the Merchant’s
compliance with the Payment Card Industry Data Security Standard attend the PCI SSC-
offered ISA Program and pass the associated PCI SSC accreditation examination annually in
order to continue the option of self-assessment for compliance validation. Level 2 Merchants
may alternatively, at their own discretion, engage a PCI SSC-approved QSA for an onsite
assessment instead of performing a self-assessment.
Level 3 Merchants
Unless deemed to be a Level 1 or Level 2 Merchant, the following are deemed to be a Level 3
Merchant and must validate compliance with the Payment Card Industry Data Security
Standard:
• Any Merchant with greater than 20,000 but less than or equal to one million total
combined MasterCard and Maestro electronic commerce (e-commerce) transactions
annually, and
• Any Merchant meeting the Level 3 criteria of Visa.
Level 4 Merchants
Any Merchant not deemed to be a Level 1, Level 2, or Level 3 Merchant is deemed to be a
Level 4 Merchant. Compliance with the Payment Card Industry Data Security Standard is
required for a Level 4 Merchant, although validation of compliance (and all other MasterCard
SDP Program Acquirer requirements set forth in section 10.3.3) is optional for a Level 4
Merchant. However, a validation of compliance is strongly recommended for Acquirers with
respect to each Level 4 Merchant in order to reduce the risk of Account data compromise and
for an Acquirer potentially to gain a partial waiver of related assessments.
A Level 4 Merchant may validate compliance with the Payment Card Industry Data Security
Standard by successfully completing:
If a Level 4 Merchant has validated its compliance with the Payment Card Industry Data
Security Standard and the Payment Card Industry Payment Application Data Security Standard

as described in this section, the Acquirer may, at its discretion, fulfill the reporting
requirements described in section 10.3.3.
Level 1 Service Providers

A Level 1 Service Provider is any TPP (regardless of volume) and any DSE that stores, transmits,
or processes more than 300,000 total combined MasterCard and Maestro transactions
annually.
Each Level 1 Service Provider must validate compliance with the Payment Card Industry Data
Security Standard by successfully completing:
• An annual onsite assessment by a PCI SSC approved QSA, and
Level 2 Service Providers

A Level 2 Service Provider is any DSE that is not deemed a Level 1 Service Provider and that
stores, transmits, or processes 300,000 or less total combined MasterCard and Maestro
transactions annually.
Each Level 2 Service Provider must validate compliance with the Payment Card Industry Data
Security Standard by successfully completing:
MasterCard has the right to audit Customer compliance with the SDP Program requirements.
Noncompliance on or after the required implementation date may result in assessments
described in Table 10.1.
Table 10.1—Assessments for Noncompliance with the SDP Program
Failure of the following to comply

with the SDP Program mandate… May result in an assessment of…
Classification Violations per calendar year
Level 1 and Level 2 Merchants Up to USD 25,000 for the first violation
Up to USD 50,000 for the second violation
Up to USD 100,000 for the third violation
Up to USD 200,000 for the fourth violation

Failure of the following to comply

with the SDP Program mandate… May result in an assessment of…
Classification Violations per calendar year
Level 3 Merchants Up to USD 10,000 for the first violation

Level 1 and Level 2 Service Providers Up to USD 25,000 for the first violation
Noncompliance also may result in Merchant termination, deregistration of a TPP or DSE as a

Service Provider, or termination of the Acquirer as a Customer as provided in Rule 2.1.2 of the
MasterCard Rules manual.
The Acquirer must provide compliance action plans and quarterly compliance status reports
for each Level 1, Level 2, and Level 3 Merchant using the SDP Acquirer Submission and
Compliance Status Form, available at http://www.mastercard.com/us/sdp/index.html or by
contacting the MasterCard SDP Department at sdp@mastercard.com.
Acquirers must complete the form(s) in their entirety and submit the form(s) via email message
to sdp@mastercard.com on or before the last day of the quarter, as indicated below.
For this quarter… Submit the form(s) no later than…
1 January to 31 March 31 March
1 April to 30 June 30 June
1 July to 30 September 30 September
1 October to 31 December 31 December
Late submission or failure to submit the required form(s) may result in an additional
assessment to the Acquirer as described for Category A violations in Rule 2.1.4 of the

10.3.4.1 MasterCard PCI DSS Risk-based Approach

A qualifying Level 1 or Level 2 Merchant located outside of the U.S. Region may use the
MasterCard PCI DSS Risk-based Approach, pursuant to which the Merchant:
• Validates compliance with the first four of the six total milestones set forth in the PCI DSS
Prioritized Approach, as follows:
– A Level 1 Merchant must validate compliance through an onsite assessment conducted
by a PCI SSC-approved QSA, or by conducting an onsite assessment using internal
resources that have been trained and certified through the PCI SSC-offered ISA
Program.
– A Level 2 Merchant must validate compliance using a Self-Assessment Questionnaire
(SAQ) completed by internal resources that have been trained and certified through the
PCI SSC-offered ISA Program. Alternatively, the Level 2 Merchant may validate PCI DSS
compliance via an onsite assessment.
• Annually revalidates compliance with milestones one through four using an SAQ. The SAQ
must be completed by internal staff trained and currently certified through the PCI SSC-
offered ISA Program.
To qualify as compliant with the MasterCard PCI DSS Risk-based Approach, a Merchant must
satisfy all of the following:
• The Merchant must certify that it is not storing Sensitive Card Authentication Data.
• On a continuous basis, the Merchant must keep fully segregated the “Card-not-present”
Transaction environment from the “face-to-face” Transaction environment. A face-to-face
Transaction requires the Card, the Cardholder, and the Merchant to all be present together
at the time and place of the Transaction.
• For a Merchant located in the Europe Region, at least 95 percent of the Merchant’s annual
total count of Card-present MasterCard and Maestro transactions must occur at Hybrid
POS Terminals.
• For a Merchant located in the Asia/Pacific Region, Canada Region, Latin America and the
Caribbean Region, or Middle East/Africa Region, at least 75 percent of the Merchant’s
annual total count of Card-present MasterCard and Maestro transactions must occur at
Hybrid POS Terminals.
• The Merchant must not have experienced an ADC Event within the last 12 months. At the
discretion of MasterCard, this and other criteria may be waived if the Merchant validated
full PCI DSS compliance at the time of the ADC Event or Potential ADC Event.
• The Merchant must establish and annually test an ADC Event incident response plan.
Information about the PCI DSS Prioritized Approach is available at:
www.pcisecuritystandards.org/education/prioritized.shtml
10.3.4.2 MasterCard PCI DSS Compliance Validation Exemption Program

A qualifying Level 1 or Level 2 Merchant may participate in the MasterCard PCI DSS
Compliance Validation Exemption Program (the “Exemption Program”), which exempts the
Merchant from the requirement to annually validate its compliance with the PCI DSS.

To qualify or remain qualified to participate in the Exemption Program, a duly authorized and
empowered officer of the Merchant must certify to the Merchant’s Acquirer in writing that the
Merchant has satisfied all of the following:
1. The Merchant validated its compliance with the PCI DSS within the previous twelve (12)
months or, alternatively, has submitted to its Acquirer, and the Acquirer has submitted to
MasterCard, a defined remediation plan satisfactory to MasterCard designed to ensure
that the Merchant achieves PCI DSS compliance based on a PCI DSS gap analysis;
2. The Merchant does not store Sensitive Card Authentication Data. The Acquirer must notify
MasterCard through compliance validation reporting of the status of Merchant storage of
Sensitive Card Authentication Data;
3. The Merchant has not been identified by MasterCard as having experienced an ADC Event
during the prior twelve (12) months;
4. The Merchant has established and annually tests an ADC Event incident response plan in
accordance with PCI DSS requirements; and
5. At least 75 percent of the Merchant’s annual total acquired MasterCard and Maestro
Transaction count is processed through Dual Interface Hybrid POS Terminals, as
determined based on the Merchant’s transactions processed during the previous twelve
(12) months via the GCMS and/or Single Message System. Transactions that were not
processed by MasterCard may be included in the annual acquired Transaction count if the
data is readily available to MasterCard.
An Acquirer must retain all Merchant certifications of eligibility for the Exemption Program for
a minimum of five (5) years. Upon request by MasterCard, the Acquirer must provide a
Merchant’s certification of eligibility for the Exemption Program and any documentation
and/or other information applicable to such certification. An Acquirer is responsible for
ensuring that each Exemption Program certification is truthful and accurate.
A Merchant that does not satisfy the Exemption Program’s eligibility criteria, including any
Merchant whose Transaction volume is primarily from e-commerce and Mail Order/Telephone
Order (MO/TO) acceptance channels, must continue to validate its PCI DSS compliance in
accordance with the MasterCard SDP implementation schedule.
All Merchants must maintain ongoing compliance with the PCI DSS regardless of whether
annual compliance validation is a requirement.
10.3.4.3 Mandatory Compliance Requirements for Compromised Entities

Under the audit requirement set forth in section 10.2.2.1, the Acquirer must ensure that a
detailed forensics evaluation is conducted.
At the conclusion of the forensics evaluation, MasterCard will provide a MasterCard Site Data
Protection (SDP) Account Data Compromise Information Form for completion by the
compromised entity itself, if the compromised entity is a TPP or DSE, or by its Acquirer, if the
compromised entity is a Merchant. The form must be returned via email to pci-
adc@mastercard.com within 30 calendar days of its receipt, and must include:
• The names of the QSA and the ASV that conducted the forensics evaluation, and
• The entity’s current level of compliance with the Payment Card Industry Data Security
Standard, and

10.4 Connecting to MasterCard—Physical and Logical Security Requirements
• A gap analysis providing detailed steps required for the entity to achieve full compliance
with the Payment Card Industry Data Security Standard.
As soon as practical, but no later than 60 calendar days from the conclusion of the forensics
evaluation, the compromised entity or its Acquirer must provide evidence from a QSA and an
ASV that the compromised entity has achieved full compliance with the Payment Card
Industry Data Security Standard.
Such evidence (for example, a letter attesting to the entity’s compliance, a compliance
certificate, or a compliance status report) must be submitted to MasterCard via email to pci-
adc@mastercard.com.
Failure to comply with these requirements may result in SDP noncompliance assessments as
described in section 10.3.4. Any Merchant or Level 1 or Level 2 Service Provider that has
suffered a confirmed Account data compromise will be automatically reclassified to become a
Level 1 Merchant or a Level 1 Service Provider, respectively. All compliance validation
requirements for such Level 1 entities will apply.
10.4 Connecting to MasterCard—Physical and Logical Security

Requirements
Each Customer and any agent thereof must be able to demonstrate to the satisfaction of
MasterCard the existence and use of meaningful physical and logical security controls for any
communications processor or other device used to connect the Customer’s processing systems
to the MasterCard Network (herein, “a MasterCard Network Device”) and all associated
components, including all hardware, software, systems, and documentation (herein
collectively referred to as “Service Delivery Point Equipment”) located on-site at the Customer
or agent facility. Front-end communications processors include MasterCard interface
processors (MIPs), network interface units (NIUs), and debit interface units (DIUs).
The controls must meet the minimum requirements described in this section, and preferably
will include the recommended additional parameters.
10.4.1 Minimum Security Requirements

At a minimum, the Customer or its agent must put in place the following controls at each
facility housing Service Delivery Point Equipment:
1. Each network segment connecting a MasterCard Network Device to the Customer’s
processing systems must be controlled tightly, as appropriate or necessary to prevent
unauthorized access to or from other public or private network segments.
2. The connectivity provided by each such network segment must be dedicated wholly and
restricted solely to the support of communications between MasterCard and the
Customer’s processing systems.
3. The Customer or its agent must replace each vendor-supplied or default password present
on the Customer’s processing systems, each MasterCard Network Device, and any device
providing connectivity between them with a “strong password.” A strong password

contains at least eight characters, uses a combination of letters, numbers, symbols,

punctuation, or all, and does not include a name or common word(s).
4. The Customer or its agent must conduct regular periodic reviews of all systems and
devices that store Account information to ensure that access is strictly limited to
appropriate Customer personnel on a “need to know” basis.
5. The Customer or its agent must notify MasterCard within 30 business days of any change
in the personnel designated to administer the MasterCard Network Device. Refer to
Appendix C of this manual for contact information.
6. The Customer or its agent must maintain and document appropriate audit procedures for
each MasterCard Network Device. Audit reports must be maintained and accessible to the
Customer for at least one year, including a minimum of 90 days in an easily retrieved
electronic format.
7. The Customer must ensure that the software employed in any system or device used to
provide connectivity to the MasterCard Network is updated with all appropriate security
patches, revisions, and other updates as soon after a release as is practicable.
8. The physical location of the Service Delivery Point Equipment must be accessible only by
authorized personnel of the Customer or its agent. Visitor access must be controlled by at
least one of the following measures:
a. Require each visitor to provide government-issued photo identification before entering
the physical location; and/or
b. Require each visitor to be escorted to the physical location by authorized personnel of
the Customer or its agent.
9. If the physical location of the Service Delivery Point Equipment provides common access to
other devices or equipment, then the MasterCard Network Device must be stored in a
cabinet that is locked both in front and the rear at all times. Keys to the cabinet must be
stored in a secured location.
10. The Customer or its agent must have documented procedures for the removal of Service
Delivery Point Equipment from the physical location.
10.4.2 Additional Recommended Security Requirements

Customers and their agents are strongly encouraged to put in place the following additional
controls at each facility housing a MasterCard Network Device:
1. Placement of the MasterCard Network Device in a physical location that is enclosed by
floor-to-ceiling walls.
2. Continual monitoring of the MasterCard Network Device by cameras or other type of
electronic surveillance system. Video records should be maintained for a minimum of 90
days.
10.4.3 Ownership of Service Delivery Point Equipment

MasterCard is the sole and exclusive owner of all Service Delivery Point Equipment placed by
MasterCard at the Service Delivery Point.

Effective as of date of placement, the Customer is granted a non-exclusive, non-assignable

License to use the Service Delivery Point Equipment. The Customer may not take any action
adverse to MasterCard with respect to its ownership of the Service Delivery Point Equipment.
The Customer at all times remains responsible for the safety and proper use of all Service
Delivery Point Equipment placed at a location by request of the Customer, and must employ at
that location the minimum security requirements set forth in this section 10.4. At its own
expense, the Customer must promptly return all Service Delivery Point Equipment to
MasterCard upon request of MasterCard and without such request, in the event of
bankruptcy or insolvency.

MATCH System
Chapter 11 MATCH System

This chapter is for Acquirer personnel responsible for investigating and signing potential new
Merchants and for adding Merchants to the MasterCard Alert to Control High-risk (Merchants)
(MATCH™) system.
11.1 MATCH Overview............................................................................................................... 145

11.1.1 System Features.......................................................................................................... 145
11.1.2 How does MATCH Search when Conducting an Inquiry?............................................. 145
11.1.2.1 Retroactive Possible Matches............................................................................... 146
11.1.2.2 Exact Possible Matches........................................................................................ 146
11.1.2.3 Phonetic Possible Matches................................................................................... 148
11.2 MATCH Standards.............................................................................................................. 148
11.2.1 Certification................................................................................................................ 149
11.2.2 When to Add a Merchant to MATCH...........................................................................149
11.2.3 Inquiring about a Merchant.........................................................................................149
11.2.4 MATCH Noncompliance Assessments.......................................................................... 150
11.2.5 Exceptions to MATCH Standards..................................................................................150
11.2.6 MATCH Record Retention............................................................................................151
11.3 Merchants Listed by MasterCard......................................................................................... 151
11.3.1 Questionable Merchants..............................................................................................151
11.4 Merchant Removal from MATCH.........................................................................................151
11.5 MATCH Reason Codes........................................................................................................ 152
11.5.1 Reason Codes for Merchants Listed by the Acquirer.....................................................152
11.5.2 Reason Codes for Merchants Listed by MasterCard......................................................154
11.6 Requesting Access to and Using MATCH.............................................................................155
11.7 Legal Notice........................................................................................................................156

MATCH System
11.1 MATCH Overview
11.1 MATCH Overview

The MasterCard Alert to Control High-risk (Merchants) (MATCH™) system is designed to
provide Acquirers with the opportunity to develop and review enhanced or incremental risk
information before entering into a Merchant Agreement. MATCH is a mandatory system for
MasterCard Acquirers. The MATCH database includes information about certain Merchants
(and their owners) that an Acquirer has terminated.
When an Acquirer considers signing a Merchant, MATCH can help the Acquirer assess
whether the Merchant was terminated by another Acquirer due to circumstances that could
affect the decision whether to acquire for this Merchant and, if a decision is made to acquire,
whether to implement specific action or conditions with respect to acquiring.
11.1.1 System Features

MATCH uses Customer-reported information regarding Merchants and their owners to offer
Acquirers the following fraud detection features and options for assessing risk:
• Acquirers may add and search for information regarding up to five principal and associate
business owners per Merchant.
• Acquirers may designate regions and countries for database searches.
• MATCH uses multiple fields to determine possible matches.
• MATCH edits specific fields of data and reduces processing delays by notifying inquiring
Customers of errors as records are processed.
• MATCH supports retroactive alert processing of data residing on the database for up to
360 days.
• Acquirers determine whether they want to receive inquiry matches, and if so, the type of
information that the system returns.
• MATCH processes data submitted by Acquirers once per day and provides daily detail
response files.
• Acquirers may add the name of the Service Provider associated with signing the Merchant.
• Acquirers may access MATCH data in real time using MATCH Online or the Open
Application Programming Interface (Open API).
• Acquirers may submit and receive bulk data using Batch and Import file operations.
• Acquirers may add and search for information regarding Merchant Universal Resource
Locator (URL) website addresses.
Through direct communication with the listing Acquirer, an inquiring Acquirer may determine
whether the Merchant inquired of is the same Merchant previously reported to MATCH,
terminated, or inquired about within the past 360 days. The inquiring Acquirer must then
determine whether additional investigation is appropriate, or if it should take other measures
to address risk issues.
11.1.2 How does MATCH Search when Conducting an Inquiry?

MATCH searches the database for possible matches between the information provided in the
inquiry and the following:

MATCH System
11.1 MATCH Overview
• Information reported and stored during the past five years

• Other inquiries during the past 360 days
MATCH searches for exact possible matches and phonetic possible matches.
NOTE: All MATCH responses reflecting that inquiry information is resident on MATCH are
deemed “possible matches” because of the nature of the search mechanisms employed and
the inability to report a true and exact match with absolute certainty.
NOTE: There are two types of possible matches, including a data match (for example, name-
to-name, address-to-address) and a phonetic (sound-alike) match made using special
software.
NOTE: For convenience only, the remainder of this manual may sometimes omit the word
“possible” when referring to “possible matches” or “a possible match.”
The Acquirer determines the number of phonetic matches—one to nine—that will cause a
possible match to be trustworthy.
MATCH returns the first 100 responses for each inquiry submitted by an Acquirer. MATCH
returns all terminated Merchant MATCH responses regardless of the number of possible
matches.
11.1.2.1 Retroactive Possible Matches

If the information in the original inquiry finds new possible matches of a Merchant or inquiry
record in the MATCH database added since the original inquiry was submitted and this
information has not been previously reported to the Acquirer at least once within the past 360
days, the system returns a retroactive possible match response.
11.1.2.2 Exact Possible Matches

MATCH finds an exact possible match when data in an inquiry record matches data on the
MATCH system letter-for-letter, number-for-number, or both. An exact match to any of the
following data results in a possible match response from MasterCard:
Table 11.1—Exact Possible Match Criteria
Field + Field + Field = Match
Merchant Name = √
Doing Business as (DBA) Name = √
Phone Number (Merchant) = √

MATCH System
11.1 MATCH Overview
Alternate Phone Number = √

(Merchant)
Merchant National Tax ID + Country = √
Merchant State Tax ID + State = √
Merchant Street Address + City + State4 = √
Merchant Street Address + City + Country5 = √
Merchant URL Website Address + City + Country = √
Principal Owner’s (PO) First Name + Last Name = √
PO Phone Number = √
Alternate Phone Number (PO) = √
PO Social Security Number4 = √
PO National ID5 = √
PO Street Address (lines 1 and 2) + PO City + PO State4 = √
PO Street Address (lines 1 and 2) + PO City + PO Country5 = √
PO Driver’s License (DL) Number + DL State4 = √
PO Driver’s License Number + DL Country5 = √
NOTE: MATCH uses Street, City, and State if the Merchant’s country is USA; otherwise, Street,
City, and Country are used.
NOTE: Acquirers must populate the Merchant URL Website Address field when performing an
inquiry of an electronic commerce (e-commerce) Merchant.
4 If country is USA.
5 If country is not USA.

MATCH System
11.2 MATCH Standards
11.1.2.3 Phonetic Possible Matches

The MATCH system converts certain alphabetic data, such as Merchant Name and Principal
Owner Last Name to a phonetic code. The phonetic code generates matches on words that
sound alike, such as “Easy” and “EZ.” The phonetic matching feature of the system also
matches names that are not necessarily a phonetic match but might differ because of a
typographical error, such as “Rogers” and “Rokers,” or a spelling variation, such as “Lee,”
“Li,” and “Leigh.”
MATCH evaluates the following data to determine a phonetic possible match.
Table 11.2—Phonetic Possible Match Criteria
Merchant Name = √
Doing Business As (DBA) Name = √
Merchant Street Address + City + State6 = √
Merchant Street Address + City + Country7 = √
Principal Owner’s (PO) First Name + Last Name = √
PO Street Address (lines 1 and 2) + PO City + PO State6 = √
PO Street Address (lines 1 and 2) + PO City + PO Country7 = √
NOTE: MATCH uses Street, City, and State if the Merchant’s country is USA; otherwise, Street,
City, and Country are used.

MasterCard mandates that all Acquirers with Merchant activity use MATCH.8 To use means
both to:
• Add information about a Merchant that is terminated while or because a circumstance
exists (See section 11.2.2), and
• Inquire against the MATCH database
6 If country is USA.
7 If country is not USA.
8 Acquirers globally are assessed an annual MATCH usage fee of USD 4,000. In addition, Acquirers are assessed a
MATCH inquiry fee (per Member ID/ICA number) for each MATCH inquiry.

MATCH System
Customers must act diligently, reasonably, and in good faith to comply with MATCH
Standards.
11.2.1 Certification
Each Acquirer that conducts Merchant acquiring Activity must be certified by MasterCard to
use MATCH because it is a mandatory system. An Acquirer that does not comply with these
requirements may be assessed for noncompliance, as described in this chapter.
Certification is the process by which MasterCard connects an Acquirer to the MATCH system,
so that the Acquirer may send and receive MATCH records to and from MasterCard. To be
certified for MATCH usage, Acquirers must request access for each Member ID/ICA number
under which acquiring Activity is conducted.
NOTE: An Acquirer that conducts Merchant acquiring Activity under a Member ID/ICA number
that does not have access to the MATCH system is not considered certified.
An Acquirer that is not MATCH-certified is subject to noncompliance assessments as described

in Table 11.3.
11.2.2 When to Add a Merchant to MATCH

If either the Acquirer or the Merchant acts to terminate the acquiring relationship (such as by
giving notice of termination) and, at the time of that act, the Acquirer has reason to believe
that a condition described in Table 11.4 exists, then the Acquirer must add the required
information to MATCH within five calendar days of the earlier of either:
1. A decision by the Acquirer to terminate the acquiring relationship, regardless of the
effective date of the termination, or
2. Receipt by the Acquirer of notice by or on behalf of the Merchant of a decision to
terminate the acquiring relationship, regardless of the effective date of the termination.
Acquirers must act diligently, reasonably, and in good faith to comply with MATCH system
requirements.
Acquirers may not use or threaten to use MATCH as a collection tool for minor Merchant
discretionary activity. One of the defined reason codes in Table 11.4 must be met or suspected
(at decision to terminate) to justify a Merchant addition. Acquirers that use or threaten to use
MATCH as a collection tool for minor Merchant discretionary activity are subject to
noncompliance assessments as described in Table 11.3.
An Acquirer that fails to enter a Merchant into MATCH is subject to a noncompliance
assessment, and may be subject to an unfavorable ruling in a compliance case filed by a
subsequent Acquirer of that Merchant.
11.2.3 Inquiring about a Merchant

An Acquirer must check MATCH before signing an agreement with a Merchant in accordance
with section 7.1 of this manual.

MATCH System
An Acquirer that enters into a Merchant Agreement without first submitting an inquiry to
MATCH about the Merchant may be subject to an unfavorable ruling in a compliance case
filed by a subsequent Acquirer of that Merchant.
Acquirers must conduct inquiries under the proper Member ID/ICA Number for reporting
compliance reasons. If an Acquirer does not conduct the inquiry under the proper Member
ID/ICA Number (that is, the Member ID/ICA Number that is actually processing for the
Merchant), MasterCard may find the Acquirer in noncompliance and may impose an
assessment.
Failure to comply with either the requirement of adding a terminated Merchant or inquiring
about a Merchant may result in noncompliance assessments as described in Table 11.3.
11.2.4 MATCH Noncompliance Assessments

Acquirers that fail to comply with MATCH certification or use (adding and inquiring about
Merchants, using or threatening to use as a collection tool for minor Merchant discretionary
activity) requirements are subject to noncompliance assessments as described in Table 11.3.
MasterCard, in its sole discretion, will determine whether the Acquirer is in compliance. If
deemed appropriate, MasterCard will advise the Acquirer’s senior management of instances of
noncompliance and the resulting noncompliance assessments.
Table 11.3—Noncompliance Assessments
Reason Assessment
Failure to certify for MATCH usage under each Up to USD 10,000 per month until Acquirer is
Member ID/ICA number used for Merchant certified
acquiring Activity
Failure to inquire to MATCH before signing a Up to USD 5,000 for each instance of
Merchant Agreement noncompliance
Failure to add a terminated Merchant to MATCH Up to USD 5,000 per month for each instance of
noncompliance
Use or threaten to use MATCH as a collection tool Up to USD 5,000 for each instance of
for minor Merchant discretionary activity noncompliance
11.2.5 Exceptions to MATCH Standards

For any exception to these MATCH Standards, send a written request to the Merchant Fraud
Control address provided in the Security and Risk Services section of Appendix C.

MATCH System
11.3 Merchants Listed by MasterCard
11.2.6 MATCH Record Retention

An Acquirer should retain all MATCH records returned by MasterCard to substantiate
that the Acquirer complied with the required procedures. MasterCard recommends that the
Acquirer retain these records in a manner that allows for easy retrieval.
Merchant records remain on the MATCH system for five years. Each month, MATCH
automatically purges any Merchant information that has been in the database for five years.
NOTE: The MATCH system database stores inquiry records for 360 days.
11.3 Merchants Listed by MasterCard

A Merchant listing may prompt inquiry or additional inquiry by an Acquirer about the
Merchant. If MATCH inquiry data matches data in the MATCH file, either by an exact or
phonetic match, MasterCard will generate a response record. The Member ID/ICA Number
1996 in a response record, together with one of the MATCH reason codes listed in Table 11.6,
indicates that the inquiry record matches a MasterCard Listed Merchant.
NOTE: A value of 1996 in the MasterCard Reference Number field of a response record
indicates that an inquiry possibly matched a questionable Merchant record.
Acquirers that receive a possible match response with Member ID/ICA Number 1996 in the
MasterCard Reference Number field may contact the Merchant Fraud Control staff as
described in the Security and Risk Services section of Appendix C.
11.3.1 Questionable Merchants

MATCH also contains data about Merchants and their owners classified as questionable by the
Merchant Fraud Control staff. These Merchants and owners are listed as questionable
Merchants because MasterCard is auditing the Merchant for compliance with rules.
The questionable Merchant listings may prompt inquiry or additional inquiry by an Acquirer
about the Merchant. If MATCH inquiry data matches data in the MATCH file, either by an
exact or phonetic match, MasterCard will generate a response record. The Member ID/ICA
Number 1996 in a response record, together with a MATCH reason code 00, indicates that
the inquiry record matches a questionable Merchant entry.
11.4 Merchant Removal from MATCH

MasterCard may remove a Merchant listing from MATCH for the following reasons:
• The Acquirer reports to MasterCard that the Acquirer added the Merchant to MATCH in
error.
• The Merchant listing is for reason code 12 (Payment Card Industry Data Security Standard
Noncompliance) and the Acquirer has confirmed that the Merchant has become compliant

MATCH System
11.5 MATCH Reason Codes
with the Payment Card Industry Data Security Standard. The Acquirer must submit the
request to remove a MATCH reason code 12 Merchant listing from MATCH in writing on
the Acquirer’s letterhead to Merchant Fraud Control. Such request must include the
following information:
1. Acquirer ID Number
2. Merchant ID Number
3. Merchant Name
4. Doing Business As (DBA) Name
5. Business Address
a. Street Address
b. City
c. State
d. Country
e. Postal Code
6. Principal Owner (PO) Data
a. PO’s First Name and Last Name
b. PO’s Country of Residence
Refer to section C.2 of Appendix C of this manual for the contact information of
Merchant Fraud Control.
Any request relating to a Merchant listed for reason code 12 must contain:
– The Acquirer’s attestation that the Merchant is in compliance with the Payment
Card Industry Data Security Standard, and
– A letter or certificate of validation from a MasterCard certified forensic examiner,
certifying that the Merchant has become compliant with the Payment Card
Industry Data Security Standard.
If an Acquirer is unwilling or unable to submit a request to MasterCard with respect
to a Merchant removal from a MATCH listing as a result of the Merchant obtaining
compliance with the Payment Card Industry Data Security Standard, the Merchant
itself may submit a request to MasterCard for this reason. The Merchant must
follow the same process as described above for Acquirers to submit the MATCH
removal request.

MATCH reason codes identify whether a Merchant was added to the MATCH system by the
Acquirer or by MasterCard, and the reason for the listing.
11.5.1 Reason Codes for Merchants Listed by the Acquirer

The following reason codes indicate why an Acquirer reported a terminated Merchant to
MATCH.

MATCH System
Table 11.4—MATCH Listing Reason Codes Used by Acquirers
MATCH
Reason
Code Description
01 Account Data Compromise

An occurrence that results, directly or indirectly, in the unauthorized access to or disclosure of
Account data.
02 Common Point of Purchase (CPP)

Account data is stolen at the Merchant and then used for fraudulent purchases at other
Merchant locations.
03 Laundering
The Merchant was engaged in laundering activity. Laundering means that a Merchant
presented to its Acquirer Transaction records that were not valid Transactions for sales of
goods or services between that Merchant and a bona fide Cardholder.
04 Excessive Chargebacks
With respect to a Merchant reported by a MasterCard Acquirer, the number of chargebacks
in any single month exceeded 1% of the number of MasterCard sales Transactions in that
month, and those chargebacks totaled USD 5,000 or more.
With respect to a merchant reported by an American Express acquirer (ICA numbers 102
through 125), the merchant exceeded the chargeback thresholds of American Express, as
determined by American Express.
05 Excessive Fraud
The Merchant effected fraudulent Transactions of any type (counterfeit or otherwise) meeting
or exceeding the following minimum reporting Standard: the Merchant’s fraud-to-sales dollar
volume ratio was 8% or greater in a calendar month, and the Merchant effected 10 or more
fraudulent Transactions totaling USD 5,000 or more in that calendar month.
06 Reserved for Future Use
07 Fraud Conviction
There was a criminal fraud conviction of a principal owner or partner of the Merchant.
08 MasterCard Questionable Merchant Audit Program

The Merchant was determined to be a Questionable Merchant as per the criteria set forth in
the MasterCard Questionable Merchant Audit Program (refer to section 8.4 of this manual).

MATCH System
MATCH
Reason
Code Description
09 Bankruptcy/Liquidation/Insolvency
The Merchant was unable or is likely to become unable to discharge its financial obligations.
10 Violation of Standards
With respect to a Merchant reported by a MasterCard Acquirer, the Merchant was in
violation of one or more Standards that describe procedures to be employed by the Merchant
in Transactions in which Cards are used, including, by way of example and not limitation, the
Standards for honoring all Cards, displaying the Marks, charges to Cardholders, minimum/
maximum Transaction amount restrictions, and prohibited Transactions set forth in Chapter 5
of the MasterCard Rules manual.
With respect to a merchant reported by an American Express acquirer (ICA numbers 102
through 125), the merchant was in violation of one or more American Express bylaws, rules,
operating regulations, and policies that set forth procedures to be employed by the merchant
in transactions in which American Express cards are used.
11 Merchant Collusion
The Merchant participated in fraudulent collusive activity.
12 PCI Data Security Standard Noncompliance

The Merchant failed to comply with Payment Card Industry (PCI) Data Security Standard
requirements.
13 Illegal Transactions
The Merchant was engaged in illegal Transactions.
14 Identity Theft
The Acquirer has reason to believe that the identity of the listed Merchant or its principal
owner(s) was unlawfully assumed for the purpose of unlawfully entering into a Merchant
Agreement.
11.5.2 Reason Codes for Merchants Listed by MasterCard

The following MATCH reason codes and descriptions apply to those Merchants listed
following evaluation by the Merchant Fraud Control staff.

MATCH System
11.6 Requesting Access to and Using MATCH
Table 11.6—MATCH Reason Codes and Descriptions
MATCH
Reason
Code Description
00 Questionable Merchant/Under Investigation

A Merchant that is the subject of an audit with respect to the Standards. MasterCard
currently conducts special Merchant audits for excessive fraud-to-sales ratios, excessive
chargebacks, counterfeit activity, or collusive or otherwise fraudulent Merchant activity.
20 MasterCard Questionable Merchant Audit Program

A Merchant that MasterCard has determined to be a Questionable Merchant as per the
criteria set forth in the MasterCard Questionable Merchant Audit Program (refer to section
8.4 of this manual).
21 Non-face-to-face Adult Content and Services Special Merchant

A non-face-to-face adult content and services Merchant that MasterCard has determined to
have violated MasterCard excessive chargeback Standards.
22 Excessive Chargeback Merchant

A Merchant that MasterCard has determined to have violated the MasterCard Excessive
Chargeback Program and is not a non-face-to-face adult content and services Merchant.
23 Merchant Collusion
The Merchant participated in fraudulent collusive activity, as determined by the Acquirer by
any means, including data reporting, criminal conviction, law enforcement investigation, or
as determined by MasterCard.
24 Illegal Transactions
The Merchant was engaged in illegal Transactions.
11.6 Requesting Access to and Using MATCH

Customers may request access to MATCH through the MasterCard Connect Store on
MasterCard Connect™.
For information about MATCH records, how to access and navigate the MATCH system, make
inquiries, and add, modify, or delete Merchant information, refer to the MATCH User Manual,
available in the MasterCard Connect™ Publications product.

MATCH System
11.7 Legal Notice
For technical information regarding the use of MATCH, refer to the MATCH User Manual,
available in the MasterCard Connect™ Publications product.
For information about MATCH reports, refer to the MATCH User Manual.
11.7 Legal Notice
The MasterCard MATCH system and data are proprietary and confidential to MasterCard
International and its licensed Customers.
A Customer may use MATCH solely for the purpose of developing enhanced or incremental
risk information before entering into a Merchant Agreement; any other use is prohibited.
The Standards in Chapter 11 of the MasterCard Security Rules and Procedures set forth
Customer rights and obligations pertaining to access to and use of MATCH. The Standards
require, among other things, that an Acquirer conduct an inquiry before acquiring
MasterCard-branded Transactions from a Merchant and that an Acquirer report information
pertaining to a Merchant that has been terminated for any one or more of a specified number
of reasons. The Standards do not require an Acquirer to take any action or any specific action
after receiving a response record and do not require that an Acquirer provide any information
to or otherwise cooperate with any other Acquirer. MATCH may enable an Acquirer to
develop enhanced or incremental risk information concerning a Merchant, but does not itself
provide risk information. The Acquirer itself must determine whether the Merchant that is the
subject of a “possible match” response is the same Merchant that the Acquirer conducted an
inquiry about. A “possible match” response to an inquiry does not mean or suggest that a
Merchant is a poor risk or greater risk than any other Merchant. A Customer itself must
determine whether a Merchant poses a risk and, if so, the nature of such risk.
MasterCard does not verify, otherwise confirm, or ask for confirmation of either the basis for
or accuracy of any information that is reported to or listed in MATCH. MATCH may include
incorrect, inaccurate, and incomplete information as well as information that should not have
been reported. It is possible that facts and circumstances giving rise to a MATCH system report
may be subject to interpretation and dispute.
Use of MATCH is “Activity”, as such term is defined in the Definitions portion of the
MasterCard Rules. MATCH is a part of “Systems”, as such term is defined in MasterCard Rule
2.3 (Indemnity and Limitation of Liability). A Customer that directly or indirectly has access to
or use of MATCH is an “Indemnifying Customer,” as such term is defined in MasterCard Rule
2.3. A Customer’s direct or indirect access to or use of MATCH is Activity of that Customer
and subject to the terms of MasterCard Rule 2.3.

System to Avoid Fraud Effectively (SAFE) Reporting Standards
Chapter 12 System to Avoid Fraud Effectively (SAFE)

Reporting Standards
This chapter addresses reporting fraudulent data to MasterCard via SAFE OnLine. It also provides an
overview of the SAFE Compliance Program.
12.1 SAFE Overview....................................................................................................................158

12.2 SAFE Fraud Reporting Standards......................................................................................... 158
12.2.1 Digital Secure Remote Payment Transactions and Tokenized Account Data.................. 158
12.3 SAFE Reason Codes............................................................................................................ 159
12.4 Data Accuracy and Integrity................................................................................................ 160
12.5 Timely Reporting of MasterCard and Debit MasterCard Transactions................................... 160
12.5.1 Tier I Reporting Requirement....................................................................................... 161
12.5.2 Tier II Reporting Requirement ..................................................................................... 161
12.5.3 Tier III Reporting Requirement..................................................................................... 161
12.6 Timely Reporting of Maestro Transactions........................................................................... 161
12.7 Timely Reporting of Cirrus Transactions...............................................................................161
12.8 Digital Goods Transactions.................................................................................................. 161
12.9 Fraud-related Chargebacks................................................................................................. 162
12.10 High Clearing Transaction Volume.....................................................................................162
12.11 Transaction Amount..........................................................................................................162
12.12 Resubmitting Rejected Transactions...................................................................................162
12.13 Noncompliance Assessments.............................................................................................163
12.14 Variances ......................................................................................................................... 163

12.1 SAFE Overview
12.1 SAFE Overview

MasterCard requires all Issuers to report fraudulent Transactions to MasterCard using the
System to Avoid Fraud Effectively (SAFE). Each Issuer must ensure that the Transaction
information submitted to MasterCard via SAFE is accurate and delivered in a timely fashion.
MasterCard has established data quality controls to monitor the Transaction information that
an Issuer submits to SAFE. SAFE does not permit an Issuer to report fraudulent credits
(refunds) on an Account or authorizations that the Issuer declined due to suspicion of
potential fraud.
12.2 SAFE Fraud Reporting Standards

An Issuer must use SAFE for the monthly reporting of all of the following Transaction types,
including Transactions charged back for a fraud-related reason and Transactions for which
fraud losses were recovered by a means other than a chargeback:
1. All fraudulent MasterCard Point-of-Sale (POS) Transactions;
2. All fraudulent Maestro POS Transactions processed by means of the Interchange System,
plus fraudulent intra-European >>>and inter-European<<< Maestro POS Transactions not
processed by means of the Interchange System; and
3. All fraudulent ATM Transactions.
The Issuer must identify each fraudulent Transaction reported to SAFE using the applicable
SAFE reason code, as set forth in section 12.3.
An Issuer with no reportable occurrence of fraudulent Transactions within a relevant reporting
period must submit a Fraud Negative Reporting (FDN) Record by the end of the reporting
month.
NOTE: An Issuer can submit an FDN Record between the first day and the last day of the
month. For information on how to submit such report, see Chapter 1 of the SAFE Products
User Guide.
12.2.1 Digital Secure Remote Payment Transactions and Tokenized Account Data
The Issuer must report each Digital Secure Remote Payment Transaction identified as
fraudulent to SAFE using SAFE reason code 05 (Account Takeover Fraud). For information
about Digital Secure Remote Payment Transaction identification requirements, refer to
Appendix E of the Chargeback Guide.
When reporting any Transaction containing a MasterCard Token to SAFE, the Issuer must
include the Token Primary Account Number (Token PAN) from DE 48, subelement 33, subfield
2 of the Authorization Request/0100 or Financial Transaction Request/0200 message in Field 7
(Cardholder Number) of the SAFE record, along with all other applicable Transaction type
indicators.

12.3 SAFE Reason Codes
12.3 SAFE Reason Codes

The following SAFE reason codes must be used by Issuers to indicate the reason that the Issuer
reported a fraudulent Transaction via SAFE.
Table 12.1—SAFE Listing Reason Codes Used by Issuers
Code Description
00 Lost Fraud—A fraudulent Transaction that occurs with the use of a lost Card or other
Access Device (or other instrument accessing an Account—for example, convenience
and balance transfer checks) without the actual, implied, or apparent authority of the
Cardholder.
01 Stolen Fraud—A fraudulent Transaction that occurs with the use of a stolen Card or
other Access Device (or other instrument accessing an Account—for example,
convenience and balance transfer checks) without the actual, implied, or apparent
authority of the Cardholder.
02 Never Received Issue—The interception and use of a Card or other Access Device (or
other instrument accessing an Account—for example, convenience and balance transfer
checks), before receipt by the Cardholder, by a person without the actual, implied, or
apparent authority of the Cardholder.
03 Fraudulent Application—A fraudulent Transaction that occurs with the use of a Card
or other Access Device that was obtained with an application using a false name or
other false identification information.
04 Counterfeit Card Fraud—The use of an altered or illegally reproduced Card or other

Access Device (or other instrument accessing an Account—for example, convenience
and balance transfer checks) including the replication or alteration of the magnetic stripe
or embossing.
05 Account Takeover Fraud—An existing credit or debit Account is used without the
actual, implied, or apparent authority of the Cardholder, by a person who gains access to
and use of the Account through unauthorized means, such as a change of address or
request for the re-issuance of a Card or other Access Device (or other instrument for
accessing an Account—for example, convenience and balance transfer checks) but not
lost or stolen Cards.
06 Card Not Present Fraud—A fraudulent Transaction that occurs with the use of credit or
debit Account information including pseudo-account information without the Card or
other Access Device being involved, via the phone, mail, Internet, or other electronic
means without the actual, implied, or apparent authority of the Cardholder.

12.4 Data Accuracy and Integrity
Code Description
07 Multiple Imprint Fraud—A fraudulent Transaction that occurs with a credit or debit
Card where the Merchant, having completed a legitimate face-to-face Transaction,
deposits one or more additional Transactions without the actual, implied, or apparent
authority of the Cardholder. For example, the Merchant makes several imprints of a Card
on paper formsets or produces POS Terminal receipts upon receiving additional online or
offline Card-read authorization approvals.
51 Bust-out Collusive Merchant—A collusive Cardholder engaging in Transactions with a

collusive Merchant as defined in the MasterCard Questionable Merchant Audit Program.
12.4 Data Accuracy and Integrity

An Issuer is responsible for accurately submitting fraudulent Transactions via the SAFE tool.
MasterCard matches the submitted SAFE information with the corresponding authorization
and clearing records to ensure data accuracy.
12.5 Timely Reporting of MasterCard and Debit MasterCard

Transactions
With respect to MasterCard® and Debit MasterCard® Transactions, MasterCard has established
three tiers to monitor timeliness of SAFE reporting based on fraud type.
Table 12.2—Fraud Tiered Classification
Tier I Fraud Tier II Fraud Tier III Fraud
Reason Code 00 (Lost Card) Reason Code 06 (Card Not Reason Code 03 (Fraudulent
Present) Application)
Reason Code 01 (Stolen Card)
Reason Code 05 (Account
Reason Code 02 (Never Received
Takeover)
Issue)
Reason Code 07 (Multiple
Reason Code 04 (Counterfeit
Imprint)
Card Fraud)
For purposes of the SAFE program, the following terms have the meanings set forth below:
1. “Tier I Transaction” means a Transaction that is properly identified using SAFE message
reason code 00 (Lost Fraud), 01 (Stolen Fraud), 02 (Never Received Issue), or 04
(Counterfeit Card Fraud).

12.6 Timely Reporting of Maestro Transactions
2. “Tier II Transaction” means a Transaction that is properly identified using SAFE message
reason code 06 (Card Not Present Fraud).
3. “Tier III Transaction” means a Transaction that is properly identified using SAFE message
reason code 03 (Fraudulent Application), 05 (Account Takeover Fraud), or 07 (Multiple
Imprint Fraud).
12.5.1 Tier I Reporting Requirement

An Issuer must report at least 80% of Tier I Transactions to SAFE within 60 days from the
Transaction date or 30 days from the Cardholder notification date or 60 days of the first
chargeback date, unless the Standards require the Issuer to report the Transaction to SAFE
before a chargeback occurs.
12.5.2 Tier II Reporting Requirement

An Issuer must report at least 65% of Tier II Transactions to SAFE within 60 days from the
Transaction date or 30 days from the Cardholder notification date or 60 days of the first
chargeback date, unless the Standards require the Issuer to report the Transaction to SAFE
before a chargeback occurs.
12.5.3 Tier III Reporting Requirement

An Issuer must report Tier III Transactions to SAFE within 30 days of the Cardholder
notification date.
12.6 Timely Reporting of Maestro Transactions

All fraudulent Maestro POS Transactions processed via the Interchange System, fraudulent
intra-European >>>and inter-European<<< Maestro POS Transactions not processed via the
Interchange System, and fraudulent Maestro ATM Transactions must be reported to SAFE. An
Issuer must report at least 80% of all such fraudulent Transactions to SAFE within 60 days
from the Transaction date or 30 days from the Cardholder notification date.
12.7 Timely Reporting of Cirrus Transactions

A Cirrus® Transaction is an ATM Transaction that occurs through the use of a Card that bears
the Cirrus Mark(s) but no other Mark(s) or Visa mark(s) and is processed via the Interchange
System. The Issuer must report at least 80% of fraudulent Cirrus Transactions to SAFE within
90 days from the date of discovery or 90 days from the Cardholder notification date,
whichever occurs first.
12.8 Digital Goods Transactions

>>>

12.9 Fraud-related Chargebacks
An Issuer must not report a non-fraudulent e-commerce Transaction that is less than or equal
to USD 25 (or the local currency equivalent) for the purchase of Digital Goods via SAFE. An
Issuer that reports any such Transaction via SAFE will be subject to assessments for
noncompliance with the SAFE reporting Standards.
<<<
12.9 Fraud-related Chargebacks

An Issuer must report all fraudulent Transactions to SAFE, notwithstanding the status of the
Account or the reason for the chargeback. All Transactions charged back for a fraud-related
reason that are not submitted for second presentment are considered fraudulent.
MasterCard identifies Issuers that have processed fraud-related chargebacks using message
reason code 4837 (No Cardholder Authorization) or 4840 (Fraudulent Processing of
Transactions) and have not reported the corresponding Transactions to SAFE. Such
Transactions must otherwise be reported to SAFE within 60 days of the first chargeback date.
12.10 High Clearing Transaction Volume

MasterCard monitors Issuers with high clearing Transaction volumes that have not reported
any fraudulent Transaction to SAFE during the relevant time periods. Any Issuer that has not
reported fraud in a month in which the Issuer had clearing volume of at least 25,000
Transactions or in a quarter in which the Issuer had clearing volume of at least 75,000
Transactions will be identified as noncompliant with the SAFE reporting Standards.
12.11 Transaction Amount

Where appropriate, SAFE will generate a return code to identify a suspicious amount
Transaction.
A suspicious amount Transaction with a return code of 24800 is a Transaction reported to
SAFE that is equal to or greater than USD 9,999. A suspicious amount Transaction with a
return code of 24511 is a Transaction reported to SAFE for which the Transaction amount
exceeds the billing amount by more than the 25% allowable difference.
An Issuer must confirm, modify, or delete each identified suspicious amount Transaction
within 60 days of receiving a return code.
12.12 Resubmitting Rejected Transactions

An Issuer must monitor Transactions rejected during submission to SAFE. The Issuer must
correct and resubmit each rejected Transaction to SAFE in the following transmission. Failure

12.13 Noncompliance Assessments
to correct a rejected Transaction within 60 days of notification will result in noncompliance

with SAFE reporting Standards and may result in noncompliance assessments.
12.13 Noncompliance Assessments

MasterCard, in its sole discretion, determines whether an Issuer is compliant with the SAFE
reporting Standards. An Issuer that fails to timely report fraudulent Transactions to SAFE is
subject to noncompliance assessments and ineligibility to claim reimbursement for incurred
losses under the Excessive Chargeback Program (ECP).
After the first quarter of noncompliance, MasterCard will send an Issuer a warning letter
(“First Notice”) informing such Issuer that it risks being assessed for noncompliance with
SAFE. The First Notice affords an Issuer the opportunity to remedy the noncompliance issue
without being assessed. After two consecutive quarters of noncompliance, MasterCard will
send an Issuer a noncompliance assessment letter (“Final Notice”) describing any applicable
assessment amounts.
12.14 Variances
MasterCard, at its sole discretion, may grant a SAFE compliance variance to an Issuer for a
limited period of time due to exigent circumstances. Throughout such variance period, said
Issuer must take appropriate and timely action to resolve any outstanding noncompliance
issues. If an Issuer fails to become compliant by the end of the stated variance period, an
assessment may be reinstated for the variance period.
NOTE: Unless noncompliance is the result of a MasterCard issue, an Issuer is required to check
the Promise Agreement box, thereby agreeing to be fully SAFE compliant for a period of at
least one year beginning from the end of the variance period. Any noncompliance during the
Promise Period automatically puts such Issuer into Final Notice.

Global Risk Management Program
Chapter 13 Global Risk Management Program

This chapter describes the Global Risk Management Program Standards and applies to all
MasterCard Customers, Service Providers, and Payment Facilitators.
13.1 About the Global Risk Management Program..................................................................... 165

13.1.1 Customer Onboarding Reviews................................................................................... 165
13.1.2 Third Party Risk Reviews.............................................................................................. 166
13.1.3 Customer Risk Reviews................................................................................................166
13.1.3.1 Merchant Risk Review Requirement .................................................................... 166
13.1.4 Customer Consultative Reviews...................................................................................166
13.2 Global Risk Management Program Review Topics................................................................ 167
13.2.1 Issuer Global Risk Management Program Review Topics............................................... 167
13.2.2 Acquirer Global Risk Management Program Review Topics...........................................167
13.3 Global Risk Management Program Reports......................................................................... 168
13.4 Customer Risk Review Conditions....................................................................................... 169
13.4.1 Customer Risk Review Issuer Criteria .......................................................................... 169
13.4.2 Customer Risk Review Acquirer Criteria....................................................................... 169
13.4.3 Basis Points Calculation............................................................................................... 170
13.5 Global Risk Management Program Fees.............................................................................. 170
13.6 Noncompliance with Fraud Loss Control Standards............................................................. 170

13.1 About the Global Risk Management Program

The MasterCard Global Risk Management Program is a tool for assessing a MasterCard
Customer’s current capability to manage, anticipate, and protect against internal and external
risks in the issuing and acquiring portfolio.
The Global Risk Management Program also determines the effectiveness of existing fraud loss
controls and other risk reduction measures and assists MasterCard Customers in identifying
specific areas where such measures may be inadequate.
In addition, the Global Risk Management Program provides industry best practices to support
business growth by enhancing the overall operational efficiency and profitability of the issuing
and acquiring portfolio while maintaining losses at an acceptable level.
The Global Risk Management Program consists of three mandatory levels and one optional
level. The three mandatory levels are Customer Onboarding Reviews for prospective
MasterCard Principal Customers and MasterCard Affiliate Customers, Third Party Risk Reviews,
and Customer Risk Reviews for MasterCard Principal Customers. A Maestro Customer
identified by MasterCard as a Group 3 Issuer pursuant to the Maestro Issuer Loss Control
Program may also be required to undergo a Customer Risk Review. A Customer may also
choose to participate in Customer Consultative Reviews. This chapter describes the Standards
for each review level.
13.1.1 Customer Onboarding Reviews

The Customer Onboarding Review is mandatory for any entity applying to become a
MasterCard Principal Customer or a MasterCard Affiliate Customer, at the sole discretion of
Global Risk Management Program staff.
The Customer Onboarding Review takes place during the initial licensing and certification
stage, and requires the entity to complete one or both of the following questionnaires:
• Global Risk Management Program Issuer Questionnaire
• Global Risk Management Program Acquirer Questionnaire
If an entity that has applied to become a MasterCard Principal Customer is not in compliance
with the fraud loss control Standards and the minimum requirements of fraud loss control
programs described in Chapter 6, MasterCard may withhold approval of the application until
the entity achieves compliance.
In addition, MasterCard reserves the right to require a Customer Risk Review if:
• Global Risk Management Program staff is dissatisfied with the response to a Customer
Onboarding questionnaire (in terms of speed, content, or both), or
• Global Risk Management Program staff determines that the Customer represents a
potential unacceptable risk, or potential threat to other Customers.
NOTE: There may be an additional on-site review conducted by Global Risk Management
Program staff within one year of assessment of the completed questionnaire.

13.1.2 Third Party Risk Reviews

The Third Party Risk Review is an annual review conducted for selected Service Providers and
Payment Facilitators, at the sole discretion of Global Risk Management Program staff.
MasterCard will examine the Service Provider’s or Payment Facilitator’s ability to support
MasterCard Customers so that they can adhere to the minimum fraud loss control Program
requirements described in Chapter 6 of this manual.
A Service Provider or Payment Facilitator that fails a Third Party Risk Review is subject to
deregistration.
13.1.3 Customer Risk Reviews

MasterCard requires that each MasterCard Customer (parent and child Member ID/ICA
number) conduct its issuing and acquiring Activities in a prudent and financially sound manner
so as to avoid inordinate risk to itself and other Customers.
MasterCard will select MasterCard Customers for a Customer Risk Review of their systems and
Programs, in an effort to determine whether the selected Customer has put in place adequate
and effective fraud loss control programs and to evaluate the Customer’s initial and
continuing ability to avoid inordinate risk.
A MasterCard Customer must submit to and cooperate in a Customer Risk Review.
MasterCard, at its sole discretion, may determine that a Customer Risk Review is necessary or
appropriate.
The Customer will receive a detailed and comprehensive gap analysis report containing
recommendations and benefits of critical findings during the course of the review.
If required, the report will be supplemented by an action plan.
13.1.3.1 Merchant Risk Review Requirement

A Customer selected for a Customer Risk Review that processes Transactions for e-commerce
Merchants will receive the following services:
• An online survey to determine the Customer’s risk level
• A scan of the Customer’s Merchants’ websites to determine the number of potential illegal
or brand-damaging violations
• A report that includes best practices, a risk report card, and a statistical review of the
Customer’s number of potential illegal or brand-damaging violations
13.1.4 Customer Consultative Reviews

The Customer Consultative Review is optional and is available upon request by a Customer.
This review is consultation-oriented, and is conducted on site.
The Customer will receive a detailed and comprehensive gap analysis report containing
recommendations and benefits of critical findings during the course of the review.
If required, the report will be supplemented by an action plan.

13.2 Global Risk Management Program Review Topics
13.2 Global Risk Management Program Review Topics

This section describes the topics that are covered by Global Risk Management Program
reviews. Additional topics may be included at the sole discretion of MasterCard.
13.2.1 Issuer Global Risk Management Program Review Topics

An Issuer review will cover the following topics, where applicable.
• Organizational structure
• Operational statistics
• Card acquisition channels
• Direct sales agency
• Card application process, including application fraud
• Credit scoring
• Credit bureau information
• Credit limit assignment
• Account management, including credit limit management
• Authorization function, process, and performance
• Data storage
• Fraud loss control programs
• Description of the Customer implementation strategy with regard to EMV Chip/PIN,
MasterCard® SecureCode™, and contactless payment technologies
• Anti-money laundering policies
• Fraud detection performance and effectiveness
• Transaction verification strategy
• Fraud investigations
• Account Data Compromise (ADC) Event or Potential ADC Event identification and analysis
• System to Avoid Fraud Effectively (SAFE) fraud reporting
• Use of MasterCard Connect™
• Fraud loss charge-off policy
• Fraud-related chargebacks and recoveries
• Receipt and use of fraud reports
• Fraud loss budgeting and forecasting
• Management information systems analysis and methodology
13.2.2 Acquirer Global Risk Management Program Review Topics

An Acquirer review will cover the following topics, where applicable.
• Organizational structure
• Operational statistics
• Merchant acquisition channels (retail and e-commerce)
• Direct sales agency

13.3 Global Risk Management Program Reports
• Merchant application process, including application fraud

• Merchant site inspections (retail and e-commerce)
• MasterCard Alert to Control High-risk (Merchants) (MATCH™)
• Credit bureau information
• Merchant Agreements
• Point-of-Sale (POS) Terminal capability
• Description of the Customer implementation strategy with regard to EMV Chip/PIN,
MasterCard® SecureCode™, and contactless payment technologies
• Anti-money laundering policies
• Merchant support and services
• Authorization function and process
• Data storage
• E-commerce and Internet site data integrity
• Fraud loss control programs and Merchant monitoring
• Fraud detection performance and effectiveness
• Use of a >>>Merchant<<< monitoring solution to avoid potential illegal or brand-
damaging violations
• Transaction verification strategy
• Fraud investigations
• ADC Event or Potential ADC Event identification and analysis
• Use of MasterCard Connect™
• Receipt and use of fraud reports
• Acquirer compliance programs
• Management information systems analysis and methodology
13.3 Global Risk Management Program Reports

After a Global Risk Management Program review, the Customer or non-Customer, as the case
may be, will receive a written report indicating its status as to compliance with the fraud loss
control Standards and minimum fraud loss control program requirements set forth in Chapter
6, plus other required or recommended actions.
In the case of noncompliance:
• The report will indicate a number of actions that must be taken to bring the Customer or
non-Customer into compliance.
• The Customer or non-Customer, as the case may be, must complete an action plan and
indicate implementation dates.
• The Global Risk Management Program staff assesses the action plan and the proposed
implementation dates, monitors progress and results, and determines whether the
Customer’s programs meet the loss control program requirements.
• The Customer may be subject to noncompliance assessments with the fraud loss control
Standards set forth in Chapter 6 of this manual. Please refer to section 13.6 of this manual
for more information regarding noncompliance assessments.

13.4 Customer Risk Review Conditions
13.4 Customer Risk Review Conditions

The following conditions are examples of specific situations or conditions that may warrant a
Customer Risk Review. Other conditions may also warrant a Customer Risk Review.
13.4.1 Customer Risk Review Issuer Criteria

MasterCard may subject an Issuer to a Customer Risk Review if any of the following
conditions exist:
1. MasterCard determines that the Issuer creates or may create an unacceptable risk. By way
of example and not limitation, this condition exists when:
– The Issuer’s fraud basis points or counterfeit basis points exceed two times the Regional
average
OR
– The Issuer’s fraud basis points or counterfeit basis points exceed two times the
worldwide basis point average.
2. The Issuer has been identified two or more times for SAFE noncompliance.
13.4.2 Customer Risk Review Acquirer Criteria

MasterCard may subject an Acquirer to a Customer Risk Review if any of the following
conditions exist:
1. MasterCard staff determines that the Acquirer creates or may create a burden to the
system. By way of example and not limitation, this condition exists when:
– The Acquirer’s fraud basis points or counterfeit basis points exceed two times the
Regional average (averaged over four quarters)
OR
– The Acquirer’s fraud basis points or counterfeit basis points exceed two times the
worldwide fraud basis point average (averaged over four quarters).
2. The Acquirer has six or more Merchant locations, each of which, in any one month, has:
– Counterfeit Transactions totaling 5 percent of their total Transactions for the month,
when the dollar volume associated with any counterfeit Transaction is a minimum of
USD 1,000
OR
– At least two counterfeit Transactions in one month totaling a minimum of USD 2,500.
3. The Acquirer Counterfeit Volume Ratio (ACVR) is above a threshold ten times the
worldwide ACVR.
4. The Acquirer has been notified of a violation of the Illegal or Brand-damaging Transactions
Rule (Rule 5.11.7 of the MasterCard Rules manual).
5. The Acquirer acquires Transactions for a Merchant that has engaged in activity that
MasterCard deems inappropriate in connection with use of the MasterCard brand.

13.5 Global Risk Management Program Fees
13.4.3 Basis Points Calculation

The calculation for fraud basis points is performed as follows:
• The gross fraud (as reported to SAFE) for a given time frame (such as a quarter or a year)
• Is divided by the corresponding sales (as reported through the Quarterly MasterCard Report
[QMR]) for the same time frame
• The result is multiplied by a factor of 10,000 to obtain fraud basis points.
Given that fraud basis points are calculated using both SAFE and QMR data, Customers are
advised to coordinate with the department responsible for QMR reporting to ensure that the
data that they report is complete, accurate, and up-to-date.
13.5 Global Risk Management Program Fees

The pricing principles for Global Risk Management Program reviews (questionnaires and on-
site reviews) are indicated in the MasterCard Consolidated Billing System Reports relevant to
the Customer’s or non-Customer’s Region.
13.6 Noncompliance with Fraud Loss Control Standards

Following a Global Risk Management Program review, a noncompliant Customer will receive a
written report with requirements that must be satisfied within an established period to
achieve compliance with the fraud loss control Standards and minimum fraud loss control
program requirements.
If a MasterCard Customer fails to take the required actions to achieve compliance, one or
more of the following may occur:
• Noncompliance assessments, as indicated in Table 13.1.
• Revocation of the Customer’s License. A Customer may appeal such a revocation to
MasterCard. Any decision by MasterCard is final.
Table 13.1—Noncompliance Assessments with Loss Control Program Requirements
Period Amount assessed per month
First quarter of noncompliance USD/EUR 25,000 per month
Second quarter of noncompliance USD/EUR 50,000 per month
Third quarter of noncompliance USD/EUR 75,000 per month
Each month after the third quarter of noncompliance USD/EUR 100,000 per month

Track Data Content and Format
Appendix A Track Data Content and Format

This appendix contains information about magnetic stripe Track 1 and Track 2 data layout, content,
and format requirements.
A.1 Track 1 Data Content and Format......................................................................................... 172

A.2 Track 2 Data Content and Format......................................................................................... 174

A.1 Track 1 Data Content and Format

Track 1 of the magnetic stripe must be encoded with the information shown in Figure A.1 and
Table A.1 in the defined format, using the control character values shown in Figure A.2. The
Discretionary Data field (the location of the CVC 1) is field 9.
NOTE: Figure A.1 represents a Track 1 data layout example in which the Account Number is 16
characters in length and the Discretionary Data is 24 characters in length.
Figure A.1—Track 1 Data Layout
Table A.1—Track 1 Data Format and Content
F = Fixed Length
Field Number Field Name V = Variable Length Maximum Characters
1 Start Sentinel F 1
2 Format Code–B F 1
(encode character B)
3 Account Number V 19
4 Separator F 1
5 Cardholder Name V 2–26
6 Separator F 1
7 Expiration Date F 4
8 Service Code F 3

F = Fixed Length
Field Number Field Name V = Variable Length Maximum Characters
9 Discretionary Data V Balance of available digits

not to exceed total track
(must include CVC 1)
length of 79 characters
10 End Sentinel F 1
11 Longitudinal Redundancy F 1
Check
Total record length—The maximum character count for Track 1 will not exceed 79 including
all control characters.
Figure A.2—Track 1 Data Control Character Values

The encoded Cardholder Name field in Track 1 is a variable length, alphanumeric field, with
a maximum length of 26 characters within (up to) three subfields. The Cardholder Name and
Content Format table shown in Table A.2 defines the specifications for encoding the
Cardholder name on the magnetic stripe.
Table A.2—Cardholder Name Content and Format
M = Mandatory
Element O = Optional Length Requirements/Comments
Surname M Variable Mandatory

Alphanumeric
Minimum length is one character
First character must be alphabetic, others
may be any valid character as defined in this
appendix.
Initials or First O Variable If used, must begin with a slash (/)

Name
May be any valid characters defined in this
appendix.
Title O Variable If used, must begin with a period (.)

Must always be after the surname and, if
used, initials or first name
May be any valid characters defined in this
appendix.
NOTE: Characters “%”, “^”, and “?” cannot be used in the Cardholder Name field, because
they are used only for specified encoding purposes.
The total length of the Cardholder Name field is 26 characters, including all control
characters.

Track 2 of the magnetic stripe must be encoded with the information shown in Figure A.3 and
Table A.3 in the defined format, using the control character values shown in Table A.4. The
Discretionary Data field (the location of the CVC 1) is field 6.

NOTE: Figure A.3 represents a Track 2 data layout example in which the Account Number is 16
characters in length and the Discretionary Data is 13 characters in length.
Figure A.3—Track 2 Data Layout
Table A.3—Track 2 Data Format and Content
F = Fixed Length
Field Number Field Name V = Variable Length Contents
1 Start Sentinel F Hexadecimal “B”
2 Primary Account Number V See Sections 3.2 and 3.3.

(PAN)
3 Separator F Hexadecimal “D”
4 Expiration Date F See Section 3.5.4.
5 Service Code F See Table 3.3 in Section

3.10.3.
6 Discretionary Data V
6.1 Reserved F Length is one digit.
6.2 PIN Verification Value (PVV) F Length is four digits.

Encoding of PVV is strongly
recommended to facilitate
Issuer use of on-behalf PIN
key management services.

F = Fixed Length
Field Number Field Name V = Variable Length Contents
6.3 Card Sequence Number F Length is one digit.

Identifies multiple Cards
using the same PAN.
6.4 Further Discretionary Data V Encode CVC 1 in any three

contiguous positions
following the 7th position
in the discretionary data.
CVC 1 is required for
MasterCard Cards and for
any Maestro and Cirrus
chip Card newly issued or
re-issued on or after 11
January 2013 with a PAN
length of 16 digits or less.
7 End Sentinel F Hexadecimal “F”
8 Longitudinal Redundancy F Length is one digit.

Check (LRC) Calculate by using LRC
Formula.
Total record length—The maximum character count for Track 2 will not exceed 40 including
all control characters.
The Track 2 data on a Chip Card’s magnetic stripe must be the same as the Track 2 data of the
corresponding Payment Application on the chip, except that the Issuer may vary Field 6
(Discretionary Data).
Table A.4—Track 2 Data Control Character Values
Bits Character
P B4 B3 B2 B1
1 0 0 0 0 0
0 0 0 0 1 1
0 0 0 1 0 2

Bits Character
P B4 B3 B2 B1
1 0 0 1 1 3
0 0 1 0 0 4
1 0 1 0 1 5
1 0 1 1 0 6
0 0 1 1 1 7
0 1 0 0 0 8
1 1 0 0 1 9
1 1 0 1 0 (A)
0 1 0 1 1 Start Sentinel
(Start
Character)
1 1 1 0 0 (A)
0 1 1 0 1 Separator
0 1 1 1 0 (A)
1 1 1 1 1 Stop Sentinel
(End Character)
These character positions (A) are available for hardware control purposes only, and cannot
contain information characters (data content).

Formset Specifications
Appendix B Formset Specifications

This appendix contains specifications for the interchange copy of MasterCard® Card Transaction
formsets.
B.1 MasterCard Formset Specifications........................................................................................179

B.1.1 Formset Physical Dimensions......................................................................................... 179
B.1.2 Standard Wording......................................................................................................... 179
B.1.3 Number of Copies and Retention Requirements............................................................ 179
B.1.4 Paper Stock Characteristics............................................................................................180
B.1.5 Color of Interchange Copy............................................................................................ 180
B.1.6 Carbon..........................................................................................................................180
B.1.7 Registration Mark..........................................................................................................180
B.1.7.1 Registration Mark Location.................................................................................... 180
B.1.8 Formset Numbering.......................................................................................................180
B.1.8.1 Formset Number Location......................................................................................181
B.1.9 Information Slip Specifications.......................................................................................181
B.2 Formset Printing Standards .................................................................................................. 181
B.2.1 Financial Transaction Formsets....................................................................................... 181
B.2.2 Information Slip Formsets.............................................................................................. 182
B.2.3 Imprinters......................................................................................................................183

B.1 MasterCard Formset Specifications

A formset is a Transaction information document (TID) produced with a manual imprinter. This
appendix describes the Standards for the interchange copy of Point-of-Sale (POS) Transaction,
refund Transaction, Manual Cash Disbursement Transaction, and information formsets,
including physical dimensions, weight, color, carbon paper, registration marks, numbering,
and printing.
B.1.1 Formset Physical Dimensions

Formsets must be the size of a standard 80-column Card (3.250 inches x 7.375 inches, or
8.260 cm x 18.744 cm) or a standard 51-column Card (3.250 inches x 4.852 inches, or 8.260
cm x 12.332 cm), with an upper right-hand corner cut.
B.1.2 Standard Wording

MasterCard has developed the following standard wording for use on the interchange copy of
the formset. Use the standard wording, which may appear in English, the local language, or
both, unless MasterCard has previously granted a variance permitting use of other wording.
Retail sale slips:
“The Issuer of the Card identified on this item is authorized to pay the amount shown as
‘total’ upon proper presentation. I promise to pay such total (together with any other
charges due thereon) subject to and in accordance with the agreement governing the use
of such Card.”
Credit slips:
“I request that the above Cardholder account be credited with the amount shown as
‘total’ because of the return of, or adjustments on, the goods, services, or other items of
value described, and authorize the bank to which this credit slip is delivered to charge my
account in accordance with my agreement with such bank.”
Cash disbursement slips:
“I hereby request the Issuer of the Card identified above to pay to bearer the amount
shown as ‘total’ hereon. I hereby confirm that I will pay said amount, with any charges
due thereon, to said Issuer in accordance with terms of the agreement governing the use
of said Card.”
Information slips:
“Information on this slip relates to the type of Transaction indicated above, and the
amount shown hereon as the total should agree with the amount on the receipt provided
at the time of the Transaction.”
B.1.3 Number of Copies and Retention Requirements

Each formset must consist of at least two copies, one complete copy for the Merchant/
Acquirer, and one complete copy for the customer. MasterCard recommends that the
Merchant or the Acquirer process the copy signed by the Cardholder. If this is the only copy

retained, the Merchant must hold the copy (microfilm or otherwise reproduced copy) for at
least 13 months to satisfy the MasterCard retention requirement.
B.1.4 Paper Stock Characteristics

Formsets must be no less than 28-pound stock and no more than 103-pound stock, U.S.
Region standards.
B.1.5 Color of Interchange Copy

The color of the interchange copy of a formset must be manila or white if Card stock (for
example, 95-pound stock, U.S. Region standards or heavier), and must be white if paper stock
(for example, 28-pound stock, U.S. Region standards or heavier but less than 95-pound stock).
B.1.6 Carbon
The carbon paper used to imprint the interchange copy of a formset must be black and of
optical character recognition (OCR) quality. All formsets ordered by Customers supplying
formsets to Merchants must be manufactured so that the Account number cannot be
identified on any carbons that may be discarded after a sales Transaction is completed. The
following types of formsets are examples that comply with this rule:
• Carbonless formsets
• Carbon on the back formsets
• Formsets with carbons that are perforated in such a manner that no complete Account
number remains on the carbon to be discarded
B.1.7 Registration Mark

If the interchange copy of an 80-column formset has a registration mark, then the registration
mark must be preprinted and of uniform density of non-reflective (preferably black) ink. The
stroke width of the mark must be 0.030 inches ± 0.010 inches (0.0762 cm ± 0.0254 cm), and
the length of each leg of the mark, measured on its inner edge, must be at least 0.400 inches
(1.017 cm). The mark must be aligned with the aligning edge with no visible skew (± 2
degrees).
B.1.7.1 Registration Mark Location

If the interchange copy of an 80-column formset has a registration mark, then the location of
the registration mark in relation to the leading and aligning edges cannot vary from document
to document more than ± 0.050 inches (± 127 cm). The leading edge of the vertical leg of the
registration mark shall be 2.40625 inches (6.116 cm) from the left edge of the interchange
copy (with the stub removed) and the bottom edge of the horizontal leg shall be 0.625 inches
(1.589 cm) from the bottom edge.
B.1.8 Formset Numbering

Each Acquirer must supply its Merchants with consecutively pre-numbered formsets with
sequential reference numbers. Each reference number must consist of seven digits, with the
seventh digit from the right being a Transaction code (the number “5” on POS Transaction

B.2 Formset Printing Standards
slips, the number “6” on refund Transaction slips, and the number “7” on Manual Cash
Disbursement Transaction slips), and must be in 7B font with nominal horizontal spacing of
seven characters to the inch.
B.1.8.1 Formset Number Location

On an 80-column Card size formset, the sequential reference number must be located in the
0.500 inches (1.271 cm) clear band area at the top front of each copy of the form. The first
(or low order) digit of the reference number must be a minimum of 1.4375 inches (3.653 cm)
from the right-most edge of the formset to the beginning of that character; the seventh (or
high order) digit must be a maximum of 2.625 inches (6.672 cm) from the right-most edge of
the formset to the end of that character; and the centerline of the numbers must be 0.219
inches ± 0.040 inches (0.557 cm ± 0.102 cm) from the top of the formset.
B.1.9 Information Slip Specifications

Information slips provide the Cardholder with additional details related to a POS Transaction,
refund Transaction, or Manual Cash Disbursement Transaction (herein, "financial
Transactions"). The information slip must be the same size, weight, and color as all other
MasterCard formsets.

The Standards listed below apply to the printing of formsets.
B.2.1 Financial Transaction Formsets

This section applies to the printing of the interchange copy of the MasterCard Card formsets
for financial Transactions. Refer to section B.1.9 for printing requirements specific to
information slips.
1. The reverse side of any interchange copy shall be blank.
2. The space reserved for imprinting on the interchange copy must remain clear of any
printing. This space shall be not less than 3.125 inches (7.943 cm) long by 2.125 inches
(5.401 cm) high lying horizontally across the top and commencing at the upper left-hand
corner (with the stubs removed).
3. The interchange copies of formsets must have an area not less than 4.250 inches (10.802
cm) long and 0.500 inches (1.271 cm) high lying horizontally across the bottom and
commencing at the lower right-hand corner, left clear of any printing.
4. This area shall be not less than 4.500 inches (11.437 cm) long and 0.625 inches (1.589
cm) high, and the balance of the area within 0.625 inches (1.589 cm) of the bottom shall
be left clear of any magnetic ink character recognition (MICR) and OCR active printing or
markings with the exception of MICR encoding.
5. The interchange copies of formsets must have an area not less than the length of the slip
by 0.500 inches (1.271 cm) high lying horizontally across the top of the slip, left clear of
any preprinting except for the sequential reference number on an 80-column slip and also

discretionary data (located between 0.375 inches and 1.3125 inches [0.953 cm and
3.3359 cm] from the right-hand edge in 7B font).
6. If the formset has a registration mark, a square, formed by a clear band 1/8 inches (0.318
cm) from the external edges and tips of a minimum length registration mark and not less
than 11/16 inches by 11/16 inches (1.747 cm x 1.747 cm), shall be left clear of any
printing except for the registration mark.
7. The printing on the face of the copies of refund Transaction slips shall be in red ink. The
printing on the face of the copies of POS Transaction and Manual Cash Disbursement
Transaction slips must not be in red ink. MasterCard recommends that the printing on POS
Transaction slips be in either blue or black ink and on Manual Cash Disbursement slips in
either green or black ink.
B.2.2 Information Slip Formsets

Following is a list of requirements for printing information slips:
1. The following areas shall be left clear of printing:
– 0.500 inches (1.271 cm) high lying horizontally across the entire length of the top of
the slip.
– 4.500 inches (11.437 cm) long by 0.625 inches (1.589 cm) high lying horizontally
across the bottom of the slip commencing at the lower right-hand corner.
starting 4.875 inches (12.390 cm) from the left edge and 0.970 inches (2.468 cm) from
the top edge of the slip.
the top edge of the slip.
the top edge.
starting 6 inches (15.250 cm) from the left edge and 2.281 inches (5.798 cm) from the
top edge.
2. MasterCard recommends using black ink for all printing.
3. For Transaction date identification, the information slip must contain a computer-printed
date area. Enter the elements of the date in this area by indicating the sequence (for
example, month-day-year) in English and, at the Acquirer’s option, also in the local
language.
4. For situations when the Transaction date is not available, each information slip will be
preprinted with the expression, “Transaction date not available” in English and, at the
Acquirer’s option, also in the local language.
5. The reverse side shall be blank.

B.2.3 Imprinters
Each Customer is responsible for supplying to its Merchants conducting face-to-face POS
Transactions, on such terms as may be agreed upon between them, and for maintaining at
each Customer location that disburses cash to Cardholders, imprinters capable of producing a
satisfactory imprint from a Card upon the interchange copy of a formset. The imprinter must
contain a plate that will imprint on the interchange copy of the formset the name and number
of the Merchant, or the name of the Customer disbursing the cash disbursement, and the city
and state (or country, if the location is outside the United States) where the Transaction
occurred.

Contact Information
Appendix C Contact Information

Contact Information
This appendix contains a list of MasterCard contacts to whom inquiries may be addressed and
required documentation submitted.
C.1 Security and Risk Services..................................................................................................... 185

C.2 Merchant Fraud Control....................................................................................................... 185
C.3 Account Data Compromise Events........................................................................................186
C.4 Card Design Management....................................................................................................186
C.5 MasterCard Connect™ Applications...................................................................................... 187
C.6 Customer Operations Services.............................................................................................. 187
C.7 Questionable Merchant Activity............................................................................................ 188

Contact Information
C.1 Security and Risk Services
C.1 Security and Risk Services

Customers may send forms and other documentation related to security and risk service
programs and Standards to:
Address: MasterCard
Attention: Security and Risk Services Department
2200 MasterCard Boulevard
O’Fallon MO 63368-7263
USA
Phone: 1-636-722-4100 (MasterCard Fraud Protection Center)
Phone: 1-914-249-5447 (Merchant Fraud Control Group)
Fax: 1-914-249-4257
E-mail: matchhelp@mastercard.com
E-mail: mfcg@mastercard.com (Merchant Fraud Control Group)
Telex: 0878 MSTCD UI
Correspondence regarding conflicts between the Standards and applicable law should be
addressed to the attention of the Law Department.
Address: MasterCard
Attention: Law Department
2000 Purchase Street
Purchase NY 10577-2509
USA
C.2 Merchant Fraud Control

Customers may send forms and other documentation related to security and risk management
programs and Standards to:

Contact Information
C.3 Account Data Compromise Events
Address: MasterCard
Attention: Merchant Fraud Control Department
USA
Phone: 1-914-249-5447
Fax: 1-914-249-4257
E-mail: mfcg@mastercard.com (Merchant Fraud Control Group)
Address: MasterCard
USA
C.3 Account Data Compromise Events

For MasterCard contact information related to Account Data Compromise (ADC) Events or
Potential ADC Events, refer to the Account Data Compromise User Guide, available through
the MasterCard Connect™ Publications product.
C.4 Card Design Management

Customers may send forms and other documentation related to Card design and production,
such as the Plastics Order Request Form, to:

Contact Information
C.5 MasterCard Connect™ Applications
Address: MasterCard
Attention: Card Design Management Department
Franchise Customer Management
USA
Fax: 1-914-249-4499
C.5 MasterCard Connect™ Applications

To register for a MasterCard Connect™ application, navigate your browser to
www.mastercardconnect.com and request access to the application from the MasterCard
Connect Store menu.
For assistance registering for an application or for technical support, contact Customer
Operations Services using one of the following methods:
Phone: 1-800-999-0363 (U.S. Region)
Phone: 1-636-722-6636 (Outside U.S. Region)
Phone: 1-636-722-6292 (Spanish language support)
E-mail: customer_support@mastercard.com
C.6 Customer Operations Services

Customers may address any general questions relating to security programs or products to the
Customer Operations Services team using one of the following methods:

Contact Information
C.7 Questionable Merchant Activity
Address: MasterCard
Attention: Customer Operations Services
2200 MasterCard Boulevard
O’Fallon MO 63368-7263
USA
Phone: 1-800-999-0363 or 1-636-722-6176 (U.S. and Canada Regions)

1-636-722-6292 (Spanish language support)
1-636-722-6176 (All other Regions)
Fax: 1-636-722-7192
E-mail: Canada, Latin America and the Caribbean, customer_support@mastercard.com
Europe, Middle East/Africa, and U.S.
Regions
Asia/Pacific:
Australia and New Zealand csd@mastercard.com
Brunei/Malaysia helpdesk.malaysia@mastercard.com
Cambodia/Laos/Vietnam helpdesk.indochina@mastercard.com
China, Hong Kong, and Taiwan helpdesk.gc@mastercard.com
Indonesia helpdesk.indonesia@mastercard.com
Japan/Guam helpdesk.tokyo@mastercard.com
Korea korea_helpdesk@mastercard.com
Philippines helpdesk.philippines@mastercard.com
Singapore helpdesk.singapore@mastercard.com
Thailand helpdesk.thailand@mastercard.com
Spanish language support lagroup@mastercard.com
Vendor Relations, All Regions vendor.program@mastercard.com

Customers may send forms and other documentation related to Questionable Merchant
activity fraud management programs and Standards to:

Contact Information
Address: MasterCard
Attention: QMAP—Fraud Management Department
USA
E-mail: qmap@mastercard.com
Address: MasterCard
USA

Best Practices Guides
Appendix D Best Practices Guides

This appendix contains a description of the publications in the MasterCard “Best Practices” series
and access instructions via MasterCard Connect™.
D.1 Acquirers’ Best Practices Guide............................................................................................. 191

D.2 MasterCard Debit Card and ATM Debit/Credit Card Fraud Guide.......................................... 191
D.3 Issuers’ Best Practices Guide................................................................................................. 191
D.4 Prepaid Card Fraud and Risk Management Best Practices Guide............................................191
D.5 Security Guidelines for Merchants’ Terminals........................................................................ 192
D.6 How to Access the “Best Practices” Guides.......................................................................... 192

D.1 Acquirers’ Best Practices Guide
D.1 Acquirers’ Best Practices Guide

The Acquirers’ Best Practices Guide covers critical issues of which Acquirers and their
Merchants should be aware in order to recognize and to combat fraud. It reviews the entire
process, from signing Merchants, to training them, to ongoing monitoring. The guide also
describes common fraudulent schemes to help Acquirers recognize illegal activity in their
businesses.
D.2 MasterCard Debit Card and ATM Debit/Credit Card Fraud Guide
The MasterCard Debit Card and ATM Debit/Credit Card Fraud Guide discusses the most
common types of fraud associated with signature-based debit Cards. The guide benefits
Customers by:
• Recommending procedures and control tools to help identify and prevent fraud losses
• Suggesting fraud control procedures that Customers can implement into their daily
operations
• Explaining the scope of ATM Card fraud
• Identifying and describing common schemes
• Discussing countermeasures, and
• Providing suggested strategies.
D.3 Issuers’ Best Practices Guide

The Issuers’ Best Practices Guide includes a review of, and provides solutions to, security
challenges in both the physical and virtual worlds. The guide defines the different fraud loss
types, provides best practices recommended for each, and explains the tools available from
MasterCard to help combat them.
D.4 Prepaid Card Fraud and Risk Management Best Practices Guide
The Prepaid Card Fraud and Risk Management Best Practices Guide is intended to help
MasterCard Customers proactively control and prevent potential losses from prepaid Card
fraud, thereby maximizing the potential revenue opportunities that such Card Programs offer.
In addition, the guide provides an overview of MasterCard resources and products relevant to
prepaid Card Programs.

D.5 Security Guidelines for Merchants’ Terminals
D.5 Security Guidelines for Merchants’ Terminals

The MasterCard Security Guidelines for Merchants’ Terminals aims to help Merchants manage
the risks related to the use of Point-of-Sale (POS) Terminals and to monitor, maintain, and
improve the security of their Terminal environment.
D.6 How to Access the “Best Practices” Guides

Follow these instructions to access the entire “Best Practices” series of guides:
1. Go to www.mastercardconnect.com.
2. Log on by entering your User ID and Password.
3. Click Library in the top toolbar, and then click References in the drop-down menu.
4. Click the plus (+) next to References on the left side of the screen to expand its menu.
5. Click the plus (+) next to the Security & Risk option to expand its menu.
6. Click the plus (+) next to Reading Rooms to display the Regional pages.
7. Click the appropriate link for your Region.
8. Under the Global Security & Risk Services Best Practices Guides section, click the link
of the guide that you want to view in portable document format (PDF).

Card Production Services
Appendix E Card Production Services

This appendix contains descriptions of Card production activities.
E.1 Card Production Services....................................................................................................... 194

E.1 Card Production Services

The activities in this appendix are Card production services. A Customer employing a vendor
to perform any such service on its behalf in connection with the issuance of Cards, Access
Devices, or Mobile Payment Devices must comply with the requirements described in Chapter
2 of this manual.
The tables below describe Card manufacture services, Card personalization services, and other
specialized services performed in connection with Card production.
Table E.1—Card Manufacture Services
Service Definition
Chip embedding Process by which an integrated circuit is permanently attached to a payment Card
to become an integral part of the Card.
Card manufacture Card production process composed of one or more of the following:
• Pre-press (Card design layout, printing films, and printing plates generation)
• White plastic sheets printing
• Sheets assembly
• Sheets lamination
• Sheets cutting or punching
• Hologram and signature panel hot-stamping
Table E.2—Card Personalization Services
Service Definition
Card embossing Personalization process that creates raised characters on a plastic Card body.
Card encoding Process by which personalization data is written onto a magnetic stripe residing
on the Card.
Card mailing Process by which a Card or PIN mailer is individually packaged and sent to a
presort facility or delivered to the postal service for delivery to the Cardholder.
Card Personalization process for unembossed Cards that writes data on the Card by a
personalization technology other than embossing such as laser engraving, thermal transfer, or
indent printing.

Service Definition
Chip Process of “writing” data to the integrated circuit by means of electrical or

personalization electromagnetic interaction between the chip and personalization device. Chip
personalization usually occurs subsequent to chip embedding but may also occur
prior to or during chip embedding.
Table E.3—Specialized Card Production Services
Service Definition
Card fulfillment Stand-alone service by which a newly issued or reissued Card is combined with
additional materials resulting in a complete package ready for distribution to the
Cardholder. A facility approved for personalization services is also approved for
Card fulfillment as part of its personalization activity.
Data preparation Stand-alone service by which Issuer and Cardholder data are processed and
configured for subsequent personalization by the Issuer or different certified
vendor. A facility approved for personalization services is also approved for data
preparation as part of its personalization activity.
Disaster recovery Card production at a facility established and activated exclusively during an
emergency event pursuant to a certified vendor’s Business Continuity Plan (BCP).
Card production at this facility is only authorized for the vendor that established it.
The disaster recovery facility must not be used to alleviate capacity restraints
associated with normal Card production. These facilities are evaluated against a
subset of the security requirements and must be upgraded to compliance with the
full set of security requirements upon activation.
Mobile Service whereby a Trusted Service Manager (TSM) loads a payment application,
provisioning provides personalization data, or sends post-issuance application management
commands to a Mobile Payment Device via an over-the-air (OTA) communication
method.
Partial Facility that produces Card components containing sensitive security features or
manufacture personalization data where the full Card is subsequently completed by a certified
vendor.
PIN printing Stand-alone service whereby a PIN mailer is printed and mailed. A facility approved
for personalization services is also approved for PIN mailing as part of its
personalization activity.

Definitions
Appendix F Definitions
Definitions
The following terms as used in this manual have the meanings set forth below.
Acceptance Mark........................................................................................................................201
Access Device............................................................................................................................. 201
Account......................................................................................................................................201
Account PAN.............................................................................................................................. 201
Account PAN Range....................................................................................................................201
Acquirer......................................................................................................................................201
Activity(ies)................................................................................................................................. 201
Affiliate Customer, Affiliate......................................................................................................... 202
Area of Use.................................................................................................................................202
Association Customer, Association.............................................................................................. 202
ATM Access Fee.......................................................................................................................... 202
ATM Owner Agreement.............................................................................................................. 202
ATM Terminal..............................................................................................................................202
ATM Transaction......................................................................................................................... 202
Automated Teller Machine (ATM)................................................................................................ 203
Brand Fee................................................................................................................................... 203
Brand Mark.................................................................................................................................203
Card........................................................................................................................................... 203
Cardholder................................................................................................................................. 203
Cardholder Communication........................................................................................................203
Cardholder Verification Method (CVM)....................................................................................... 203
Chip Card (Smart Card, Integrated Circuit Card, IC Card, or ICC)................................................ 204
Chip-only MPOS Terminal............................................................................................................204
Chip Transaction......................................................................................................................... 204
Cirrus Acceptance Mark..............................................................................................................204
Cirrus Access Device................................................................................................................... 205
Cirrus Account............................................................................................................................205
Cirrus Brand Mark.......................................................................................................................205
Cirrus Card................................................................................................................................. 205
Cirrus Customer..........................................................................................................................205
Cirrus Payment Application......................................................................................................... 205
Cirrus Word Mark....................................................................................................................... 205
Competing ATM Network........................................................................................................... 206

Definitions
Competing EFT POS Network......................................................................................................206

Competing International ATM Network.......................................................................................206
Competing North American ATM Network..................................................................................206
Contact Chip Transaction............................................................................................................ 207
Contactless Transaction...............................................................................................................207
Contactless Payment Device........................................................................................................207
Control, Controlled..................................................................................................................... 207
Corporation................................................................................................................................ 207
Credentials Management System................................................................................................ 208
Cross-border Transaction.............................................................................................................208
Customer....................................................................................................................................208
Customer Report........................................................................................................................ 208
Data Storage Entity (DSE)............................................................................................................ 208
Device Binding............................................................................................................................ 208
Digital Activity Agreement.......................................................................................................... 209
Digital Activity(ies).......................................................................................................................209
Digital Activity Customer.............................................................................................................209
Digital Activity Service Provider (DASP)........................................................................................ 209
Digital Goods..............................................................................................................................209
Digital Wallet.............................................................................................................................. 209
Digital Wallet Operator (DWO).................................................................................................... 210
Digital Wallet Operator Mark, DWO Mark................................................................................... 210
Digitization, Digitize....................................................................................................................210
Domestic Transaction.................................................................................................................. 210
Dual Interface............................................................................................................................. 210
Electronic Money........................................................................................................................ 210
Electronic Money Institution........................................................................................................211
Electronic Money Issuer...............................................................................................................211
EMV Mode Contactless Transaction.............................................................................................211
Gateway Customer..................................................................................................................... 211
Gateway Processing.................................................................................................................... 211
Gateway Transaction...................................................................................................................211
Host Card Emulation (HCE)......................................................................................................... 211
Hybrid Terminal...........................................................................................................................212
Identification & Verification (ID&V).............................................................................................. 212
Independent Sales Organization (ISO)..........................................................................................212
Interchange System.....................................................................................................................212
Interregional Transaction............................................................................................................. 212
Intracountry Transaction..............................................................................................................213

Definitions
Intraregional Transaction............................................................................................................. 213

Issuer.......................................................................................................................................... 213
Licensee......................................................................................................................................213
License, Licensed.........................................................................................................................213
Maestro...................................................................................................................................... 213
Maestro Acceptance Mark.......................................................................................................... 213
Maestro Access Device................................................................................................................214
Maestro Account........................................................................................................................ 214
Maestro Brand Mark................................................................................................................... 214
Maestro Card..............................................................................................................................214
Maestro Customer...................................................................................................................... 214
Maestro Payment Application..................................................................................................... 214
Maestro Word Mark....................................................................................................................214
Magnetic Stripe Mode Contactless Transaction............................................................................215
Manual Cash Disbursement Transaction...................................................................................... 215
Marks......................................................................................................................................... 215
MasterCard.................................................................................................................................215
MasterCard Acceptance Mark.....................................................................................................215
MasterCard Access Device.......................................................................................................... 215
MasterCard Account...................................................................................................................215
MasterCard-branded Application Identifier (AID)......................................................................... 216
MasterCard Brand Mark..............................................................................................................216
MasterCard Card........................................................................................................................ 216
MasterCard Cloud-Based Payments.............................................................................................216
MasterCard Customer.................................................................................................................216
MasterCard Digital Enablement Service....................................................................................... 216
MasterCard Europe..................................................................................................................... 216
MasterCard Incorporated............................................................................................................ 217
MasterCard Payment Application................................................................................................ 217
MasterCard Token.......................................................................................................................217
MasterCard Token Account Range.............................................................................................. 217
MasterCard Word Mark.............................................................................................................. 217
Member, Membership.................................................................................................................217
Merchandise Transaction.............................................................................................................218
Merchant....................................................................................................................................218
Merchant Agreement..................................................................................................................218
Mobile Payment Device...............................................................................................................218
Mobile POS (MPOS) Terminal.......................................................................................................218
Multi-Account Chip Card............................................................................................................ 218

Definitions
On-Device Cardholder Verification.............................................................................................. 219

Ownership, Owned.....................................................................................................................219
Participation................................................................................................................................219
Pass-through Digital Wallet......................................................................................................... 219
Pass-through Digital Wallet Operator (DWO)............................................................................... 219
Payment Application................................................................................................................... 219
Payment Facilitator......................................................................................................................220
PIN-based In-Branch Terminal...................................................................................................... 220
Point of Interaction (POI)............................................................................................................. 220
Point-of-Sale (POS) Terminal........................................................................................................ 220
Portfolio......................................................................................................................................220
Point–of–Sale (POS) Transaction.................................................................................................. 220
Principal Customer, Principal....................................................................................................... 221
Processed Transaction................................................................................................................. 221
Program......................................................................................................................................221
Program Service.......................................................................................................................... 221
Region........................................................................................................................................ 221
Remote Transaction.................................................................................................................... 221
Rules...........................................................................................................................................222
Service Provider...........................................................................................................................222
Service Provider Registration Facilitator........................................................................................222
Settlement Obligation................................................................................................................. 222
Shared Deposit Transaction......................................................................................................... 222
Solicitation, Solicit.......................................................................................................................222
Special Issuer Program................................................................................................................ 222
Sponsor, Sponsorship.................................................................................................................. 223
Staged Digital Wallet...................................................................................................................223
Staged Digital Wallet Operator (DWO)........................................................................................ 223
Standards................................................................................................................................... 223
Stand-In Parameters....................................................................................................................223
Stand-In Processing Service......................................................................................................... 224
Sub-licensee................................................................................................................................224
Submerchant.............................................................................................................................. 224
Submerchant Agreement............................................................................................................ 224
Terminal......................................................................................................................................224
Third Party Processor (TPP)...........................................................................................................224
Token..........................................................................................................................................225
Tokenization, Tokenize................................................................................................................ 225
Token Requestor......................................................................................................................... 225

Definitions
Transaction................................................................................................................................. 225
Volume....................................................................................................................................... 225
Wallet Provider............................................................................................................................225
Wallet Token Requestor.............................................................................................................. 225
Word Mark................................................................................................................................. 226

Definitions
Acceptance Mark
Additional and/or revised terms may also be used for purposes of the Rules in a particular chapter
or section of this manual.
Acceptance Mark
Any one of the Corporation’s Marks displayed at a POI to indicate brand acceptance. See
Cirrus Acceptance Mark, Maestro Acceptance Mark, MasterCard Acceptance Mark.
Access Device
A device other than a Card that uses at least one Payment Application to provide access to an
Account in compliance with the Standards. A Contactless Payment Device is a type of Access
Device. A Cirrus Access Device, Maestro Access Device, and MasterCard Access Device is each
an Access Device. Also see Mobile Payment Device.
Account
An account maintained by or on behalf of a Cardholder by an Issuer for the processing of
Transactions, and which is identified with a bank identification number (BIN) or Issuer
identification number (IIN) designated by the Corporation in its routing tables for routing to
the Interchange System. Also see Cirrus Account, Maestro Account, MasterCard Account.
Account PAN
The primary account number (PAN) allocated to an Account by an Issuer.
Account PAN Range

The range of Account PANs designated by an Issuer for Digitization.
Acquirer
A Customer in its capacity as an acquirer of a Transaction.
Activity(ies)
The undertaking of any act that can be lawfully undertaken only pursuant to a License
granted by the Corporation. Also see Digital Activity(ies).

Definitions
Affiliate Customer, Affiliate
Affiliate Customer, Affiliate

A Customer that participates indirectly in Activity through the Sponsorship of a Principal or,
solely with respect to MasterCard Activity, through the Sponsorship of an Association. An
Affiliate may not Sponsor any other Customer.
Area of Use
The country or countries in which a Customer is Licensed to use the Marks and conduct
Activity, and, as a rule, set forth in the License or in an exhibit to the License.
Association Customer, Association

A MasterCard Customer that participates directly in MasterCard Activity using its assigned
BINs and which may Sponsor one or more MasterCard Affiliates but may not directly issue
MasterCard Cards or acquire MasterCard Transactions without the express prior written
consent of the Corporation.
ATM Access Fee

A fee charged by an Acquirer in connection with a cash withdrawal or Shared Deposit
Transaction initiated at the Acquirer’s ATM Terminal with a Card, and added to the total
Transaction amount transmitted to the Issuer.
ATM Owner Agreement

An agreement between an ATM owner and a Customer that sets forth the terms pursuant to
which the ATM accepts Cards.
ATM Terminal
An ATM that enables a Cardholder to effect a Transaction with a Card in accordance with the
Standards.
ATM Transaction
A cash withdrawal effected at an ATM Terminal with a Card and processed through the
MasterCard ATM Network. An ATM Transaction is identified with MCC 6011 (Automated
Cash Disbursements—Customer Financial Institution).

Definitions
Automated Teller Machine (ATM)
Automated Teller Machine (ATM)

An unattended self-service device that performs basic banking functions such as accepting
deposits, cash withdrawals, ordering transfers among accounts, loan payments and account
balance inquiries.
Brand Fee
A fee charged for certain Transactions not routed to the Interchange System.
Brand Mark
A Word Mark as a custom lettering legend placed within the Corporation’s interlocking circles
device. The MasterCard Brand Mark, Maestro Brand Mark, and Cirrus Brand Mark is each a
Brand Mark.
Card
A card issued by a Customer pursuant to License and in accordance with the Standards and
that provides access to an Account. Unless otherwise stated herein, Standards applicable to
the use and acceptance of a Card are also applicable to an Access Device and, in a Card-not-
present environment, an Account. A Cirrus Card, Maestro Card, and MasterCard Card is each
a Card.
Cardholder
The authorized user of a Card or Access Device issued by a Customer.
Cardholder Communication
Any communication by or on behalf of an Issuer to a Cardholder or prospective Cardholder. A
Solicitation is one kind of Cardholder Communication.
Cardholder Verification Method (CVM)

A process used to confirm that the person presenting the Card is the genuine Cardholder. The
Corporation deems the following to be valid CVMs when conducted in accordance with the
Standards:

Definitions
Chip Card (Smart Card, Integrated Circuit Card, IC Card, or ICC)
• The comparison, by the Merchant or Acquirer accepting the Card, of the signature on the
Card’s signature panel with the signature provided on the Transaction receipt by the person
presenting the Card;
• The comparison, by the Card Issuer or the EMV chip on the Card, of the value entered on a
Terminal’s PIN pad with the personal identification number (PIN) given to or selected by the
Cardholder upon Card issuance; and
• On-Device Cardholder Verification
In certain Card-present environments, a Merchant may complete the Transaction without a
CVM ("no CVM" as the CVM), such as in Quick Payment Service (QPS) Transactions,
Contactless Transactions less than or equal to the CVM limit, and Transactions at an
unattended POS Terminal identified as Cardholder-activated Terminal (CAT) Level 2 or Level 3.
Chip Card (Smart Card, Integrated Circuit Card, IC Card, or ICC)

A Card with an embedded EMV-compliant chip containing memory and interactive capabilities
used to identify and store additional data about a Cardholder, an Account, or both.
Chip-only MPOS Terminal

An MPOS Terminal that has a contact chip reader and no magnetic stripe-reading capability
and that must:
1. Operate as an online-only POS Terminal for authorization purposes;
2. Support either signature or No CVM Required as a Cardholder verification method, and
may also support PIN verification if conducted by means of a PIN entry device (PED) that is
in compliance with the Payment Card Industry (PCI) POS PED Security Requirements and
Evaluation Program; and
3. Otherwise comply with the Corporation’s requirements for Hybrid POS Terminals.
Chip Transaction
A Contact Chip Transaction or a Contactless Transaction.
Cirrus Acceptance Mark

A Mark consisting of the Cirrus Brand Mark placed on the dark blue acceptance rectangle,
available at www.mastercardbrandcenter.com.

Definitions
Cirrus Access Device
Cirrus Access Device

An Access Device that uses at least one Cirrus Payment Application to provide access to a
Cirrus Account when used at an ATM Terminal or PIN-based In-Branch Terminal.
Cirrus Account
An account eligible to be a Cirrus Account, as set forth in Rule 6.1.3.2 of the MasterCard
Rules manual, and identified with a BIN/IIN associated with a Portfolio designated by the
Corporation as a Cirrus Portfolio in its routing tables.
Cirrus Brand Mark

A Mark consisting of the Cirrus Word Mark as a custom lettering legend placed within the
Corporation’s interlocking circles device. The Corporation is the exclusive owner of the Cirrus
Brand Mark.
Cirrus Card
A Card that provides access to a Cirrus Account.
Cirrus Customer
A Customer that has been granted a Cirrus License in accordance with the Standards.
Cirrus Payment Application

A Payment Application that stores Cirrus Account data.
Cirrus Word Mark

A Mark consisting of the word “Cirrus” followed by a registered trademark ® or ™ symbol
(depending on its trademark status in a particular country) or the local law equivalent.
“Cirrus” must appear in English and be spelled correctly, with the letter “C” capitalized.
“Cirrus” must not be abbreviated, hyphenated, used in the plural or possessive, or translated
from English into another language. The Corporation is the exclusive owner of the Cirrus
Word Mark.

Definitions
Competing ATM Network
Competing ATM Network

A Competing International ATM Network or a Competing North American ATM Network, as
the case may be.
Competing EFT POS Network

A network, other than any network owned and operated by the Corporation, which provides
access to Maestro Accounts at POS Terminals by use of payment cards and has the following
characteristics:
1. It provides a common service mark or marks to identify the POS Terminal and payment
cards, which provide Maestro Account access;
2. It is not an affiliate of the Corporation; and
3. It operates in at least one country in which the Corporation has granted a License or
Licenses.
The following networks are designated without limitation to be Competing EFT POS
Networks: Interlink; Electron; and V-Pay.
Competing International ATM Network

A network of ATMs and payment cards, other than the Corporation, identified by a common
brand mark that is used exclusively or primarily for ATM interchange that:
1. Operates in at least three countries;
2. Uses a common service mark or marks to identify the ATMs and payment cards which
provide account access through it; and
3. Provides account access to at least 40,000,000 debit cards and by means of at least
25,000 ATMs.
Competing North American ATM Network

A network of ATMs and access cards, other than the Corporation, identified by a common
brand mark that is used exclusively or primarily for ATM interchange and that possesses each
of the following characteristics:
1. It operates in at least 40 of the states or provinces of the states and provinces of the
United States and Canada;
2. It uses a common service mark or common service marks to identify the terminals and
cards which provide account access through it;
3. There are at least 40,000,000 debit cards that provide account access through it; and
4. There are at least 12,000 ATMs that provide account access through it.

Definitions
Contact Chip Transaction
Contact Chip Transaction

A Transaction in which data is exchanged between the Chip Card and the Terminal through
the reading of the chip using the contact interface, in conformance with EMV specifications.
Contactless Transaction
A Transaction in which data is exchanged between the Chip Card or Access Device and the
Terminal through the reading of the chip using the contactless interface, by means of radio
frequency communications. Also see EMV Mode Contactless Transaction, Magnetic Stripe
Mode Contactless Transaction.
Contactless Payment Device

A means other than a Card by which a Cardholder may access an Account at a Terminal in
accordance with the Standards. A Contactless Payment Device is a type of Access Device that
exchanges data with the Terminal by means of radio frequency communications. Also see
Mobile Payment Device.
Control, Controlled
As used herein, Control has such meaning as the Corporation deems appropriate in its sole
discretion given the context of the usage of the term and all facts and circumstances the
Corporation deems appropriate to consider. As a general guideline, Control often means to
have, alone or together with another entity or entities, direct, indirect, legal, or beneficial
possession (by contract or otherwise) of the power to direct the management and policies of
another entity.
Corporation
MasterCard International Incorporated, Maestro International Inc., and their subsidiaries and
affiliates. As used herein, Corporation also means the President and Chief Executive Officer of
MasterCard International Incorporated, or his or her designee, or such officers or other
employees responsible for the administration and/or management of a program, service,
product, system or other function. Unless otherwise set forth in the Standards, and subject to
any restriction imposed by law or regulation, or by the Board of Directors of MasterCard
International Incorporated, or by the MasterCard International Incorporated Certificate of
Incorporation or the MasterCard Incorporated Certificate of Incorporation (as each such
Certificate of Incorporation may be amended from time to time), each such person is
authorized to act on behalf of the Corporation and to so act in his or her sole discretion.

Definitions
Credentials Management System
Credentials Management System

Facilitates credential preparation and/or remote mobile Payment Application management for
MasterCard Cloud-Based Payments.
Cross-border Transaction
A Transaction that originates via a Terminal located in a different country from the country in
which the Card was issued.
Customer
A financial institution or other entity that has been approved for Participation. A Customer
may be a Principal, Association, Affiliate, or Digital Activity Customer. Also see Cirrus
Customer, Maestro Customer, MasterCard Customer, Member.
Customer Report
Any report a Customer is required to provide the Corporation, whether on a one-time or
repeated basis, pertaining to its License, Activities, Digital Activity Agreement, Digital
Activities, use of any Mark, or any such matters. By way of example and not limitation, the
Quarterly MasterCard Report (QMR) is a Customer Report.
Data Storage Entity (DSE)

A Service Provider that performs any one or more of the services described in Rule 7.1 of the
MasterCard Rules manual as DSE Program Service.
Device Binding
The process by which a Wallet Token Requestor binds a MasterCard Token corresponding to a
Cardholder’s Account to that Cardholder’s Mobile Payment Device, which may consist of:
• The provisioning of the Token and its associated encryption keys into the secure element
within the Mobile Payment Device;
• The loading of an application for a remotely-managed secure server into the Mobile
Payment Device and the successful communication of the device with the application; or
• Other methodology acceptable to the Corporation.

Definitions
Digital Activity Agreement
Digital Activity Agreement

The contract between the Corporation and a Digital Activity Customer granting the Digital
Activity Customer the right to participate in Digital Activity and a limited License to use one or
more of the Marks in connection with such Digital Activity, in accordance with the Standards.
Digital Activity(ies)
The undertaking of any act that can be lawfully undertaken only pursuant to approval by the
Corporation as set forth in a Digital Activity Agreement or other written documentation.
Participation in the MasterCard Digital Enablement Service as a Wallet Token Requestor is a
Digital Activity.
Digital Activity Customer

A Customer that participates in Digital Activity pursuant to a Digital Activity Agreement and
which may not issue Cards, acquire Transactions, or Sponsor any other Customer into the
Corporation.
Digital Activity Service Provider (DASP)

MasterCard Rules as DASP Program Service.
Digital Goods
Any goods that are stored, delivered, and used in electronic format, such as, by way of
example but not limitation, books, newspapers, magazines, music, games, game pieces, and
software (excludes gift cards). The delivery of a purchase of digital goods may occur on a one-
time or subscription basis.
Digital Wallet
A Pass-through Digital Wallet or a Staged Digital Wallet.

Definitions
Digital Wallet Operator (DWO)
Digital Wallet Operator (DWO)

MasterCard Rules manual as DWO Program Service. Also see Staged Digital Wallet Operator
and Pass-through Digital Wallet Operator.
Digital Wallet Operator Mark, DWO Mark

A mark identifying a particular Pass-through Digital Wallet and/or Staged Digital Wallet, and
which may be displayed at the POI to denote that a retailer, or any other person, firm, or
corporation, accepts payments effected by means of that Pass-through Digital Wallet and/or
Staged Digital Wallet. A “Staged DWO Mark” and a “Pass-through DWO Mark” are both
types of DWO Marks.
Digitization, Digitize
Data preparation performed on the Issuer’s behalf prior to the provisioning of Account
credentials, in the form of a MasterCard Token, onto a connected Mobile Payment Device or
into a Host Card Emulation (HCE) server after Identification & Verification (ID&V). Digitization
includes Tokenization.
Domestic Transaction
See Intracountry Transaction.
Dual Interface
The description of a Terminal that is capable of processing Contactless Transactions by means
of its contactless interface and Contact Chip Transactions by means of its contact interface.
Electronic Money
Electronically (including magnetically) accessed monetary value as represented by a claim on
the Electronic Money Issuer which:
1. Is issued on receipt of funds for the purpose of making transactions with payment cards;
and
2. Is accepted by the Electronic Money Issuer or a person other than the Electronic Money
Issuer.

Definitions
Electronic Money Institution
Electronic Money Institution

An entity authorized by applicable regulatory authority or other government entity as an
“electronic money institution”, “e-money institution”, “small electronic money institution”, or
any other applicable qualification under which an entity is authorized to issue or acquire
Electronic Money transactions under applicable law or regulation.
Electronic Money Issuer

An Electronic Money Institution with respect only to its issuing activities.
EMV Mode Contactless Transaction

A Contactless Transaction in which the Terminal and the chip exchange data, enabling the
chip to approve the Transaction offline on the Issuer’s behalf or to request online authorization
from the Issuer, in compliance with the Standards.
Gateway Customer
A Customer that uses the Gateway Processing service.
Gateway Processing
A service that enables a Customer to forward a Gateway Transaction to and/or receive a
Gateway Transaction from the MasterCard ATM Network®.
Gateway Transaction
An ATM transaction effected with a payment card or other access device not bearing a Mark
that is processed through or using the MasterCard ATM Network®.
Host Card Emulation (HCE)

The presentation on a Mobile Payment Device of a virtual and exact representation of a Chip
Card using only software on the Mobile Payment Device and occurring by means of its
communication with a secure remote server.

Definitions
Hybrid Terminal
Hybrid Terminal
A Terminal, including any POS or MPOS Terminal (“Hybrid POS Terminal”, “Hybrid MPOS
Terminal”), ATM Terminal (“Hybrid ATM Terminal”), or PIN-based In-Branch Terminal (“Hybrid
PIN-based In-Branch Terminal”), that:
1. Is capable of processing both Contact Chip Transactions and magnetic stripe Transactions;
2. Has the equivalent hardware, software, and configuration as a Terminal with full EMV
Level 1 and Level 2 type approval status with regard to the chip technical specifications;
and
3. Has satisfactorily completed the Corporation’s Terminal Integration Process (TIP) in the
appropriate environment of use.
Identification & Verification (ID&V)

The identification and verification of a person as the Cardholder to whom the Issuer allocated
the Account PAN to be Tokenized.
Independent Sales Organization (ISO)

MasterCard Rules manual as ISO Program Service.
Interchange System
The computer hardware and software operated by and on behalf of the Corporation for the
routing, processing, and settlement of Transactions including, without limitation, the
MasterCard Network, the MasterCard ATM Network, the MasterCard Dual Message System,
the MasterCard Single Message System, the Global Clearing Management System (GCMS),
and the Settlement Account Management (SAM) system.
Interregional Transaction
A Transaction that originates via a Terminal located in a different Region from the Region in
which the Card was issued. In the Europe Region, the term “Interregional Transaction”
includes any “Inter-European Transaction,” as such term is defined in the “Europe Region”
chapter of the MasterCard Rules.

Definitions
Intracountry Transaction
Intracountry Transaction
A Transaction that originates via a Terminal located in the same country as the country in
which the Card was issued. A Transaction conducted with a Card bearing one or more of the
Brand Marks, either alone or in combination with the marks of another payment scheme, and
processed as a Transaction, as shown by the Card type identification in the Transaction record,
via either the Interchange System or a different network, qualifies as an Intracountry
Transaction. “Domestic Transaction” is an alternative term for Intracountry Transaction.
Intraregional Transaction
A Transaction that occurs at a Terminal located in a different country from the country in
which the Card was issued, within the same Region. In the Europe Region, this term is
replaced by “Intra-European Transaction,” as such term is defined in the “Europe Region”
chapter of the MasterCard Rules.
Issuer
A Customer in its capacity as an issuer of a Card or Account.
Licensee
A Customer or other person authorized in writing by the Corporation to use one or more of
the Marks.
License, Licensed
The contract between the Corporation and a Customer granting the Customer the right to
use one or more of the Marks in accordance with the Standards. To be “Licensed” means to
have such a right pursuant to a License.
Maestro
Maestro International Incorporated, a Delaware U.S.A. corporation or any successor thereto.
Maestro Acceptance Mark

A Mark consisting of the Maestro Brand Mark placed on the dark blue acceptance rectangle,
as available at www.mastercardbrandcenter.com.

Definitions
Maestro Access Device
Maestro Access Device

An Access Device that uses at least one Maestro Payment Application to provide access to a
Maestro Account when used at a Terminal.
Maestro Account
An account eligible to be a Maestro Account, as set forth in Rule 6.1.2.1 of the MasterCard
Rules manual, and identified with a BIN/IIN associated with a Portfolio designated by the
Corporation as a Maestro Portfolio in its routing tables.
Maestro Brand Mark

A Mark consisting of the Maestro Word Mark as a custom lettering legend placed within the
Corporation’s interlocking circles device. The Corporation is the exclusive owner of the
Maestro Brand Mark.
Maestro Card
A Card that provides access to a Maestro Account.
Maestro Customer
A Customer that has been granted a Maestro License in accordance with the Standards.
Maestro Payment Application

A Payment Application that stores Maestro Account data.
Maestro Word Mark

A Mark consisting of the word “Maestro” followed by a registered trademark ® or ™ symbol
(depending on its trademark status in a particular country) or the local law equivalent.
“Maestro” must appear in English and be spelled correctly, with the letter “M” capitalized.
“Maestro” must not be abbreviated, hyphenated, used in the plural or possessive, or
translated from English into another language. Maestro is the exclusive owner of the Maestro
Word Mark.

Definitions
Magnetic Stripe Mode Contactless Transaction
Magnetic Stripe Mode Contactless Transaction

A Contactless Transaction in which the Terminal receives static and dynamic data from the
chip and constructs messages that can be transported in a standard magnetic stripe message
format, in compliance with the Standards.
Manual Cash Disbursement Transaction

A disbursement of cash performed upon the acceptance of a MasterCard Card or, at a PIN-
based In-Branch Terminal, a Maestro or Cirrus Card by a Customer financial institution teller. A
Manual Cash Disbursement Transaction is identified with MCC 6010 (Manual Cash
Disbursements—Customer Financial Institution).
Marks
The names, logos, trade names, logotypes, trademarks, service marks, trade designations, and
other designations, symbols, and marks that the Corporation owns, manages, licenses, or
otherwise Controls and makes available for use by Customers and other authorized entities in
accordance with a License. A “Mark” means any one of the Marks.
MasterCard
MasterCard International Incorporated, a Delaware U.S.A. corporation.
MasterCard Acceptance Mark

A Mark consisting of the MasterCard Brand Mark placed on the dark blue acceptance
rectangle, as available at www.mastercardbrandcenter.com.
MasterCard Access Device

An Access Device that uses at least one MasterCard Payment Application to provide access to
a MasterCard Account when used at a Terminal.
MasterCard Account
Any type of account (credit, debit, prepaid, commercial, etc.) identified as a MasterCard
Account with a primary account number (PAN) that begins with a BIN in the range of 510000
to 559999.

Definitions
MasterCard-branded Application Identifier (AID)
MasterCard-branded Application Identifier (AID)

Any of the Corporation’s EMV chip application identifiers for MasterCard, Maestro, and Cirrus
Payment Applications as defined in the M/Chip Requirements manual.
MasterCard Brand Mark

A Mark consisting of the MasterCard Word Mark as a custom lettering legend placed within
the MasterCard Interlocking Circles Device. The Corporation is the exclusive owner of the
MasterCard Brand Mark.
MasterCard Card
A Card that provides access to a MasterCard Account.
MasterCard Cloud-Based Payments

A specification that facilitates the provisioning of Digitized Account data into a Host Card
Emulation (HCE) server and the use of the remotely stored Digitized Account data, along with
single-use payment credentials, in Transactions effected by a Cardholder using a Mobile
Payment Device. The MasterCard Digital Enablement Service offers MasterCard Cloud-Based
Payments as an on-behalf service.
MasterCard Customer
A Customer that has been granted a MasterCard License in accordance with the Standards.
Also see Member.
MasterCard Digital Enablement Service

Any of the services offered by the Corporation exclusively to Customers for the digital
enablement of Account data, including but not limited to ID&V Service, Tokenization Service,
Digitization Service, Token Mapping Service, MasterCard Cloud-Based Payments, Digital Card
Image Database, CVC 3 pre-validation and other on-behalf cryptographic validation services,
and Service Requests.
MasterCard Europe
MasterCard Europe sprl, a Belgian private limited liability (company).

Definitions
MasterCard Incorporated
MasterCard Incorporated
MasterCard Incorporated, a Delaware U.S.A. corporation.
MasterCard Payment Application

A Payment Application that stores MasterCard Account data.
MasterCard Token
A Token allocated from a MasterCard Token Account Range that the Corporation has
designated to an Issuer and that corresponds to an Account PAN for which the Issuer’s
Cardholder has requested Digitization. The Corporation exclusively owns all right, title and
interest in any MasterCard Token.
MasterCard Token Account Range

A Bank Identification Number (BIN) or portion of a BIN (“BIN range”) designated by the
Corporation to an Issuer for the allocation of MasterCard Tokens in a particular Token
Implementation. A MasterCard Token Account Range must be designated from a BIN reserved
for the Corporation by the ISO Registration Authority and for which the Corporation is
therefore the “BIN Controller,” as such term is defined in the EMV Payment Tokenization
Specification Technical Framework (also see the term “Token BIN Range” in that document). A
MasterCard Token Account Range is identified in the Corporation’s routing tables as having
the same attributes as the corresponding Account PAN Range.
MasterCard Word Mark

A Mark consisting of the word “MasterCard” followed by a registered trademark ® symbol or
the local law equivalent. “MasterCard” must appear in English and be spelled correctly, with
the letters “M” and “C” capitalized. “MasterCard” must not be abbreviated, hyphenated,
used in the plural or possessive, or translated from English into another language. The
Corporation is the exclusive owner of the MasterCard Word Mark.
Member, Membership
A financial institution or other entity that is approved to be a MasterCard Customer in
accordance with the Standards and which, as a MasterCard Customer, has been granted

Definitions
Merchandise Transaction
membership (“Membership”) in and has become a member (“Member”) of the Corporation.

“Membership” also means “Participation”.
Merchandise Transaction
The purchase by a Cardholder of merchandise or a service, but not currency, in an approved
category at an ATM Terminal and dispensed or otherwise provided by such ATM Terminal. A
Merchandise Transaction is identified with MCC 6012 (Merchandise and Services—Customer
Financial Institution), unless otherwise specified.
Merchant
A retailer, or any other person, firm or corporation that, pursuant to a Merchant Agreement,
agrees to accept Cards when properly presented.
Merchant Agreement
An agreement between a Merchant and a Customer that sets forth the terms pursuant to
which the Merchant is authorized to accept Cards.
Mobile Payment Device

A Cardholder-controlled mobile phone containing a Payment Application compliant with the
Standards, and which uses an integrated keyboard and screen to access an Account. A Mobile
Payment Device is a type of Contactless Payment Device.
Mobile POS (MPOS) Terminal

An MPOS Terminal enables a mobile device to be used as a POS Terminal. Card “reading” and
software functionality that meets the Corporation’s requirements may reside within the mobile
device, on a server accessed by the mobile device, or in a separate accessory connected (such
as via Bluetooth or a USB port) to the mobile device. The mobile device may be any multi-
purpose mobile computing platform, including, by way of example and not limitation, a
feature phone, smart phone, tablet, or personal digital assistant (PDA).
Multi-Account Chip Card

A Chip Card with more than one Account encoded in the chip.

Definitions
On-Device Cardholder Verification
On-Device Cardholder Verification

A CVM whereby the Cardholder’s mobile-specific credentials for accessing an Account (for
example, a numeric passcode) are verified by means of an application on the Cardholder’s
Mobile Payment Device.
Ownership, Owned
As used herein, ownership has such meaning as the Corporation deems appropriate in its sole
discretion given the context of the usage of the term in all facts and circumstances the
Corporation deems appropriate to consider. As a general guideline, ownership often means to
own indirectly, legally, or beneficially more than fifty percent (50%) of an entity.
Participation
The right to participate in Activity, Digital Activity, or both granted to a Customer by the
Corporation. For a MasterCard Customer, Participation is an alternative term for Membership.
Pass-through Digital Wallet

Functionality by which the Pass-through Digital Wallet Operator stores MasterCard or Maestro
Account data provided by the Cardholder to the DWO for purposes of effecting a payment
initiated by the Cardholder to a Merchant or Submerchant, and upon the performance of a
Transaction, transfers the Account data to the Merchant or Submerchant or to its Acquirer or
the Acquirer’s Service Provider.
Pass-through Digital Wallet Operator (DWO)

The operator of a Pass-through Digital Wallet.
Payment Application
The magnetic stripe or M/Chip functionality that stores Account data on or in a Card or
Contactless Payment Device and enables the reading and/or transmission of such data to a
Terminal via a contact or contactless interface to effect a Transaction, in accordance with the
Standards. A MasterCard Payment Application, Maestro Payment Application, and Cirrus
Payment Application is each a Payment Application.

Definitions
Payment Facilitator
Payment Facilitator
A Service Provider registered by an Acquirer to facilitate the acquiring of Transactions by the
Acquirer from Submerchants, and which in doing so, performs any one or more of the services
described in Rule 7.1 of the MasterCard Rules manual as PF Program Service.
PIN-based In-Branch Terminal

An attended device, located on the premises of a Customer or other financial institution
designated as its authorized agent by the Corporation, that facilitates a cash withdrawal
Transaction by a Cardholder.
Point of Interaction (POI)

The location at which a Transaction occurs, as determined by the Corporation.
Point-of-Sale (POS) Terminal

An attended or unattended device located in or at a Merchant’s premises that enables a
Cardholder to effect a Transaction for the purchase of products or services sold by such
Merchant with a Card and/or Contactless Payment Device, in accordance with the POS
Terminal security and other applicable Standards.
Portfolio
All Cards issued bearing the same major industry identifier, BIN/IIN, and any additional digits
that uniquely identify Cards for routing purposes.
Point–of–Sale (POS) Transaction

The sale of products or services by a Merchant to a Cardholder pursuant to acceptance of a
Card by the Merchant. A POS Transaction may be a Card-present Transaction taking place in a
face-to-face environment or at an unattended POS Terminal, or a Card-not-present
Transaction taking place in a non-face-to-face environment (for example, an e-commerce, mail
order, phone order, or recurring payment Transaction).

Definitions
Principal Customer, Principal
Principal Customer, Principal

A Customer that participates directly in Activity using its assigned BINs/IINs and which may
Sponsor one or more Affiliates.
Processed Transaction
A Transaction for which:
• Either (i) the Issuer or its agent approved the Acquirer's request to complete the Transaction
("authorization") by means of the Interchange System, or (ii) online authorization was not
required in accordance with the Standards (for example, a Chip Transaction occurred that
was less than or equal to the applicable chip floor limit and both the Terminal and the chip
approved an offline authorization); and
• The Acquirer used the Interchange System to submit the Transaction record data to the
Issuer ("clearing") for the purpose of a transfer of funds ("settlement") via the Interchange
System.
Program
A Customer’s Card issuing program, Merchant acquiring program, ATM Terminal acquiring
program, Digital Activity program, or all.
Program Service
Any service described in Rule 7.1 of the MasterCard Rules manual or elsewhere in the
Standards that directly or indirectly supports a Program and regardless of whether the entity
providing the service is registered as a Service Provider of one or more Customers. The
Corporation has the sole right to determine whether a service is a Program Service.
Region
A geographic region as defined by the Corporation from time to time. See Appendix A of the
Remote Transaction
A non–face-to-face POS Transaction performed partially or wholly by means of electronic
communication, such as via phone order, the Internet, text messaging, facsimile, or the like.

Definitions
Rules
Rules
The Standards set forth in this manual.
Service Provider
A person that performs Program Service. The Corporation has the sole right to determine
whether a person is or may be a Service Provider and if so, the category of Service Provider. A
Service Provider is an agent of the Customer that receives or otherwise benefits from Program
Service, whether directly or indirectly, performed by such Service Provider.
Service Provider Registration Facilitator

A Service Provider that performs Service Provider identification and registration services.
Settlement Obligation
A financial obligation of a Principal or Association Customer to another Principal or
Association Customer arising from a Transaction.
Shared Deposit Transaction

A deposit to a savings Account or checking Account conducted at an ATM Terminal located in
the U.S. Region, initiated with a Card issued by a U.S. Region Customer other than the
Acquirer, and processed through the MasterCard ATM Network.
Solicitation, Solicit
An application, advertisement, promotion, marketing communication, or the like intended to
solicit the enrollment of a person as a Cardholder or as a Merchant. To “Solicit” means to use
a Solicitation.
Special Issuer Program

Issuer Activity the Corporation deems may be undertaken only with the express prior consent
of the Corporation. As of the date of the publication of these Rules, Special Issuer Programs
include Affinity Card Programs, Co-Brand Card Programs, and Prepaid Card Program, and
with respect to MasterCard Activity only, Brand Value Transaction and proprietary account,
Remote Transaction MasterCard Account, and secured MasterCard Card Programs.

Definitions
Sponsor, Sponsorship
Sponsor, Sponsorship
The relationship described in the Standards between a Principal or Association and an Affiliate
that engages in Activity indirectly through the Principal or Association. In such event, the
Principal or Association is the Sponsor of the Affiliate and the Affiliate is Sponsored by the
Principal or Association. “Sponsorship” means the Sponsoring of a Customer.
Staged Digital Wallet

Functionality by which the Staged Digital Wallet Operator effects a two-stage payment to a
retailer to complete a purchase initiated by a consumer, as follows:
• Payment stage—In the payment stage, the Staged DWO pays the retailer by means of:
– A transaction conducted using MasterCard or Maestro Account or other account data
assigned to the consumer by the DWO or by an issuer, acting for or on behalf of the
DWO (herein, a “consumer-assigned payment account”); or
– A funds transfer to an account held by the Staged DWO for or on behalf of the retailer.
• Funding stage—In the funding stage, the Staged DWO uses MasterCard or Maestro
Account or other account data provided to the Staged DWO by the consumer (herein, the
“funding account”) to perform a transaction that funds or reimburses the Staged Digital
Wallet.
Neither the retailer nor, if the retailer is a Merchant, its Acquirer or the Acquirer’s Service
Provider receives MasterCard or Maestro Account data and other information identifying the
network brand and payment card issuer for the funding account.
Staged Digital Wallet Operator (DWO)

The operator of a Staged Digital Wallet.
Standards
The organizational documents, operating rules, regulations, policies, and procedures of the
Corporation, including but not limited to any manuals, guides or bulletins, as may be
amended from time to time.
Stand-In Parameters
A set of authorization requirements established by the Corporation or the Issuer that are
accessed by the Interchange System using the Stand-In Processing Service to determine the
appropriate responses to authorization requests.

Definitions
Stand-In Processing Service
Stand-In Processing Service

A service offered by the Corporation in which the Interchange System authorizes or declines
Transactions on behalf of and uses Stand-In Parameters provided by the Issuer (or in some
cases, by the Corporation). The Stand-In Processing Service responds only when the Issuer is
unavailable, the Transaction cannot be delivered to the Issuer, or the Issuer exceeds the
response time parameters set by the Corporation.
Sub-licensee
A person authorized in writing to use a Mark either by a Licensee in accordance with the
Standards or by the Corporation.
Submerchant
A merchant that, pursuant to an agreement with a Payment Facilitator, is authorized to accept
Cards when properly presented.
Submerchant Agreement
An agreement between a Submerchant and a Payment Facilitator that sets forth the terms
pursuant to which the Submerchant is authorized to accept Cards.
Terminal
Any attended or unattended device that meets the Corporation requirements for the
electronic capture and exchange of Card data and that permits a Cardholder to effect a
Transaction in accordance with the Standards. An ATM Terminal, PIN-based In-Branch
Terminal, and POS Terminal is each a type of Terminal.
Third Party Processor (TPP)

MasterCard Rules manual as TPP Program Service.

Definitions
Token
Token
A numeric value that (i) is a surrogate for the primary account number (PAN) used by a
payment card issuer to identify a payment card account; (ii) is issued in compliance with the
EMV Payment Tokenization Specification Technical Framework; and (iii) passes the basic
validation rules for a PAN, including the Luhn Formula for Computing Modulus 10 Check
Digit. Also see MasterCard Token.
Tokenization, Tokenize
The process by which a MasterCard Token replaces an Account PAN.
Token Requestor
An entity that requests the replacement of Account PANs with MasterCard Tokens. See Wallet
Token Requestor.
Transaction
A financial transaction arising from the proper acceptance of a Card or Account at a Card
acceptance location and identified in messages with a Card Program identifier.
Volume
The aggregate financial value of a group of Transactions. “Volume” does not mean the
number of Transactions.
Wallet Provider
See Wallet Token Requestor.
Wallet Token Requestor

A DWO that, upon the request of a Cardholder for Digitization, including Tokenization, of an
Account PAN, invokes Identification & Verification (ID&V) and Device Binding; also called a
“Wallet Provider”. A Wallet Token Requestor is a type of Token Requestor.

Definitions
Word Mark
Word Mark
A Mark consisting of the name of one of the Corporation’s brands followed by a registered
trademark ® or ™ symbol (depending on its trademark status in a particular country) or the
local law equivalent. See Cirrus Word Mark, Maestro Word Mark, MasterCard Word Mark.

Notices
Notices
Proprietary Rights
The information contained in this document is proprietary and confidential to MasterCard International
Incorporated, one or more of its affiliated entities (collectively “MasterCard”), or both.
This material may not be duplicated, published, or disclosed, in whole or in part, without the prior written
permission of MasterCard.
Trademarks
Trademark notices and symbols used in this document reflect the registration status of MasterCard
trademarks in the United States. Please consult with the Customer Operations Services team or the
MasterCard Law Department for the registration status of particular product, program, or service names
outside the United States.
All third-party product and service names are trademarks or registered trademarks of their respective
owners.
Disclaimer
MasterCard makes no representations or warranties of any kind, express or implied, with respect to the
contents of this document. Without limitation, MasterCard specifically disclaims all representations and
warranties with respect to this document and any intellectual property rights subsisting therein or any part
thereof, including but not limited to any and all implied warranties of title, non-infringement, or suitability
for any purpose (whether or not MasterCard has been advised, has reason to know, or is otherwise in fact
aware of any information) or achievement of any particular result. Without limitation, MasterCard
specifically disclaims all representations and warranties that any practice or implementation of this
document will not infringe any third party patents, copyrights, trade secrets or other rights.
Translation
A translation of any MasterCard manual, bulletin, release, or other MasterCard document into a language
other than English is intended solely as a convenience to MasterCard customers. MasterCard provides any
translated document to its customers “AS IS” and makes no representations or warranties of any kind with
respect to the translated document, including, but not limited to, its accuracy or reliability. In no event shall
MasterCard be liable for any damages resulting from reliance on any translated document. The English
version of any MasterCard document will take precedence over any translated version in any legal
proceeding.
Information Available Online
MasterCard provides details about the standards used for this document—including times expressed,
language use, and contact information—on the Publications Support page available on MasterCard
Connect™. Go to Publications Support for centralized information.

Security Rules and Procedures • 30 July 2015 SP

Security Rules and Procedures 30 July 2015

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Security Rules and Procedures 30 July 2015

Uploaded by

Copyright:

Available Formats

Security Rules and

Summary of Changes, 30 July 2015

Description of Change Where to Look

Updated definitions of the following terms: Interregional Transaction; Appendix F

NOTE: The changes to Appendix F (Definitions) cannot be located

Clarified the CVC 2 value verification requirements for Issuers. 3.9.2

Clarified the CVC 2 value provision requirements for Acquirers. 3.9.4

Added section 6.2.1.4—Product Portfolio Management. 6.2.1.4

Added section 6.2.1.6—Additional Prepaid Monitoring Requirements. 6.2.1.6

Added section 6.2.1.7—Fraud Detection Tool Implementation. 6.2.1.7

Added section 6.2.1.8—Cardholder Communication Strategy. 6.2.1.8

Clarified the Merchant deposit monitoring parameters for Acquirers. 6.2.2.2

Updated the recommended additional monitoring parameters for 6.2.2.3

©1991–2015 MasterCard. Proprietary. All rights reserved.

Description of Change Where to Look

Updated references from website monitoring to Merchant monitoring. 6.2.2.3

Added MATCH compliance requirements for Acquirers. 7.1.2

NOTE: The MATCH compliance requirements added to section 7.1.2

Removed MCC 9754 from the types of non-face-to-face gambling 9.1

Updated applicable references from MasterCard POS Transaction to Chapter 10

Updated applicable references from Maestro POS Transaction to Maestro Chapter 10

Updated the ADC FR determination process. 10.2.5.5

Added references of fraudulent inter-European Maestro POS Transactions 12.2

Added section 12.8—Digital Goods Transactions. 12.8

©1991–2015 MasterCard. Proprietary. All rights reserved.

Description of Change Where to Look

Removed section 13.1.1.1—Merchant Risk Review Offering. 13.1.1.1 (deleted)

©1991–2015 MasterCard. Proprietary. All rights reserved.

Summary of Changes, 30 July 2015....................................................................2

Chapter 1: Customer Obligations...................................................................... 13

Chapter 2: Card Production Standards............................................................15

Chapter 3: Card and TID Design Standards.................................................. 21

©1991–2015 MasterCard. Proprietary. All rights reserved.

3.9.3 Issuer Requirements for CVC 3........................................................................... 32

Chapter 4: Terminal and PIN Security Standards....................................... 40

Chapter 5: Card Recovery and Return Standards...................................... 50

©1991–2015 MasterCard. Proprietary. All rights reserved.

5.2.2 Providing a Progress Report................................................................................ 57

Chapter 6: Fraud Loss Control Standards...................................................... 59

Chapter 7: Merchant, Submerchant, and ATM Owner Screening

Chapter 8: MasterCard Fraud Control Programs........................................ 82

©1991–2015 MasterCard. Proprietary. All rights reserved.

8.2 Global Merchant Audit Program.................................................................................86

Chapter 9: MasterCard Registration Program........................................... 106

©1991–2015 MasterCard. Proprietary. All rights reserved.

Chapter 10: Account Data Protection Standards and Programs...... 115

Chapter 11: MATCH System................................................................................144

©1991–2015 MasterCard. Proprietary. All rights reserved.

Chapter 12: System to Avoid Fraud Effectively (SAFE) Reporting

Chapter 13: Global Risk Management Program....................................... 164

Appendix A: Track Data Content and Format........................................... 171

©1991–2015 MasterCard. Proprietary. All rights reserved.

A.2 Track 2 Data Content and Format............................................................................ 174

Appendix B: Formset Specifications...............................................................178

Appendix C: Contact Information................................................................... 184

Appendix D: Best Practices Guides................................................................. 190

Appendix E: Card Production Services.......................................................... 193

©1991–2015 MasterCard. Proprietary. All rights reserved.

©1991–2015 MasterCard. Proprietary. All rights reserved.

Chapter 1 Customer Obligations

1.1 Compliance with the Standards.............................................................................................. 14

©1991–2015 MasterCard. Proprietary. All rights reserved.

1.1 Compliance with the Standards

Section Number Section Title Category