You are here
MasterCard Inc. and Visa USA Inc. are clamping down on merchants that break rules aimed at protecting card transactions from fraudsters.
In recent weeks, MasterCard has imposed fines on merchants that haven't met its requirements to keep transactions secure, and starting Saturday, Visa will take aim at the nation's largest merchants with fines that start at $10,000 a month and can rise to $100,000 a month, the Wall Street Journal reported.
The fines are the latest effort by the credit- and debit-card industry to reduce financial exposure -- and bad publicity -- from a round of high-profile security breaches. Cardholders normally aren't responsible for unauthorized purchases, but merchants and banks involved with fraudulent transactions -- both at stores and online -- can find themselves on the hook, the newspaper said.
Visa and MasterCard don't fine the merchants directly. Rather, they levy fines against those that process the transactions on behalf of the merchants. Those entities then commonly pass on the fines to their merchant customers. In addition to assessing penalties for failing to comply with the rules, Visa and MasterCard also issue separate fines if a noncompliant merchant has a security breach, according to the report.
Neither Visa nor MasterCard would identify to the Wall Street Journal merchants that are violating the rules. But because Visa is honing in on the biggest merchants -- those that ring up more than six million transactions a year -- the newspaper said they likely include some household names. Visa counts 334 merchants in this category; as of Friday, 20 of them were in violation and could face fines if they don't comply by the end of the month, according to the card association. These big merchants represent nearly 50 percent of transactions each year.
Visa and MasterCard, which operate the massive card networks, have established comprehensive security rules for banks, merchants and other entities that store, process or transmit cardholder data. Among the rules: Merchants aren't permitted to store data that is contained on a card's magnetic stripe; they must take precautions with people who have access to computer systems; and they must restrict access to cardholder information.
MasterCard declined to discuss the amount of fines that have been levied, but indicated that the decision to impose financial penalties is taken as a last resort. "We are not levying fines for non-compliance. We are levying them for non-cooperation," Chris Thom, chief risk officer for the card network, told the Wall Street Journal.
Although MasterCard has been issuing fines for more than a year, several industry members said that the levies seem to have accelerated recently and a series have been handed down this month. They estimate that fines have ranged between $5,000 and $15,000. MasterCard declined to comment.
"Visa and MasterCard are paying a lot more attention to this and they should be," said Robert Carr, chief executive of Heartland Payment Systems Inc., a company that processes transactions on behalf of small- and medium-size merchants.
The security rules are particularly daunting for small merchants, who might not be sophisticated with security issues or don't want to spend the money necessary for crucial upgrades to their computer systems. For now, Visa is concentrating its efforts on levying fines for non-compliance by the largest merchants. It expects to tackle the issue as it relates to some smaller merchants beginning next year, the newspaper said.
According to the Wall Street Journal, security has become a top issue in the card industry amid mounting concerns about identity theft. Earlier this year, Citigroup Inc., the nation's largest bank as measured by market value and assets, reissued thousands of MasterCard-branded debit and credit cards after it flagged several hundred fraudulent cash withdrawals at automated teller machines in Britain, Russia and Canada.
Last year some 40 million cards became vulnerable to possible fraud when CardSystems Solutions Inc., a small company that processed transactions for merchants, acknowledged that it had stored customer data in violation of card-industry rules. Retailers also have reported data breaches.
A breach also was reported at one of the Visa's on-site cafeterias last year when someone hacked into the server of the vendor that managed the facility. It was determined that the vendor wasn't complying with Visa's rules.