PCI DSS and Regulatory Compliance Blog

Visa Account Data Compromise Recovery Process (ADCR)

January 6th, 2007 Posted in Card Brands, Credit Card Fraud, Merchant

money.jpgVisa USA has a new process for issuers to address “disputes related to account compromises that have been linked to subsequent magnetic stripe-read counterfeit fraud.” The Account Data Compromise Recovery Process (ADCR) went into effect in October of 2006.

It works like this:

Once a merchant notifies their acquirer of an account compromise, the acquirer sends the stolen account numbers directly to CAMS [Compromised Account Management System]

CAMS works as follows:

  • When a merchant becomes aware of a breach, he notifies the acquirer immediately.
  • The acquirer then uploads the compromised data to the CAMS system at Visa.
  • Visa investigates the matter. If Visa determines a compromise has occurred, it sends an electronic message to all affected issuance banks, alerting them that certain cards have been compromised.
  • The issuers immediately block, terminate or monitor the accounts affected.

It is up to Visa to determine if the validated account compromise meets ADCR criteria. If it does, Visa calculates and advises the acquirer of its potential ADCR financial liability, which includes a percentage of magnetic stripe-read counterfeit fraud and partial operating expense liability amounts. The magnetic stripe-read counterfeit fraud estimate is based on the magnetic stripe-read counterfeit fraud that has been reported at the time of the notice and includes an estimation of fraud that is projected to occur prior to the end of the event window, but has yet to be fraud reported. An event window is a 13-month time period that can be up to 12 months prior to and one month past the CAMS event date.

An acquirer has 30 days to appeal the preliminary decision and provide documents to Visa for consideration. If Visa confirms the event still meets ADCR criteria at the end of the issuer fraud-reporting window, which ends 90 days after the end of the 13th month, Visa calculates the actual acquirer magnetic stripe-read counterfeit fraud and operating expense liability amounts due each participating issuer impacted by the compromise.

Sound complicated yet? Check out the Visa ADCR site here and read their report on What Every Merchant Should Know About the New Account Data Compromise Recovery Process [PDF]. Then read the Green Sheet article Visa U.S.A. to speed fraud recovery for financial institutions.

Still confused? The ADCR program will put in place certain parameters for issuer recovery of compromise costs. The program is limited to those compromises involving track data and over 10,000 unique card numbers. The program will only be triggered (at Visa’s discretion) if track-data flaud is identified and reported to an acquirer through to Visa’s CAMS process.

How does this affect the merchant? If the merchant falls within the ADCR criteria the issuer can file for compensation from the merchant. If the merchant does not meet the ADCR criteria then issuer cost recovery follow the historical process (and could take up to 32 months).

Within ADCR the issuer application for recovery of costs is limited to the 12 months before and one month after the issuance of the CAMS alert. This sounds more merchant friendly in that it limits the merchant’s exposure to a 13 month window.

Many credit card hackers will compromise the data and wait between 12-18 months to commit fraud. If track data fraud occurs outside the 13 month window the issuer would not be able to recover costs under the ADCR program.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

  1. 4 Trackback(s)

  2. Mar 18, 2007: Will ROI of Security Ever Stop? at PCI Compliance Demystified
  3. Mar 18, 2007: What is my liability in credit card fraud? at PCI Compliance Demystified
  4. Apr 12, 2007: Should I disclose a credit card compromise? at PCI Compliance Demystified
  5. Jun 8, 2007: PCI Law at PCI Compliance Demystified

Post a Comment