Visa Rules for Enhanced Risk Performance—What You Should Know

The year 2021 will bring new rules for fraud prevention introduced by Visa. Here’s what you should know and how it can impact your online business.

The new rules are intended to improve your payment performance by reducing fraudulent activity and creating more transparency, hence to remove confusion from processing payments.

The main changes include the following issues:

From 16 April 2021 existing decline codes will be regrouped into 4 categories, so issuers will be required to provide accurate decline reasons. The change results in extra fees for merchants who reattempt to authorize a transaction after receiving a certain reason for decline.

The main reason for introducing the 4 categories is minimizing confusion and creating more clarity in the payment process. This is because when issuers send generic decline reasons that are hard for merchants to understand, merchants reattempt to send the same transaction which leads to increased costs—and confused customers.

Below are decline reasons grouped into the categories to shine more light on whether reattempts are allowed, how many of them are allowed, and for how long merchants can reattempt.

This category includes transactions with blocked or never existing cards, so there is no circumstance under which the issuer will approve the transaction.

Be ready for fees charged for any reattempt to authorize a transaction under category 1 from 1 October 2021. The decline codes in this category are:

Requirements for issuers in this category relate to transactions that may be approved, but not at the moment due to a system issue or insufficient funds on the cardholder’s account. So the decline is temporary and may change after reattempts.

Note that for any attempt over 15 transaction reattempts per card in 30 days that received a category-2 decline there will be a fee from 1 April 2021. Below are the decline codes in category 2:

Category 3 is for when the issuer cannot approve the transaction based on the provided details, such as an expired card or an incorrect CVV2.

For any attempt over 15 reattempts per card in 30 days and for any attempt to authorize a transaction after receiving 25,000 category-3 declines in 30 days per merchant a fee will be charged as of 1 April 2021. Reattempts are not permitted for code 14 – Invalid account number.

Here are the decline codes in category 3:

This category includes all other decline response codes, so it should be used for transactions where no other value applies. A fee will be charged from 1 April 2021 for attempting to authorize more than 15 transaction reattempts per card in 30 days.

The new decline code grouping rules are especially important for merchants offering recurring transactions, as the nature of such payments comes with more authorization reattempts.

If a merchant doesn’t comply with the limits mentioned above, the following fees will apply. For domestic and intraregional transactions Visa will charge 0.10 USD from 1 April 2021, and 0.15 USD for international transactions (valid from 1 October 2021). The fees will be charged from the first transaction exceeding the limits.

That’s why you need to update your system to comply with these limits.

Another thing included in the new rules introduced by Visa is the consistency of authorization effective from 1 October 2021. The main purpose of this program is to enhance the effectiveness of transactions’ authorization run by issuers. Visa defined guidelines for maintaining consistency of data and decreasing the number of resubmitting authorization requests with changed data elements usually practiced by merchants to improve success rates.

Following the new rules, from 1 October 2021 Visa will apply a fee if you reattempt a declined authorization with changed data fields. The data fields that cannot be changed include the merchant’s country, AVS, and electronic commerce indicator (ECI) as part of your 3D Secure process.

Why is that important? One of the main reasons is that amending data fields, even if effective in some cases, is often a waste of time and resources for every party involved in the process. A non-compliance fee will also apply to transactions that were a result of fraud attacks or mislaying.

Visa’s internal research has revealed that this lack of consistent decline reason code grouping opens new opportunities for fraudsters. As they’ve noticed an increasing trend of cardholders raising fraud chargebacks for legitimate purchases (read more about friendly fraud here), Visa introduced guidelines for preventing and managing fraud.

First party fraud is difficult for merchants to control and comes with extra costs for both issuers and merchants. Here’s how you can control such an issue to limit suspicious activity:

• Control how your customers use the card on file:

• Prevent future fraud attempts:

• Include contact information on the transaction details in the merchant location field so that your customers can easily request refunds directly from you rather than issuing a dispute. If you don’t provide such information, penalties for non-compliance will apply.

The good news is that the new rules don’t require any technical changes on your end, as we’ll take care of them on your behalf so that they don’t affect your transaction processing.

You can (and should) also take extra steps to protect your business from online fraud and to reduce decline rates by working with a reliable payment processor that delivers proven fraud prevention tools.

Fraud detection requires a comprehensive approach to analyzed data, so a multilevel strategy is what you should aim for. A single tool is not enough to defend your business. Ask your payment processor whether it provides a versatile mix of features to collect and analyze the data so that you can rest assured that your business is in good hands.

If you have any questions, please contact our support team always available to address them.