This article was originally published by NAFCU.
Small-dollar (< $50), high-volume fraudulent transactions are on the rise. More and more, small-dollar fraud can be traced back to PINless transactions. Either the merchant does not require the PIN for small-dollar transactions or the transaction is made in a remote environment.
With card not present (CNP) transactions now making up 33% of all plastic card transactions, ecommerce merchants want a seat at the payment rails table. The rise in digital transactions led to Regulation II including card not present transactions, allowing ecommerce merchants to route the transaction down their network of choice and impact the interchange fee the ecommerce merchant will receive.
What is Regulation II?
Regulation II initially went into effect in 2011 to establish two unaffiliated network choices along with interchange fees for debit card present transactions. A Reg II amendment is going into effect in July 2023 that will impact card not present debit transactions. Card not present transactions include all remote transactions where the card wasn’t swiped, tapped, or inserted. By nature, these transactions are performed online and there is no option to enter a PIN in a remote environment.
Who is impacted by Reg II?
All financial institutions that issue debit cards must adhere to Reg II for CNP transactions by offering at least two unaffiliated networks for routing of the transaction. Because of the limited security measures in place, cardholders may be impacted by an increase in fraudulent transactions.
What are the new Reg II rules?
Under the previous 2011 Reg II rule, all debit card issuers were required to have at least two unaffiliated networks for card present debit transactions. Now all card not present transactions must adhere to the enhanced Reg II rule. An unaffiliated network is a payment system other than Visa or MasterCard (e.g., STAR, Pulse, NYCE).
Are there any fraud concerns involving Reg II?
Yes. There are concerns that an increase in unaffiliated networks will cause a spike in fraud. When a transaction is PINless (which constitutes a CNP transaction), the ecommerce merchant decides which network to use. In the absence of a PIN, the transaction is routed down the debit PIN rails for authorization. The online merchant will use the least expensive routing, which may translate to less protection for your financial institution and accountholder.
Another concern is that certain network rules may prevent your financial institution from having dispute or chargeback rights. This can become very costly for your institution when multiple fraudulent transactions are involved.
How can my financial institution stay protected AND compliant?
FIs need to be aware of the impending requirement to have two unaffiliated networks in place for CNP transactions and prepare for the implementation of Reg II for card not present transactions.
- Have at least two unaffiliated networks in place. The Federal Reserve Board believes that this rule will “encourage competition between networks and incentivize them to improve their fraud-prevention capabilities.” All financial institutions must have two unaffiliated payment networks to remain compliant.
- Review your network agreements. Payment network agreements may have been signed years ago so it’s important to make sure your networks are providing…