MRC Advocacy: Voice of the Merchant



Advocacy is of tremendous importance to MRC merchant members as the payments industry becomes more regulated than ever before. The MRC's advocacy work is focused on several key areas, one of them being a strong collaboration with the card networks, enabling us to get advanced notifications about new mandates and providing the merchant voice regarding changes before they come into effect.


MRC Advocacy -- Card Networks

The MRC has established relationships with each of the major card networks: Visa, Mastercard, American Express, and Discover. We are advocating for the voice of the merchant to be heard before rule changes are enacted, raising visibility on challenges merchants face today, and collaboratively working towards solutions.

MRC Advocacy -- SCA/EMV 3DS

Regulation calls for SCA requirements to be in place. Implementation was enforced beginning December 31, 2020. The MRC has advocated to EU regulators (18) to move the enforcement date, by country, based on reports of industry readiness, or lack thereof. Our merchant community, led by Microsoft and Amazon, has published SCA readiness dashboards by country. Through this initiative, we created a deadline dashboard by country and a Slack channel for merchants and issuers to discuss challenges.


MRC Advocacy -- Friendly Fraud/First Party Misuse

The MRC is working to address First-Party Misuse or Hostile Friendly Fraud. This problem represents up to 80% of all fraud for many of our merchant members, and the current economics in the ecosystem do not support a solution. Working with our related Committee, the MRC has defined the problem, reviewed compelling evidence required to address it, and is now building a strategy to visit with standards bodies to advocate for change.

Merchants and other industry stakeholders are asked to report data based on their own analysis, to strengthen our ability to advocate for sensible policy decisions specifically with the appropriate evidence, to re-classify chargebacks from fraud-coded chargebacks to dispute-coded chargebacks, and to shift liability for these disputes from the merchant to the issuer and ultimately the consumer.

First-party misuse has become a significant problem for the industry and, in fact, in the 2021 Global Fraud Survey Report it was reported as the number one fraud challenge merchants face. Help us change the narrative! Download First-Party Misuse Report Card Guidelines for more information.

MRC Advocacy -- Cybercrime

The MRC applied for a portion of the EU Commission Internal Security Fund and was awarded €500K for a public-private partnership project so that MRC merchant members and law enforcement agencies would have a platform to work together against cybercrime. The MRC also partners with the IC3 (Internet Crime Complaint Center) and has a Memorandum of Understanding in place with Europol.


MRC Advocacy Efforts in India


India’s Financial Regulator, the Reserve Bank of India (RBI), introduced new payments regulations including an e-mandate on recurring transactions, effective 30 September 2021, and guidelines relating to Card on File set to be implemented by 31 December 2021. While the regulations were designed to provide consumer protection, eCommerce merchants operating in India have raised concerns about the deadlines and the lack of time to make the necessary changes and enable compliance. Additional concerns were raised around the merchants’ challenge to manage basic functions such as dispute resolution (chargebacks). If card details can no longer be held, transactions will be more difficult to identify.

The MRC has prioritized advocating for merchants on this topic and, to further that goal, wrote to the RBI in September 2021 to ask for timeline changes in order to prepare the payments ecosystem for those regulations and ensure compliance. This was followed by a meeting between merchants, card issuers, PSPs, retail associations, and four representatives from the Indian Financial Regulator (RBI) in November 2021. It was clear all participants want to collaborate to facilitate enablement across the ecosystem, but they also recognized that all stakeholders need to cooperate to reach compliance. The MRC followed up with the RBI again after the meeting to highlight concerns raised during the session.

This meeting was an excellent example of how advocacy can increase communication and transparency for all stakeholders by facilitating a constructive multi-lateral conversation.

*UPDATE*

The Reserve Bank of India (RBI) has extended the upcoming card payment regulation compliance deadline by six months, from 31 December 2021 to 30 June 2022.

The MRC has been engaging the RBI, merchant members, regulating bodies and other industry organizations in the country throughout 2021, advocating for an extension to the compliance deadline regarding the storing of card on file (CoF) data and tokenization requirements.

In addition to these discussions, the MRC facilitated a Merchant Round Table meeting with leading retail brands operating in India, also attended by RBI representatives. These efforts, along with a follow-up MRC webinar on the topic delivered by Microsoft and Google, helped inform the Regulator and pave the way for this decision.

Click here for more detail regarding these updates and the continued efforts of the MRC to act as the voice of the merchant in APAC.


SCA/EMV 3DS


The MRC is working with merchants and issuers to ensure upcoming regulation enforcement does not have a negative impact on the industry. On September 14, 2019, new requirements for authenticating online retail payments were introduced in Europe as part of the Payments Services Directive update (PSD2). The industry was proven not to be ready at that time, so the European Banking Authority (EBA) facilitated an extension to the implementation deadline of the regulation, to December 31, 2020. The MRC shares the goal of a robust implementation of Strong Customer Authentication (SCA); however, our merchant members have shown us in recent months that the ecosystem is not yet ready for the regulation to be implemented.

Microsoft's SCA Scorecard for August 2021 is available on LinkedIn (click here for details).

For more information on how Microsoft built their scorecard, see the following articles on LinkedIn Pulse:

Scorecards from Adyen, Amazon, and Google are available by clicking "Download Scorecards" below.

Download Scorecards


The MRC has called on the EBA and the European Commission to use their influence to encourage all NCAs (National Conduct Authorities) to adopt a flexible approach to the implementation of SCA and give industry scope beyond the December 31 deadline. The MRC also wrote to 18 NCAs directly to suggest the deadline for the operational application of SCA should be pushed out by at least 6 months.

Click here to view the MRC's correspondence with the European Commission, European Banking Authority, the Commission's responses, and a joint letter from the European Payment Institutions Federation signed by MRC, Visa, Mastercard, the European Hotel Forum, and many more.

The MRC has also engaged consumer associations in Europe to ensure they are fully informed on the impact on consumers from January 1 when card issuers are forced to decline transactions that do not appear to be SCA compliant. In some countries, the reports are showing this figure could be up to 50% of transactions.

The MRC has produced a Country SCA deadline dashboard to note the enforcement deadlines for European countries. See it here.

Other merchant scorecards are available to Regulators and Card Issuers. Contact us for access to these.

The MRC heard from card issuers and merchants that it is extremely hard to test for and debug problems highlighted when processing SCA-ready transactions, so we established a Slack channel where the community is working together to solve issues. If you wish to join the Slack channel (open to merchants and card issuers), contact slack3ds@merchantriskcouncil.org.

To sign up for testing with Visa, email Visa at gct3dssupp@visa.com. To sign up for the Mastercard test platform, visit https://3dss.netcetera.com/mastercard-psd2-testing/.


Who makes the regulation in Europe and who implements it?
The European Commission produced the regulation (PSD2). The regulation specifically relating to SCA has been enforceable since September 14, 2019. In effect, all regulated bodies (banks, credit institutions, etc.) should be compliant since that date. However, on that date, nothing really changed.

The EBA -- European Banking Authority -- is the enforcer of the regulation in the EU (European Union). It requires the NCAs -- the national competent / conduct authorities, normally the Central Banks of each nation -- to ensure compliance in each nation. It was the EBA, in September 2019, that allowed the NCAs additional time before they had to enforce the regulation in each nation. This flexibility ended at the close of 2020.

The Commission and the EBA have noted all parties have been aware of the regulation since 2017. They are currently not willing to extend the deadline for enforcement for that reason. The FCA was able to make an early decision most likely because of Brexit, i.e. they have left the EU and as such are not required to comply with EU regulation, in theory. That said, the UK will wish to remain competitive, so they aim to comply but have allowed another 9 months for their regulated bodies (issuers and acquirers) to comply with the regulation.

While each NCA can make its own decision on delaying the date, they are required to enforce the regulation under the EBA. To date, some NCAs have decided to move their dates (see the MRC SCA deadline chart for more information).

Global Customer Verification Methods


The MRC is collecting data from members to collate the various authentication/verification methods for consumers in different countries. This has proven useful for businesses wishing to comply with payments regulations in this space and those wishing to expand to other countries.

The data is ever-changing and the spreadsheet is available here.