In October 2012, VISA quietly released new operating regulations which retroactively phased out VISA’s Account Data Compromise Recovery (ADCR) Process, and replaced it with the Global Compromised Account Recovery (GCAR) Program (see page 802 of VISA's operating regulations for a full description of GCAR).  For those that have not dealt with the ADCR, it is a program that VISA used to assess fraud recovery and operating expense recovery amounts on acquiring banks whose merchants  suffered certain payment card security breaches (Mastercard, Discover and AMEX all have similar programs).  Via various merchant agreements, those costs are typically passed on to the merchant that suffered the breach. Even though VISA's new operating regulations weren’t officially released until October 15, 2012, the rules indicate that GCAR replaces ADCR with respect to “Qualifying CAMS Events” sent on or before May 14, 2012 (more on the strange timing issue later).  So effectively, merchants suffering breaches after May 14, 2012 (and even some that suffered breaches before that date where CAMS Alerts were sent out after May 14, 2012) will be evaluated under GCAR for purposes of VISA’s assessment of fraud recovery (i.e. reimbursing issuing banks for fraud perpetrated on cards subject to a data breach) and operating expense recovery amounts (i.e. reimbursing issuing banks for the costs to reissue payment cards subject to a data breach).

This post summarizes some of the differences between ADCR and GCAR, and issues that merchants should take into account if they suffer a data breach and face the significant monetary assessments that can arise under GCAR.

GCAR Applicability Trigger Changes

Overall, under the ADCR, fraud and operating expense recovery by VISA (and ultimately to issuing banks) was only available if a payment card data breach occurred and certain criteria were met (paraphrasing):  (1)  the electronic storage of the full contents of any track of the Magnetic Stripe after authorizing a transaction;  (2)  non-compliance with the Payment Card Industry Data Security Standard (PCI-DSS) that could allow compromise of the full contents of any track on the Magnetic Stripe; or (3) non-compliance with PIN Management Requirements Documents that could allow a compromise of PIN data.

To be eligible for counterfeit fraud recovery and operating expense recovery under the ADCR, the account compromise event (aka the payment card data breach) must have involved at least 10,000 unique Visa account numbers and a combined total of US $100,000 or more of fraud recovery for all issuers involved in the event.   In terms of calculating fraud recovery amounts, VISA applied a complex formula that yielded a fraud recovery amount. That amount is ultimately contingent on several factors, including most significantly, the amount of fraud actually perpetrated using account numbers exposed by the breach.  For operating expense recovery (for qualifying accounts) VISA set the recovery amount at $1 per card (so if 10,000 qualified accounts had to have cards reissued, that would amount to $10,000 in operating expense recovery).

There have been some changes (some subtle, but potentially impactful, and some more obvious) in GCAR (relative to ADCR).  There are several criteria that must be met to impose recovery under GCAR, including the existence of:

A Payment Card Industry Data Security Standard (PCI DSS), PIN Management Requirements Documents, or Visa PIN Security Program Guide violation [ . . . ] that could have allowed a compromise of Account Number and Card Verification Value (CVV) Magnetic-Stripe Data, and PIN data for events also involving PIN compromise.

Some aspects of this requirement track consistently against the requirements of the ADCR, in particular references to violations of PCI-DSS and various PIN security requirements.  What is different are the references to “Account Data” and “Card Verification Value (CVV) Magnetic-Stripe Data” instead of referring to the “full contents of any track of the Magnetic Stripe after authorizing a transaction” (as in the old ADCR).

While the ultimate reason and interpretation of these changes is unclear, the modification could have expanded the scope of GCAR applicability.  Reference to the full contents of magnetic stripe data arguably refers to situations where the data actually taken off the physical magnetic stripe was compromised.  For example, where a memory scraper takes magnetic stripe data in real time when it is swiped at a point of sale device at a physical merchant location (this is a very common mode of attack that leads to counterfeit credit cards).  In contrast, the “full contents of magnetic stripe data” would not be at issue in the e-commerce or call center context where account information is being provided orally or typed into a computer.

By referring to “Account Data” and “Card Verification Value (CVV) Magnetic-Stripe Data”, Visa may be trying to address that issue.  However, neither term is actually defined in Visa’s operating regulations glossary (note that the term “Card Verification Value” and “Magnetic-Stripe Data” are defined separately in the glossary, and if those terms are used, based on references to data “encoded” and “contained” in the stripe, it still appears the data would have to be taken from that stripe).  Note, also that other references to the Magnetic Stripe in GCAR further muddy the water on this issue.

GCAR also changes the minimum number of at risk cards and fraud necessary to trigger GCAR recovery.  Under GCAR there must be at least 15,000 compromised cards “potentially at risk”:

15,000 or more eligible accounts were sent in CAMS Internet Compromise (IC) and/or Research and Analysis (RA) alerts indicating Account Number and CVV Magnetic-Stripe Data is potentially at risk

This is good news for many merchants who suffer incidents involving smaller card counts.  However, too little/too late for all those merchants analyzed under the ADCR in the past that suffered a breach involving 10,000 to 14,999 compromised cards -- they would have been home free under GCAR (more on this below).  One other slight tweak to note:  the standard for GCAR qualification is cards “potentially at risk” which some could construe broadly (under the ADCR the trigger was an “account compromise event [that] involves at least 10,000 Account Numbers.”)

The minimum fraud recovery amount qualification criteria also changed between the ADCR and GCAR. To qualify for GCAR recovery there must be:

A combined total of US $150,000 or more Counterfeit Fraud Recovery and Operating Expense Recovery for all Issuers involved in the event.

The good news here is that the minimum recovery to qualify for GCAR has increased from $100,000 (under ADCR) to $150,000.  So again, merchants suffering less serious breaches involving lower fraud amounts will not have to pay for fraud recovery under GCAR.  The bad news is that, unlike the ADCR, the recovery threshold calculation now includes not only fraud recovery, but also operating expense recovery.  Under the ADCR, VISA only considered fraud recovery amounts in determining whether the $100,000 ADCR threshold was met.

Finally, GCAR changed the amount that issuing banks can recover as operating expenses.  Under the ADCR issuing banks could only recover $1 per qualifying account.  That recovery amount has more than doubled to $2.50 per qualifying account.  So a breach of 100,000 cards that would have yielded a $100,000 operating expense assessment now yields an assessment of $250,ooo under GCAR.

Strange Timing Issues Related to GCAR  

I first reviewed VISA’s updated October 15, 2012 Operating Regulations in November 2012 (in conjunction with a client matter involving a payment card breach).   Although I could not find an exact release date, based on the October 15 2012 designation I assume the new regulations indicating the replacement of the ADCR with GCAR happened that month.  However, under the terms of the VISA’s operating regulations, the ADCR was retroactively retired for Qualifying CAMS Events sent on or before 14 May 2012.    What does this mean in plain English?

If a merchant suffers a data breach, it is sometimes (but not always) asked to retain a PCI Forensic Investigator  ("PFI").  The PFI will determine the window of card data exposure relative to a security breach, and the payment card processors and card brands will determine what cards were at risk during that window.  After doing so VISA will send out “Compromised Account Management System (CAMS) Alert” to issuing banks alerting them that certain VISA cards they have issued could be at risk.  Those issuing banks will check for fraudulent activity and may have the cards reissued.  Essentially, the date that CAMS Alert is sent out is the date of the “Qualifying CAMS Event.”

This is where the unusual timing issue comes into play.  It may be that from May 15, 2012 to October 2012, because VISA's October 2012 rules had not been established or released yet, VISA was still “adjudicating” breaches under the ADCR (not GCAR) even for CAMS Alerts after May 14, 2012.  So if a merchant suffered a payment card breach related to a May 16, 2012 CAMS Alert involving 12,000 VISA cards and $500,000 in recovery assessments, it could ultimately be liable under the ADCR.  However, according to the current rules that merchant should have been analyzed under the GCAR regime and therefore should not have been liable at all since GCAR’s 15,000 at risk VISA card minimum threshold was not satisfied.  Perhaps VISA was internally already applying GCAR requirements on and after May 16, 2012 (thereby letting some merchant banks/merchants off the hook for breaches that would have qualified under the ADCR), but it is not at all clear that this was happening.  The timing here is strange because VISA could have just pegged the transition date to the release of the new October 15, 2012 operating regulations, but for some reason, it did not.

Conclusion

It will be interesting to see how the new GCAR regime is viewed now that its existence is public knowledge.  Since VISA has been the leader of the pack, will the new GCAR prompt the other card brands to follow suit and update their fraud and operating expense recovery processes?  We will have to see.  In the meantime, merchants that do suffer breaches, should think about potential liability under VISA’s GCAR and the other card brands’ processes from the outset.  In fact, the forensic investigation that establishes the window of card data exposure is very important because its findings feed into GCAR and the other processes and ultimately dictate whether a merchant could be liable for thousands, hundreds of thousands or even millions in fraud recovery and operating expense recovery.

Finally, merchants that had CAMS Alerts issued between May 16, 2012 and October 2012 for data breaches involving between 10000 and 15000 VISA cards, and who were required to pay assessments under the ADCR, should consider revisiting (and potentially challenging) those ADCR assessments.  It appears, based on VISA’s own October 2012 operating regulations, that such assessments should not have qualified for recovery assessments.