Visa Canada published a document titled The Future of Payment Security in Canada, detailing several new requirements related to ensuring security with Visa card transactions, including several new rules and deadlines coming into effect over the next few years. Notably, issuers must eliminate the use of static passwords with Verified by Visa by April 2018, while merchants will be required to collect and provide the CVV2 to issuers but in turn receive a liability shift when issuers approve incorrect CVV numbers.
Visa Canada outlined a new set of requirements around collection of the Card Verification Value (CVV) number that will apply to all new eCommerce and telephone order merchants immediately, then to all existing eCommerce and telephone order merchants effective October 13, 2018. These merchants will now or soon be required to capture the CVV2 and include this data in the authorization request for all Visa card transactions. Many to most merchants were already checking the CVV, but the new requirement also brings a new liability protection. If a card issuer approves a transaction where a CVV2 is provided but does not match, the issuer is liable for fraud.
These new requirements around the CVV2 only apply to eCommerce and phone order merchants, but a separate requirement will apply to mail order merchants. Catalog and mail order merchants are now prohibited from collecting the CVV2 in a written format.
The Visa Canada document also discusses the expanded features of 3DS 2.0 and new authentication requirements for Canada beginning in April 14, 2018. Effective that date, issuers will no longer be able to use static passwords for cardholders to authenticate with Verified by Visa. Visa Canada additionally noted that more than 62 percent of Canadian Visa card issuers use risk based authentication today, choosing to only require authentication on higher risk transaction attempts.
For more information: