As consumers increase their reliance on debit, and specifically for card-not-present (“CNP”) transactions, issuers should verify that they are prepared to comply with the Final Amendments to Regulation II to Clarify the Prohibition on Network Exclusivity issued by the Federal Reserve Board of Governors on September 21, 2022 (the “Clarification”). The Clarification, which takes effect on July 1, 2023 (the “Effective Date”), requires all debit issuers to ensure that at least two unaffiliated networks are available to merchants for every type of debit transaction (including CNP transactions).
Over the past decade, PULSE transformed our network and capabilities as the payments industry evolved in response to consumer demand for convenient and frictionless solutions. PULSE made significant investments and enhancements that enabled the network to support the full range of debit transactions and cardholder verification methods – at both the physical and digital points of sale. This includes both card-present and CNP transactions in all merchant categories, as required by the Clarification.
PULSE made significant investments and enhancements that enabled the network to support the full range of debit transactions and cardholder verification methods.
“Most issuers that I talk to want to be reassured that, if they are in PULSE, they are compliant,” said Craig Watson, Senior Vice President of Account Management at PULSE. “The answer is that debit issuers participating in the full range of PULSE’s CNP transactions, along with another unaffiliated network that also supports CNP transactions, are almost certainly already compliant, though they should consult their own legal and regulatory experts to confirm this.”
Support for CNP tokenized transactions
Historically, Visa and Mastercard had different policies with respect to CNP tokenized transactions routed from a merchant to another unaffiliated network. Visa would detokenize these transactions, providing the other network with the primary account number (“PAN”), but would not validate the cryptogram or domain-restriction controls. Mastercard would not detokenize CNP tokenized transactions routed to another unaffiliated network. Given these limitations, PULSE did not support CNP tokenized transactions when the “front-of-card brand” was Visa or Mastercard. As a result, merchants have not had the option to route these transactions to PULSE.
Following the Clarification, both Visa and Mastercard have announced that they will detokenize CNP transactions routed to another network for authorization, but with limitations as discussed below. To support issuer compliance with the Clarification, PULSE is working to complete the necessary certifications to support Visa and Mastercard CNP token callouts, and token bank identification numbers (“BINs”) will be included in the PULSE BIN file sent to merchant processors to enable the routing of transactions to PULSE. Any changes to the PULSE Operating Rules and Procedures in connection with the Clarification will be communicated to network participants and implemented prior to the Effective Date.
At this time, we do not know whether merchants will choose to route CNP transactions utilizing a token issued by Visa or Mastercard to PULSE for authorization. However, Visa and Mastercard have informed us that if these transactions are routed to PULSE and subsequently detokenized by either the Visa or Mastercard token service platform (each, a “TSP”), the cryptogram and domain-restriction controls for the transactions will not be validated by the TSP. If Visa and Mastercard do not change this policy, issuers and issuer processors may receive CNP transactions from PULSE that were initially tokenized, but where the cryptogram and domain-restriction controls have not been validated. Issuers and issuer processors should determine how best to evaluate these transactions, including appropriate fraud-mitigation strategies.
To support issuers and issuer processors in interrogating these transactions, PULSE provides a fraud score in the transaction message that is based on the FICO CNP neural network model. This model leverages debit consortium data from over 9,000 financial institutions, utilizing advanced analytics to detect fraud patterns based on cardholder behavior profiles specific to CNP transactions.
Additionally, PULSE has consulted with FICO to anticipate emerging fraud scenarios associated with these transactions. As a result, PULSE has established transaction monitoring parameters and deployed network-level safety rules that will block certain types of suspicious transactions to protect against systemic risk. For an issuer that desires additional fraud support, PULSE’s DebitProtect Authorization Blocking Service can interrogate transactions on the issuer’s behalf and block transactions based on risk parameters established by the issuer.
PULSE is also developing an alternative “side-by-side” token service that will enable both merchant routing choice and full support for CNP tokenized transactions, including validating the cryptogram and domain-restriction controls. PULSE’s side-by-side token service will provide issuers with another way to achieve compliance with Regulation II, including the Clarification. The service will be available in July and issuers interested in being an early adopter should reach out to their Account Executive.
If you have questions about PULSE’s response to the Clarification, our DebitProtect Authorization Blocking Service, or anything related to your participation in PULSE, please contact your Account Executive or a PULSE debit expert.