Maestro Global Rules (PDF) - MasterCard

More documents

Recommendations

Info

Security 8.9 Account Data Compromise Events Notwithstanding the generality of the foregoing, the relationship of network, >> system, and environment configurations with other networks, systems, and environments will often vary, and each ADC Event and Potential ADC Event tends to have its own particular set of circumstances. The Corporation has the sole authority to interpret and enforce the Standards, including those set forth in this chapter. Consistent with the foregoing and pursuant to the definitions set forth in Rule 8.9 above, the Corporation may determine, as a threshold matter, whether a given set of circumstances constitutes a single ADC Event or multiple ADC Events. In this regard, and by way of example, where a Customer or Merchant connects to, utilizes, accesses, or participates in a common network, system, or environment with one or more other Customers, Merchants, Service Providers, or third parties, a breach of the common network, system, or environment that results, directly or indirectly, in the compromise of local networks, systems, or environments connected thereto may be deemed to constitute a single ADC Event. 8.9.2 Responsibilities in Connection with ADC Events and Potential ADC Events The Customer whose system or environment, or whose Agent’s system or environment was compromised or vulnerable to compromise (at the time the ADC Event or Potential ADC Event occurred) is fully responsible for resolving all outstanding issues and liabilities to the satisfaction of the Corporation, notwithstanding any subsequent change in the Customer’s relationship with any such Agent after the ADC Event or Potential ADC Event occurred. In the event of a dispute, the Corporation will determine the responsible Customer(s). Should a Customer, in the Corporation’s judgment, fail to fully cooperate with >> the Corporation’s investigation of an ADC Event or Potential ADC Event, the Corporation (i) may infer that information sought by the Corporation, but not obtained as a result of the failure to cooperate, would be unfavorable to that Customer and (ii) may act upon that adverse inference in the application of the Standards. By way of example and not limitation, a failure to cooperate can result from a failure to provide requested information; a failure to cooperate with the Corporation’s investigation guidelines, procedures, practices and the like; or a failure to ensure that the Corporation has reasonably unfettered access to the forensic examiner. A Customer may not, by refusing to cooperate with the Corporation’s >> investigation, avoid a determination that there was an ADC Event. Should a Customer fail without good cause to comply with its obligations under this Rule 8.9 or to respond fully and in a timely fashion to a request for information to which the Corporation is entitled under this Rule 8.9, the Corporation may draw an adverse inference that information to which the Corporation is entitled, but that was not timely obtained as a result of the Customer’s noncompliance, would have supported or, where appropriate, confirmed a determination that there was an ADC Event. ©1993–2012 MasterCard. Proprietary. All rights reserved. Maestro Global Rules • 9 November 2012 8-9
Security 8.9 Account Data Compromise Events Before drawing such an adverse inference, the Corporation will notify the >> Customer of its noncompliance and give the Customer an opportunity to show good cause, if any, for its noncompliance. The drawing of an adverse inference is not exclusive of other remedies that may be invoked for a Customer’s noncompliance. The following provisions set forth requirements and procedures to which each Customer and its Agent(s) must adhere upon becoming aware of an ADC Event or Potential ADC Event. 8.9.2.1 Time-Specific Procedures for ADC Events and Potential ADC Events A Customer is deemed to be aware of an ADC Event or Potential ADC Event when the Customer or the Customer’s Agent first becomes aware of an ADC Event or a Potential ADC Event under circumstances that include, but are not limited to, any of the following: 1. the Customer or its Agent is informed, through any source, of the installation or existence of any malware in any of its systems or environments, or any system or environment of one of its Agents, no matter where such malware is located or how it was introduced; 2. the Customer or its Agent receives notification from the Corporation or any other source that the Customer or its Agent(s) has experienced an ADC Event or a Potential ADC Event; or 3. the Customer or its Agent discovers or, in the exercise of reasonable diligence, should have discovered a security breach or unauthorized penetration of its own system or environment or the system or environment of its Agent(s). A Customer must notify the Corporation immediately when the Customer becomes aware of an ADC Event or Potential ADC Event in or affecting any system or environment of the Customer or its Agent. In addition, a Customer must, by contract, ensure that its Agent notifies the Corporation immediately when the Agent becomes aware of an ADC Event or Potential ADC Event in or affecting any system or environment of the Customer or the Agent. When a Customer or its Agent becomes aware of an ADC Event or Potential ADC Event either in any of its own systems or environments or in the systems or environments of its Agent(s), the Customer must take (or cause the Agent to take) the following actions, unless otherwise directed in writing by the Corporation: 1. Immediately commence a thorough investigation into the ADC Event or Potential ADC Event. 2. Immediately, and no later than within twenty-four (24) hours, identify, contain and mitigate the ADC Event or Potential ADC Event, secure Account data and preserve all information, in all media, concerning the ADC Event or Potential ADC Event, including: ©1993–2012 MasterCard. Proprietary. All rights reserved. 8-10 9 November 2012 • Maestro Global Rules
Page 1 and 2:
Maestro Global Rules 9 November 201
Page 3 and 4:
Summary of Changes This document re
Page 5 and 6:
Table of Contents Definitions .....
Page 7 and 8:
Table of Contents 3.12 Contact Info
Page 9 and 10:
Table of Contents 6.2.4 Mobile Paym
Page 11 and 12:
Table of Contents 7.8 Eligible POI
Page 13 and 14:
Table of Contents 8.6.1 Account Pro
Page 15 and 16:
Table of Contents 9.9.3 Noncomplian
Page 17 and 18:
Table of Contents 14.1 Service Prov
Page 19 and 20:
Table of Contents 7.23 ATM Access F
Page 21 and 22:
Table of Contents 2.3 Area of Use .
Page 23 and 24:
Table of Contents 7.2 Additional Ac
Page 25 and 26:
Table of Contents 9.15 Clearing and
Page 27 and 28:
Table of Contents 6.4 PIN and Signa
Page 29 and 30:
Table of Contents 6.4 PIN and Signa
Page 31 and 32:
Table of Contents 7.1.8 Card Accept
Page 33 and 34:
Table of Contents D.8.1 Corresponde
Page 35 and 36:
Activity(ies) The undertaking of an
Page 37 and 38:
Control As used herein, Control has
Page 39 and 40:
Gateway Transaction Any ATM transac
Page 41 and 42:
Maestro Word Mark The Maestro Word
Page 43 and 44:
Payment Transaction A Payment Trans
Page 45 and 46:
Settlement Obligation A financial o
Page 47 and 48:
Chapter 1 Participation This chapte
Page 49 and 50:
Participation 1.2 Eligibility to be
Page 51 and 52:
Participation 1.2 Eligibility to be
Page 53 and 54:
Participation 1.4 Interim Participa
Page 55 and 56:
Participation 1.7 Termination of Li
Page 57 and 58:
Participation 1.7 Termination of Li
Page 59 and 60:
Chapter 2 Licensing and Licensed Ac
Page 61 and 62:
Licensing and Licensed Activities 2
Page 63 and 64:
Licensing and Licensed Activities 2
Page 65 and 66:
Chapter 3 Customer Obligations This
Page 67 and 68:
3.1 Standards Customer Obligations
Page 69 and 70:
3.1.2.1.3 Category C—Efficiency a
Page 71 and 72:
3.1.2.4 Review Process Customer Obl
Page 73 and 74:
3.3 Choice of Laws Customer Obligat
Page 75 and 76:
3.7 Provision and Use of Informatio
Page 77 and 78:
3.7.3 Use of Corporation Informatio
Page 79 and 80:
3.9.2 Photographs Customer Obligati
Page 81 and 82:
3.11.2 Card Count Reporting Procedu
Page 83 and 84:
Customer Obligations 3.18 Expenses
Page 85 and 86:
3.22 Data Protection—Europe Regio
Page 87 and 88:
4.1 Right to Use the Marks Marks 4.
Page 89 and 90:
4.4 Review of Solicitations 4.5 Dis
Page 91 and 92:
4.7.1 Global Minimum Branding Requi
Page 93 and 94:
Chapter 5 Special Issuer Programs T
Page 95 and 96:
Special Issuer Programs 5.1 Special
Page 97 and 98:
Special Issuer Programs 5.2 Affinit
Page 99 and 100:
Special Issuer Programs 5.4 A/CB Ca
Page 101 and 102:
5.6.2 Categories of Prepaid Card Pr
Page 103 and 104:
Special Issuer Programs 5.6 Prepaid
Page 105 and 106:
Special Issuer Programs 5.7 Chip-on
Page 107 and 108:
Issuing 6.4.2 Use of the PIN.......
Page 109 and 110:
Issuing 6.2 Card Standards and Spec
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Issuing 6.4 PIN and Signature Requi
Page 121 and 122:
Issuing 6.5 Transmitting, Processin
Page 123 and 124:
Issuing 6.8 Mobile Remote Payment T
Page 125 and 126:
Issuing 6.9 Electronic Commerce 6.9
Page 127 and 128:
Issuing 6.11 MasterCard MoneySend P
Page 129 and 130:
Issuing 6.14 Fraud Reporting 6.13.1
Page 131 and 132:
Issuing 6.19 Recurring Payments—E
Page 133 and 134:
Acquiring 7.2 Additional Acquirer O
Page 135 and 136:
Acquiring 7.18.2.2 Disposition of C
Page 137 and 138:
Acquiring 7.1 Acquirer Obligations
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148: Acquiring 7.1 Acquirer Obligations
Page 153 and 154: Acquiring 7.2 Additional Acquirer O
Page 155 and 156: Acquiring 7.3 Additional Acquirer O
Page 157 and 158: Acquiring 7.5 Acquiring Payment Tra
Page 159 and 160: Acquiring 7.6 Acquiring MoneySend P
Page 161 and 162: Acquiring 7.7 Acquiring Mobile Remo
Page 163 and 164: Acquiring 7.9 POS Terminal and Term
Page 165 and 166: Acquiring 7.9 POS Terminal and Term
Page 167 and 168: Acquiring 7.11 Additional Requireme
Page 169 and 170: Acquiring 7.12 Additional Requireme
Page 171 and 172: Acquiring 7.14 POI Terminal Transac
Page 173 and 174: Acquiring 7.15 Requirements for Tra
Page 175 and 176: Acquiring 7.16 POS Terminal and Ter
Page 177 and 178: Acquiring 7.17 Connection to the In
Page 179 and 180: Acquiring 7.18 Card Capture NOTE 7.
Page 181 and 182: Acquiring 7.20 Merchandise Transact
Page 183 and 184: Acquiring 7.23 ATM Access Fees 7.23
Page 185 and 186: Acquiring 7.23 ATM Access Fees 1. t
Page 187 and 188: Acquiring Compliance Zones Rule Num
Page 189 and 190: Security 8.10.4 Acquirer Compliance
Page 191 and 192: Security 8.3 Customer Compliance wi
Page 193 and 194: Security 8.5 PIN Entry Device Issue
Page 195 and 196: Security 8.6 POS Terminal Communica
Page 197: Security 8.9 Account Data Compromis
Page 201 and 202: Security 8.9 Account Data Compromis
Page 207 and 208: Security 8.10 Site Data Protection
Page 215 and 216: Security 8.11 Algorithms 8.11 Algor
Page 217 and 218: Chapter 9 Processing Requirements T
Page 219 and 220: Processing Requirements 9.12 Floor
Page 221 and 222: Processing Requirements 9.2 POS Tra
Page 229 and 230: Processing Requirements 9.3 Termina
Page 231 and 232: Processing Requirements 9.4 Special
Page 233 and 234: Processing Requirements 9.4 Special
Page 235 and 236: Processing Requirements 9.5 Process
Page 237 and 238: Processing Requirements 9.7 Process
Page 239 and 240: Processing Requirements 9.8 Authori
Page 241 and 242: Processing Requirements 9.8 Authori
Page 243 and 244: Processing Requirements 9.9 Perform
Page 245 and 246: Processing Requirements 9.12 Floor
Page 247 and 248: Processing Requirements 9.13 Ceilin
Page 249 and 250:
Processing Requirements 9.13 Ceilin
Page 251 and 252:
Page 253 and 254:
Page 255 and 256:
Page 257 and 258:
Processing Requirements 9.15 Cleari
Page 259 and 260:
10.1 Definitions 10.2 Settlement Se
Page 261 and 262:
Settlement and Reconciliation 10.4
Page 263 and 264:
Settlement and Reconciliation 10.7
Page 265 and 266:
10.8.2 Intraregional Fees Settlemen
Page 267 and 268:
The Customer must: Settlement and R
Page 269 and 270:
Content Relocated to Chargeback Gui
Page 271 and 272:
Content Relocated to Chargeback Gui
Page 273 and 274:
Liabilities and Indemnification 13.
Page 275 and 276:
13.6 Proprietary Card Mark Liabilit
Page 277 and 278:
Page 279 and 280:
Page 281 and 282:
Chapter 14 Service Providers This c
Page 283 and 284:
14.1 Service Provider Categories Se
Page 285 and 286:
14.1.1 Independent Sales Organizati
Page 287 and 288:
Service Providers 14.3 General Obli
Page 289 and 290:
Service Providers 14.3 General Obli
Page 291 and 292:
14.3.10 Fees Service Providers 14.3
Page 293 and 294:
14.3.15 No Endorsement of the Corpo
Page 295 and 296:
14.4.3 Access to Documentation Serv
Page 297 and 298:
Service Providers 14.6 Service Prov
Page 299 and 300:
Service Providers 14.8 Confidential
Page 301 and 302:
Chapter 15 Asia/Pacific Region This
Page 303 and 304:
Overview Definitions Asia/Pacific R
Page 305 and 306:
1.7 Termination of License Asia/Pac
Page 307 and 308:
6.13 Issuer Responsibilities to Car
Page 309 and 310:
Asia/Pacific Region 7.18 Card Captu
Page 311 and 312:
Asia/Pacific Region 7.23 ATM Access
Page 313 and 314:
Asia/Pacific Region 9.2 POS Transac
Page 315 and 316:
Technical Specifications Compliance
Page 317 and 318:
Canada Region 9.3.1 Issuer Requirem
Page 319 and 320:
Canada Region 6.17 Additional Rules
Page 321 and 322:
Canada Region 7.17 Connection to th
Page 323 and 324:
Canada Region 7.23 ATM Access Fees
Page 325 and 326:
Canada Region 9.8 Authorizations 9.
Page 327 and 328:
Canada Region Section 16a—Canada
Page 329 and 330:
Canada Region 7.1 Acquirer Obligati
Page 331 and 332:
Chapter 17 Europe Region This chapt
Page 333 and 334:
Europe Region 6.4.2.1 Chip Cards...
Page 335 and 336:
Europe Region 8.4 PIN and Key Manag
Page 337 and 338:
Europe Region Technical Specificati
Page 339 and 340:
Overview Definitions Europe Region
Page 341 and 342:
Europe Region 1.1 Types of Customer
Page 343 and 344:
2.3 Area of Use Europe Region 2.3 A
Page 345 and 346:
Europe Region 2.3 Area of Use In al
Page 347 and 348:
The intra-European Maestro Rules, i
Page 349 and 350:
3.4 Examination and Audits The foll
Page 351 and 352:
3.22 Data Protection Europe Region
Page 353 and 354:
Europe Region 4.2 Protection and Re
Page 355 and 356:
Europe Region 5.1 Special Issuer Pr
Page 357 and 358:
6.1 Eligibility Europe Region 6.1 E
Page 359 and 360:
6.2.2 Embossing and Engraving Stand
Page 361 and 362:
6.9 Electronic Commerce Europe Regi
Page 363 and 364:
Croatia Malta Turkey Cyprus Moldova
Page 365 and 366:
6.14 Fraud Reporting Europe Region
Page 367 and 368:
Europe Region 6.19 Recurring Paymen
Page 369 and 370:
7.1.5 Acquiring Transactions Europe
Page 371 and 372:
Europe Region 7.3 Additional Acquir
Page 373 and 374:
7.9.2 Manual Key-entry of PAN Europ
Page 375 and 376:
Europe Region 7.12 Additional Requi
Page 377 and 378:
Europe Region 7.13 Additional Requi
Page 379 and 380:
Europe Region 7.15 Requirements for
Page 381 and 382:
7.15.6 PAN Truncation Requirements
Page 383 and 384:
7.23.1.1 Transaction Field Specific
Page 385 and 386:
Europe Region 7.27 Identification o
Page 387 and 388:
Europe Region 8.13 Signature-based
Page 389 and 390:
Bosnia and Herzegovina Kosovo Slova
Page 391 and 392:
Europe Region 9.2 POS Transaction T
Page 393 and 394:
9.2.2.2 Optional Online POS Transac
Page 395 and 396:
Europe Region 9.2 POS Transaction T
Page 397 and 398:
9.3.2 Acquirer Requirements Europe
Page 399 and 400:
Europe Region 9.4 Special Transacti
Page 401 and 402:
Page 403 and 404:
9.4.7.4 CVC 2/AVS Checks Europe Reg
Page 405 and 406:
Country Code Country Country Code C
Page 407 and 408:
9.8.7 Authorization Response Time 9
Page 409 and 410:
Europe Region 9.9 Performance Stand
Page 411 and 412:
10.2.2 Assessment for Late Settleme
Page 413 and 414:
Europe Region 10.11 Customer Insolv
Page 415 and 416:
13.13 Additional Liabilities 13.13.
Page 417 and 418:
Europe Region Compliance Zones Rule
Page 419 and 420:
Definitions Europe Region Definitio
Page 421 and 422:
7.9 POS Terminal and Terminal Requi
Page 423 and 424:
9.4 Special Transaction Types Europ
Page 425 and 426:
9.4.9 Internet Stored Value Wallets
Page 427 and 428:
Page 429 and 430:
Europe Region 3.6 Non-discriminatio
Page 431 and 432:
Europe Region 6.4 PIN and Signature
Page 433 and 434:
Chapter 18 Latin America and the Ca
Page 435 and 436:
Overview Definitions Latin America
Page 437 and 438:
4.5 Display on Cards Latin America
Page 439 and 440:
6.4.2 Use of the PIN Latin America
Page 441 and 442:
Latin America and the Caribbean Reg
Page 443 and 444:
Page 445 and 446:
9.2.2 Acquirer Online POS Transacti
Page 447 and 448:
Page 449 and 450:
Chapter 19 South Asia/Middle East/A
Page 451 and 452:
South Asia/Middle East/Africa Regio
Page 453 and 454:
South Asia/Middle East/Africa Regio
Page 455 and 456:
Chapter 20 United States Region Thi
Page 457 and 458:
United States Region 7.25.7 Deposit
Page 459 and 460:
United States Region 3.15 Integrity
Page 461 and 462:
United States Region 6.2 Card Stand
Page 463 and 464:
United States Region 6.10 Selective
Page 465 and 466:
United States Region 6.17 Additiona
Page 467 and 468:
United States Region 7.4 Acquiring
Page 469 and 470:
United States Region 7.4 Acquiring
Page 471 and 472:
United States Region 7.10 Hybrid PO
Page 473 and 474:
United States Region 7.17 Connectio
Page 475 and 476:
United States Region 7.23 ATM Acces
Page 477 and 478:
United States Region 7.25 Shared De
Page 479 and 480:
United States Region 7.25 Shared De
Page 481 and 482:
United States Region 9.2 POS Transa
Page 483 and 484:
United States Region 9.2 POS Transa
Page 485 and 486:
United States Region 9.8 Authorizat
Page 487 and 488:
United States Region 10.2 Settlemen
Page 489 and 490:
United States Region Compliance Zon
Page 491 and 492:
Overview Maestro PayPass Overview S
Page 493 and 494:
7.1 Acquirer Obligations and Activi
Page 495 and 496:
7.15 Requirements for Transaction R
Page 497 and 498:
A.1 Asia/Pacific Region Geographica
Page 499 and 500:
• Cyprus • Czech Republic • D
Page 501 and 502:
• Estonia • Finland • France
Page 503 and 504:
• Puerto Rico • St. Kitts-Nevis
Page 505 and 506:
• Qatar • Reunion • Rwanda
Page 507 and 508:
Maestro Merchant Operating Guidelin
Page 509 and 510:
Maestro Merchant Operating Guidelin
Page 511 and 512:
Signage, Screen, and Receipt Text D
Page 513 and 514:
Page 515 and 516:
Page 517 and 518:
Page 519 and 520:
Page 521 and 522:
Page 523 and 524:
Page 525 and 526:
Page 527 and 528:
Page 529 and 530:
Page 531 and 532:
Page 533 and 534:
Page 535 and 536:
Page 537 and 538:
Page 539 and 540:
Page 541 and 542:
Page 543 and 544:
Page 545 and 546:
Page 547 and 548:
Page 549 and 550:
Page 551 and 552:
Page 553 and 554:
Page 555 and 556:
Page 557 and 558:
Page 559 and 560:
Glossary Glossary Glossary This sec
Page 561 and 562:
usiness day Glossary Glossary A “
Page 563 and 564:
data encryption standard (DES) Glos
Page 565 and 566:
global bank holding company Glossar
Page 567 and 568:
offline Glossary Glossary An operat
Page 569 and 570:
PIN verification Glossary Glossary
Page 571 and 572:
scrip Glossary Glossary A printed r
Page 573 and 574:
terminal response time Glossary Glo
show all

Maestro Global Rules (PDF) - MasterCard

Create successful ePaper yourself

Delete template?

Save as template?