Mastercard is introducing the Canada Assurance Framework to encourage enhanced security in the region. The program will address different subjects (listed below) that will encourage the use of technologies such as tokenization and 3D secure authentication.
How will this affect you?
There are several subjects that comprise the framework.
The fee per 3DS1 authentication will increase from 0.03 USD to 0.05 USD.
A new fee of 1 basis point with a cap at 0.10 USD will be assessed for 3DS2 authentications.
Effective date is July 1, 2021.
The introduction of new interchange rates from July 1, 2021, as per the below table:
|Interchange Program Type||Core||World||World Elite||Muse Mastercard|
|Canada Intracountry Consumer Credit 3DS||1.5%||1.7%||1.9%||2.03%|
|Canada Intracountry Consumer Credit Merit 3-Digital Commerce||1.76%||2.00%||2.24||2.39%|
Excessive Fraud Merchant Compliance Program
The Excessive Fraud Merchant (EFM) program aims to reduce fraud for e-commerce transactions by encouraging merchants to implement 3DS and to engage in other best practices for fraud management.
Compliance is measured at the merchant ID (MID) level and all the following conditions must be met to be identified by the EFM program:
- Minimum of 1.000 e-commerce transactions in clearing
- Monthly fraud is greater than 50K USD
- Monthly fraud is more than 50 basis points
- Penetration of 3DS transactions is less than 10% of the total card-not-present volume
Fines start at 500 USD on the 2nd month of identification and increase with each consecutive non-compliant month as shown in the table:
|Number of EFM Months||Assessment (USD)||Total Accumulated Assessment (USD)|
|4 to 6||5.000||Month 4 – 6.500
Month 5 – 11.500
Month 6 – 16.500
|7 to 11||25.000||Month 7 – 41.500
Month 8 – 66.500
Month 9 – 91.500
Month 10 – 116.500
Month 11 – 141.500
|12 to 18||50.000||Month 12 – 191.500
Month 13 – 241.500
Month 14 – 291.500
Month 15 – 341.500
Month 16 – 391.500
Month 17 – 441.500
Month 18 – 491.500
Account Data Compromise Relief
The ADC Program is designed to ensure the integrity of the payments processing environment and to encourage participants to comply with the PCI-DSS standards.
An Account Data Compromise Event is an occurrence that results in the unauthorized access to, or disclosure of, account data such as the PAN and card holder name.
In case of a breached environment, also named an ADC event under the program, merchants are financially liable. Mastercard will calculate the compensation amount due to be reimbursed.
Under the Canada Assurance Framework, merchants that have implemented tokenization through an approved Token Service Provider (TSP) and meet certain conditions are eligible for a relief of said liability. The details are as follows:
- Relief A
For merchants that have more than 75 percent of their annual total e-commerce transaction count tokenized, merchants are eligible for 50 percent liability relief resulting from an ADC Event.
That would mean up to 25 % of the merchant’s e-commerce transactions were account data and merchants would be eligible for 50 % relief in the liability calculations relating to the non-tokenized transaction count.
- Relief B
For merchants that have more than 95 % of their annual total e-commerce transactions count tokenized, merchants are eligible for 100 % liability relief resulting from an ADC Event.
That would mean up to 5 % of the merchant’s e-commerce transactions were compromised and merchants would be eligible for 100 % relief in the liability calculations relating to the non-tokenized transaction count.
A merchant’s annual total transaction count is determined based on the merchant’s clearing transactions processed during the twelve months prior to the date of publication of the ADC Alert.
July 1, 2021