Many of you are aware of the recent announcement from Mastercard regarding more stringent processing and communication requirements for merchants using the free trial continuity business model. These requirements have an impact on our trial continuity partners as well as the LimeLight platform, and so we wanted to take a deeper look into the requirements so you can understand what’s changing and take your own necessary steps to ensure compliance.
At LimeLight, we’re 100% committed to our partners in the trial continuity space — so ensuring that you understand all the requirements and the best practices for compliance is critical to us. If you have any questions, please don’t hesitate to contact us.
Existing LimeLight clients, if you have any questions or want to learn more about the changes we are making to the LimeLight platform to remain compliant with these regulations and any actions you may need to take within the LimeLight platform, please don’t hesitate to reach out to your client success manager for more information.
Who is impacted by the new regulations?
Mastercard receives a significant number of complaints from issuers and cardholders about deceptive merchant practices. The overarching goal of these regulations is to require merchants to provide full transparency to the consumer.
Mastercard’s AN 2202 – Revised Standards for High Risk Negative Option Billing Merchants applies to:
- Merchants who provide a sample of a good or service (complimentary or at a nominal price) and require the consumer to provide payment information to receive the sample. The merchant then bills the consumer at a future date unless the consumer proactively cancels their subscription. (Negative Option)
- Merchants using the above model to provide a physical product – as opposed to services or digital content (High Risk)
Merchants who fit both those categories need to be in compliance with the standards below. Merchants fitting these categories will also have certain requirements applied to their acquirer. We’ve broken out the requirements for compliance for both merchants and acquirers in detail below.
Mastercard specifically calls out nutraceutical merchants in their document, so they may apply additional levels of scrutiny to those businesses.
When do the new regulations take effect?
Mastercard initially published the revised standards for negative option billing merchants on October 18, 2018. The new standard will take effect on April 12, 2019. Merchants, processors, and acquirers must be compliant by that date. Note: This will affect any new subscriptions starting after April 12th.
Requirements for compliance: new merchant account creation and onboarding
1. MCC Classification: Negative Billing [Merchants]
Merchants who use negative option billing will be assigned a card acceptor business code or MCC of 5968: Direct Marketing—Continuity/Subscription.
2. High-Risk Designation [Merchants]
Merchants who use negative option billing to sell physical goods—not services or digital content—will be classified as high-risk merchants.
3. Required Inclusion in the Mastercard Registration Program [Acquirers]
Acquirers must register all merchants who use negative option billing through the Mastercard Registration Program to ensure compliance. Acquirers must also code any transactions originating from high risk negative option billing.
4. Disclosure of Contact Information [Merchants]
Merchants are responsible for sharing their contact information in specific ways:
- eCommerce Merchants: Transactions must include the website URL where the customer requested the product in data element 43, subfield 1 in the dual message system. Merchants will be required to provide the website URL with each transaction and this information will be transmitted to the gateway/processor. Also, merchants must share a customer service phone number on the maintenance page that will be displayed when the website is offline for software updates, scheduled maintenance, technical difficulties, etc.
- MO/TO Merchants: List the merchant’s contact phone number—one that is valid and accessible worldwide—in private data subelement 0170, subfield 1 in the dual message system.
5. Disclosure of Third-Party Service Providers [Merchants] [Acquirers]
As part of the onboarding process, merchants must list all of their third-party service providers that have access to cardholder data (such as customer relationship managers or CRMs like LimeLight).
The merchant’s acquirer must register these service providers with Mastercard.
Requirements for compliance: payment processing
6. Trial Start Date and Duration [Merchants]
The trial period must begin on the date that the product is received by the customer, not before. This means that delivery time must be taken into consideration and the trial cannot start until the consumer has received the product. Delivery time can fluctuate, but it is recommended that merchants assess their average delivery time, which they can request from their fulfillment provider.
7. Initial Payment Processing Consent [Merchants]
After the trial ends, but before the card is charged for the first rebill, the merchant must reach out to the customer and communicate:
- The amount the card will be charged
- The date the card will be charged
- The date the merchant will attempt to charge the card a second time if the account had insufficient funds when the first attempt was made (if applicable)
- The merchant’s name as it will appear on the cardholder’s statement
- Subscription cancellation instructions
The merchant must obtain the cardholder’s explicit consent for the transaction amount before initiating the authorization request.
8. Subsequent Payment Processing [Merchants]
All recurring transactions at the same acquirer must be processed with the same information that was used for the initial payment transaction.
The merchant ID (or MID) entered in DE 42 and the merchant name in DE 43, subfield 1 must match.
9. Unsuccessful Authorization Attempts [Merchants]
If an authorization attempt is unsuccessful, the merchant must send the cardholder a receipt and explain why authorization was declined.
10. Verifying Multiple Purchases [Acquirers]
The acquirer is responsible for verifying multiple purchases:
Acquirers must carefully monitor authorization messages. They need to be on the lookout for situations when the same cardholder account number is used to process transactions across multiple different merchant accounts.
If this repeat activity is noticed over a 60-day period, the acquirer must reach out to the merchant to verify the sales were bona fide transactions.
Documentation the merchant might provide to verify the transactions could include a copy of the cardholder’s transaction receipt.
Acquirers must retain this information for at least a year and share it with Mastercard if requested.
Requirements for compliance: subscription cancellation
11. Disclosure of Cancellation Policy [Merchants]
All eCommerce merchants must outline their cancellation policy and procedure on the website where the cardholder made the initial purchase. The policy must be easily accessible with a direct link. In the event the page is down, the merchant must present a customer service phone number on the website maintenance page.
12. Continued Reference to the Cancellation Policy [Merchants]
Each time the merchant submits an authorization request for a subsequent recurring transaction, a receipt must be sent to the cardholder via email or other electronic means (e.g., text message). The receipt needs to include instructions on how to cancel the subscription or negative option billing plan.
13. Cancellation Confirmation [Merchants]
The merchant must send a written confirmation to the cardholder when the subscription or negative option billing plan has been cancelled.