12/04/2012

MasterCard’s Terminal ID Requirement

MasterCard has issued a mandate, effective April 19, 2013, requiring merchants to provide a unique terminal ID with every transaction. Ostensibly, this requirement is to help MasterCard more quickly track down fraudulent activity by determining the specific point of sale where the fraud occurred.
While we agree with their desire to quickly stop fraud, and we understand the need to track down the endpoint where this occurred, we have to point out that the method they have imposed makes this mandate almost impossible to achieve.

Think about the scope of work involved:

• Every processor would have to be able to assign and manage a massive number of terminal IDs, and support those terminal IDs in their spec 
• Gateways and POSs would have to implement changes and recertify, which takes several months per integration 
• Gateways would also have to enter and manage the terminal IDs assigned by the processors
• Every point-of-sale and property management system would have to implement changes and recertify with gateways, which is a massive effort
• POSs may also have to recertify with PA-DSS due to “dramatic changes to the processing environment”

There simply is no practicable way for this amount of work to be completed within the given timeframe — or within any reasonable timeframe. (Especially when you consider that most of the players involved are already busy preparing for EMV in 2015!) And even if it were possible, the cost of those changes, along with the ongoing costs of managing specific terminal IDs and troubleshooting and resolving issues, would be enormous. Perhaps most ridiculous of all, the benefits of this mandate – the rewards for all this hard work – are questionable at best.

Theoretically, it could help track down the source of fraud, but only with the assumption that terminals remain in fixed locations for long periods of time. If there were any actual value in this mandate, it would only benefit MasterCard. For everyone else, it would only add cost. And what happens if you don’t bear these costs so that MasterCard can benefit? Well, MasterCard is threatening fines of up to $16,000 per violation. We can’t conceive of any legal grounds they have to levy such fines against merchants, so we’re not sure who they’re threatening. It seems they have forgotten that merchants hold the true power in their relationship. Sure, MasterCard could revoke a merchant’s ability to process MasterCard, but that just means less revenue for MasterCard. The store likely would not suffer as most customers have additional payment options available to them.

Add to that the fact that imposing fines or penalties for non-compliance with this mandate could easily be proved unjustified, and would likely lead to class-action lawsuits, and it’s plain to see that MasterCard would have to be crazy to pursue the issue… but crazy is something the card brands do well.

So, here’s our suggestion:

This mandate requires merchants and payments industry players to jump through a bunch of hoops in order to provide terminal IDs with each transaction. It asks them to do this on top of all the work they’re doing to prepare for EMV. However, it ignores the fact that EMV will provide a similar result. EMV readers already provide unique IDs back to the processors. Yes, EMV is an enormous effort but it provides clearer benefits, has broad acceptance, and (at this point) it’s inevitable. The MasterCard mandate is an enormous waste of time and resources that could be better spent implementing the future of payment processing, including P2PE, mobile, electronic wallets, and EMV. Best of all, while the deadline for EMV is in 2015, processors are required to be ready to process EMV transactions in April 2013 – the same month this new mandate takes effect. That means you could avoid all the pointless hassle of this mandate and jump straight to the next one… if that’s a choice that makes sense for your business.

If you do opt to comply with this mandate, please let us know what you will require of us. While we disagree with the mandate (at least as we currently understand it), we stand by our commitment to our merchant customers. We are happy to talk to your bank or processor to determine the best course of action and to set a unified plan of attack, since we have yet to find two processors who interpret this document the same way. Unfortunately, we have also not yet been able to find anyone at MasterCard who is able or willing to clarify the issue for us. That being said, we will continue to monitor MasterCard’s actions surrounding this issue and to do whatever it takes to keep our merchant customers safe.